Public bug reported:

https://bugs.launchpad.net/bugs/1785668

Title: nova-compute doesn't check image signature if imagecache exists
Status in OpenStack Compute (nova): New

** Affects: nova
     Importance: Undecided
         Status: New

Bug description:

Description
===========
nova-compute doesn't verify the image signature/certificate in the Barbican component if a local imagecache exists for this image on the compute node.

Steps to reproduce
==================
Preconditions: Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. The environment has 1 compute node (to simplify the case).

* Create a signed glance image. Please follow https://docs.openstack.org/glance/pike/user/signature.html
* Create a separate project and a user with the "member" role in it.
* Log in as the member user and try to boot a VM from your signed image.
  Actual and expected result: VM is not booted.
  Error: Server <ID> failed to build and is in ERROR status
  Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-07-18T15:53:15Z'}
* Log in as admin. Boot a VM from the image.
  Actual and expected result: VM is Active.
* Log in as the member user again. Boot a VM from the image.
  Actual result: VM is Active.
  Expected result: The user doesn't have enough rights to boot the VM, because the image cannot be verified (the certificate cannot be retrieved from Barbican). However, since the compute node has an imagecache of this image, nova-compute boots the VM.

On the compute node:

ls -la /var/lib/nova/instances/_base/
total 38424
drwxr-xr-x 2 nova         nova      4096 Aug 5 17:12 .
drwxr-xr-x 7 nova         nova      4096 Aug 6 16:34 ..
-rw-r--r-- 1 libvirt-qemu kvm   41126400 Aug 6 16:32 5dfc15a8b8ab3ac68ff5d442fed2564adbaa4149

Environment
===========
Openstack Pike,
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+dfsg-1.4~u16.04
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04
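The sequence in the report (member boot fails, admin boot warms the cache, member boot then succeeds) comes down to where the verification step sits relative to the cache lookup. The following is an added example, not code from the bug report or from Nova itself: it models the compute node's _base cache, a stand-in Barbican that enforces a per-project ACL on the signing certificate, and two fetch paths, one that short-circuits on a cache hit (the behaviour reported) and one that re-verifies in the requester's context on every boot. HMAC-SHA256 stands in for the certificate-based verification Nova delegates to the cursive library; the cert and image IDs, key and image bytes are constructed placeholders. The cache file name uses the same scheme as Nova's _base entries (SHA-1 of the image ID), which is why the listing above shows a 40-character hex name. The Glance property names `img_signature` and `img_signature_certificate_uuid` are the real ones.

```python
import hashlib
import hmac


class CertNotRetrievable(Exception):
    """Raised when the requester cannot fetch the signing certificate."""


class SignatureInvalid(Exception):
    """Raised when the image bytes do not match the stored signature."""


class FakeBarbican:
    """Constructed stand-in for Barbican: each certificate carries an ACL of
    project IDs allowed to read it, which is what makes the member user's
    first boot fail in the report."""

    def __init__(self):
        self._certs = {}

    def store(self, cert_id, key, allowed_projects):
        self._certs[cert_id] = {"key": key, "acl": set(allowed_projects)}

    def get(self, cert_id, project_id):
        cert = self._certs.get(cert_id)
        if cert is None or project_id not in cert["acl"]:
            raise CertNotRetrievable(
                "Unable to retrieve certificate with ID: %s" % cert_id)
        return cert["key"]


def cache_fname(image_id):
    """Nova names _base entries by the SHA-1 hex digest of the image ID."""
    return hashlib.sha1(image_id.encode("utf-8")).hexdigest()


def verify_signature(image_bytes, meta, barbican, project_id):
    """Verify the image against its Glance signature properties. HMAC-SHA256
    stands in here for the real RSA/ECC verification (assumption)."""
    key = barbican.get(meta["img_signature_certificate_uuid"], project_id)
    expected = hmac.new(key, image_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta["img_signature"]):
        raise SignatureInvalid("Signature verification for the image failed")


def fetch_cache_first(image_id, project_id, glance, barbican, cache):
    """Behaviour the report describes: a cache hit skips the whole download
    path, so neither the signature check nor the cert access check runs."""
    name = cache_fname(image_id)
    if name in cache:
        return cache[name]
    data, meta = glance[image_id]
    verify_signature(data, meta, barbican, project_id)
    cache[name] = data
    return data


def fetch_verify_always(image_id, project_id, glance, barbican, cache):
    """Hardened form: the cache only saves the download. Signature metadata is
    re-read and the signature checked in the requester's context every boot."""
    name = cache_fname(image_id)
    fresh_data, meta = glance[image_id]
    data = cache[name] if name in cache else fresh_data
    verify_signature(data, meta, barbican, project_id)
    cache[name] = data
    return data


def reproduce(fetch):
    """Replay the report's sequence (member, admin, member) on one compute
    node and return the three boot outcomes."""
    barbican = FakeBarbican()
    key = b"constructed-signing-key"
    cert_id = "cert-0000"                       # placeholder, not a real UUID
    barbican.store(cert_id, key, allowed_projects={"admin-project"})

    image_id = "image-0000"                     # placeholder, not a real UUID
    image_bytes = b"constructed disk image contents"
    glance = {image_id: (image_bytes, {
        "img_signature": hmac.new(key, image_bytes, hashlib.sha256).hexdigest(),
        "img_signature_certificate_uuid": cert_id,
    })}
    cache = {}                                  # the node's _base directory

    outcomes = []
    for project in ("member-project", "admin-project", "member-project"):
        try:
            fetch(image_id, project, glance, barbican, cache)
            outcomes.append("ACTIVE")
        except (CertNotRetrievable, SignatureInvalid):
            outcomes.append("ERROR")
    return tuple(outcomes)


if __name__ == "__main__":
    print("cache-first  :", reproduce(fetch_cache_first))
    print("verify-always:", reproduce(fetch_verify_always))
```

The point the two paths make explicit: caching the downloaded bytes is safe, but the decision "this requester may boot this signed image" is not a property of the bytes, so it cannot be cached along with them. Any mitigation (re-verifying on cache hit, or recording which verification context populated the cache entry and refusing to reuse it for a different one) has to keep the per-request check on the path that serves cached images.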

