Image data stays in backend if image signature verification fails
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | High | Abhishek Kekane | |
Queens | Fix Released | High | Abhishek Kekane | |
Bug Description
If image signature verification is enabled, then while creating the image, if verification fails, it returns a valid error and deletes the image from the database, but the image data stays in the backend forever.
Ideally, if image verification fails, it should delete the data from the backend as well.
Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference https:/
3. Create Signature (Reference https:/
4. Create context and upload certificate using context (Reference https:/
Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
img_
img_
img_
img_signature = 'ezccBYtJEdj2gO
$ glance image-create --property name=cirrosSign
Note:
'img_signature' starts with 'ezcc...' but in create command I have passed as 'abcd..'
Actual Output:
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2017-12-
| disk_format | qcow2 |
| id | 6e8bec71-
| img_signature | abcdBYtJEdj2gOr
| | BKeYqK0+
| | bsqW6d/obgM= |
| img_signature_
| img_signature_
| img_signature_
| is-public | true |
| min_disk | 0 |
| min_ram | 0 |
| name | cirrosSignedIma
| owner | 4f186fe25c934ee
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-12-
| virtual_size | None |
| visibility | shared |
+------
$ 400 Bad Request: Signature verification failed for image 6e8bec71-
Expected Output:
$ 400 Bad Request: Signature verification failed for image 6e8bec71-
NOTE: Image data stays in backend
$ ls -lah /opt/stack/
total 15M
drwxr-xr-x. 2 centos centos 270 Dec 5 07:04 .
drwxr-xr-x. 5 centos centos 46 Dec 5 04:42 ..
-rw-r--r--. 1 centos centos 420K Dec 5 07:04 6e8bec71-
Glance-api logs:
Dec 05 07:04:38 signature-
Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Changed in glance:
status: New → Triaged
importance: Undecided → High
milestone: none → queens-3
tags: added: queens-backport-potential
Changed in glance:
milestone: queens-3 → rocky-1
tags: removed: queens-backport-potential
Change proposed to master: https://review.openstack.org/#/c/529083/
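
The failure mode in this report, sketched as an added example (not Glance's code and not the proposed fix): image data reaches the backend before verification can fail, so the failure path has to delete it as well as the database record. `MemoryStore`, `upload_image` and the `cleanup` flag are hypothetical names, and HMAC-SHA256 stands in for the certificate-based signature check.

```python
import hashlib
import hmac


class SignatureVerificationError(Exception):
    """Raised when uploaded data does not match the declared signature."""


class MemoryStore:
    """Constructed stand-in for an image store backend (hypothetical)."""

    def __init__(self):
        self.blobs = {}

    def add(self, image_id, chunks, verifier):
        # Data is written while the verifier is fed, so the blob already
        # exists in the backend by the time verification can fail.
        data = bytearray()
        for chunk in chunks:
            verifier.update(chunk)
            data.extend(chunk)
        self.blobs[image_id] = bytes(data)

    def delete(self, image_id):
        self.blobs.pop(image_id, None)


def upload_image(store, db, image_id, chunks, key, declared_sig, cleanup=True):
    """Store image data, verify it, and roll back DB and backend on failure."""
    db.add(image_id)
    # Assumption: HMAC-SHA256 replaces the real certificate-based check here.
    verifier = hmac.new(key, digestmod=hashlib.sha256)
    store.add(image_id, chunks, verifier)
    if not hmac.compare_digest(verifier.digest(), declared_sig):
        db.discard(image_id)        # the report says this already happens
        if cleanup:
            store.delete(image_id)  # the missing step: drop the orphaned data
        raise SignatureVerificationError(
            "Signature verification failed for image %s" % image_id)
    return image_id
```

Calling `upload_image` with `cleanup=False` reproduces the reported state: the record is gone from `db` while the blob remains in `store.blobs`.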