On 04/18/2018 10:57 AM, Jay Pipes wrote:
> On 04/18/2018 12:41 PM, Matt Riedemann wrote:
>> There is a compute REST API change proposed [1] which will allow users to pass
>> trusted certificate IDs to be used with validation of images when creating or
>> rebuilding a server. The trusted cert IDs are based on certificates stored in
>> some key manager, e.g. Barbican.
>> The full nova spec is here [2].
>> The main concern I have is that trusted certs will not be supported for
>> volume-backed instances, and some clouds only support volume-backed instances.
> Yes. And some clouds only support VMWare vCenter virt driver. And some only
> support Hyper-V. I don't believe we should delay adding good functionality to
> (large percentage of) clouds because it doesn't yet work with one virt driver or
> one piece of (badly-designed) functionality.
>> The way the patch is written is that if the user attempts to
>> boot from volume with trusted certs, it will fail.
> And... I think that's perfectly fine.
If this happens, is it clear to the end-user that the reason the boot failed is
that the cloud doesn't support trusted cert IDs for boot-from-vol? If so, then
I think that's totally fine.
If the error message is unclear, then maybe we should just improve it.
Chris
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev