Thanks for your input, Matthew!
I was already writing the use case summary (comment #8) when you responded in the meantime, so it isn't an answer to your post directly. Let me catch up on that:
I agree that the access to the dmcrypt endpoint is a serious issue. Cinder mitigated this by introducing native LUKS support for LibVirt/QEMU. Similar mechanisms could be evaluated for Nova's LUKS-based ephemeral storage as well, but this is out of scope of this topic and requires a separate discussion, I think.
From reading your post, our defined scenario seems most similar to point number 3 of comment #7. I'm curious about your related statement:
> This is trivial to implement: document that operators should not configure NFS storage.
What shared storage method should operators configure for migration scenarios instead that would make the signature check unnecessary?