Saturday, 2024-08-03

00:45 <Riastradh> If I spin up an OpenStack compute instance, say with the openstack CLI or terraform, how can it publish a public key, like its newly generated ssh host key, on an authenticated channel through which I can retrieve it?
00:48 <Riastradh> Does OpenStack expose any kind of secret API key to the instance that can be used with other APIs like pushing to object storage, the way Amazon EC2 and Google Compute Engine and Oracle OCI expose some kind of per-instance key through the instance metadata service?
00:49 <DHE> if it runs cloud-init (which most openstack images do), it will run some commands of your choosing on startup. you can have it download some more complex script and run it...
00:49 <Riastradh> Right, but what can it do in that script to transmit the credentials to me over an authenticated channel?
00:52 <DHE> I don't know much about EC2, etc... what I do know is that the server should see its own instance/VM UUID within itself and be able to identify itself that way...
00:54 <Riastradh> So how would you use that to transmit its new ssh host key to me, when I run openstack CLI or terraform or whatever, so that it can't be forged by anyone else on the network?
00:55 <DHE> there is a project called barbican to act as a secrets storage system.. i've never used it, and I'm not 100% sure it's the right fit for the job...
00:56 <DHE> starting to think I didn't understand the question and maybe I'm not the right person to answer
00:57 <Riastradh> What are you suggesting putting in this script?
00:57 <Riastradh> Something like `curl -X PUT --data-binary @/etc/ssh/ssh_host_ed25519_key.pub https://some.storage.endpoint/mysshkey`?
00:58 <DHE> maybe, except mysshkey is derived from the machine uuid, which can be found in /sys/devices/virtual/dmi/id/product_uuid
00:59 <Riastradh> OK, so how does some.storage.endpoint verify that the request is coming from the legitimate compute instance that was just created, and not from some random other host on the network?
00:59 <DHE> guessing a machine's uuid should be impossible without having access to the openstack interface/API itself
01:01 <DHE> I don't have a great answer.. if the endpoint is also a VM in openstack, you could have them all on the same private network with no router. otherwise you could just use SSL for protection and just include some secret header value that must be present, and just hard-coded along with the curl command...
01:01 <DHE> I'm making this up as I go. I'm not proud of this advice right now...
01:02 <Riastradh> So with EC2 and GCP and OCI, the host creates a secret key that it exposes to the guest through instance metadata (http://169.254.169.254/stuff).  That secret key can be used to authenticate API calls like storage PUTs.
01:03 <Riastradh> I would expect OpenStack does something similar, but I can't find it.
01:05 <DHE> the main issue I see with that is openstack authentication keys always have a time limit... so you would have to provide instances with an actual username/password pair for them to authenticate as periodically
01:08 <Riastradh> Sure, in EC2/GCP/OCI the secret keys you get out of the instance metadata are time-limited and rotated from time to time.
13:02 <Continuity> Riastradh: the vendordata api might meet your needs; you would need something at the other end to return the data. https://relf.co/2023/10/21/openstack-nova-metadata-api.html
17:48 <Riastradh> Continuity: So this is something that the admin of an OpenStack needs to set up, and there's no instance identity key baked into baseline OpenStack functionality?
18:07 <Continuity> Riastradh: not that I'm aware of, and yes this would need to be set up by the admin

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!