[openstack-dev] [nova] Concern about trusted certificates API change

Matt Riedemann mriedemos at gmail.com
Wed Apr 18 17:14:56 UTC 2018


On 4/18/2018 12:09 PM, Chris Friesen wrote:
> If this happens, is it clear to the end-user that the reason the boot 
> failed is that the cloud doesn't support trusted cert IDs for 
> boot-from-vol?  If so, then I think that's totally fine.

If you're creating an image-backed server and requesting specific 
trusted certs, you'll get by the API but could land on a compute host 
that doesn't support image validation, like any non-libvirt driver, and 
at that point the trusted certs request is ignored.

We could fix that the same way I've proposed we fix it for boot from 
volume with multiattach volumes in that the compute node resource 
provider would have a trait on it for the capability, and we'd add a 
placement request filter that detects, from the RequestSpec, that you're 
trying to do this specific thing that requires a compute that supports 
that capability, otherwise you get NoValidHost.

-- 

Thanks,

Matt
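
Added example, not part of the original message and not Nova code: a toy model of the trait-plus-request-filter approach described above, showing a trusted certs request failing with NoValidHost instead of being silently ignored. The trait name, classes, function names and sample hosts are all hypothetical.

```python
"""Toy model of trait-based scheduling; not Nova code. All names are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical trait name standing in for "this compute can validate images
# against trusted certificates".
TRUSTED_CERTS_TRAIT = "EXAMPLE_COMPUTE_TRUSTED_CERTS"


class NoValidHost(Exception):
    """Raised when no compute node satisfies the request."""


@dataclass
class ComputeNode:
    name: str
    traits: frozenset


@dataclass
class RequestSpec:
    image_id: str
    trusted_certs: tuple = ()
    required_traits: set = field(default_factory=set)


def trusted_certs_request_filter(spec):
    """Request filter: turn a trusted-certs request into a required trait."""
    if spec.trusted_certs:
        spec.required_traits.add(TRUSTED_CERTS_TRAIT)
        return True
    return False


def select_host(spec, nodes, filters=(trusted_certs_request_filter,)):
    """Run request filters, then return the first node with all required traits."""
    for request_filter in filters:
        request_filter(spec)
    for node in nodes:
        if spec.required_traits <= node.traits:
            return node
    raise NoValidHost(f"no host provides {sorted(spec.required_traits)}")


# Constructed sample inventory: one driver without image validation, one with.
NODES_MIXED = [
    ComputeNode("ironic-1", frozenset()),
    ComputeNode("libvirt-1", frozenset({TRUSTED_CERTS_TRAIT})),
]
NODES_UNSUPPORTED = NODES_MIXED[:1]
```

Calling select_host with filters=() reproduces the behaviour described in the first paragraph: the request lands on a host that cannot validate the image and the certs are ignored.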


