[barbican][nova] booting instance from snapshot or unshelve with image signature verification enabled

Pavlo Shchelokovskyy pshchelokovskyy at mirantis.com
Thu Dec 6 18:02:25 UTC 2018


Hi all,

I am looking at how Nova is integrated with Barbican and am wondering how
the user workflow when booting instance from snapshot should work
(including unshelving a shelved instance) when Nova is set to strictly
verify Glance images' signatures.

Currently Nova strips by default all signature-related image metadata of the
original image when creating a snapshot, and for good reason: as the hash of
the snapshot is definitely not the same as that of the image it was booted
from, the signature of the original image is no longer valid for the snapshot.
Effectively that means that when strict image signature validation is
enabled in Nova, the user can no longer simply boot from that snapshot, and,
even less obviously, cannot unshelve instances the same way as without
signature validation enabled.

So is it expected that the user manually signs her instance snapshots, or is
there some automagic way to do it?
Or is it a known issue / limitation? Unfortunately I couldn't find any
existing bugs or mentions in the docs on that.

Best regards,
-- 
Dr. Pavlo Shchelokovskyy
Principal Software Engineer
Mirantis Inc
www.mirantis.com
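The effect described in the post, modelled as an added example (not code from Nova, Glance or cursive): an image is signed with RSA-PSS/SHA-256 and the result stored in the real Glance properties `img_signature`, `img_signature_hash_method`, `img_signature_key_type` and `img_signature_certificate_uuid`; the Barbican certificate lookup is replaced by a local public key, the certificate UUID is a placeholder, and `snapshot()` is a hypothetical stand-in for Nova's snapshot (content changes, signature properties stripped). It requires the `cryptography` package.

```python
import base64
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Real Glance image properties consumed by signature verification.
SIG_PROPS = ("img_signature", "img_signature_hash_method",
             "img_signature_key_type", "img_signature_certificate_uuid")
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

def sign_image(image_data: bytes, private_key) -> dict:
    """Properties an uploader sets after signing the image content."""
    sig = private_key.sign(image_data, PSS, hashes.SHA256())
    return {
        "img_signature": base64.b64encode(sig).decode(),
        "img_signature_hash_method": "SHA-256",
        "img_signature_key_type": "RSA-PSS",
        # Placeholder: in a real deployment this is the Barbican secret UUID.
        "img_signature_certificate_uuid": "00000000-0000-0000-0000-000000000000",
    }

def verify_image(image_data: bytes, props: dict, public_key, strict: bool) -> bool:
    """Strict mode rejects unsigned images; lenient mode only checks present signatures."""
    if not all(p in props for p in SIG_PROPS):
        return not strict
    try:
        public_key.verify(base64.b64decode(props["img_signature"]),
                          image_data, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def snapshot(image_data: bytes, props: dict):
    """Hypothetical model of a Nova snapshot: content differs, signature props dropped."""
    new_data = image_data + b"\x00guest wrote some blocks"
    return new_data, {k: v for k, v in props.items() if k not in SIG_PROPS}

def demo() -> dict:
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    base = b"constructed-base-image-bytes"          # constructed sample image content
    props = sign_image(base, key)
    snap_data, snap_props = snapshot(base, props)
    return {
        "base_strict": verify_image(base, props, pub, strict=True),
        "snapshot_strict": verify_image(snap_data, snap_props, pub, strict=True),
        "snapshot_lenient": verify_image(snap_data, snap_props, pub, strict=False),
        # Keeping the original signature on the snapshot would not help either.
        "stale_sig_on_snapshot": verify_image(snap_data, props, pub, strict=True),
    }
```

Only the original, unmodified image passes under strict verification; the snapshot fails both with its metadata stripped and with the stale signature carried over, which is the gap the question asks about.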