Adds metadata password POST at the hypervisor level

Registered by Alessandro Pilotti

Metadata password POST (i.e. nova get-password) was added in Grizzly and is currently supported by Cloudbase-Init (Windows Cloud-Init).

The main issue with the current approach is that it is not supported by ConfigDrive and requires HTTP POST access from the guest, with all the security, deployment, scalability and management issues involved.

To support this feature in scenarios in which metadata HTTP access from the guest instances is not allowed, the Nova driver can take care of the metadata POST on behalf of the guest instance. The guest instance will still be in charge of generating the password and encrypting it with the SSH public key, then passing the encrypted data to the hypervisor over a guest / host channel that the hypervisor provides.

KVP is the guest / host communication channel available on Hyper-V. An implementation can be added in the Nova Hyper-V driver, based on a common interface that each hypervisor driver can implement (e.g. XenServer, KVM, etc.). The same interface can be implemented on the client side in Cloud-Init and/or Cloudbase-Init.
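The guest-side step described above, as an added example (not code from this blueprint, Nova or Cloudbase-Init): the password is RSA-encrypted with the SSH public key before it reaches the guest / host channel, so the hypervisor driver only ever relays ciphertext. The function names, the CHANNEL_MAX_VALUE limit and the toy key are assumptions made for the illustration, and the hand-written PKCS#1 v1.5 padding only keeps it runnable offline; a real agent would call a vetted crypto library with a real key.

```python
import base64
import secrets
import struct

# Constructed toy key (two Mersenne primes) so the example runs offline. NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
CHANNEL_MAX_VALUE = 1024  # assumed per-value size limit of the guest/host channel

def _field(data):
    return struct.pack(">I", len(data)) + data

def toy_public_key_line():
    """Build an OpenSSH-format 'ssh-rsa' line for the constructed key."""
    nums = (E, P * Q)  # mpint fields: big-endian with a leading zero bit
    blob = _field(b"ssh-rsa") + b"".join(
        _field(x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in nums)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

def parse_ssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' public key line."""
    kind, b64 = line.split()[:2]
    blob, fields = base64.b64decode(b64), []
    while blob:
        (size,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + size])
        blob = blob[4 + size:]
    if kind != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys can encrypt")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def guest_encrypt(password, pub_line):
    """Guest side: RSA PKCS#1 v1.5 encrypt, base64, check it fits the channel."""
    e, n = parse_ssh_rsa(pub_line)
    k, msg = (n.bit_length() + 7) // 8, password.encode()
    if len(msg) > k - 11:
        raise ValueError("password too long for this key")
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    em = int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big")
    payload = base64.b64encode(pow(em, e, n).to_bytes(k, "big")).decode()
    if len(payload) > CHANNEL_MAX_VALUE:
        raise ValueError("ciphertext exceeds channel value size")
    return payload

def owner_decrypt(payload):
    """Key owner side: recover the password with the private exponent."""
    n, d = P * Q, pow(E, -1, (P - 1) * (Q - 1))
    em = pow(int.from_bytes(base64.b64decode(payload), "big"), d, n)
    em = em.to_bytes((n.bit_length() + 7) // 8, "big")
    return em[em.index(b"\x00", 2) + 1:].decode()
```

Only the holder of the private key can run the last step; everything the channel and the driver handle is the base64 string returned by guest_encrypt.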

Blueprint information

Not started
Russell Bryant
Alessandro Pilotti
Needs approval
Alessandro Pilotti
Series goal:
Not started
Milestone target:

Related branches



I'd like to see a discussion about this one on the mailing list. --russellb

Marking this blueprint as definition: Drafting. If you are still working on this, please re-submit via nova-specs. If not, please mark as obsolete, and add a quick comment to describe why. --johnthetubaguy (20th April 2014)


Work Items
