VM unshelve failed if verify_glance_signatures enabled

Bug #1875287 reported by Andrey Volkov
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Andrey Volkov

Bug Description


If CONF.glance.verify_glance_signatures = True, then it's required
image to have properties related to signature. `nova shelve` command
creates an image without those properties. Thus, `nova unshelve` fails.

Steps to reproduce

1. Set

  verify_glance_signatures = True

and restart Nova compute.

3. nova shelve vm1; nova unshelve vm1

Expected result

vm1 status ACTIVE.

Actual result

vm1 status SHELVED_OFFLOADED and error in log:
ERROR oslo_messaging.rpc.server
cursive.exception.SignatureVerificationError: Signature verification
for the image failed: Required image properties for signature
verification do not exist. Cannot verify signature. Missing property:


Environment: master

Tags: shelve
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/723320

Changed in nova:
assignee: nobody → Andrey Volkov (avolkov)
status: New → In Progress
Revision history for this message
Andrey Volkov (avolkov) wrote :

The following options are available:
1. Add image auto signature for any image Nova puts to Glance.
2. Disable image signature validation for specific operations like unshelve.
3. Make signature for images created by nova manually or e.g. cron script (there could be a race).

For 1. there is a PoC: https://review.opendev.org/723320

Andrey Volkov (avolkov)
Changed in nova:
status: In Progress → New
Revision history for this message
Balazs Gibizer (balazs-gibizer) wrote :

Could you please fix the reproduction steps in your report. What I see there as "[glance]/enable_image_auto_signature = True" is not a valid nova config option.

Changed in nova:
status: New → Incomplete
Revision history for this message
Andrey Volkov (avolkov) wrote :

Yeah, bad copy-paste.


description: updated
Changed in nova:
status: Incomplete → New
tags: added: shelve
Revision history for this message
Balazs Gibizer (balazs-gibizer) wrote :

Thanks. Now I can reproduce the bug locally.

Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.