Fix "signature_verified" metadata propagation to images

The property "signature_verified" is added by cinder to volumes created from images. That property is propagated to glance when images are created from such volumes. Later, when creating volumes from such images again, the image property conflicts with cinder trying to add the property again. The solution is to never propagate such cinder property in the first place. Closes-bug: #1823445 Change-Id: Id46877e490b17c00ba1cf8cf312dd2f456760a23 (cherry picked from commit c65f43cb989f7e1ad5a8b999e6f3e266cddb36ee)
2024-10-23 12:51:19 -03:00 · 2024-10-23 12:51:19 -03:00 · 9dbf2967be
commit 9dbf2967be
parent 7801086b91
3 changed files with 17 additions and 6 deletions
--- a/cinder/image/image_utils.py
+++ b/cinder/image/image_utils.py
@ -102,9 +102,9 @@ image_opts = [
                     'an operator has configured glance property protections '
                     'to make some image properties read-only. Cinder will '
                     '*always* filter out image metadata in the namespaces '
-                     '`os_glance` and `img_signature`; this configuration '
-                     'option allows operators to specify *additional* '
-                     'namespaces to be excluded.',
+                     '`os_glance`, `img_signature` and `signature_verified`; '
+                     'this configuration option allows operators to specify '
+                     '*additional* namespaces to be excluded.',
                default=[]),
 ]

@ -128,7 +128,8 @@ QEMU_IMG_VERSION = None

 COMPRESSIBLE_IMAGE_FORMATS = ('qcow2',)

-GLANCE_RESERVED_NAMESPACES = ["os_glance", "img_signature"]
+GLANCE_RESERVED_NAMESPACES = ["os_glance", "img_signature",
+                              "signature_verified"]


 def validate_stores_id(context: context.RequestContext,
--- a/cinder/tests/unit/test_image_utils.py
+++ b/cinder/tests/unit/test_image_utils.py
@ -2765,7 +2765,7 @@ class TestFilterReservedNamespaces(test.TestCase):
    @ddt.unpack
    def test_filter_out_reserved_namespaces_metadata(
            self, metadata_for_test, config, keys_to_pop):
-        hardcoded_keys = ['os_glance', "img_signature"]
+        hardcoded_keys = image_utils.GLANCE_RESERVED_NAMESPACES

        keys_to_pop = hardcoded_keys + keys_to_pop

@ -2825,7 +2825,7 @@ class TestFilterReservedNamespaces(test.TestCase):
    @ddt.unpack
    def test_filter_out_reserved_namespaces_metadata_properties(
            self, metadata_for_test, config, keys_to_pop):
-        hardcoded_keys = ['os_glance', "img_signature"]
+        hardcoded_keys = image_utils.GLANCE_RESERVED_NAMESPACES

        keys_to_pop = hardcoded_keys + keys_to_pop

--- a/releasenotes/notes/bug-1823445-c47c25870a98335a.yaml
+++ b/releasenotes/notes/bug-1823445-c47c25870a98335a.yaml
@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixed the volume property `signature_verified` propagating to images created
+    from volumes. That property could later conflict with the same property being
+    added again when creating a new volume from such image, preventing the volume
+    from being created successfully. This volume property is created whenever a
+    volume is created from an image for the purpose of indicating that the image
+    signature was verified on creation, and was not intended to be propagated
+    further if a new image is created from such volume.