Add trusted certs to feature support matrix docs
Even though the feature is technically virt driver agnostic, the plumbing happens through the virt drivers, so the feature is only supported by certain virt drivers (libvirt only at the time of this patch).

So this adds a section to the feature support matrix about the trusted certs validation feature.

Also updates the certificate validation user docs based on the nova boot --trusted-image-certificate-id option name in the dependent python-novaclient change.

Depends-On: https://review.openstack.org/500396/

Related to blueprint nova-validate-certificates

Change-Id: Ic5cb4a98c73cc404c7033cf183f25a97aba3c994
parent dc9fb5842c
commit df57c50b2d
@ -70,7 +70,7 @@ Limitations
|
|||||||
``os_compute_api:servers:create:trusted_certs`` and
|
``os_compute_api:servers:create:trusted_certs`` and
|
||||||
``os_compute_api:servers:rebuild:trusted_certs`` policy rules.
|
``os_compute_api:servers:rebuild:trusted_certs`` policy rules.
|
||||||
|
|
||||||
.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html
|
.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_trusted_certs
|
||||||
.. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html
|
.. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html
|
||||||
|
|
||||||
Configuration
|
Configuration
|
||||||
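Review bot: The new target on the `feature support matrix` line hard-codes the fragment `#operation_trusted_certs`, which only resolves if the matrix generator derives exactly that id from the `[operation.trusted-certs]` key added in the last hunk of this patch. Please confirm the rendered anchor in a docs build. A mismatch, or a later rename of the key, leaves a link that silently lands at the top of the matrix page instead of on the trusted certs row.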
@ -152,15 +152,17 @@ Certificate validation is triggered by one of two ways:
|
|||||||
|
|
||||||
Command-Line Flag
|
Command-Line Flag
|
||||||
If booting or rebuilding an instance using the :command:`nova` commands,
|
If booting or rebuilding an instance using the :command:`nova` commands,
|
||||||
use the ``--trusted-image-certificate-ids`` flag to define a comma-delimited
|
use the ``--trusted-image-certificate-id`` flag to define a single trusted
|
||||||
list of trusted certificate IDs. For example:
|
certificate ID. The flag may be used multiple times to specify multiple trusted
|
||||||
|
certificate IDs. For example:
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
$ nova boot myInstanceName \
|
$ nova boot myInstanceName \
|
||||||
--flavor 1 \
|
--flavor 1 \
|
||||||
--image myImageId \
|
--image myImageId \
|
||||||
--trusted-image-certificate-ids 79a6ad17-3298-4e55-8b3a-1672dd93c40f,b20f5600-3c9d-4af5-8f37-3110df3533a0
|
--trusted-image-certificate-id 79a6ad17-3298-4e55-8b3a-1672dd93c40f \
|
||||||
|
--trusted-image-certificate-id b20f5600-3c9d-4af5-8f37-3110df3533a0
|
||||||
|
|
||||||
If booting or rebuilding an instance using the :command:`openstack server` commands,
|
If booting or rebuilding an instance using the :command:`openstack server` commands,
|
||||||
use the ``--trusted-image-certificate-id`` flag to define a single trusted
|
use the ``--trusted-image-certificate-id`` flag to define a single trusted
|
||||||
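Review bot: After the rename, the `nova` paragraph in this hunk opens with the same sentence as the `openstack server` paragraph that follows it ("use the ``--trusted-image-certificate-id`` flag to define a single trusted"). Since both clients now take the same repeatable flag, consider one shared description followed by the two console examples, so the two copies cannot drift apart the next time the option changes.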
@ -651,7 +653,8 @@ Boot the signed image with trusted certificate IDs:
|
|||||||
$ nova boot myInstance \
|
$ nova boot myInstance \
|
||||||
--flavor m1.tiny \
|
--flavor m1.tiny \
|
||||||
--image cirros_client_signedImage \
|
--image cirros_client_signedImage \
|
||||||
--trusted-image-certificate-ids "$cert_ca_uuid,$cert_intermediate_a_uuid,$cert_intermediate_b_uuid"
|
--trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \
|
||||||
|
--trusted-image-certificate-id $cert_intermediate_b_uuid
|
||||||
|
|
||||||
.. note:: The instance should successfully boot and certificate validation
|
.. note:: The instance should successfully boot and certificate validation
|
||||||
should succeed. The Nova log output should indicate that "Image
|
should succeed. The Nova log output should indicate that "Image
|
||||||
|
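Review bot: The first new flag line in this example still passes two comma-joined values, `--trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \`, which contradicts the updated text in the previous hunk saying the flag defines a single trusted certificate ID and is repeated for more. As written, a reader copying this would send one malformed ID rather than two trusted certificates. Suggest three separate `--trusted-image-certificate-id` lines, one per variable. The removed line also quoted its argument and the new lines do not, so consider quoting each variable as well.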
@ -1452,3 +1452,27 @@ driver-impl-ironic=missing
|
|||||||
driver-impl-libvirt-vz-vm=complete
|
driver-impl-libvirt-vz-vm=complete
|
||||||
driver-impl-libvirt-vz-ct=missing
|
driver-impl-libvirt-vz-ct=missing
|
||||||
driver-impl-powervm=missing
|
driver-impl-powervm=missing
|
||||||
|
|
||||||
|
[operation.trusted-certs]
|
||||||
|
title=Validate image with trusted certificates
|
||||||
|
status=optional
|
||||||
|
notes=Since trusted image certification validation is configurable
|
||||||
|
by the cloud deployer it is considered optional. However, it is
|
||||||
|
a virt-agnostic feature so there is no good reason that all virt
|
||||||
|
drivers cannot support the feature since it is mostly just plumbing
|
||||||
|
user requests through the virt driver when downloading images.
|
||||||
|
cli=nova boot --trusted-image-certificate-id ...
|
||||||
|
driver-impl-xenserver=missing
|
||||||
|
driver-impl-libvirt-kvm-x86=complete
|
||||||
|
driver-impl-libvirt-kvm-aarch64=complete
|
||||||
|
driver-impl-libvirt-kvm-ppc64=complete
|
||||||
|
driver-impl-libvirt-kvm-s390x=complete
|
||||||
|
driver-impl-libvirt-qemu-x86=complete
|
||||||
|
driver-impl-libvirt-lxc=complete
|
||||||
|
driver-impl-libvirt-xen=complete
|
||||||
|
driver-impl-vmware=missing
|
||||||
|
driver-impl-hyperv=missing
|
||||||
|
driver-impl-ironic=missing
|
||||||
|
driver-impl-libvirt-vz-vm=complete
|
||||||
|
driver-impl-libvirt-vz-ct=complete
|
||||||
|
driver-impl-powervm=missing
|
||||||
|
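Review bot: In the `notes=` text of the new `[operation.trusted-certs]` section, "trusted image certification validation" should read "trusted image certificate validation" to match the `title=` line and the user docs. The `cli=` line also lists only `nova boot --trusted-image-certificate-id ...`, while the user docs touched in this patch describe the flag for both booting and rebuilding an instance. Consider naming the rebuild command there too so the matrix entry covers both operations.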