1374375 – [RFE][nova]: Nova Support for Glance Image Signing

Bug 1374375 - [RFE][nova]: Nova Support for Glance Image Signing

Summary: [RFE][nova]: Nova Support for Glance Image Signing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Upstream M2
Target Release:	13.0 (Queens)
Assignee:	Lee Yarwood
QA Contact:	Joe H. Rahme
Docs Contact:
URL:	https://blueprints.launchpad.net/nova...
Whiteboard:	upstream_milestone_none upstream_defi...
Depends On:	1558058
Blocks:	1365571 1523263
TreeView+	depends on / blocked

Reported:	2016-09-08 14:03 UTC by Stephen Gordon
Modified:	2019-09-09 13:10 UTC (History)
CC List:	19 users (show)
Fixed In Version:	openstack-nova-17.0.0-0.20180123163703.27eadbc.el7ost
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	1631290 (view as bug list)
Environment:
Last Closed:	2018-06-27 13:26:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	177948	None	master: MERGED	glance-specs: Image Signing and Verification Support (I305b2ae86415c8d256c641abb2795af663bee56a)	2018-02-07 14:29:37 UTC
OpenStack gerrit	188874	None	master: MERGED	nova-specs: Nova Support of Glance Image Signing (Ia8e7fcc21d7c15e480facbe30af88cdce2d73159)	2018-02-07 14:29:29 UTC
OpenStack gerrit	189843	None	master: MERGED	nova: Add image signature verification (Iec8561136af7053e9b88eb258d94d1b440c0688a)	2018-02-07 14:29:22 UTC
OpenStack gerrit	256069	None	master: MERGED	nova: Add signature_utils module (I904a7489c8759951daa6c9ffb1cf444822132258)	2018-02-07 14:29:07 UTC
Red Hat Product Errata	RHEA-2018:2086	None	None	None	2018-06-27 13:28:35 UTC

Description Stephen Gordon 2016-09-08 14:03:57 UTC

Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/nova-support-image-signing.

Description:

In order to support Glance's image signing feature, we need to add accompanying functionality to Nova. This will allow Nova to verify signed images before booting and create signed images.

This accompanies the functionality described in the spec here:  https://review.openstack.org/#/c/177948/

Specification URL (additional information):

http://specs.openstack.org/openstack/nova-specs/specs/mitaka/approved/image-verification.html

Comment 2 Stephen Gordon 2016-11-25 14:42:49 UTC

Specification as not approved for Ocata, moving to Pike.

Comment 5 Stephen Gordon 2017-04-20 13:41:57 UTC

Specification moved to Pike based on Barbican dependency for end to end delivery of feature.

Comment 12 Lee Yarwood 2018-03-29 09:22:58 UTC

As discussed, we should also validate the deployment aspect of this RFE by ensuring we use the VerifyGlanceSignatures [1] parameter to enable this on the compute nodes.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L127

Comment 19 errata-xmlrpc 2018-06-27 13:26:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.