On 2025-09-02 09:36:15, Thomas Goirand wrote:
Hi,
Hi Zigo
Under "normal" circumstances, anyone has access to a VM's metadata. It'd be nice to restrict access to it for only the VM (ie: do not accept forwarding) and only from root. This could be done this way:
From my experience, not only root needs access to metadata; there is potentially a whole host of scripts and automation on the user side using it as well. I think that changing this behaviour is going to cause lots of headaches for people.
    iptables -A FORWARD -d 169.254.169.254/32 \
        -j REJECT --reject-with icmp-port-unreachable
    iptables -A OUTPUT -d 169.254.169.254/32 \
        -m owner ! --uid-owner 0 -j REJECT \
        --reject-with icmp-port-unreachable

Would the team agree to add this by default?
I see the point but I have mixed feelings about it.
Also, we need to check if only root has access to the config drive.
From my PoV this is less disputable and I wouldn't object to that one.

--
|_|0|_|                                  |
|_|_|0|          "Panta rei"             |
|0|0|0|     -------- kuLa --------       |

gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1 A4DF C732 4688 38BC F121 6869 30DD 58C3 38B3
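
An added example, not part of either message in this thread: a shell audit that checks whether the two rules proposed above are the ones that actually decide traffic to the metadata address, since iptables stops at the first matching rule. The function names and both sample rulesets are constructed for illustration, and the check assumes `iptables -S` output and only looks at rules that name 169.254.169.254/32 in `-d`.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `iptables -S` output for the two
# proposed metadata rules. Assumption: only rules that name the metadata
# address in -d are examined; broader rules earlier in a chain are not.
META='169.254.169.254/32'

# Print the first rule in chain $1 whose -d is the metadata address.
# iptables is first-match, so that rule decides what happens to the packet.
first_meta_rule() {
    awk -v chain="$1" -v meta="$META" '
        !found && $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-d" && $(i + 1) == meta) { print; found = 1; break }
        }'
}

# Read a ruleset on stdin; return 0 only if both proposed rules are effective.
audit_metadata_rules() {
    rules=$(cat)
    status=0
    fwd=$(printf '%s\n' "$rules" | first_meta_rule FORWARD)
    out=$(printf '%s\n' "$rules" | first_meta_rule OUTPUT)
    case "$fwd" in
        *"-j REJECT"*) echo "FORWARD: forwarded traffic to $META is rejected" ;;
        *) echo "FORWARD: no effective REJECT for $META"; status=1 ;;
    esac
    case "$out" in
        *"-m owner ! --uid-owner 0 "*"-j REJECT"*)
            echo "OUTPUT: only uid 0 can reach $META" ;;
        *) echo "OUTPUT: first rule for $META is not the root-only REJECT"; status=1 ;;
    esac
    return "$status"
}

# Constructed rulesets in `iptables -S` format (not captured from a real host).
sample_rules() { cat <<'EOF'
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 169.254.169.254/32 -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
EOF
}
# Same rules, but an earlier per-user ACCEPT shadows the root-only REJECT.
shadowed_rules() { cat <<'EOF'
-A FORWARD -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
EOF
}
# On a real host, run as root: iptables -S | audit_metadata_rules
sample_rules | audit_metadata_rules
```

The second constructed ruleset shows the case raised in the reply: an exception added for an automation user ahead of the REJECT changes which rule wins, and the audit reports it.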