XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login
    1. Home
    2. siemba
    3. Posts
    S
    • Profile
    • Following 0
    • Followers 0
    • Topics 2
    • Posts 4
    • Best 0
    • Controversial 0
    • Groups 0

    Posts made by siemba

    • RE: Connecting xen to vault

      @olivierlambert its custom config, not any bug. Ill point it out what i mean below.

      1. I have standard ubuntu template ->
      2. I would like my vm to be already customize, when its created, because its faster and easier when everything is in one place ->
      3. So for that i have created cloud-init for eg.->
      #cloud-config

hostname: <hostname>

package_update: true
package_upgrade: true

write_files:
  - path: /etc/ssl/certs/mydomain.crt
    content: |
      <certificate data>
  - path: /etc/ssl/private/mydomain.key
    content: |
      <private key data>

runcmd:
  - apt-get update
  - DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
      1. So my main problem is that this, particular cloud-init has fixed <certificate data> and <private key data>, that i would like to not be passed as a plain text, because it is a secret. To me its not done (for now) with best practices, but its very comfortable.

      So finally, i am wondering what is the best solution, for not putting secrets as a plain text, but rather keep them as a secret. I could create templates and later delete cloud-config with those data, but it would be more flexible, if there would be any chance to connect it to Hashicorp Vault or something that will dynamically fetch secrets.

      posted in Xen Orchestra
      S
      siemba
    • RE: Connecting xen to vault

      @olivierlambert yes you are right, i meant hashicorp vault. Okay so basically there are 2 things that make me think.

      First is that lets say i have couple secrets in vault for example: private keys, certs, passwords etc. that i would like to pass to my vm.
      For now i have one standard template and couple cloud-inits for different types of machines, but those "secrets" are visible in xen and i am wondering if it is safe from security point of view, if i put secrets as a plain text. (I think that is the most important thing)

      Next things is that, if it isnt safe then is there a way to fetch secrets from vault instead of passing them as a plain text. So when secret "x" will change on vault, it will be automatically changed in template.

      I hope now it is clearer than it was. Thanks in advance.

      posted in Xen Orchestra
      S
      siemba
    • Connecting xen to vault

      Hey guys, im wondering if it is possible to connect somehow xen to vault? So during creating vm it will fetch secrets from there?
      Or do you create vm and then you paste some secrets/values and then you delete it, so it is not visible anywhere as a plain text?

      posted in Xen Orchestra
      S
      siemba
    • getting all ip's from every xen's virtual machines

      hey guys, i didnt find answers anywhere so im here to ask you how to get all ips of vms from xen

      i need it for work where we have around 100 virtual machines
      i have a playbook that changes password on vm, and i want to reach all machines so in case of changing password, instead of changing it manually, i will run playbook that gets password from vault and it will update password on all vms

      i assume that i can get list of vms
      then write some script that will get ips and then inject it to ansible

      posted in Xen Orchestra
      S
      siemba