Monday, 2025-07-07

« Sunday, 2025-07-06 Index Tuesday, 2025-07-08 »
*** mikal5 is now known as mikal01:01
masahitosean-k-mooney: late ack.  Thanks. yes, I'm thinking to push the PoC code early as much as possible and trying to go the features in the early next cycle.01:39
mikalOh nice, because rebasing a patch series now involves adding a signed off header, it also invalidates all votes against that review, even if the code hasn't changed.02:25
opendevreviewMichael Still proposed openstack/nova master: libvirt: Add objects and notifications for sound model.  https://review.opendev.org/c/openstack/nova/+/92612604:52
opendevreviewMichael Still proposed openstack/nova master: Implement sound model extra spec for libvirt.  https://review.opendev.org/c/openstack/nova/+/94077004:52
opendevreviewMichael Still proposed openstack/nova master: libvirt: Add objects and notifications for USB controller model.  https://review.opendev.org/c/openstack/nova/+/92735404:52
opendevreviewMichael Still proposed openstack/nova master: Implement USB controller extra spec for libvirt.  https://review.opendev.org/c/openstack/nova/+/95064304:52
opendevreviewbenlei proposed openstack/nova master: FIX: instance live migration failed after swap volume  https://review.opendev.org/c/openstack/nova/+/95421007:53
opendevreviewbenlei proposed openstack/nova master: FIX: instance live migration failed after swap volume  https://review.opendev.org/c/openstack/nova/+/95421011:12
opendevreviewKamil Sambor proposed openstack/nova master: Replace eventlet.event.Event with threading.Event  https://review.opendev.org/c/openstack/nova/+/94975414:43
*** haleyb|out is now known as haleyb14:58
opendevreviewBalazs Gibizer proposed openstack/nova master: [pci]Keep used dev in Placement regardless of dev_spec  https://review.opendev.org/c/openstack/nova/+/95414915:11
opendevreviewRajesh Tailor proposed openstack/nova master: Clarify that [pci]device_spec={} matches all devices  https://review.opendev.org/c/openstack/nova/+/95427415:50
fungisean-k-mooney: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607 was finally switched to public on friday, and contains the rationale behind cloud-init's decision to break that functionality we were discussing18:01
sean-k-mooneyfungi: ack ill skim it but the problem is that even on x86_64 using dmi is not a correct way to determin if the openstack data souce shoudl be enabled19:29
mikalHow does AWS handle this given they use exactly the same IP mechanism (we copied from them)?19:29
sean-k-mooneyfor it to be somethign they could rely on it would have to be somethign we suport for all virt driever includign ironic 19:30
sean-k-mooneymikal: it handeled by you confiruting the backedn in the image19:30
sean-k-mooneyyou are ment ot have custom images per cloud19:30
sean-k-mooneyso the uec images are the amazon flavor19:30
mikalAlso, its not strictly true that someone can man in the middle that IP address, assuming they're actually on OpenStack. We intercept that traffic and special case it.19:30
sean-k-mooneywell the 169 address were chosen because those are not allowed to be routed19:31
fungiyeah, where this presents a challenge is e.g. distros producing official bootable cloud images that are intended for use in multiple environments19:31
fungimikal: yes, the concern raised was booting a generic cloud image in a non-openstack environment19:31
sean-k-mooneyand since clouds are ment to prvode thing like ip/mac spoofing protection in general19:31
sean-k-mooneyspoofing that ip shoudl nto be possibel in general19:32
mikalHonestly this seems like a pretty weak security concern to me.19:32
sean-k-mooneyfungi so wether someitng responce on that address is ment ot be how you determin if its ec2/openstack19:32
sean-k-mooneyyou differecniate tbetween the two based on the reported filestyem in the metadtaa endpoint19:33
fungion non-x86 architectures cloud-init was assuming that the metadata addresses, if they replied, were trustworthy and not an attacker serving up backdoor userdata19:33
sean-k-mooneyfungi: it does that on x86 as well19:33
sean-k-mooneythe may have added some ectra condtional checks at some point19:33
fungibut only if the dmi data indicates it's booted by nova (or ec2 i suppose?)19:33
mikalCan't I make the same argument about DHCP? I just trust the first reply, that reply needs to not be malicious.19:33
sean-k-mooneybut ofrigally it woudl hit the ec2 endpoint even on openstack19:33
sean-k-mooneyfungi: not that im aware of. i think in older release if it was enabeld in the config it was used uncondtionally even on x8619:34
fungimikal: yes, i think this is the same degree of risk as a rogue dhcp server, assuming the system is configured to also run arbitrary code at boot that the dhcp server points it to? (not sure, that could be a bit of a pathological situation)19:34
sean-k-mooneybut there are several other first boot systems like ignition and cloudbase init that use the same 169.254.169.254 or http://f8e0 well know adddreses19:35
fungiright, i have no idea if cloud-init supports getting metadata from those19:36
mikalWouldn't it be better to spend any development effort here on something like TLS for the metadata service with certificate verification turned on, instead of changing a mechanism that no one has complained about in nearly 20 years?19:36
sean-k-mooneyi think they "fixed" it by just chaging thte default in the config to not enmebrate by defualt19:37
fungiwell, technically someone *did* complain about it, hence the bug report19:37
sean-k-mooneybut i woudl expect distor to override that19:37
fungiyes, distros could override it, or they could just build separate ec2/openstack images and othercloud images19:38
sean-k-mooneyas it stands they will have broken metadata supprot for ironic by default. so if you dont enbale configdrive with yoru ironic instnace it wong be able to use metadata out of the box19:38
fungii have no idea if e.g. debian's or ubuntu's generic cloud images are used on ironic19:38
sean-k-mooneyi have used them before19:39
mikalBuilding N cloud images is actually a fairly big hosting problem I imagine. That's a fair bit of repeated data just for a very minor problem.19:39
sean-k-mooneybut it depend on yoru hardware19:39
fungiseems like you'd want a more full-featured image with broader hardware support?19:39
fungiyeah19:39
sean-k-mooneysomethime they dont have the drivers requried soemtimes they do19:39
sean-k-mooneyits been a long time since i tried but i think i used diskimage builder with the cloud image as a base to build one19:39
sean-k-mooneycloud image doen nto mean qemu/kvm or vm based19:40
fungidebian not including ahci support in the generic cloud kernels because "most" cloud providers (amazon/azure/google) is a good example of why i'd be skeptical of using such images in ironic for bare metal19:40
mikalDIB definitely uses the various cloud images as the base for builds.19:40
sean-k-mooneymikal: it can/does btu it can replace the kernel ectra19:40
mikalsean-k-mooney: yeah, package installs etc etc.19:41
fungimmm, these days the dib elements we're using start from docker images instead, though previously we used elements that bootstrapped from scratch with tools like debootstrap19:41
mikalThis is how the SF "official" images are built. DIB with the SF agent sprinkled in.'19:41
sean-k-mooneyfungi: when did we move the ubuntu ones19:42
fungibut yes, i think dib does have some non-"minimal" elements that instead modify cloud images with virsh tools19:42
sean-k-mooneybecause they used to use the cloud image until relitivly recently19:42
fungisean-k-mooney: move from using debootstrap to container images? not sure if we have done that for the ubuntu images yet, i have to check19:42
fungibut at least for the dib-created images we boot in opendev we've never used cloud images as the base19:43
sean-k-mooneyfungi: last time i looked and when i was lookign to add alpine most still did not use contianers19:43
sean-k-mooneyfedora i think did19:43
sean-k-mooneybut most still default to clodu images as a base19:43
sean-k-mooneyhttps://github.com/openstack/diskimage-builder/blob/master/diskimage_builder/elements/ubuntu/root.d/10-cache-ubuntu-tarball#L16-L2119:44
sean-k-mooneyok they use the sqsfs rather then the qcow19:44
sean-k-mooneyor rather the filesystem image19:44
fungisean-k-mooney: yeah, looks like we're still using ubuntu-minimal (debootstrap into a chroot) not ubuntu-container19:44
sean-k-mooneyso i know there is a fedora container element https://github.com/openstack/diskimage-builder/tree/master/diskimage_builder/elements/fedora-container19:45
fungithe rocky images we build are using the rocky-container element by contrast19:45
sean-k-mooneyright19:45
sean-k-mooneybut it think that was only done for 1 or two and most didnt move yet19:45
fungiyeah, looking back at it i think you're right, i assumed we were further along on that already19:46
fungii guess it's been on hold while we switch from nodepool to zuul-built images19:46
sean-k-mooneyi was playing with packer and trying to buidl a alpine image at the weekend and i was debating if i wanted to revive my dib serise for that19:47
sean-k-mooneybuilding os images is alwasy a pain regardess of the tooling19:48
sean-k-mooneyalpine now provides a cloud iamge with cloudinit however19:48
sean-k-mooneyits just larger then i was hoping19:48
sean-k-mooneyfungi: i still think exporeing alpine to have a replacement for cirros or moving to using nested kvm might be the only way we elimiate the kernel panics we see in our jobs19:49
fungiit seems worth exploring, i agree19:50
sean-k-mooneyit does not have to be alpine but there are very few other distos that are small enough and well supproted to consider19:50
sean-k-mooneyanyway back to the topic at hand if folks are building an ironic image they can still use https://github.com/openstack/diskimage-builder/tree/master/diskimage_builder/elements/cloud-init-datasources#environment-variables19:51
sean-k-mooneyto list openstack19:51
fungii want to say someone (doug?) was playing with using distros that target embedded systems (openwrt? emdebian? building something with yocto?)19:52
fungibut it's been years ago now19:52
sean-k-mooneyfungi: i got it partly work i was just missing growpart :)19:52
sean-k-mooneybut ya i brefily considerd tinycore since ironic used it for the ipa19:53
sean-k-mooneythe problem is the combination of small disk footpring <100MB and small ram foot pring <128MB + cloud-init or glean +busybox/tools needed byt tempest19:54
sean-k-mooneyfungi: now that they offically publish cloud images i shoudl proably jsut poing my testing patch at that and see if it works19:55
fungiworth a shot, sure19:56
sean-k-mooneyfungi: how is the ci since the roolout of the zuul change19:57
sean-k-mooneyfungi: have cross provider builds been avoided as expected?19:57
fungisean-k-mooney: not 100% solved, we discovered that we also need https://review.opendev.org/95428419:58
sean-k-mooneyhum the cross tenant sharing of python object is slightly scary but ok19:59
sean-k-mooneyi guess that will rool out next weekend19:59
fungiwe'll probably restart the launchers onto it as soon as the container images promote19:59
fungiturns out we had done that when the previous (partial) fix merged but i didn't realize it when discussing later in the week20:00
sean-k-mooneyoh i see the sharing is not a generic thing just in that funtion20:03
sean-k-mooneyi was slighly concured that semapheroes or secretes ectra could be shared but this is not related to the job objects20:03
fungino, you could look at it as the problem arising from a generally cross-tenant resource not having been correctly shared since zuul normally separates objects in one tenant from the others20:04
opendevreviewsean mooney proposed openstack/nova master: [WIP] use alpine instead of cirros  https://review.opendev.org/c/openstack/nova/+/88191220:06
sean-k-mooneyi think i had previously customised the alpin image i built to allow password login with gocubsgo for tempest although that might works via ssh key loging20:08
fungiamusing, i never realized that was the default password for cirros images. i guess someone's a baseball fan20:11
sean-k-mooneyits hard to tell becase i never wrote the nodepool change to build the image in ci i only built it locally so i dont recall if i use the dev-user element or not20:11
mikalfungi: that would be Scott Moser.20:11
sean-k-mooneyit used to be "cubswin:)" until they one and now its "gocubsgo"20:11
fungihah20:11
clarkbre dhcp vs metadata service I think a difference is that typically dhcp is a fairly locked down service within hosting providers. The hosting services may not all realize hey needt o prevent traffic on that special metadata address20:12
clarkbbasically lock down dhcp is pretty standard stuff. Lock down metadata service isn't20:12
mikalI just think this is a pretty big breaking change for a relatively minor "security vulnerability".20:12
sean-k-mooneyim not sure. i woudl cosnider both to be simialr leveles of treat20:12
clarkbsean-k-mooney: they are. But one is super standard that everyone knows about. The other is not20:13
clarkbbasically the differencesi s one has an rfc the other doesn't20:13
mikalEspecially when I can think of use cases which want to get rid of the customized DMI data entirely20:13
fungialso i don't know how i would go about using a malicious dhcp server to get a machine to run arbitrary code at boot or install access for my personal ssh key20:13
sean-k-mooneymikal: i mentione dthis else whre but the dmi info is technically configuable by pakcager/deployers20:13
sean-k-mooneynova reads a vendor.conf file if it exits20:14
sean-k-mooneywhich change what that info is20:14
fungibut yeah, all of this is great feedback to the cloud-init maintainers20:14
mikalSo now deployers can accidentally break cloud-init with a DMI customization?20:14
sean-k-mooneywe do not use that downstream in redhat partly because we saw the ablity to tell it was openstack or worse what version of openstack as a potital security problem20:14
mikalThat's not great either.20:14
fungiand now that the bug is public, i suppose comments could be added tehre20:14
fungisean-k-mooney: i don't see us relying on the dev-user element anywhere, we have a custom element that we inject ssh keys with20:16
sean-k-mooneyfungi: that was not upstream i ment whewn i built my test alpine image locally20:17
fungiah20:17
sean-k-mooneywheni was workign on the dib support i was usign the dev-user image to debug but its been 4 years so i have no idea if the iamge i was testing with still had that or not20:17
fungiokay, just re-read your earlier comment about dev-user and now i get what you were saying20:17
sean-k-mooneyfungi: i got it to boot in the ci and it apear to be workign but boots hung because i did not expand the disk 20:18
sean-k-mooneyso it would start ot boot and then fail20:18
sean-k-mooneyi actully did 2 impelmetions the most recent one was 2 years ago based on teh continar file support https://review.opendev.org/c/openstack/diskimage-builder/+/755410/420:19
sean-k-mooneymikal: ya you need to have a file like this https://github.com/openstack/nova/blob/master/etc/nova/release.sample20:20
sean-k-mooneymikal: https://github.com/openstack/nova/commit/4aa45d2900a3063305a7b2c727abfc2371909b2120:20
sean-k-mooneythe support for that still technially exists https://github.com/openstack/nova/blob/master/nova/version.py20:21
sean-k-mooneybut nothing i know of actully uses that20:21
mikalBut that's the key point. OpenStack tries hard not to break existing behaviour. cloud-init apparently does not.20:22
mikalI think this is the strongest argument I've seen as to why people should move to glean, especially because glean implies that config drive will not in fact one day be removed.20:22
sean-k-mooneythere are other light wight alternitives too. the problem with glean is partly its streght 20:23
sean-k-mooneyit does not supprot metadtaa only config drive20:23
sean-k-mooneywhich si why glean is so reliable20:23
sean-k-mooneybut since we cant update config dirve it only really good for first boot but honestly if your doing day two thinbgs use ansible20:24
fungii don't think it's entirely fair to say that cloud-init doesn't try to preserve existing behaviors, just in this particular case they judged the existing behavior to be a greater risk than the impact from breaking it (whether they judged that accurately is another matter)20:25
sean-k-mooneyi guess we will see if we get a spike in reports of "my ssh key was not injected" or similar20:25
fungithey're typically pretty good about not breaking functionality, and in this particular case the bug was open in private for over a year while they debated the risks of doing so20:26
sean-k-mooneyon a related not the thing i whish we had time to do was add supprot for jwt or applciation creditials via config dirve. i.e. provide a way simialr to k8s for you to provide and authentication token to the workloads20:27
fungibut yes, the complexity and expansive scope of cloud-init, as well as their choice to rely on lots of different non-stdlib python libs, is why we made and use glean for our ci nodes20:27
sean-k-mooneyits something that aws and all the other cloud already do but providing a way to do athestation or the server and auth is a gap we have today.20:28
fungizuul has jwt support and can do oidc claims too20:28
sean-k-mooneyfungi: we are only using glean for the nodepool images right? cirros has its own mini implemation in bash that it uses instead20:29
fungithough i'm not sure if we could leverage that to authenticate metadata server responses20:29
fungisean-k-mooney: correct20:29
clarkbfungi: the zuul implementation requires the third party set up zuul as a trusted oidc provider20:29
fungiwe don't (currently) build cirros images ourselves afaik20:29
fungiclarkb: yeah, i was trying to think if there was a way client-side to leverage that, but the booting server instance would be the client in that case and needs to be reachable before zuul can interact with it20:30
sean-k-mooneythis is there code https://github.com/cirros-dev/cirros/blob/main/src/usr/bin/ec2metadata and not we dont we use the upstream images and back them into the ci images to avoid downloadeing it in the job20:30
fungiyeah, we download the upstream cirros images and ship convenience copies in the cache in our test nodes20:31
clarkbnote that is a cache though. we can and do remove old versions or lag on adding new versions20:31
sean-k-mooneyclarkb: well new version very rarely happen20:32
sean-k-mooneythe last cirrors release was 26th of september 202420:32
fungithough i expect we're overdue for pruning some of the current list of cirros images we include20:32
sean-k-mooneyi think there were still some jobs using 0.5.x last time i checked20:33
sean-k-mooneythey shoudl all be on 0.6.3 at this point but ...20:33
clarkbsean-k-mooney: I'm calling it out because someone noticed a cirros image wasn't baked in recently and while it was a bug it was also a buggy job not falling back to download it20:33
sean-k-mooneyi belive there is a 0.7.0 in the works btu that has been true for a while now20:33
clarkband yes they were using 0.5.x and I indicated that those old versions should probably be considered removable too20:33
fungiif the jobs are run infrequently, e.g. on aging unmaintained branches, we usually consider it safe to drop them from the cache since those jobs can still fetch the files at runtime when they occasionally happen to run20:34
sean-k-mooneyso the kernel panics we hit in 0.6.3 rarely are much more common on 0.5.x becase there is at least 1 addional kernle bug that is not fixed there.20:34
mikalsean-k-mooney: a less terrible spiffe arrestor would probably meet your needs while pleasing the hipsters. It's on my mental list of things to one day look at, possibly with some TPM sprinkled in.20:55
mikalfungi: they had it open for a year and never thought to ask a Nova core?20:56
sean-k-mooneyi mean it was a private "secuirty issue" so i would not nessisarly expiect them to20:57
sean-k-mooneyalhtough if they were unsure they coudl have. i guess fungi was at least somewhat aware20:57
sean-k-mooneyso i asusme they asked the vmt?20:58
fungijamespage convinced them on adding me to the bug as a heads up, though technically not for a vmt perspective since the vulnerability doesn't exist in openstack clouds, it was more of a question about the potential impact of the breaking change they were considering20:58
mikalI don't see that on the bug? I might have missed it because it only skimmed, but they seem to have spent much more like talking to Canonical than the affected platform team.20:58
mikal(The VMT being asked that is)20:59
fungiand since it wasn't a report for an openstack project, i didn't feel like i had the authority to pull more people into it21:01
fungii was absolutely out of my depth on whether cloud-init's reliance on reading dmi data was a good choice, but also that seemed to already be happening in prior versions21:02
sean-k-mooneyfungi: ya i dont expect you to knwo those details21:05
sean-k-mooneyit just sad that the chice is to break eveyr nova virt driver that is not libvirt21:05
sean-k-mooneywell not break but the dmi interface was only supproted in the libvirt driver so the auto detection wont work genericlly21:06
mikalsean-k-mooney: one issue with machine credentials is that OpenStack lacks an IAM role system, so what credentials would you give the machine and with what permissions? Oslo policy is such a mess Red that won't take support calls if you use it, and there really is nothing else.21:06
mikalsean-k-mooney: in other clouds that machine credential would be of the form "can read from this one specific object store bucket and this one special user". We can't do that right now.21:07
sean-k-mooneymikal: i wanted to supprot passign an applciation credetial that you precreate or askign for nova to create one that on the users behalf21:08
sean-k-mooneyand we dont supprot custom policy because oslo.plicy is a mess 21:08
sean-k-mooneyits not21:08
sean-k-mooneywe dont supprot it by default because custoemr kept breaking thing by incorrectly configuring it21:09
sean-k-mooneyso we say if you want to have custom policy file a supprot exception to at least get a cursory ok form someone who shoudl under stand it21:09
fungiit just seems like a catch-22 since you'd need some way to pass data into a server booted from a generic image so it knows what to validate the signature with (public key for example)21:10
fungiand if you already had a secure communication channel, you could just use that for the metadata too21:11
mikalWell, qemu supports secure communications channels, we just don't use them.21:12
sean-k-mooneywell metadta was ment to be the secure channel but ya...21:12
sean-k-mooneymikal: we wanted it to be mostly one way, and we intentally dont allow direct db access form the compute agent21:13
sean-k-mooneyfungi: the problem is that it does nto mattter how secure we make this in neutron21:13
sean-k-mooneyits ever othe rcloud that woudl need ot be secure for them to feel ok with this being enabled by default21:14
sean-k-mooneylike on the nuetorn side we already trap the reqest based on that ip and then use the soruce mac/ip to proxy it to nova with the neutron proxy authentiication using a shared secret21:16
sean-k-mooneyneutron also does not allow other vms to respond to the requeest eith its anti spoffing rules21:16
sean-k-mooneybut unless azure and every other cloud also did that they would consider any well knwo address to be insecure21:16
sean-k-mooneyi can kind of get where they are commign form it just how cloud images are expected to work21:17
sean-k-mooneyif they dont supprot metadta by defualt it not really a cloud iamge anymore since tha was kind fo the defining factor at least in the context of cloud-init21:18
sean-k-mooneyanyways i better call it a day o/21:18
clarkbmikal: you actually can configure a bucket (swift container) that only a specific one off account can edit21:19
clarkbits a bit under documented and the tooling is rough. infra uses it and we end up doing direct curl stuff to make it happen iirc21:20
fungisean-k-mooney: by "secure communication channel" i meant one which the booted operating system can somehow verify is trustworthy. a trusted third party (like a well-known public certificate authority) is one possible solution, but probably a terrible one21:33
fungibasically include a reference in the metadata blob to the location of a signature and a certificate corresponding to the key that signed the metadata, where that certificate is issued by a trusted third party that cloud-init or whatever knows and can validate it against21:37
fungias soon as you eliminate the ttp, i think you're stuck having to inject some custom trust information into the server, and the trustworthy injection problem becomes essentially the same as the the trustworthy metadata problem21:39
fungibut it's likely there are common solutions i'm just not aware of21:40
sean-k-mooneyfungi: your thinking of something liek the grub efi shim21:41
fungiyes, that's the same sort of implementation21:42
fungiand faces effectively the same challenges21:43
sean-k-mooneyso with something like config drive youy can sort of do that in the sense tha tyou could provdie a ca cert to use to authenticate but at that point you might as well just provide the metadta as well21:43
fungimy point exactly21:43
sean-k-mooneywe also try to aovid injecting things directly into the image now if we can avoid it21:44
fungibootstrapping trust is a nontrivial problem21:45
sean-k-mooneyyep and the trusted compute folks would go as far as saying proving nvram or other uefi stores is not secure enough21:45
mikalclarkb: other clouds let you do it effectively for any API call.22:02
clarkbya I know. Its just that is the one example where you can do it with openstack22:03
mikalfungi: this "credential zero" problem is literally what SPIFFE is aimed at. Its just the OpenStack attestor is meh. One day someone should fix it.22:04
mikalLike the hypervisor could produce a certificate for the instance at boot and ram it into the TPM, to my current understanding of TPMs.22:05
fungiyeah, and then the tpm is your implicitly trusted communication channel, albeit one that probably isn't suitable for ramming all the metadata through22:09
fungibut can at least bootstrap a more general-purpose source at that point22:09
sean-k-mooneymikal: so injecting things into tpm would generally not eb considered secure22:13
sean-k-mooneyi know you could add a root of turst to teh tpm22:14
sean-k-mooneybut if we supprot that soemoen woudl ask to be able to lock that out so that only there root of trust form barbiacn could be injected22:14
sean-k-mooneythat woudl not be so terrible i gues.. allow them ot updload somethign to barbican and pass a refence ot it when booting and have nova inject it into the tpm usign the users token ot retirve it22:16
mikalsean-k-mooney: noting that I've never managed to find a good guide to TPM stuff and am therefore a noob, why would the hypervisor generating a unique certificate that identifies the instance and storing it in the TPM so inside the instance can sign things but not actually get to the certificate not be secure? Isn't that almost exactly what the22:16
mikalfirmware is doing, just with a CA for the cloud instead of a CA for jus the TPM?22:16
mikalsean-k-mooney: understanding TPMs is also on my todo list of things I'll never get around to.22:17
sean-k-mooneymain thing to under stand to day is we cant live migrate with tpms to day because we encypt them with a secreate stored in barbican that only the user that create the vm can acess :) so tpms equal pain22:18
sean-k-mooneywe coudl likely generate a cert to "sign" or attest the identiy of the vm, and maybe put that in the config drive or tpm for you to atteset22:19
sean-k-mooneybut im not sure we could use that for auth22:19
sean-k-mooneythat was one of the jwt propsoals that was made not too long ago. inject a jwt token purly for attestation of the identiy of the sever but not for actual keystone auth usage22:20
sean-k-mooneymikal: https://github.com/bbc/nova/commit/382984a3a23032c96089cb5877a55e425db7cee422:21
mikalsean-k-mooney: so that injected JWT has a name in SPIFFE that I've forgotten, but its a definitely a thing they do. Then again, how do you handle the JWT expiring for long lived VMs?22:25
sean-k-mooneymikal: no idea the bbc impleaiton was just an experiment and it never landed upstream22:27
mikalhttps://kasm.stillhq.com/#/session/9606cb74-10e3-4e1e-8990-0779495f79dd -- SPIFFE calls it a SVID apparently.22:28
mikalUgh, wrong url.22:30
mikalhttps://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md this one.22:30
« Sunday, 2025-07-06 Index Tuesday, 2025-07-08 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!