[pve-devel] Create template from CT

Dietmar Maurer dietmar at proxmox.com
Thu Mar 6 10:47:48 CET 2014


> > secret keys, passwords, unique ids, IPs, logs, ....
> 
> Obviously, anything you leave on the machine will be replicated to the next
> CT created from the template. This is a feature, and not a problem. 

No, IMHO this is a big security risk!

> Creating a
> template will require a couple of IQ points - and for the scenario you mention
> they should use backup and not create a template. This is the same if you do
> it manually - they will need to be removed if you do not wish them to be in
> the Template.

No, this is really not the same for me.

> > > I'd really like to get this feature available in Proxmox as every
> > > time I create a new template I have to SSH to the box and tar the CT
> > > folder. It's such a simple process and it drives me crazy every time I have
> > > to SSH to the box.
> > >
> > > Is there any way of getting this feature into Proxmox - even if it
> > > means completely changing how it's implemented, or is this just a
> > > no-go from the start?
> >
> > I see the following problems with this approach:
> >
> > 1.) Our security model assumes the OpenVZ templates do not contain
> > secrets (templates are readable by all storage users). So a simple
> > copy of existing VMs is likely to leak passwords and other secret data!
> 
> I agree - I didn't realise that template storage was not protected. Perhaps we
> could create a new storage role which would be used for templates?

I have no plans to change that model.
 
> > 2.) Many software packages (and admins) copy IP addresses or hostname
> > into configuration files. This will lead to non-functional templates.
> 
> This would be a problem whichever way you look at it. Your 'supported' way
> of creating a backup and restoring it would have the same trouble.

The difference is that this is already implemented.

> > 3.) Containers can contain custom network configs (veth, ...). This
> > will also lead to non-functional templates.
> 
> Again, this would be an issue with your supported method.

see above.

I suggest you simply use restore, and then apply a script
to do the changes you want?
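The "restore, then run a script" approach suggested above, as an added example that is not part of this mailing list post and not Proxmox's own tooling: a hypothetical shell script that takes the directory of a restored container's rootfs, removes the per-instance material named in the thread (SSH host keys, machine-id, shell history, DHCP leases, logs) and then audits what is left for private keys, usable password hashes and hard-coded IP addresses before the result is turned into a template. All file paths are assumptions about a Debian-style guest, and the sample rootfs built by `make_fixture` is constructed placeholder data, not real key material.

```shell
#!/bin/bash
# Example post-restore sanitiser for a container rootfs. This is an added
# illustration, not Proxmox/pve code. ROOT is the directory holding the
# restored container's filesystem; the file paths below are assumptions
# about a Debian-style guest and should be adjusted for your own images.
set -eu

# Per-instance identity/secret files that must not end up in a template
# (assumed locations).
SECRET_GLOBS='
etc/ssh/ssh_host_*
etc/machine-id
root/.bash_history
var/lib/dhcp/*.leases
'

# Remove identity files and empty the logs; machine-id is left present but
# empty so the guest regenerates it on first boot.
scrub_rootfs() {
    root=$1
    for g in $SECRET_GLOBS; do
        for f in "$root"/$g; do          # glob expands relative to the rootfs
            [ -e "$f" ] && rm -f -- "$f"
        done
    done
    if [ -d "$root/var/log" ]; then
        find "$root/var/log" -type f -exec sh -c ': > "$1"' _ {} \;
    fi
    : > "$root/etc/machine-id"
}

# Report what a human still has to decide about. Findings go to stderr,
# the number of findings to stdout.
audit_rootfs() {
    root=$1
    n=0
    # 1. private key material left under etc/ or root/
    keys=$(grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$root/etc" "$root/root" 2>/dev/null || true)
    for f in $keys; do
        echo "private key: ${f#$root/}" >&2
        n=$((n + 1))
    done
    # 2. accounts whose password hash is usable (not locked or empty)
    if [ -f "$root/etc/shadow" ]; then
        while IFS=: read -r user hash _; do
            case $hash in
                ''|'*'|'!'*) ;;
                *) echo "password set: $user" >&2; n=$((n + 1)) ;;
            esac
        done < "$root/etc/shadow"
    fi
    # 3. hard-coded IPv4 addresses in configuration (the "non-functional
    #    template" problem from the thread); loopback/wildcard are ignored
    ips=$(grep -rEn -e '([0-9]{1,3}\.){3}[0-9]{1,3}' "$root/etc" 2>/dev/null \
          | grep -vE '127\.0\.0\.1|0\.0\.0\.0|255\.255\.255\.' || true)
    if [ -n "$ips" ]; then
        printf '%s\n' "$ips" | sed "s|^$root/|hard-coded IP: |" >&2
        n=$((n + $(printf '%s\n' "$ips" | grep -c '')))
    fi
    # 4. identity files that should have been removed (empty machine-id is ok)
    for g in $SECRET_GLOBS; do
        for f in "$root"/$g; do
            [ -e "$f" ] || continue
            if [ "$g" = etc/machine-id ] && [ ! -s "$f" ]; then continue; fi
            echo "leftover: ${f#$root/}" >&2
            n=$((n + 1))
        done
    done
    echo "$n"
}

# Constructed sample rootfs so the script runs offline; the key and the
# password hash are placeholders, not real secrets.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh" "$root/etc/network" "$root/root" \
             "$root/var/log" "$root/var/lib/dhcp"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$root/etc/ssh/ssh_host_ed25519_key"
    printf 'root:$6$examplesalt$examplehash:19000:0:99999:7:::\n' > "$root/etc/shadow"
    printf 'daemon:*:19000:0:99999:7:::\n' >> "$root/etc/shadow"
    printf 'iface eth0 inet static\n    address 10.0.0.42\n' > "$root/etc/network/interfaces"
    echo 'ssh admin@10.0.0.42' > "$root/root/.bash_history"
    echo 'deadbeefdeadbeefdeadbeefdeadbeef' > "$root/etc/machine-id"
    echo 'lease { }' > "$root/var/lib/dhcp/dhclient.leases"
    echo 'Mar  6 10:47:48 ct sshd[1]: Accepted password for root from 10.0.0.1' \
        > "$root/var/log/auth.log"
    echo "$root"
}

# Demo: audit, scrub, audit again (findings on stderr, counts on stdout).
R=$(make_fixture)
echo "findings before scrub: $(audit_rootfs "$R")"   # constructed fixture: 7
scrub_rootfs "$R"
echo "findings after scrub:  $(audit_rootfs "$R")"   # 2: root password, static IP
rm -rf -- "$R"
```

The scrub step only touches things that are safe to remove mechanically; the root password hash and the static address in the network config are reported but left alone, because silently locking the account or dropping the interface configuration is exactly the kind of change that produces a non-functional template. A non-zero audit count is the cue to fix those by hand before the archive is placed on template storage, which, as noted earlier in the thread, every storage user can read.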