conf: Do not inherit image signature props with snapshots

Image signature properties should not be inherited from the metadata
of the original image when creating a snapshot of an instance. Otherwise
Glance will attempt to verify the signature of the snapshot image and
fail, as the signature of the snapshot differs from that of the original.

Closes-bug: #1737513
Change-Id: Ia3d80bf2f81c7317fec117aecbc3c560d51a7d4e
Lee Yarwood 2017-12-11 10:08:34 +00:00
parent e66fc365c8
commit 82c823bcec
3 changed files with 25 additions and 6 deletions


@ -54,7 +54,9 @@ the same host to the destination options. Also set to true
if you allow the ServerGroupAffinityFilter and need to resize. if you allow the ServerGroupAffinityFilter and need to resize.
"""), """),
cfg.ListOpt('non_inheritable_image_properties', cfg.ListOpt('non_inheritable_image_properties',
default=['cache_in_nova', 'bittorrent'], default=['cache_in_nova', 'bittorrent',
'img_signature_hash_method', 'img_signature',
'img_signature_key_type', 'img_signature_certificate_uuid'],
help=""" help="""
Image properties that should not be inherited from the instance Image properties that should not be inherited from the instance
when taking a snapshot. when taking a snapshot.
@ -68,7 +70,10 @@ Possible values:
the image properties that are only needed by base images can be included the image properties that are only needed by base images can be included
here, since the snapshots that are created from the base images don't here, since the snapshots that are created from the base images don't
need them. need them.
* Default list: cache_in_nova, bittorrent * Default list: cache_in_nova, bittorrent, img_signature_hash_method,
img_signature, img_signature_key_type,
img_signature_certificate_uuid
"""), """),
cfg.StrOpt('multi_instance_display_name_template', cfg.StrOpt('multi_instance_display_name_template',
default='%(name)s-%(count)d', default='%(name)s-%(count)d',
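Review bot: The extended default only reaches deployments that have not set `non_inheritable_image_properties` themselves. A value set in nova.conf replaces the whole list, so those deployments keep copying the `img_signature*` properties onto snapshots and keep hitting the Glance verification failure. The help text in the second hunk should say so, for example with `* If you override this option, keep the four img_signature* properties in the list.` after the default list. The help text could also state that snapshots are now created without signature metadata. A deployment that enforces signature verification at boot will presumably have to sign a snapshot again before using it, though that depends on code outside this diff.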


@ -2661,10 +2661,9 @@ class _ComputeAPIUnitTestMixIn(object):
instance = self._create_instance_obj(params=params) instance = self._create_instance_obj(params=params)
instance.vm_state = instance_vm_state instance.vm_state = instance_vm_state
# 'cache_in_nova' is for testing non-inheritable properties # Test non-inheritable properties, 'user_id' should also not be
# 'user_id' should also not be carried from sys_meta into # carried from sys_meta into image property...since it should be set
# image property...since it should be set explicitly by # explicitly by _create_image() in compute api.
# _create_image() in compute api.
fake_image_meta = { fake_image_meta = {
'is_public': True, 'is_public': True,
'name': 'base-name', 'name': 'base-name',
@ -2675,6 +2674,11 @@ class _ComputeAPIUnitTestMixIn(object):
'foo': 'bar', 'foo': 'bar',
'blah': 'bug?', 'blah': 'bug?',
'cache_in_nova': 'dropped', 'cache_in_nova': 'dropped',
'bittorrent': 'dropped',
'img_signature_hash_method': 'dropped',
'img_signature': 'dropped',
'img_signature_key_type': 'dropped',
'img_signature_certificate_uuid': 'dropped'
}, },
} }
image_type = is_snapshot and 'snapshot' or 'backup' image_type = is_snapshot and 'snapshot' or 'backup'
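Review bot: The rewritten comment above `fake_image_meta` no longer says which keys exercise the non-inheritable path, and nothing next to the four `img_signature*` entries explains why they must be dropped. A one-line comment above the new entries would keep that regression guard understandable, e.g. `# img_signature*: the snapshot no longer matches the base image's signature (bug #1737513)`. The last new entry, `'img_signature_certificate_uuid': 'dropped'`, should also end with a trailing comma so the next addition does not touch that line. The test method starts and ends outside these hunks, so the assertion that checks the dropped keys is not visible here.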


@ -0,0 +1,10 @@
---
upgrade:
- |
The default list of non-inherited image properties to pop when creating a
snapshot has been extended to include image signature properties. The
properties ``img_signature_hash_method``, ``img_signature``,
``img_signature_key_type`` and ``img_signature_certificate_uuid`` are no
longer inherited by the snapshot image as they would otherwise result in
a Glance attempting to verify the snapshot image with the signature of the
original.