[openstack-dev] [nova] Concern about trusted certificates API change
Chris Friesen
chris.friesen at windriver.com
Wed Apr 18 17:09:54 UTC 2018
On 04/18/2018 10:57 AM, Jay Pipes wrote:
> On 04/18/2018 12:41 PM, Matt Riedemann wrote:
>> There is a compute REST API change proposed [1] which will allow users to pass
>> trusted certificate IDs to be used with validation of images when creating or
>> rebuilding a server. The trusted cert IDs are based on certificates stored in
>> some key manager, e.g. Barbican.
>>
>> The full nova spec is here [2].
>>
>> The main concern I have is that trusted certs will not be supported for
>> volume-backed instances, and some clouds only support volume-backed instances.
>
> Yes. And some clouds only support VMWare vCenter virt driver. And some only
> support Hyper-V. I don't believe we should delay adding good functionality to
> (large percentage of) clouds because it doesn't yet work with one virt driver or
> one piece of (badly-designed) functionality.
>
>> The way the patch is written is that if the user attempts to
>> boot from volume with trusted certs, it will fail.
>
> And... I think that's perfectly fine.
If this happens, is it clear to the end-user that the reason the boot failed is
that the cloud doesn't support trusted cert IDs for boot-from-vol? If so, then
I think that's totally fine.
If the error message is unclear, then maybe we should just improve it.
Chris