Bug 1964919

Summary: [RFE] Create signed image snapshot of VM created from a signed image using barbican
Product: Red Hat OpenStack
Reporter: Rohini Diwakar <rdiwakar>
Component: openstack-nova
Assignee: OSP DFG:Compute <osp-dfg-compute>
Status: NEW
QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: astillma, athomas, dasmith, eglynn, jhakimra, kchamart, pgrist, sbauza, sgordon, udesale, vromanso
Keywords: FutureFeature
Hardware: All
OS: All
Type: Bug

Description Rohini Diwakar 2021-05-26 10:53:28 UTC
Description of problem:
With Barbican enabled for OpenStack as the image signing service, at the moment it is not possible to create a signed image snapshot from a VM which was originally created from a signed image.

This is because of the config option "non_inheritable_image_properties" which doesn't propagate signature-related metadata of the original image to a snapshot image of the virtual machine.

Comment 4 Cyril Roelandt 2021-08-04 16:07:49 UTC
> So, in order to create a VM, this snapshot has to be downloaded, signed and then uploaded to glance which is not a straight-forward approach.

Yes, this seems like the current approach, see also https://bugzilla.redhat.com/show_bug.cgi?id=1969888#c30.

This involves nova, glance, barbican and cursive. I'm not sure how hard it would be to improve the process. I am going to retarget this to Nova because everything starts with the user creating a snapshot, but this might involve changes in multiple components.
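
The sign step of the download, sign, upload workaround discussed in comment 4, as an added example that is not part of the bug report or of any OpenStack project's code. It shows that a signature made over the base image does not verify against snapshot bytes, so the snapshot needs its own signature. It assumes the Glance image-signature property names (img_signature, img_signature_hash_method, img_signature_key_type, img_signature_certificate_uuid), uses a throwaway key with a bare public key standing in for the certificate stored in Barbican, and all file contents, IDs and function names are constructed.

```shell
#!/usr/bin/env bash
# Added example: the offline "sign" step of download -> sign -> upload.
# Online steps are not run here (IDs are placeholders):
#   openstack image save --file snap.img <SNAPSHOT_ID>
#   openstack image create --file snap.img --property img_signature=... <NAME>
set -eu

sign_image() {  # <private_key.pem> <image_file> -> base64 RSA-PSS/SHA-256 signature
  openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss "$2" |
    openssl base64 -A
}

verify_image() {  # <public_key.pem> <base64_sig> <image_file>; status 0 = valid
  local sig rc=0
  sig=$(mktemp)
  printf '%s' "$2" | openssl base64 -d -A -out "$sig"
  openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss \
    -signature "$sig" "$3" >/dev/null 2>&1 || rc=$?
  rm -f "$sig"
  return "$rc"
}

signature_properties() {  # <private_key.pem> <image_file> <cert_uuid>
  printf 'img_signature=%s\n' "$(sign_image "$1" "$2")"
  printf 'img_signature_hash_method=SHA-256\n'
  printf 'img_signature_key_type=RSA-PSS\n'
  printf 'img_signature_certificate_uuid=%s\n' "$3"
}

demo() {  # constructed stand-ins for the base image and its snapshot
  local d old new stale=invalid fresh=invalid
  d=$(mktemp -d)
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null
  printf 'base image bytes' > "$d/base.img"
  printf 'base image bytes + guest writes' > "$d/snap.img"
  old=$(sign_image "$d/key.pem" "$d/base.img")
  # A signature inherited from the base image does not cover the snapshot.
  if verify_image "$d/pub.pem" "$old" "$d/snap.img"; then stale=valid; fi
  new=$(sign_image "$d/key.pem" "$d/snap.img")
  if verify_image "$d/pub.pem" "$new" "$d/snap.img"; then fresh=valid; fi
  rm -rf "$d"
  echo "inherited=$stale resigned=$fresh"
}

demo
```

Each line printed by signature_properties maps to one `--property key=value` argument on the upload; the certificate UUID must be the Barbican secret that holds the certificate for the signing key.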