Bug 1523263 - [RFE] Make image verification optional per boot request
Summary: [RFE] Make image verification optional per boot request
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 14.0 (Rocky)
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: Upstream M2
: ---
Assignee: OSP DFG:Compute
QA Contact: OSP DFG:Compute
URL:
Whiteboard:
Depends On: 1374375
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-07 14:38 UTC by Lee Yarwood
Modified: 2023-03-21 18:43 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-30 16:46:39 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 312225 0 None None None 2017-12-07 14:38:47 UTC

Description Lee Yarwood 2017-12-07 14:38:48 UTC 
Description of problem:

The initial Nova implementation for image signature verification introduced a single configurable of `verify_glance_signatures` to either enable or disable the feature across _all_ instance boot requests.

https://bugzilla.redhat.com/show_bug.cgi?id=1374375

https://review.openstack.org/#/q/topic:bp/nova-support-image-signing+(status:open+OR+status:merged)

While a useful starting point it would be much more useful if this could be controlled per boot request. A spec was drafted in Pike to allow this but not implemented:

https://review.openstack.org/#/q/topic:bp/nova-api-option-signatures+(status:open+OR+status:merged)
Comment 3 Stephen Finucane 2019-09-30 16:46:39 UTC 
While this is valid request, it's been around for some time with no attached customer case. At this point, I think it's best that we close as DEFERRED. If a customer comes forward with a request for this feature, we can reopen.
Note You need to log in before you can comment on or make changes to this bug.