On 2018-12-13 22:21:54 +0100 (+0100), Thomas Goirand wrote:
> On 12/13/18 11:28 AM, Bastian Blank wrote:
> > On Mon, Dec 10, 2018 at 09:13:59AM -0500, Jonathan D. Proulx wrote:
> >> As a private cloud operator it may be useful for me to have privileged
> >> console access to all my users' VMs but it's not a good line to break by
> >> default.
> >
> > As operator you have by definition all access.
>
> A customer could setup hard drive encryption, in which case I would have
> zero access.

How are they supplying the decryption key if not through channels
under your control to sniff/MitM and then reuse to decrypt it
yourself? Not to mention the key has to be in kernel memory, which
you can dump from the hypervisor you manage.

I can understand, as a long-time systems administrator myself, that
there is a guttural knee-jerk reaction to having root access on a
serial line or local console with no authentication, but in the case
of virtual machines I just remind myself that if you can't trust the
operators of the environment then you can't trust the workloads you
put there either (much like unmonitored physical access to colocated
machines).

--
Jeremy Stanley