Bug 1374375

Summary: [RFE][nova]: Nova Support for Glance Image Signing
Product: Red Hat OpenStack
Reporter: Stephen Gordon <sgordon>
Component: openstack-nova
Assignee: Lee Yarwood <lyarwood>
Status: CLOSED ERRATA
QA Contact: Joe H. Rahme <jhakimra>
Severity: medium
Priority: medium
Version: 12.0 (Pike)
CC: acanan, berrange, dasmith, egallen, eglynn, gcharot, jhakimra, jschluet, kchamart, lyarwood, mwitt, pgrist, sbauza, scohen, sferdjao, sgordon, srevivo, tshefi, vromanso
Target Milestone: Upstream M2
Keywords: FutureFeature, Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/nova/+spec/nova-support-image-signing
Whiteboard: upstream_milestone_none upstream_definition_pending-approval upstream_status_good-progress
Fixed In Version: openstack-nova-17.0.0-0.20180123163703.27eadbc.el7ost
Doc Type: Enhancement
Clone Of:
: 1631290 (view as bug list) Environment:
Last Closed: 2018-06-27 13:26:39 UTC
Bug Depends On: 1558058    
Bug Blocks: 1365571, 1523263    

Description Stephen Gordon 2016-09-08 14:03:57 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/nova-support-image-signing.

Description:

In order to support Glance's image signing feature, we need to add accompanying functionality to Nova. This will allow Nova to verify signed images before booting and create signed images.

This accompanies the functionality described in the spec here:  https://review.openstack.org/#/c/177948/

Specification URL (additional information):

http://specs.openstack.org/openstack/nova-specs/specs/mitaka/approved/image-verification.html

Comment 2 Stephen Gordon 2016-11-25 14:42:49 UTC
Specification was not approved for Ocata, moving to Pike.

Comment 5 Stephen Gordon 2017-04-20 13:41:57 UTC
Specification moved to Pike based on Barbican dependency for end to end delivery of feature.

Comment 12 Lee Yarwood 2018-03-29 09:22:58 UTC
As discussed, we should also validate the deployment aspect of this RFE by ensuring we use the VerifyGlanceSignatures [1] parameter to enable this on the compute nodes.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L127

Comment 19 errata-xmlrpc 2018-06-27 13:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086