Merge "conf: Do not inherit image signature props with snapshots" into stable/pike

nova/conf/compute.py

@@ -53,7 +53,9 @@ the same host to the destination options. Also set to true
 if you allow the ServerGroupAffinityFilter and need to resize.
 """),
     cfg.ListOpt('non_inheritable_image_properties',
-        default=['cache_in_nova', 'bittorrent'],
+        default=['cache_in_nova', 'bittorrent',
+                 'img_signature_hash_method', 'img_signature',
+                 'img_signature_key_type', 'img_signature_certificate_uuid'],
         help="""
 Image properties that should not be inherited from the instance
 when taking a snapshot.
@@ -67,7 +69,9 @@ Possible values:
   properties that are only needed by base images can be included
   here, since the snapshots that are created from the base images
   doesn't need them.
-* Default list: ['cache_in_nova', 'bittorrent']
+* Default list: cache_in_nova, bittorrent, img_signature_hash_method,
+                img_signature, img_signature_key_type,
+                img_signature_certificate_uuid
 """),
     cfg.StrOpt('null_kernel',
         default='nokernel',

nova/tests/unit/compute/test_compute_api.py

@@ -2498,10 +2498,9 @@ class _ComputeAPIUnitTestMixIn(object):
         instance = self._create_instance_obj(params=params)
         instance.vm_state = instance_vm_state
 
-        # 'cache_in_nova' is for testing non-inheritable properties
-        # 'user_id' should also not be carried from sys_meta into
-        # image property...since it should be set explicitly by
-        # _create_image() in compute api.
+        # Test non-inheritable properties, 'user_id' should also not be
+        # carried from sys_meta into image property...since it should be set
+        # explicitly by _create_image() in compute api.
         fake_image_meta = {
             'is_public': True,
             'name': 'base-name',
@@ -2512,6 +2511,11 @@ class _ComputeAPIUnitTestMixIn(object):
                 'foo': 'bar',
                 'blah': 'bug?',
                 'cache_in_nova': 'dropped',
+                'bittorrent': 'dropped',
+                'img_signature_hash_method': 'dropped',
+                'img_signature': 'dropped',
+                'img_signature_key_type': 'dropped',
+                'img_signature_certificate_uuid': 'dropped'
             },
         }
         image_type = is_snapshot and 'snapshot' or 'backup'

releasenotes/notes/default-non-inheritable-image-properties-dfd13ba3b09278dd.yaml

@@ -0,0 +1,10 @@
+---
+upgrade:
+  - |
+    The default list of non-inherited image properties to pop when creating a
+    snapshot has been extended to include image signature properties. The
+    properties ``img_signature_hash_method``, ``img_signature``,
+    ``img_signature_key_type`` and ``img_signature_certificate_uuid`` are no
+    longer inherited by the snapshot image as they would otherwise result in
+    a Glance attempting to verify the snapshot image with the signature of the
+    original.