openstack/nova
Code Issues Proposed changes

Absolutely-non-inheritable image properties

Browse Source 
Inheritance of image properties from the image an instance was booted
from to an image created from that instance is governed by the
non_inheritable_image_properties configuration option.  However, there
are some image properties (for example, those used for image signature
validation or to reference a cinder encryption key id) which it makes
no sense to inherit under any circumstances.  Additionally,
misconfiguration of the non-inheritable properties can lead to data
loss under the circumstances described in Bug #1852106.  So it would
be better if these properties were not subject to configuration.

The initial set of absolutely non-inheritable image properties
consists of those associated with cinder encryption keys and image
signature validation.

Change-Id: I4332b9c343b6c2b50226baa8f78396c2012dabd1
Closes-bug: #1852106
This commit is contained in:
Brian Rosmaita
2020-02-13 11:09:08 -05:00
parent 1fcd74730d
commit bc29084012
4 changed files with 103 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
nova/conf/compute.py
View File

@@ -55,9 +55,7 @@ the same host to the destination options. Also set to true
if you allow the ServerGroupAffinityFilter and need to resize.
"""),
cfg.ListOpt('non_inheritable_image_properties',
default=['cache_in_nova', 'bittorrent',
'img_signature_hash_method', 'img_signature',
'img_signature_key_type', 'img_signature_certificate_uuid'],
default=['cache_in_nova', 'bittorrent'],
help="""
Image properties that should not be inherited from the instance
when taking a snapshot.
@@ -65,15 +63,25 @@ when taking a snapshot.
This option gives an opportunity to select which image-properties
should not be inherited by newly created snapshots.
.. note::
The following image properties are *never* inherited regardless of
whether they are listed in this configuration option or not:
* cinder_encryption_key_id
* cinder_encryption_key_deletion_policy
* img_signature
* img_signature_hash_method
* img_signature_key_type
* img_signature_certificate_uuid
Possible values:
* A comma-separated list whose item is an image property. Usually only
the image properties that are only needed by base images can be included
here, since the snapshots that are created from the base images don't
need them.
* Default list: cache_in_nova, bittorrent, img_signature_hash_method,
img_signature, img_signature_key_type,
img_signature_certificate_uuid
* Default list: cache_in_nova, bittorrent
"""),
cfg.IntOpt('max_local_block_devices',