Bug 1964919 - [RFE] Create signed image snapshot of VM created from a signed image using barbican
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 16.1 (Train)
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: OSP DFG:Compute
QA Contact: OSP DFG:Compute
Reported: 2021-05-26 10:53 UTC by Rohini Diwakar
Modified: 2023-03-21 19:43 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | OSP-4164 | 0 | None | None | None | 2022-08-02 14:16:35 UTC

Description Rohini Diwakar 2021-05-26 10:53:28 UTC
Description of problem:
With Barbican enabled for OpenStack as the image signing service, at the moment it is not possible to create a signed image snapshot from a VM which was originally created from a signed image.

This is because of the config option "non_inheritable_image_properties", which doesn't propagate the signature-related metadata of the original image to a snapshot image of the virtual machine.

Comment 4 Cyril Roelandt 2021-08-04 16:07:49 UTC
> So, in order to create a VM, this snapshot has to be downloaded, signed and then uploaded to glance, which is not a straightforward approach.


Yes, this seems like the current approach, see also https://bugzilla.redhat.com/show_bug.cgi?id=1969888#c30 .


This involves nova, glance, barbican and cursive. I'm not sure how hard it would be to improve the process. I am going to retarget this to Nova because everything starts with the user creating a snapshot, but this might involve changes in multiple components.

