OpenStack Summit May 2015 Vancouver has ended
Back To Schedule
Monday, May 18 • 4:40pm - 5:20pm
How to make Ironic bare-metal provisioning more secure and reliable?

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Today Ironic PXE boot has several security and reliability issues.  PXE boot lacks any form of security. There is no mechanism to establish mutual trust between a PXE client and a server or secure the TFTP protocols.  Moreover, PXE boot uses DHCP broadcast which causes security and scalability concerns from some cloud deployers.  TFTP also encounters packet loss and timeout issues in a larger scale deployment environment. 

  IronMan is an Ironic plug-in driver that uses UEFI secure boot, virtual media PXE-less deployment, and secure disk erase to enhance security and reliability for Ironic bare-metal provisioning.   UEFI secure boot secures the boot process by only loading each piece of boot software including boot loader, firmware drivers and kernel with the correct digital signatures.  Virtual media PXE-less deploy driver addresses PXE boot security and reliability issues by sending Ironic management data and Keystone authentication token in a reliable encrypted management channel.  Secure disk erase and firmware settings can be used as part of the node cleaning process to prepare a node for a clean start of deployment or re-deployment.


  In this session, we will give an overview of these security features and also provide a demo of secure boot with virtual media PXE-less bare-metal provisioning.  You will learn how to use these features to enhance security and reliability for Ironic bare-metal deployment.


Wan-yen Hsu

HP Distinguished Technologist

Shivanand Tendulker

HP R&D Expert engineer

Monday May 18, 2015 4:40pm - 5:20pm PDT
Room 121/122

Attendees (1)