conf: Do not inherit image signature props with snapshots

None of the image signature properties should be inherited from the metadata
of the original image when creating a snapshot of an instance. Otherwise
Glance will attempt to verify the signature of the snapshot image and
fail as this has changed from that of the original.

Closes-bug: #1737513
Change-Id: Ia3d80bf2f81c7317fec117aecbc3c560d51a7d4e
Lee Yarwood 2017-12-11 10:08:34 +00:00
parent e66fc365c8
commit 82c823bcec
3 changed files with 25 additions and 6 deletions


@ -54,7 +54,9 @@ the same host to the destination options. Also set to true
if you allow the ServerGroupAffinityFilter and need to resize.
"""),
cfg.ListOpt('non_inheritable_image_properties',
default=['cache_in_nova', 'bittorrent'],
default=['cache_in_nova', 'bittorrent',
'img_signature_hash_method', 'img_signature',
'img_signature_key_type', 'img_signature_certificate_uuid'],
help="""
Image properties that should not be inherited from the instance
when taking a snapshot.
@ -68,7 +70,10 @@ Possible values:
the image properties that are only needed by base images can be included
here, since the snapshots that are created from the base images don't
need them.
* Default list: cache_in_nova, bittorrent
* Default list: cache_in_nova, bittorrent, img_signature_hash_method,
img_signature, img_signature_key_type,
img_signature_certificate_uuid
"""),
cfg.StrOpt('multi_instance_display_name_template',
default='%(name)s-%(count)d',
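Review bot: Extending only the `default=` of `non_inheritable_image_properties` leaves any deployment that sets this option explicitly in its configuration still copying the four `img_signature*` properties onto snapshots, so the verification failure described in the commit message would presumably persist there. A signature computed over the base image cannot be valid for the snapshot's data, so it may be safer to strip these keys unconditionally in the snapshot-creation path (not visible in this hunk) rather than rely on an operator-editable list. At minimum the help text should say why they are listed, for example `* The img_signature* properties describe the base image data and must never be copied to a snapshot`, so operators who override the list know to keep them.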


@ -2661,10 +2661,9 @@ class _ComputeAPIUnitTestMixIn(object):
instance = self._create_instance_obj(params=params)
instance.vm_state = instance_vm_state
# 'cache_in_nova' is for testing non-inheritable properties
# 'user_id' should also not be carried from sys_meta into
# image property...since it should be set explicitly by
# _create_image() in compute api.
# Test non-inheritable properties, 'user_id' should also not be
# carried from sys_meta into image property...since it should be set
# explicitly by _create_image() in compute api.
fake_image_meta = {
'is_public': True,
'name': 'base-name',
@ -2675,6 +2674,11 @@ class _ComputeAPIUnitTestMixIn(object):
'foo': 'bar',
'blah': 'bug?',
'cache_in_nova': 'dropped',
'bittorrent': 'dropped',
'img_signature_hash_method': 'dropped',
'img_signature': 'dropped',
'img_signature_key_type': 'dropped',
'img_signature_certificate_uuid': 'dropped'
},
}
image_type = is_snapshot and 'snapshot' or 'backup'
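Review bot: The new fixture entries mark the signature properties and `bittorrent` as `'dropped'`, but the assertion proving they are absent from the created image's properties is not visible in this hunk; the test method starts and ends outside it. Please confirm that the expected-properties comparison further down fails if any `img_signature*` key leaks through, rather than only checking the keys that are expected to be present. As a style point, end the last entry with a trailing comma, `'img_signature_certificate_uuid': 'dropped',`, so the next property added is a one-line diff.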


@ -0,0 +1,10 @@
---
upgrade:
- |
The default list of non-inherited image properties to pop when creating a
snapshot has been extended to include image signature properties. The
properties ``img_signature_hash_method``, ``img_signature``,
``img_signature_key_type`` and ``img_signature_certificate_uuid`` are no
longer inherited by the snapshot image as they would otherwise result in
a Glance attempting to verify the snapshot image with the signature of the
original.