[openstack-dev] [nova] Concern about trusted certificates API change
Jay Pipes
jaypipes at gmail.com
Wed Apr 18 16:57:43 UTC 2018
On 04/18/2018 12:41 PM, Matt Riedemann wrote:
> There is a compute REST API change proposed [1] which will allow users
> to pass trusted certificate IDs to be used with validation of images
> when creating or rebuilding a server. The trusted cert IDs are based on
> certificates stored in some key manager, e.g. Barbican.
>
> The full nova spec is here [2].
>
> The main concern I have is that trusted certs will not be supported for
> volume-backed instances, and some clouds only support volume-backed
> instances.
Yes. And some clouds only support the VMware vCenter virt driver. And some
only support Hyper-V. I don't believe we should delay adding good
functionality to (a large percentage of) clouds because it doesn't yet
work with one virt driver or one piece of (badly-designed) functionality.
> The way the patch is written is that if the user attempts to
> boot from volume with trusted certs, it will fail.
And... I think that's perfectly fine.
> In thinking about a semi-discoverable/configurable solution, I'm
> thinking we should add a policy rule around trusted certs to indicate if
> they can be used or not. Beyond the boot from volume issue, the only
> virt driver that supports trusted cert image validation is the libvirt
> driver, so any cloud that's not using the libvirt driver simply cannot
> support this feature, regardless of boot from volume. We have added
> similar policy rules in the past for backend-dependent features like
> volume extend and volume multi-attach, so I don't think this is a new
> issue.
>
> Alternatively we can block the change in nova until it supports boot
> from volume, but that would mean needing to add trusted cert image
> validation support into cinder along with API changes, effectively
> killing the chance of this getting done in nova in Rocky, and this
> blueprint has been around since at least Ocata so it would be good to
> make progress if possible.
As mentioned above, I don't want to derail progress until (if ever?)
trusted certs achieves this magical
works-for-every-driver-and-functionality state. It's not realistic to
expect this to be done, IMHO, and just keeps good functionality out of
the hands of many cloud users.
Just my 2 cents.
-jay
> [1] https://review.openstack.org/#/c/486204/
> [2]
> https://specs.openstack.org/openstack/nova-specs/specs/rocky/approved/nova-validate-certificates.html
>
>