That's correct. The size and the checksum are to be verified outside of Glance, in this case Nova. However, you may want to note that it's not necessary that all Nova virt drivers would use py-glanceclient so you would want to check the download specific code in the virt driver your Nova deployment is using.
Having said that, essentially the flow seems appropriate. Error must be raise on mismatch. The signing BP was to help prevent the compromised Glance from changing the checksum and image blob at the same time. Using a digital signature, you can prevent download of compromised data. However, the feature has just been implemented in Glance; Glance users may take time to adopt. On 9/9/15 11:15 AM, stuart.mcla...@hp.com wrote: > > The glance client (running 'inside' the Nova server) will re-calculate > the checksum as it downloads the image and then compare it against the > expected value. If they don't match an error will be raised. > >> How can I know that the image that a new instance is spawned from - is >> actually the image that was originally registered in glance - and has >> not been maliciously tampered with in some way? >> >> Is there some kind of verification that is performed against the md5sum >> of the registered image in glance before a new instance is spawned? >> >> Is that done by Nova? >> Glance? >> Both? Neither? >> >> The reason I ask is some 'paranoid' security (that is their job I >> suppose) people have raised these questions. >> >> I know there is a glance BP already merged for L [1] - but I would like >> to understand the actual flow in a bit more detail. >> >> Thanks. >> >> [1] >> https://blueprints.launchpad.net/glance/+spec/image-signing-and-verification-support >> >> >> -- >> Best Regards, >> Maish Saidel-Keesing >> >> >> >> ------------------------------ >> >> _______________________________________________ >> OpenStack-dev mailing list >> OpenStack-dev@lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> End of OpenStack-dev Digest, Vol 41, Issue 22 >> ********************************************* >> > > __________________________________________________________________________ > > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Thanks, Nikhil __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
