Comment 22 for bug 1990157

Brian Rosmaita (brian-rosmaita) wrote : Re: Malicious image data modification can happen when using COW

About the Recommended Actions change: It's a bit more specific, but doesn't mention using the Keystone public/internal endpoint type for this purpose because the keystone docs [0] describe the 'internal' type as accessible to end users, and operators may already be using it in that way. I think the way to go is to use the Nova [glance]/endpoint_override setting to point directly to the "internal-only" API; the corresponding cinder config would be glance_api_servers (Nova also has that option, but it's been deprecated since Queens). So I just said "use the appropriate configuration options for each service", which operators can find in the config help for each service.

[0] https://docs.openstack.org/keystone/latest/contributor/service-catalog.html#endpoints
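
The following is an added example, not part of the comment above and not OpenStack project code: a check that Nova and Cinder configuration text pins the Glance client to the internal-only API through the two options the comment names. The hostnames, the sample configs, the `audit` helper, and the placement of Cinder's option in `[DEFAULT]` are assumptions made for illustration.

```python
import configparser

# Constructed placeholder URL for the "internal-only" Glance API (not from the bug report).
INTERNAL_ONLY = "http://glance-internal-only.example:9292"

# Constructed sample configs: Nova is pinned correctly, Cinder points elsewhere.
NOVA_CONF = """
[glance]
endpoint_override = http://glance-internal-only.example:9292
"""
CINDER_CONF = """
[DEFAULT]
glance_api_servers = http://glance-public.example:9292
"""

# (section, option) that fixes each service's Glance endpoint.
CHECKS = {
    "nova": ("glance", "endpoint_override"),
    "cinder": ("DEFAULT", "glance_api_servers"),  # assumed to live in [DEFAULT]
}

def audit(service, conf_text, expected=INTERNAL_ONLY):
    """Return (ok, message) for one service's configuration text."""
    section, option = CHECKS[service]
    # interpolation=None: oslo-style configs may contain literal '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get(section, option, fallback=None)
    where = f"{service}: [{section}]/{option}"
    if raw is None or not raw.strip():
        return False, f"{where} is unset, so the Glance endpoint is not pinned"
    # glance_api_servers is a comma-separated list; every entry must match.
    urls = [u.strip().rstrip("/") for u in raw.split(",") if u.strip()]
    wrong = [u for u in urls if u != expected.rstrip("/")]
    if wrong:
        return False, f"{where} points at {', '.join(wrong)}, expected {expected}"
    return True, f"{where} is pinned to {expected}"

if __name__ == "__main__":
    for name, text in (("nova", NOVA_CONF), ("cinder", CINDER_CONF)):
        ok, msg = audit(name, text)
        print("OK  " if ok else "FAIL", msg)
```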