conf: Do not inherit image signature props with snapshots

All image signature properties should not be inherited from the metadata
of the original image when creating a snapshot of an instance. Otherwise
Glance will attempt to verify the signature of the snapshot image and
fail as this has changed from that of the original.

Closes-bug: #1737513
Change-Id: Ia3d80bf2f81c7317fec117aecbc3c560d51a7d4e

nova/conf/compute.py

@@ -54,7 +54,9 @@ the same host to the destination options. Also set to true
 if you allow the ServerGroupAffinityFilter and need to resize.
 """),
     cfg.ListOpt('non_inheritable_image_properties',
-        default=['cache_in_nova', 'bittorrent'],
+        default=['cache_in_nova', 'bittorrent',
+                 'img_signature_hash_method', 'img_signature',
+                 'img_signature_key_type', 'img_signature_certificate_uuid'],
         help="""
 Image properties that should not be inherited from the instance
 when taking a snapshot.
@@ -68,7 +70,10 @@ Possible values:
   the image properties that are only needed by base images can be included
   here, since the snapshots that are created from the base images don't
   need them.
-* Default list: cache_in_nova, bittorrent
+* Default list: cache_in_nova, bittorrent, img_signature_hash_method,
+                img_signature, img_signature_key_type,
+                img_signature_certificate_uuid
+
 """),
     cfg.StrOpt('multi_instance_display_name_template',
         default='%(name)s-%(count)d',

nova/tests/unit/compute/test_compute_api.py

@@ -2661,10 +2661,9 @@ class _ComputeAPIUnitTestMixIn(object):
         instance = self._create_instance_obj(params=params)
         instance.vm_state = instance_vm_state
 
-        # 'cache_in_nova' is for testing non-inheritable properties
-        # 'user_id' should also not be carried from sys_meta into
-        # image property...since it should be set explicitly by
-        # _create_image() in compute api.
+        # Test non-inheritable properties, 'user_id' should also not be
+        # carried from sys_meta into image property...since it should be set
+        # explicitly by _create_image() in compute api.
         fake_image_meta = {
             'is_public': True,
             'name': 'base-name',
@@ -2675,6 +2674,11 @@ class _ComputeAPIUnitTestMixIn(object):
                 'foo': 'bar',
                 'blah': 'bug?',
                 'cache_in_nova': 'dropped',
+                'bittorrent': 'dropped',
+                'img_signature_hash_method': 'dropped',
+                'img_signature': 'dropped',
+                'img_signature_key_type': 'dropped',
+                'img_signature_certificate_uuid': 'dropped'
             },
         }
         image_type = is_snapshot and 'snapshot' or 'backup'

releasenotes/notes/default-non-inheritable-image-properties-dfd13ba3b09278dd.yaml

@@ -0,0 +1,10 @@
+---
+upgrade:
+  - |
+    The default list of non-inherited image properties to pop when creating a
+    snapshot has been extended to include image signature properties. The
+    properties ``img_signature_hash_method``, ``img_signature``,
+    ``img_signature_key_type`` and ``img_signature_certificate_uuid`` are no
+    longer inherited by the snapshot image as they would otherwise result in
+    a Glance attempting to verify the snapshot image with the signature of the
+    original.