Openstack Glance image signature and validation for upload and boot controls?

S Andronic sandronic888 at
Wed Oct 20 12:24:26 UTC 2021


I have a question in regards to Openstack Glance and if I got it right
this can be a place to ask, if I am wrong please kindly point me in the
 right direction.

 When you enable Image Signing and Certificate Validation in nova.conf:
 verify_glance_signatures = True
 enable_certificate_validation = True

 Will this stop users from uploading unsigned images or using unsigned
  images to spin up instances?

 Intuitively I feel that it will enforce checks only if the signature
 property exists, but what if it doesn't?

 Does it control in any way unsigned images?
 Does it stop users from uploading or using anything unsigned?
 Would an image without the signing properties just be rejected?

 If this feature doesn't stop the use of unsigned images as a security
 control what is the logic behind it then?

 Is this meant not to stop users from using unsigned images but such
 that people who do use signed images have verification for their code?

 So if the goal is to stop people from using random images and image
 signing and validation is not the answer what would be?

 Kind Regards,
 S. Andronic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openstack-discuss mailing list