[openstack-dev] [glance] [nova] Verification of glance images before boot

Maish Saidel-Keesing maishsk at maishsk.com
Wed Sep 9 14:56:31 UTC 2015


How can I know that the image that a new instance is spawned from - is 
actually the image that was originally registered in glance - and has 
not been maliciously tampered with in some way?

Is there some kind of verification that is performed against the md5sum 
of the registered image in glance before a new instance is spawned?

Is that done by Nova?
Glance?
Both? Neither?

The reason I ask is some 'paranoid' security (that is their job I 
suppose) people have raised these questions.

I know there is a glance BP already merged for L [1] - but I would like 
to understand the actual flow in a bit more detail.

Thanks.

[1] https://blueprints.launchpad.net/glance/+spec/image-signing-and-verification-support

-- 
Best Regards,
Maish Saidel-Keesing


