)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f9b1dfe3_59ef0f1c","updated":"2025-12-05 15:28:28.000000000","message":"This looks good to me, requests for some clarifications and formatting changes noted inline.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"09b36ab6e5186de8cc677b7b27bb1906588bc0e6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"7c68572a_10f34d1b","updated":"2025-12-05 15:49:26.000000000","message":"One more comment.","commit_id":"48f88c6b736be3e897f100b0268ce3c1500b8efa"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"5e07317f2e9d4b0f135bba7f8b6240757b58f667","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"23fd7bfb_8ee80e3c","updated":"2025-12-05 16:23:05.000000000","message":"This may not need to be something we need to figure out right now, but should cinder worry about disk_format \u0027raw\u0027 vs \u0027gpt\u0027 on the image, when cinder is creating a volume from an image?","commit_id":"48f88c6b736be3e897f100b0268ce3c1500b8efa"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"c292ab28b4512581521e76844fe7299716f79d25","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ddb6f30d_3f3fcc82","in_reply_to":"23fd7bfb_8ee80e3c","updated":"2025-12-09 08:44:00.000000000","message":"The potential problem with unverified \u0027raw\u0027 images is that a user could attempt to craft malicious 
image contents that are interpreted at some point like in OSSA-2024-001. For encrypted images, this would be slightly different as the *decrypted* payload would need to be interpreted.\n\nFor the record, in the last PTG session we discussed this corner case and at the time concluded the following: Cinder will always create encrypted images with disk_format\u003draw to ensure that upload-to-image always succeeds (see below). Nova will only accept encrypted images with disk_format\u003dgpt or \u003dqcow2 as \"bootable\" and will not directly interpret or boot images with disk_format\u003draw, which includes cinder-created ones.\nThis way, raw images cannot cause any damage in Nova. That leaves us with one corner case in Cinder: encrypted image with disk_format\u003draw (i.e. unchecked) to encrypted bootable volume.\n\nAn encrypted + disk_format\u003draw image can only cause problems once it is being decrypted and the decrypted payload is being read and interpreted.\nAs far as I can tell, there are only two ways Cinder LUKS volumes are being attached to an instance in Nova: 1) via native QEMU/KVM LUKS handling or 2) via a detour using \"cryptsetup luksOpen\" and mounting the /dev/mapper/... endpoint into the VM as the root disk for non-KVM hypervisors or specific storage backends.\nI think that in both cases the block storage device is directly passed into the guest VM in a decrypted manner. As such, I don\u0027t see any kind of interpretation of the decrypted payload happening in Nova outside of the guest VM.\n\nAnd since we would always be directly transferring raw LUKS-encrypted images into volumes and keep their encryption as-is in Cinder (as implemented in this patchset), there is no conversion or interpretation happening in Cinder either. 
Conversion will only happen for qcow2+LUKS images but those are an entirely different story and in contrast can be verified via Glance defender beforehand.\n\nIn conclusion I think that although \u0027gpt\u0027 vs \u0027raw\u0027 disk_formats of encrypted images will matter to Nova, it should not matter for Cinder even for bootable volumes.\n\n---\n\nThere is one case I can think of where a potential restriction of \u0027raw\u0027 in Cinder might cause issues in the future: when Cinder uploads an image from a volume that has arbitrary user-generated contents\\*.\n\nIn this case, if Glance would ever introduce validation of the encrypted payload to verify the \u0027gpt\u0027 disk_format claim, it might reject an image coming from Cinder at any time, failing the `os-volume_upload_image` action in Cinder and leaving the user puzzled as to why certain volumes can be uploaded as images and others can\u0027t.\nAdmittedly, this may be an unusual and rare use case but I could see it happen.\n\nAs such, in order to freely transition between image and volume for its own volumes, Cinder would need to accept disk_format\u003draw as a valid source, even for bootable volumes.\n\n\\* what I mean by arbitrary contents:\nImagine the following use case. A user creates an empty encrypted volume and attaches this as an additional/non-primary volume to a Nova instance. They then write application-specific arbitrary binary data to it without initializing any kind of partition table (e.g. GPT) or filesystem on it. 
The resulting LUKS-encrypted block data will only contain unrecognizable payload that cannot be verified by the Glance defender mechanism checking for a GPT header or anything similar even if it would inspect the first blocks of decrypted data.","commit_id":"48f88c6b736be3e897f100b0268ce3c1500b8efa"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"23d0a101_8cf131cd","updated":"2026-01-08 15:26:36.000000000","message":"Bit of a linting review here...","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"8f6be9cc5027377b2128909bcb674877df0fb384","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"64bf2277_677d9ef3","updated":"2025-12-12 21:45:11.000000000","message":"Merge conflict will need to be resolved, but the content is fine.","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"f5718c75ed61a339f8e2a94a12db6809036fc949","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"3afd9c3b_6a75fcc9","updated":"2026-01-08 15:26:51.000000000","message":"You need to fix the merge conflict","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7aaf5864_6220f9fb","updated":"2026-01-14 15:26:51.000000000","message":"Looks good from my side 
now","commit_id":"fc5bec987e5145f787d99c6daffcf1a052b51c41"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"ee6d0b85753be2c01cc1854d0e70ff542b1e9f0f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"2e99bb4f_bb06966f","updated":"2026-01-14 15:24:49.000000000","message":"Hi Simon, I think I addressed all your comments. Could you check again?","commit_id":"1c9928f13f8b791ff1a3e95136feb4973aa45d87"}],"specs/2026.1/LUKS-image-encryption.rst":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Use Cases"},{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"}],"source_content_type":"text/x-rst","patch_set":3,"id":"06760a25_14e2d3a2","line":58,"updated":"2025-12-05 15:28:28.000000000","message":"If you look at the rendered html, the text in this section all runs together and you lose the list structure.  We want to be able to read this easily in either raw text or html, so that kind of limits the options.  
Anyway, it\u0027s difficult to explain because indentation is Very Important, so I just slapped the text into an etherpad for you to look at:\n\nhttps://etherpad.opendev.org/p/cinder-spec-list-example","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"ea64ca47af7643406c58e19c868852fe24c2be2a","unresolved":true,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Use Cases"},{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1ef91736_89ac7f54","line":58,"in_reply_to":"06760a25_14e2d3a2","updated":"2025-12-05 15:53:28.000000000","message":"Thanks for pointing that out. I\u0027ll try to mimic the rst to html pipeline locally and resolve all errors.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d79384f029a824779e3f08c6ea24378ef6aff96b","unresolved":true,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Use Cases"},{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. 
Additionally encrypted images should always result in encrypted"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d4c9d328_f71117ef","line":58,"in_reply_to":"1ef91736_89ac7f54","updated":"2025-12-05 16:21:14.000000000","message":"Locally, \u0027tox -d docs\u0027 and then open doc/build/html/index.html in a web browser.\n\nYou can also look at the results of the openstack-tox-docs job on your patch: click the \"Artifacts\" tab and then take the \"Docs preview site\" link.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"cf6288ef5ebb4b5693f6ef0173435a8a25dcffca","unresolved":false,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Use Cases"},{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"}],"source_content_type":"text/x-rst","patch_set":3,"id":"01e7053f_bf0cff9f","line":58,"in_reply_to":"d4c9d328_f71117ef","updated":"2025-12-08 17:09:38.000000000","message":"Reformatted the whole section now.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":131,"context_line":"encryption type. If that is not the case the volume create will be aborted in"},{"line_number":132,"context_line":"the API still. 
Otherwise there will be an unusable volume created."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"The flattening of a qcow2 image should be handled when uploading the image to"},{"line_number":135,"context_line":"the volume. The volume size should be resulting from the \u0027os_decrypt_size\u0027"},{"line_number":136,"context_line":"parameter. If compression is enabled through Cinder\u0027s"},{"line_number":137,"context_line":"allow_compression_on_image_upload option Cinders implementation to handle this"},{"line_number":138,"context_line":"should be re-used."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"The key management for creating an encrypted volume from an encrypted image"},{"line_number":141,"context_line":"must include the copying of the secret in Barbican. On this way Cinder always"}],"source_content_type":"text/x-rst","patch_set":3,"id":"f0547990_df0db670","line":138,"range":{"start_line":134,"start_character":0,"end_line":138,"end_character":18},"updated":"2025-12-05 15:28:28.000000000","message":"I think this is left over from a previous version of the spec?  I thought we were *not* going to allow end-user supplied encrypted qcow2 images?","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d79384f029a824779e3f08c6ea24378ef6aff96b","unresolved":false,"context_lines":[{"line_number":131,"context_line":"encryption type. If that is not the case the volume create will be aborted in"},{"line_number":132,"context_line":"the API still. Otherwise there will be an unusable volume created."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"The flattening of a qcow2 image should be handled when uploading the image to"},{"line_number":135,"context_line":"the volume. 
The volume size should be resulting from the \u0027os_decrypt_size\u0027"},{"line_number":136,"context_line":"parameter. If compression is enabled through Cinder\u0027s"},{"line_number":137,"context_line":"allow_compression_on_image_upload option Cinders implementation to handle this"},{"line_number":138,"context_line":"should be re-used."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"The key management for creating an encrypted volume from an encrypted image"},{"line_number":141,"context_line":"must include the copying of the secret in Barbican. On this way Cinder always"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f1510b8_8641922b","line":138,"range":{"start_line":134,"start_character":0,"end_line":138,"end_character":18},"in_reply_to":"e96dc6c9_4a2dc73e","updated":"2025-12-05 16:21:14.000000000","message":"OK, apologies for misunderstanding.  This sounds fine.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"ea64ca47af7643406c58e19c868852fe24c2be2a","unresolved":true,"context_lines":[{"line_number":131,"context_line":"encryption type. If that is not the case the volume create will be aborted in"},{"line_number":132,"context_line":"the API still. Otherwise there will be an unusable volume created."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"The flattening of a qcow2 image should be handled when uploading the image to"},{"line_number":135,"context_line":"the volume. The volume size should be resulting from the \u0027os_decrypt_size\u0027"},{"line_number":136,"context_line":"parameter. 
If compression is enabled through Cinder\u0027s"},{"line_number":137,"context_line":"allow_compression_on_image_upload option Cinders implementation to handle this"},{"line_number":138,"context_line":"should be re-used."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"The key management for creating an encrypted volume from an encrypted image"},{"line_number":141,"context_line":"must include the copying of the secret in Barbican. On this way Cinder always"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e96dc6c9_4a2dc73e","line":138,"range":{"start_line":134,"start_character":0,"end_line":138,"end_character":18},"in_reply_to":"f0547990_df0db670","updated":"2025-12-05 15:53:28.000000000","message":"But we are. As discussed during the last PTG, we will have 2 supported formats: 1) raw LUKS and 2) qcow2+LUKS.\n\nRaw LUKS is effectively the same as Cinder\u0027s current encryption and encrypted-volume-to-image upload format, just more standardized.\n\nQcow2+LUKS is something more relevant to Nova (in the future) and an alternative format. We want to make sure Cinder is at least able to consume it (i.e. convert to raw LUKS) when creating volumes from it. Cinder won\u0027t be able to produce qcow2+LUKS images though but it has its raw LUKS format for that.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":146,"context_line":"additional check for the type of the secret. 
And a different handling, if the"},{"line_number":147,"context_line":"secret is a \"passphrase\", because the way Cinder treats keys to create a"},{"line_number":148,"context_line":"passphrase for the LUKS header of a volume is quite unique and differs from"},{"line_number":149,"context_line":"Nova\u0027s handling of images, that have passphrases only."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The creation of an image from an volume just need to be adjusted to use the new"},{"line_number":152,"context_line":"parameters."}],"source_content_type":"text/x-rst","patch_set":3,"id":"53e94479_1f2d52b3","line":149,"updated":"2025-12-05 15:28:28.000000000","message":"I think this has already been implemented in cinder?  If so, you can just add\n\"(This has already been implemented in cinder.)\"","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"ea64ca47af7643406c58e19c868852fe24c2be2a","unresolved":false,"context_lines":[{"line_number":146,"context_line":"additional check for the type of the secret. 
And a different handling, if the"},{"line_number":147,"context_line":"secret is a \"passphrase\", because the way Cinder treats keys to create a"},{"line_number":148,"context_line":"passphrase for the LUKS header of a volume is quite unique and differs from"},{"line_number":149,"context_line":"Nova\u0027s handling of images, that have passphrases only."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The creation of an image from an volume just need to be adjusted to use the new"},{"line_number":152,"context_line":"parameters."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff487342_5952d2cc","line":149,"in_reply_to":"53e94479_1f2d52b3","updated":"2025-12-05 15:53:28.000000000","message":"This has been outsourced to os-brick and this is mentioned in the latest spec version.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":177,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":178,"context_line":"given."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":3,"id":"636cb8fe_7d040e40","line":178,"updated":"2025-12-05 15:28:28.000000000","message":"I\u0027m trying to think if there\u0027s a use case for being able to write an unencrypted LUKS container into a raw volume?  But I guess if you really wanted to do that, you could attach a raw volume and then just download the image into it like you could with any other glance image.  
So I think this response change is fine.  You may need to check to make sure it doesn\u0027t break an existing tempest test (though I guess you\u0027ll find out soon enough when you submit the code!).","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"d106ff6c37c08dd548a5be638dd0e9608fe88116","unresolved":true,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":177,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":178,"context_line":"given."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5e388fbb_b6bc859d","line":178,"in_reply_to":"636cb8fe_7d040e40","updated":"2025-12-05 16:03:45.000000000","message":"In this spec \"encrypted image\" refers to the standardized form as described in the Glance spec in more detail, i.e., images with `os_encrypt_key_id` metadata. 
If the encryption key is specified, I\u0027m expecting OpenStack to handle the encryption.\nThis also means that the encryption is not removed in an unintended fashion without the user knowing, so we prevent conversion (decryption) to an unencrypted volume type.\n\nIf you don\u0027t want Cinder/Nova to be aware of the encryption and handle it like raw data (I think this is what you mean by \"unencrypted LUKS container\"?), I think you can simply avoid adding `os_encrypt_*` metadata and set the container_format to bare.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* Users should be able to use encrypted images to create volumes in a"},{"line_number":208,"context_line":"  consistant way"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Performance Impact"},{"line_number":212,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff696aee_6a8a04a4","line":209,"updated":"2025-12-05 15:28:28.000000000","message":"Also, something like:\n\n* Users will no longer be able to have an encrypted volume uploaded as a compressed image to glance.  
However, image compression on upload is an operator setting that is not directly accessible to end users, so end users never had a choice in this matter anyway.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"cf6288ef5ebb4b5693f6ef0173435a8a25dcffca","unresolved":true,"context_lines":[{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* Users should be able to use encrypted images to create volumes in a"},{"line_number":208,"context_line":"  consistant way"},{"line_number":209,"context_line":""},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Performance Impact"},{"line_number":212,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bd8863a0_d8e4cecc","line":209,"in_reply_to":"ff696aee_6a8a04a4","updated":"2025-12-08 17:09:38.000000000","message":"I have not found any indication of having encrypted volume uploaded as a compressed image to glance with the current codebase.\n\nThe upload-to-image function [1] triggers compression when either `container_format` is set to `compressed` or the `compress` flag is being passed to `convert_image()` when the source volume and target image disk format mismatch and conversion happens.\nHowever, in case of encrypted volumes, the container format must always be \"bare\" and the disk format must always be \"raw\" [2] (an encrypted volume is also always \"raw\"), so neither of those two cases apply I think.\n\n[1] https://opendev.org/openstack/cinder/src/commit/f38c2950b13a2cde2ae9f146cf525a9d54c8b830/cinder/image/image_utils.py#L1121-L1199\n\n[2] https://opendev.org/openstack/cinder/src/commit/f38c2950b13a2cde2ae9f146cf525a9d54c8b830/cinder/api/contrib/volume_actions.py#L221-L228","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":214,"context_line":"The proposed checks for the Cinder API may have minimal impact on performance."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"When creating a volume or server from an encrypted image the only operation"},{"line_number":217,"context_line":"that may be triggerd is the conversion between qcow-LUKS and raw LUKS blocks."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Thus, any performance impact is only applicable to the newly introduced"},{"line_number":220,"context_line":"encrypted image type where the processing of the image will have increased"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b8eadc6b_82d37025","line":217,"range":{"start_line":217,"start_character":12,"end_line":217,"end_character":20},"updated":"2025-12-05 15:28:28.000000000","message":"\"triggered\", though more to the point, I thought we weren\u0027t going to do this?","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"2156d69f81c2f7040cd0b6f0fbfbf7cebb028609","unresolved":false,"context_lines":[{"line_number":214,"context_line":"The proposed checks for the Cinder API may have minimal impact on performance."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"When creating a volume or server from an encrypted image the only operation"},{"line_number":217,"context_line":"that may be triggerd is the conversion between qcow-LUKS and raw LUKS blocks."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Thus, any performance impact is only applicable to the newly introduced"},{"line_number":220,"context_line":"encrypted image type where the processing 
of the image will have increased"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bd9911b3_537e6378","line":217,"range":{"start_line":217,"start_character":12,"end_line":217,"end_character":20},"in_reply_to":"b8eadc6b_82d37025","updated":"2025-12-05 16:07:26.000000000","message":"Will fix this typo in the next revision.\nAs elaborated on in my other comments, we still intend to keep this functionality.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":256,"context_line":""},{"line_number":257,"context_line":"* Add copying the secret and registering as a consumer in Barbican"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"* Add flattening of qcow2 to raw encrypted images"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"* In the image create from volume: change the"},{"line_number":262,"context_line":"  \u0027cinder_encryption_key_deletion_policy\u0027 to \u0027os_encrypt_key_deletion_policy\u0027"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b0116e14_40b16bb4","line":259,"range":{"start_line":259,"start_character":2,"end_line":259,"end_character":49},"updated":"2025-12-05 15:28:28.000000000","message":"remove (unless I\u0027m incorrect on what we\u0027ve agreed on here)","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d79384f029a824779e3f08c6ea24378ef6aff96b","unresolved":false,"context_lines":[{"line_number":256,"context_line":""},{"line_number":257,"context_line":"* Add copying the secret and registering as a consumer in Barbican"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"* Add 
flattening of qcow2 to raw encrypted images"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"* In the image create from volume: change the"},{"line_number":262,"context_line":"  \u0027cinder_encryption_key_deletion_policy\u0027 to \u0027os_encrypt_key_deletion_policy\u0027"}],"source_content_type":"text/x-rst","patch_set":3,"id":"79ae4bb6_f7ff9862","line":259,"range":{"start_line":259,"start_character":2,"end_line":259,"end_character":49},"in_reply_to":"4ab2e48c_e1d51210","updated":"2025-12-05 16:21:14.000000000","message":"I was confused about this, thanks for the correction.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"ea64ca47af7643406c58e19c868852fe24c2be2a","unresolved":true,"context_lines":[{"line_number":256,"context_line":""},{"line_number":257,"context_line":"* Add copying the secret and registering as a consumer in Barbican"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"* Add flattening of qcow2 to raw encrypted images"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"* In the image create from volume: change the"},{"line_number":262,"context_line":"  \u0027cinder_encryption_key_deletion_policy\u0027 to \u0027os_encrypt_key_deletion_policy\u0027"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4ab2e48c_e1d51210","line":259,"range":{"start_line":259,"start_character":2,"end_line":259,"end_character":49},"in_reply_to":"b0116e14_40b16bb4","updated":"2025-12-05 15:53:28.000000000","message":"I rephrased this to call it \u0027conversion\u0027 but the point remains. We want Cinder to at least be able to consume those images.\n\nThe implementation patchset for this [1] already includes a working implementation for qcow2+LUKS to raw LUKS for Cinder reusing the same encryption key. 
The Tempest scenario tests added to barbican-tempest-plugin [2] also cover serving qcow2+LUKS to Cinder in their permutations.\n\n[1] https://review.opendev.org/c/openstack/cinder/+/926298\n\n[2] https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/952699","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"e8cf9be50b2c1b04092929b9c015be0c7f2d7e4d","unresolved":true,"context_lines":[{"line_number":261,"context_line":"* In the image create from volume: change the"},{"line_number":262,"context_line":"  \u0027cinder_encryption_key_deletion_policy\u0027 to \u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":263,"context_line":"  and \u0027cinder_encryption_key_id\u0027 to \u0027os_encrypt_key_id\u0027"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Dependencies"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"841bc9f1_a4f0699d","line":264,"updated":"2025-12-05 15:28:28.000000000","message":"I think we need an item here for handling \u0027legacy\u0027 compressed container_format images (and maybe mention that an encrypted volume will no longer be uploaded to glance as a compressed payload, even if the allow_ option is set)","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"cf6288ef5ebb4b5693f6ef0173435a8a25dcffca","unresolved":true,"context_lines":[{"line_number":261,"context_line":"* In the image create from volume: change the"},{"line_number":262,"context_line":"  \u0027cinder_encryption_key_deletion_policy\u0027 to 
\u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":263,"context_line":"  and \u0027cinder_encryption_key_id\u0027 to \u0027os_encrypt_key_id\u0027"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Dependencies"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c40527be_0550e617","line":264,"in_reply_to":"841bc9f1_a4f0699d","updated":"2025-12-08 17:09:38.000000000","message":"See my other comment about the compression, I don\u0027t think it is technically possible that Cinder would have allowed the creation of such image.","commit_id":"3d65e963869372fed4e9d6e7c0631d526f1d4bc8"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"09b36ab6e5186de8cc677b7b27bb1906588bc0e6","unresolved":true,"context_lines":[{"line_number":273,"context_line":""},{"line_number":274,"context_line":"* Add setting the \u0027os_encrypt_format\u0027 property when creating images from"},{"line_number":275,"context_line":"  encrypted volumes"},{"line_number":276,"context_line":""},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Dependencies"},{"line_number":279,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"e6ae7ef2_35a85b49","line":276,"updated":"2025-12-05 15:49:26.000000000","message":"Also, how are we handling the disk_format \u0027raw\u0027 vs. \u0027gpt\u0027 for upload? 
I guess if the volume has the \u0027bootable\u0027 property set, we use \u0027gpt\u0027 otherwise \u0027raw\u0027, or if the user has specified a disk_format in the request, we honor that?\n\nWe\u0027ll also need a work item to update the api-ref:\n\nhttps://docs.openstack.org/api-ref/block-storage/v3/#upload-volume-to-image","commit_id":"48f88c6b736be3e897f100b0268ce3c1500b8efa"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"d106ff6c37c08dd548a5be638dd0e9608fe88116","unresolved":true,"context_lines":[{"line_number":273,"context_line":""},{"line_number":274,"context_line":"* Add setting the \u0027os_encrypt_format\u0027 property when creating images from"},{"line_number":275,"context_line":"  encrypted volumes"},{"line_number":276,"context_line":""},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Dependencies"},{"line_number":279,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dc8e257a_629dbc8d","line":276,"in_reply_to":"e6ae7ef2_35a85b49","updated":"2025-12-05 16:03:45.000000000","message":"I think the foundation for this to work properly and be accepted by Glance does not fully exist yet[1][2] (at the time of writing).\nAs such, I\u0027m not sure if we can correctly specify that yet.\n\n[1] https://review.opendev.org/c/openstack/glance/+/933601\n\n[2] https://review.opendev.org/c/openstack/cinder/+/934261","commit_id":"48f88c6b736be3e897f100b0268ce3c1500b8efa"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Standardize Image Encryption and 
Decryption"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"}],"source_content_type":"text/x-rst","patch_set":6,"id":"b1224080_b162f014","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":7},"updated":"2026-01-08 15:26:36.000000000","message":"reads better as \"OpenStack already supports encrypted volumes and ephemeral storage\"","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Standardize Image Encryption and Decryption"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and 
ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"}],"source_content_type":"text/x-rst","patch_set":6,"id":"208d465b_d7a04889","line":12,"range":{"start_line":11,"start_character":0,"end_line":12,"end_character":7},"in_reply_to":"b1224080_b162f014","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"},{"line_number":16,"context_line":"intuitive way to create and upload encrypted images. 
In addition, all metadata"}],"source_content_type":"text/x-rst","patch_set":6,"id":"428f31eb_ae60bb59","line":13,"range":{"start_line":12,"start_character":53,"end_line":13,"end_character":42},"updated":"2026-01-08 15:26:36.000000000","message":"avoid repetition with \"Even though it is already possible to store encrypted images\"","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"},{"line_number":16,"context_line":"intuitive way to create and upload encrypted images. 
In addition, all metadata"}],"source_content_type":"text/x-rst","patch_set":6,"id":"56643117_1fa8b286","line":13,"range":{"start_line":12,"start_character":53,"end_line":13,"end_character":42},"in_reply_to":"428f31eb_ae60bb59","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"},{"line_number":16,"context_line":"intuitive way to create and upload encrypted images. In addition, all metadata"},{"line_number":17,"context_line":"needed to detect and use encrypted images is either not present or specifically"},{"line_number":18,"context_line":"scoped for Cinder right now. In conclusion, support for encrypted images does"}],"source_content_type":"text/x-rst","patch_set":6,"id":"861fb193_240819e5","line":15,"range":{"start_line":15,"start_character":59,"end_line":15,"end_character":65},"updated":"2026-01-08 15:26:36.000000000","message":"nit: do not","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. 
Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is only indirectly usable by Nova (a user"},{"line_number":15,"context_line":"must create a volume from the image first), and thus users don\u0027t have an"},{"line_number":16,"context_line":"intuitive way to create and upload encrypted images. In addition, all metadata"},{"line_number":17,"context_line":"needed to detect and use encrypted images is either not present or specifically"},{"line_number":18,"context_line":"scoped for Cinder right now. In conclusion, support for encrypted images does"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fd40ae98_371200f8","line":15,"range":{"start_line":15,"start_character":59,"end_line":15,"end_character":65},"in_reply_to":"861fb193_240819e5","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":18,"context_line":"scoped for Cinder right now. In conclusion, support for encrypted images does"},{"line_number":19,"context_line":"exist to some extent but only in a non-explicit and non-standardized way. 
To"},{"line_number":20,"context_line":"establish a consistent approach to image encryption for all OpenStack services"},{"line_number":21,"context_line":"as well as users, several adjustments need to be implemented in Glance, Cinder"},{"line_number":22,"context_line":"and OSC."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"84794c26_cd13d07a","line":21,"range":{"start_line":21,"start_character":72,"end_line":21,"end_character":78},"updated":"2026-01-08 15:26:36.000000000","message":"for correct grammar add a comma after Cinder","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":18,"context_line":"scoped for Cinder right now. In conclusion, support for encrypted images does"},{"line_number":19,"context_line":"exist to some extent but only in a non-explicit and non-standardized way. 
To"},{"line_number":20,"context_line":"establish a consistent approach to image encryption for all OpenStack services"},{"line_number":21,"context_line":"as well as users, several adjustments need to be implemented in Glance, Cinder"},{"line_number":22,"context_line":"and OSC."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"e7897541_26b5aa0e","line":21,"range":{"start_line":21,"start_character":72,"end_line":21,"end_character":78},"in_reply_to":"84794c26_cd13d07a","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":25,"context_line":"Problem description"},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"An image, when uploaded to Glance or being created through Nova from an"},{"line_number":29,"context_line":"existing server (VM), may contain sensitive information. The already provided"},{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. 
First and foremost this"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e120e2bf_7ea3344a","line":28,"range":{"start_line":28,"start_character":37,"end_line":28,"end_character":43},"updated":"2026-01-08 15:26:36.000000000","message":"unnecessary word","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Problem description"},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"An image, when uploaded to Glance or being created through Nova from an"},{"line_number":29,"context_line":"existing server (VM), may contain sensitive information. The already provided"},{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. First and foremost this"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fcc5d400_f7b68acf","line":28,"range":{"start_line":28,"start_character":37,"end_line":28,"end_character":43},"in_reply_to":"e120e2bf_7ea3344a","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. 
First and foremost this"},{"line_number":32,"context_line":"includes the image storage hosts of Glance itself. Furthermore it might also"},{"line_number":33,"context_line":"involve caches on systems like compute hosts. In conclusion they are exposed to"},{"line_number":34,"context_line":"a multitude of potential scenarios involving different hosts with different"},{"line_number":35,"context_line":"access patterns and attack surfaces. The OpenStack components involved in those"},{"line_number":36,"context_line":"scenarios do not protect the confidentiality of image data."}],"source_content_type":"text/x-rst","patch_set":6,"id":"ec6d0f60_cc171931","line":33,"range":{"start_line":33,"start_character":49,"end_line":33,"end_character":64},"updated":"2026-01-08 15:26:36.000000000","message":"be clearer: \"conclusion, the images\"","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. First and foremost this"},{"line_number":32,"context_line":"includes the image storage hosts of Glance itself. Furthermore it might also"},{"line_number":33,"context_line":"involve caches on systems like compute hosts. In conclusion they are exposed to"},{"line_number":34,"context_line":"a multitude of potential scenarios involving different hosts with different"},{"line_number":35,"context_line":"access patterns and attack surfaces. 
The OpenStack components involved in those"},{"line_number":36,"context_line":"scenarios do not protect the confidentiality of image data."}],"source_content_type":"text/x-rst","patch_set":6,"id":"04ead0b2_6f0aa4c9","line":33,"range":{"start_line":33,"start_character":49,"end_line":33,"end_character":64},"in_reply_to":"ec6d0f60_cc171931","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"},{"line_number":62,"context_line":"volumes to avoid decryption."},{"line_number":63,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"6935c75f_bfcca0ee","line":60,"range":{"start_line":60,"start_character":53,"end_line":60,"end_character":55},"updated":"2026-01-08 15:26:36.000000000","message":"remove comma","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":57,"context_line":"---------"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. 
The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"},{"line_number":62,"context_line":"volumes to avoid decryption."},{"line_number":63,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"e3f751d3_2a91fdf7","line":60,"range":{"start_line":60,"start_character":53,"end_line":60,"end_character":55},"in_reply_to":"6935c75f_bfcca0ee","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"},{"line_number":62,"context_line":"volumes to avoid decryption."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"   a. If an encrypted image is the base for a new volume the used volume type"},{"line_number":65,"context_line":"      should always have an encryption type. 
If the given volume type or"}],"source_content_type":"text/x-rst","patch_set":6,"id":"b4223fb6_5492e32a","line":62,"range":{"start_line":61,"start_character":23,"end_line":62,"end_character":27},"updated":"2026-01-08 15:26:36.000000000","message":"you later rely on this statement as a rule, so maybe harden this statement as a requirement","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"1. A user wants to create a new volume based on an encrypted image. The"},{"line_number":60,"context_line":"corresponding volume host has to be enabled to detect, that the image is"},{"line_number":61,"context_line":"encrypted. Additionally encrypted images should always result in encrypted"},{"line_number":62,"context_line":"volumes to avoid decryption."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"   a. If an encrypted image is the base for a new volume the used volume type"},{"line_number":65,"context_line":"      should always have an encryption type. 
Whenever an encrypted image is converted to an encrypted volume the secret"},{"line_number":75,"context_line":"should be copied to give Cinder full control over the life-cycle of the secret."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   a. The secret can be a key or a passphrase. The secret type classification"},{"line_number":78,"context_line":"      in the Key Manager will determine the key handling"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c0a3d48f_44335f28","line":75,"range":{"start_line":75,"start_character":54,"end_line":75,"end_character":64},"updated":"2026-01-08 15:26:36.000000000","message":"nit: lifecycle","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":72,"context_line":"      converted to raw LUKS before transforming them into volumes."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"2. Whenever an encrypted image is converted to an encrypted volume the secret"},{"line_number":75,"context_line":"should be copied to give Cinder full control over the life-cycle of the secret."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   a. The secret can be a key or a passphrase. 
The secret type classification"},{"line_number":78,"context_line":"      in the Key Manager will determine the key handling"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8437225e_134c7c65","line":75,"range":{"start_line":75,"start_character":54,"end_line":75,"end_character":64},"in_reply_to":"c0a3d48f_44335f28","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":74,"context_line":"2. Whenever an encrypted image is converted to an encrypted volume the secret"},{"line_number":75,"context_line":"should be copied to give Cinder full control over the life-cycle of the secret."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   a. The secret can be a key or a passphrase. The secret type classification"},{"line_number":78,"context_line":"      in the Key Manager will determine the key handling"},{"line_number":79,"context_line":"      (\"symmetric\" vs \"passphrase\"). In case of \"passphrase\", the secret is"},{"line_number":80,"context_line":"      passed directly as the passphrase to the encryption layer. In any other"}],"source_content_type":"text/x-rst","patch_set":6,"id":"567f72c5_8a039fd5","line":77,"range":{"start_line":77,"start_character":6,"end_line":77,"end_character":45},"updated":"2026-01-08 15:26:36.000000000","message":"Is there only one secret per image - might be worth explicitly stating.","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":74,"context_line":"2. 
Whenever an encrypted image is converted to an encrypted volume the secret"},{"line_number":75,"context_line":"should be copied to give Cinder full control over the life-cycle of the secret."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   a. The secret can be a key or a passphrase. The secret type classification"},{"line_number":78,"context_line":"      in the Key Manager will determine the key handling"},{"line_number":79,"context_line":"      (\"symmetric\" vs \"passphrase\"). In case of \"passphrase\", the secret is"},{"line_number":80,"context_line":"      passed directly as the passphrase to the encryption layer. In any other"}],"source_content_type":"text/x-rst","patch_set":6,"id":"873f6400_e8922967","line":77,"range":{"start_line":77,"start_character":6,"end_line":77,"end_character":45},"in_reply_to":"567f72c5_8a039fd5","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":103,"context_line":"In Glance we propose the following additional metadata properties that should be"},{"line_number":104,"context_line":"carried by encrypted images:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"* \u0027os_encrypt_format\u0027 - the specific mechanism used, e.g. 
\u0027LUKSv1\u0027"},{"line_number":107,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":108,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the"},{"line_number":109,"context_line":"  key should be deleted too"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5fbf925c_d1df9f09","line":106,"range":{"start_line":106,"start_character":59,"end_line":106,"end_character":65},"updated":"2026-01-08 15:26:36.000000000","message":"Does the versioning matter? This is the only time you mention a version. Do we support both v1 and v2?","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":103,"context_line":"In Glance we propose the following additional metadata properties that should be"},{"line_number":104,"context_line":"carried by encrypted images:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"* \u0027os_encrypt_format\u0027 - the specific mechanism used, e.g. 
\u0027LUKSv1\u0027"},{"line_number":107,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":108,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the"},{"line_number":109,"context_line":"  key should be deleted too"}],"source_content_type":"text/x-rst","patch_set":6,"id":"259e82f7_635099c2","line":106,"range":{"start_line":106,"start_character":59,"end_line":106,"end_character":65},"in_reply_to":"5fbf925c_d1df9f09","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"ee6d0b85753be2c01cc1854d0e70ff542b1e9f0f","unresolved":true,"context_lines":[{"line_number":103,"context_line":"In Glance we propose the following additional metadata properties that should be"},{"line_number":104,"context_line":"carried by encrypted images:"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"* \u0027os_encrypt_format\u0027 - the specific mechanism used, e.g. 
\u0027LUKSv1\u0027"},{"line_number":107,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":108,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the"},{"line_number":109,"context_line":"  key should be deleted too"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8e6a70c1_53265776","line":106,"range":{"start_line":106,"start_character":59,"end_line":106,"end_character":65},"in_reply_to":"5fbf925c_d1df9f09","updated":"2026-01-14 15:24:49.000000000","message":"Yes Cinder already supports both versions and we set the metadata accordingly: https://review.opendev.org/c/openstack/cinder/+/926298/21/cinder/api/contrib/volume_actions.py","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":125,"context_line":"   directly to volumes again. 
This behavior is already implemented and requires"},{"line_number":126,"context_line":"   no format conversion as the LUKS encryption is native to Cinder."},{"line_number":127,"context_line":"   The intention is to keep this functionality and make the format usable"},{"line_number":128,"context_line":"   outside of Cinder and provide interoperability or it."},{"line_number":129,"context_line":"   To better identify such an image, we propose the new \u0027container_format\u0027"},{"line_number":130,"context_line":"   \u0027luks\u0027 to be set for these images."},{"line_number":131,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3b955f7a_3712b59a","line":128,"range":{"start_line":128,"start_character":50,"end_line":128,"end_character":53},"updated":"2026-01-08 15:26:36.000000000","message":"nit: for","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":125,"context_line":"   directly to volumes again. 
This behavior is already implemented and requires"},{"line_number":126,"context_line":"   no format conversion as the LUKS encryption is native to Cinder."},{"line_number":127,"context_line":"   The intention is to keep this functionality and make the format usable"},{"line_number":128,"context_line":"   outside of Cinder and provide interoperability or it."},{"line_number":129,"context_line":"   To better identify such an image, we propose the new \u0027container_format\u0027"},{"line_number":130,"context_line":"   \u0027luks\u0027 to be set for these images."},{"line_number":131,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"42caa3e3_e0e8bda2","line":128,"range":{"start_line":128,"start_character":50,"end_line":128,"end_character":53},"in_reply_to":"3b955f7a_3712b59a","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":130,"context_line":"   \u0027luks\u0027 to be set for these images."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"In the latter case it is already possible to upload such an encrypted image to"},{"line_number":133,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":134,"context_line":"corresponding metadata. 
After doing so the image can be used in the second"},{"line_number":135,"context_line":"infrastructure to create an encrypted volume."},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"4c83c48f_cace9e3e","line":133,"range":{"start_line":133,"start_character":18,"end_line":133,"end_character":32},"updated":"2026-01-08 15:26:36.000000000","message":"is \u0027deployment\u0027 better?","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":130,"context_line":"   \u0027luks\u0027 to be set for these images."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"In the latter case it is already possible to upload such an encrypted image to"},{"line_number":133,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":134,"context_line":"corresponding metadata. 
After doing so the image can be used in the second"},{"line_number":135,"context_line":"infrastructure to create an encrypted volume."},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"d602fec7_d198a5c4","line":133,"range":{"start_line":133,"start_character":18,"end_line":133,"end_character":32},"in_reply_to":"4c83c48f_cace9e3e","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":143,"context_line":"- \u0027cinder_encryption_key_id\u0027 to \u0027os_encrypt_key_id\u0027"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. 
Since the encrypted data is always directly transferred over,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8310e88b_431930b5","line":146,"range":{"start_line":146,"start_character":60,"end_line":146,"end_character":61},"updated":"2026-01-08 15:26:36.000000000","message":"nit: insert comma","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":143,"context_line":"- \u0027cinder_encryption_key_id\u0027 to \u0027os_encrypt_key_id\u0027"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. 
Since the encrypted data is always directly transferred over,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"cb78e754_18c7a18d","line":146,"range":{"start_line":146,"start_character":60,"end_line":146,"end_character":61},"in_reply_to":"8310e88b_431930b5","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":144,"context_line":""},{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. Since the encrypted data is always directly transferred over,"},{"line_number":150,"context_line":"the volume would end up as unusable otherwise."}],"source_content_type":"text/x-rst","patch_set":6,"id":"dca57cbe_ad7b50d4","line":147,"range":{"start_line":147,"start_character":44,"end_line":147,"end_character":47},"updated":"2026-01-08 15:26:36.000000000","message":"nit: used to","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":144,"context_line":""},{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. 
If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. Since the encrypted data is always directly transferred over,"},{"line_number":150,"context_line":"the volume would end up as unusable otherwise."}],"source_content_type":"text/x-rst","patch_set":6,"id":"60682316_bbbff5b1","line":147,"range":{"start_line":147,"start_character":44,"end_line":147,"end_character":47},"in_reply_to":"dca57cbe_ad7b50d4","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. 
Since the encrypted data is always directly transferred over,"},{"line_number":150,"context_line":"the volume would end up as unusable otherwise."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"The conversion of a qcow2+LUKS image should be handled when downloading the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"0b9d1c8d_51f41bc8","line":149,"range":{"start_line":148,"start_character":69,"end_line":149,"end_character":13},"updated":"2026-01-08 15:26:36.000000000","message":"reads better as \"will be aborted early in the API\"","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":145,"context_line":"A check in the volume creation flow will be added to look for encrypted"},{"line_number":146,"context_line":"images proposed as a volume source. If an image is encrypted another check is"},{"line_number":147,"context_line":"added to determine, whether the volume type to create the volume has an"},{"line_number":148,"context_line":"encryption type. If that is not the case the volume creation will be aborted in"},{"line_number":149,"context_line":"the API early. 
Since the encrypted data is always directly transferred over,"},{"line_number":150,"context_line":"the volume would end up as unusable otherwise."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"The conversion of a qcow2+LUKS image should be handled when downloading the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3befb19e_99aae750","line":149,"range":{"start_line":148,"start_character":69,"end_line":149,"end_character":13},"in_reply_to":"0b9d1c8d_51f41bc8","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":168,"context_line":"and differs from Nova\u0027s handling of images, that directly passes passphrases"},{"line_number":169,"context_line":"only."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"The creation of an image from an volume just need to be adjusted to use the new"},{"line_number":172,"context_line":"properties."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3ac97baf_03c9cc2e","line":171,"range":{"start_line":171,"start_character":30,"end_line":171,"end_character":33},"updated":"2026-01-08 15:26:36.000000000","message":"nit: a","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":168,"context_line":"and differs from Nova\u0027s handling of images, that directly passes passphrases"},{"line_number":169,"context_line":"only."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"The 
creation of an image from an volume just need to be adjusted to use the new"},{"line_number":172,"context_line":"properties."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"d44c011e_036362aa","line":171,"range":{"start_line":171,"start_character":45,"end_line":171,"end_character":50},"updated":"2026-01-08 15:26:36.000000000","message":"nit: needs","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":168,"context_line":"and differs from Nova\u0027s handling of images, that directly passes passphrases"},{"line_number":169,"context_line":"only."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"The creation of an image from an volume just need to be adjusted to use the new"},{"line_number":172,"context_line":"properties."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"dfed7848_172b9c33","line":171,"range":{"start_line":171,"start_character":30,"end_line":171,"end_character":33},"in_reply_to":"3ac97baf_03c9cc2e","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":168,"context_line":"and differs from Nova\u0027s handling of images, that directly passes passphrases"},{"line_number":169,"context_line":"only."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"The creation of an image from an volume just need to be adjusted to use the 
new"},{"line_number":172,"context_line":"properties."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"150d5f06_cc0d7e0c","line":171,"range":{"start_line":171,"start_character":45,"end_line":171,"end_character":50},"in_reply_to":"d44c011e_036362aa","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":176,"context_line":"------------"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"We also evaluated an image encryption implementation based on GPG. The downside"},{"line_number":179,"context_line":"with such an implementation is, that everytime such an image is used to create"},{"line_number":180,"context_line":"a server or a volume the image has to be decrypted and maybe re-encrypted for"},{"line_number":181,"context_line":"another encryption format as both Nova and Cinder use LUKS as an encryption"},{"line_number":182,"context_line":"mechanism. 
This would not only have impact on the performance of the operation"}],"source_content_type":"text/x-rst","patch_set":6,"id":"d84e9098_abfd5237","line":179,"range":{"start_line":179,"start_character":37,"end_line":179,"end_character":47},"updated":"2026-01-08 15:26:36.000000000","message":"nit: every time","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":176,"context_line":"------------"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"We also evaluated an image encryption implementation based on GPG. The downside"},{"line_number":179,"context_line":"with such an implementation is, that everytime such an image is used to create"},{"line_number":180,"context_line":"a server or a volume the image has to be decrypted and maybe re-encrypted for"},{"line_number":181,"context_line":"another encryption format as both Nova and Cinder use LUKS as an encryption"},{"line_number":182,"context_line":"mechanism. 
This would not only have impact on the performance of the operation"}],"source_content_type":"text/x-rst","patch_set":6,"id":"22a44cf6_bae6cae3","line":179,"range":{"start_line":179,"start_character":37,"end_line":179,"end_character":47},"in_reply_to":"d84e9098_abfd5237","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":179,"context_line":"with such an implementation is, that everytime such an image is used to create"},{"line_number":180,"context_line":"a server or a volume the image has to be decrypted and maybe re-encrypted for"},{"line_number":181,"context_line":"another encryption format as both Nova and Cinder use LUKS as an encryption"},{"line_number":182,"context_line":"mechanism. This would not only have impact on the performance of the operation"},{"line_number":183,"context_line":"but it also would need free space for the encrypted image file, the decrypted"},{"line_number":184,"context_line":"parts and the encrypted volume or server that is created."},{"line_number":185,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7c53fbdf_bc63bf18","line":182,"range":{"start_line":182,"start_character":31,"end_line":182,"end_character":49},"updated":"2026-01-08 15:26:36.000000000","message":"nit: have an impact on","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":179,"context_line":"with such an implementation is, that everytime such an image is used to create"},{"line_number":180,"context_line":"a server or a volume the image has to 
be decrypted and maybe re-encrypted for"},{"line_number":181,"context_line":"another encryption format as both Nova and Cinder use LUKS as an encryption"},{"line_number":182,"context_line":"mechanism. This would not only have impact on the performance of the operation"},{"line_number":183,"context_line":"but it also would need free space for the encrypted image file, the decrypted"},{"line_number":184,"context_line":"parts and the encrypted volume or server that is created."},{"line_number":185,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"aa386673_fb92baa4","line":182,"range":{"start_line":182,"start_character":31,"end_line":182,"end_character":49},"in_reply_to":"7c53fbdf_bc63bf18","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":193,"context_line":"REST API impact"},{"line_number":194,"context_line":"---------------"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":197,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":198,"context_line":"given."},{"line_number":199,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"74ba8632_80a52bd4","line":196,"range":{"start_line":196,"start_character":59,"end_line":196,"end_character":66},"updated":"2026-01-08 15:26:36.000000000","message":"nit: occur","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon 
Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":193,"context_line":"REST API impact"},{"line_number":194,"context_line":"---------------"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":197,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":198,"context_line":"given."},{"line_number":199,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"1c9e99ee_a09e2f6a","line":196,"range":{"start_line":196,"start_character":59,"end_line":196,"end_character":66},"in_reply_to":"74ba8632_80a52bd4","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":194,"context_line":"---------------"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":197,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":198,"context_line":"given."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"40e196f1_60819e53","line":197,"range":{"start_line":197,"start_character":17,"end_line":197,"end_character":19},"updated":"2026-01-08 15:26:36.000000000","message":"nit: remove comma","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon 
Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":194,"context_line":"---------------"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"When creating a volume from an encrypted image there might occure a new ERROR"},{"line_number":197,"context_line":"that is triggered, when an image is encrypted but no encrypted volume type is"},{"line_number":198,"context_line":"given."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5edcf460_3a96b10c","line":197,"range":{"start_line":197,"start_character":17,"end_line":197,"end_character":19},"in_reply_to":"40e196f1_60819e53","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":205,"context_line":""},{"line_number":206,"context_line":"* confidentiality of data in images will be addressed in this spec"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"* image encryption is introduced formally, thus cryptographic algorithms will"},{"line_number":209,"context_line":"  be used in all involved components (Nova, Cinder, OSC)"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Active/Active HA impact"},{"line_number":213,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"203d6536_32e6c100","line":210,"range":{"start_line":208,"start_character":2,"end_line":210,"end_character":0},"updated":"2026-01-08 15:26:36.000000000","message":"mixing bullet point fragments and full sentences isn\u0027t 
great. Make all bullets, or all fragments.","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":205,"context_line":""},{"line_number":206,"context_line":"* confidentiality of data in images will be addressed in this spec"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"* image encryption is introduced formally, thus cryptographic algorithms will"},{"line_number":209,"context_line":"  be used in all involved components (Nova, Cinder, OSC)"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Active/Active HA impact"},{"line_number":213,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e9b5c4a0_e8eccbe6","line":210,"range":{"start_line":208,"start_character":2,"end_line":210,"end_character":0},"in_reply_to":"203d6536_32e6c100","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"* Users should be able to use encrypted images to create volumes in a"},{"line_number":228,"context_line":"  consistant way"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Performance Impact"}],"source_content_type":"text/x-rst","patch_set":6,"id":"1fc77438_f4cefaa8","line":228,"range":{"start_line":228,"start_character":2,"end_line":228,"end_character":13},"updated":"2026-01-08 
15:26:36.000000000","message":"nit: consistent","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"* Users should be able to use encrypted images to create volumes in a"},{"line_number":228,"context_line":"  consistant way"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Performance Impact"}],"source_content_type":"text/x-rst","patch_set":6,"id":"fc64aa95_43315fc2","line":228,"range":{"start_line":228,"start_character":2,"end_line":228,"end_character":13},"in_reply_to":"1fc77438_f4cefaa8","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":304,"context_line":"Tempest tests will be added to the barbican-tempest-plugin in addition to its"},{"line_number":305,"context_line":"existing scenario tests revolving around usage of secrets. These scenario"},{"line_number":306,"context_line":"tests will create encrypted images in various permutations, including the"},{"line_number":307,"context_line":"different image formats (qcow+LUKS, raw LUKS) as well as the different secret"},{"line_number":308,"context_line":"types influencing the key conversion. 
Each of the created images will be used"},{"line_number":309,"context_line":"to create a volumes from which a Nova instance will be booted and"},{"line_number":310,"context_line":"health-checked."}],"source_content_type":"text/x-rst","patch_set":6,"id":"ada0985a_3d190bca","line":307,"range":{"start_line":307,"start_character":25,"end_line":307,"end_character":29},"updated":"2026-01-08 15:26:36.000000000","message":"nit: qcow2","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":304,"context_line":"Tempest tests will be added to the barbican-tempest-plugin in addition to its"},{"line_number":305,"context_line":"existing scenario tests revolving around usage of secrets. These scenario"},{"line_number":306,"context_line":"tests will create encrypted images in various permutations, including the"},{"line_number":307,"context_line":"different image formats (qcow+LUKS, raw LUKS) as well as the different secret"},{"line_number":308,"context_line":"types influencing the key conversion. 
Each of the created images will be used"},{"line_number":309,"context_line":"to create a volumes from which a Nova instance will be booted and"},{"line_number":310,"context_line":"health-checked."}],"source_content_type":"text/x-rst","patch_set":6,"id":"c31e63f0_13509295","line":307,"range":{"start_line":307,"start_character":25,"end_line":307,"end_character":29},"in_reply_to":"ada0985a_3d190bca","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"2bf3f6a841144e5d33df80c2d493f8316d7dcf4c","unresolved":true,"context_lines":[{"line_number":306,"context_line":"tests will create encrypted images in various permutations, including the"},{"line_number":307,"context_line":"different image formats (qcow+LUKS, raw LUKS) as well as the different secret"},{"line_number":308,"context_line":"types influencing the key conversion. 
Each of the created images will be used"},{"line_number":309,"context_line":"to create a volumes from which a Nova instance will be booted and"},{"line_number":310,"context_line":"health-checked."},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Another scenario will be added that specifically tests the creation of"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9bb96267_daca655d","line":309,"range":{"start_line":309,"start_character":10,"end_line":309,"end_character":12},"updated":"2026-01-08 15:26:36.000000000","message":"nit: remove \u0027a\u0027","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"},{"author":{"_account_id":13425,"name":"Simon Dodsley","email":"simon@purestorage.com","username":"sdodsley"},"change_message_id":"e1df51f65a515acdf1054d985ee8b561758f7aea","unresolved":false,"context_lines":[{"line_number":306,"context_line":"tests will create encrypted images in various permutations, including the"},{"line_number":307,"context_line":"different image formats (qcow+LUKS, raw LUKS) as well as the different secret"},{"line_number":308,"context_line":"types influencing the key conversion. Each of the created images will be used"},{"line_number":309,"context_line":"to create a volumes from which a Nova instance will be booted and"},{"line_number":310,"context_line":"health-checked."},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"Another scenario will be added that specifically tests the creation of"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9d442670_91708020","line":309,"range":{"start_line":309,"start_character":10,"end_line":309,"end_character":12},"in_reply_to":"9bb96267_daca655d","updated":"2026-01-14 15:26:51.000000000","message":"Done","commit_id":"edae01e979c6d6b6eae0eb9868f19b845c9f4d57"}]}
