When image properties contain "signature_verified" field, create volume from image will fail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | New | Wishlist | Unassigned |
Bug Description
If cinder enables image signature verification, image properties contain "signature_
image info:
()[root@
+------
| Property | Value |
+------
| checksum | d0f846e407a2f32
| container_format | bare |
| created_at | 2022-04-
| description | |
| disk_format | raw |
| hw_architecture | aarch64 |
| hw_live_resize | no |
| hw_qemu_guest_agent | no |
| id | ec3e1627-
| img_hv_type | qemu |
| locations | [{"url": "rbd://
| | a2a1-cca34cf119
| min_disk | 10 |
| min_ram | 1024 |
| name | harbor |
| os_distro | CentOS |
| owner | e984347370664db
| protected | False |
| signature_verified | False |
| size | 10737418240 |
| status | active |
| tags | [] |
| updated_at | 2022-04-
| virtual_size | None |
| visibility | private |
+------
cinder create volume from image fail log:
2022-04-15 15:25:53.475 134 ERROR oslo_messaging.
Changed in cinder: status: Invalid → New
Greetings zhuyuhao,
This is the expected behavior from cinder.
You could disable image signature verification on cinder.conf. However, be careful of the security impact of that decision because Cinder currently lacks a mechanism to validate images prior to creating volumes from them[1].
Cheers,
[1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html