Bug 1523263

Summary: [RFE] Make image verification optional per boot request
Product: Red Hat OpenStack
Component: openstack-nova
Version: 14.0 (Rocky)
Status: CLOSED DEFERRED
Severity: medium
Priority: medium
Reporter: Lee Yarwood <lyarwood>
Assignee: OSP DFG:Compute <osp-dfg-compute>
QA Contact: OSP DFG:Compute <osp-dfg-compute>
CC: alee, dasmith, eglynn, kchamart, mbooth, sbauza, sgordon, srevivo, stephenfin, vromanso
Target Milestone: Upstream M2
Keywords: FutureFeature, Triaged
Hardware: x86_64
OS: Linux
Doc Type: Enhancement
Type: Bug
Last Closed: 2019-09-30 16:46:39 UTC
Bug Depends On: 1374375

Description Lee Yarwood 2017-12-07 14:38:48 UTC
Description of problem:

The initial Nova implementation for image signature verification introduced a single configurable of `verify_glance_signatures` to either enable or disable the feature across _all_ instance boot requests.

https://bugzilla.redhat.com/show_bug.cgi?id=1374375

https://review.openstack.org/#/q/topic:bp/nova-support-image-signing+(status:open+OR+status:merged)

While a useful starting point, it would be much more useful if this could be controlled per boot request. A spec was drafted in Pike to allow this but not implemented:

https://review.openstack.org/#/q/topic:bp/nova-api-option-signatures+(status:open+OR+status:merged)

Comment 3 Stephen Finucane 2019-09-30 16:46:39 UTC
While this is a valid request, it's been around for some time with no attached customer case. At this point, I think it's best that we close as DEFERRED. If a customer comes forward with a request for this feature, we can reopen.