Bug 1374375 - [RFE][nova]: Nova Support for Glance Image Signing
Summary: [RFE][nova]: Nova Support for Glance Image Signing
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M2
: 13.0 (Queens)
Assignee: Lee Yarwood
QA Contact: Joe H. Rahme
URL: https://blueprints.launchpad.net/nova...
Whiteboard: upstream_milestone_none upstream_defi...
Depends On: 1558058
Blocks: 1365571 1523263
Reported: 2016-09-08 14:03 UTC by Stephen Gordon
Modified: 2019-09-09 13:10 UTC

Fixed In Version: openstack-nova-17.0.0-0.20180123163703.27eadbc.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1631290
Last Closed: 2018-06-27 13:26:39 UTC
Target Upstream Version:

System | ID | Priority | Status | Summary | Last Updated
OpenStack gerrit | 177948 | None | master: MERGED | glance-specs: Image Signing and Verification Support (I305b2ae86415c8d256c641abb2795af663bee56a) | 2018-02-07 14:29:37 UTC
OpenStack gerrit | 188874 | None | master: MERGED | nova-specs: Nova Support of Glance Image Signing (Ia8e7fcc21d7c15e480facbe30af88cdce2d73159) | 2018-02-07 14:29:29 UTC
OpenStack gerrit | 189843 | None | master: MERGED | nova: Add image signature verification (Iec8561136af7053e9b88eb258d94d1b440c0688a) | 2018-02-07 14:29:22 UTC
OpenStack gerrit | 256069 | None | master: MERGED | nova: Add signature_utils module (I904a7489c8759951daa6c9ffb1cf444822132258) | 2018-02-07 14:29:07 UTC
Red Hat Product Errata | RHEA-2018:2086 | None | None | None | 2018-06-27 13:28:35 UTC

Description Stephen Gordon 2016-09-08 14:03:57 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/nova-support-image-signing.


In order to support Glance's image signing feature, we need to add accompanying functionality to Nova. This will allow Nova to verify signed images before booting and create signed images.

This accompanies the functionality described in the spec here:  https://review.openstack.org/#/c/177948/

Specification URL (additional information):


Comment 2 Stephen Gordon 2016-11-25 14:42:49 UTC
Specification was not approved for Ocata, moving to Pike.

Comment 5 Stephen Gordon 2017-04-20 13:41:57 UTC
Specification moved to Pike based on Barbican dependency for end to end delivery of feature.

Comment 12 Lee Yarwood 2018-03-29 09:22:58 UTC
As discussed, we should also validate the deployment aspect of this RFE by ensuring we use the VerifyGlanceSignatures [1] parameter to enable this on the compute nodes.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L127

Comment 19 errata-xmlrpc 2018-06-27 13:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

