Fix "signature_verified" metadata propagation to images

rodrigogansobarbieri · priteau · commit 1c2e2f902add · 2024-12-12T08:20:47.000Z
The property "signature_verified" is added by cinder to volumes created from images. That property is propagated to glance when images are created from such volumes. Later, when creating volumes from such images again, the image property conflicts with cinder trying to add the property again. The solution is to never propagate such cinder property in the first place. Closes-bug: #1823445 Change-Id: Id46877e490b17c00ba1cf8cf312dd2f456760a23 (cherry picked from commit c65f43c) (cherry picked from commit 9dbf296) (cherry picked from commit 9d1b6b8) (cherry picked from commit a770f72) (cherry picked from commit ae2d250) (cherry picked from commit 9871cfe)
diff --git a/cinder/image/image_utils.py b/cinder/image/image_utils.py
@@ -97,9 +97,9 @@
                      'an operator has configured glance property protections '
                      'to make some image properties read-only. Cinder will '
                      '*always* filter out image metadata in the namespaces '
-                     '`os_glance` and `img_signature`; this configuration '
-                     'option allows operators to specify *additional* '
-                     'namespaces to be excluded.',
+                     '`os_glance`, `img_signature` and `signature_verified`; '
+                     'this configuration option allows operators to specify '
+                     '*additional* namespaces to be excluded.',
                 default=[]),
 ]
 
@@ -125,7 +125,8 @@
 
 COMPRESSIBLE_IMAGE_FORMATS = ('qcow2',)
 
-GLANCE_RESERVED_NAMESPACES = ["os_glance", "img_signature"]
+GLANCE_RESERVED_NAMESPACES = ["os_glance", "img_signature",
+                              "signature_verified"]
 
 
 def validate_stores_id(context: context.RequestContext,
diff --git a/cinder/tests/unit/test_image_utils.py b/cinder/tests/unit/test_image_utils.py
@@ -2753,7 +2753,7 @@ def test_filter_out_reserved_namespaces_metadata_with_empty_metadata(self):
     @ddt.unpack
     def test_filter_out_reserved_namespaces_metadata(
             self, metadata_for_test, config, keys_to_pop):
-        hardcoded_keys = ['os_glance', "img_signature"]
+        hardcoded_keys = image_utils.GLANCE_RESERVED_NAMESPACES
 
         keys_to_pop = hardcoded_keys + keys_to_pop
 
@@ -2813,7 +2813,7 @@ def test_filter_out_reserved_namespaces_metadata(
     @ddt.unpack
     def test_filter_out_reserved_namespaces_metadata_properties(
             self, metadata_for_test, config, keys_to_pop):
-        hardcoded_keys = ['os_glance', "img_signature"]
+        hardcoded_keys = image_utils.GLANCE_RESERVED_NAMESPACES
 
         keys_to_pop = hardcoded_keys + keys_to_pop
 
diff --git a/releasenotes/notes/bug-1823445-c47c25870a98335a.yaml b/releasenotes/notes/bug-1823445-c47c25870a98335a.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixed the volume property `signature_verified` propagating to images created
+    from volumes. That property could later conflict with the same property being
+    added again when creating a new volume from such image, preventing the volume
+    from being created successfully. This volume property is created whenever a
+    volume is created from an image for the purpose of indicating that the image
+    signature was verified on creation, and was not intended to be propagated
+    further if a new image is created from such volume. 
