{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"fff29dd0_ed1da8f5","updated":"2024-04-29 14:07:49.000000000","message":"A few things noted inline.  My main concern is whether \u0027encrypted\u0027 should be a container_format (I\u0027m thinking not, though I may have been the person who suggested using container_format).  The problem is that there are situations where it\u0027s important to know the \"real\" container format (cinder and nova both support a \u0027compressed\u0027 container_format).  With cinder, at least, it\u0027s currently possible to have a LUKS image compressed before it\u0027s uploaded to glance, and on the download side, it needs to be decompressed before any of the encryption stuff is applied.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"7d69d766cefb9b2791caec80e5b06c42e6baff2e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"dd74e9a5_2813c283","updated":"2024-05-16 10:11:12.000000000","message":"I hope we were able to answer questions, and I would like to discuss this and the Cinder spec in the next Cinder meeting. 
(Unfortunately I don\u0027t have much time on Thursday.)","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"cd1e8fbe_7ff14734","updated":"2024-05-08 15:30:40.000000000","message":"A few comments inline, most of them are just queries to understand the feature and impact better.\nThe major concern I have is the encryption/decryption happening at the OSC layer. Maybe it\u0027s just fine but it seems really strange to have a major part of the feature done in the client instead of the targeted service (i.e. glance or glance_store)","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"752b46e2abf133ce8aee37c5e70ea9ed4cc640e3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"6bc43de2_00bd1ddf","updated":"2024-05-21 13:58:06.000000000","message":"I\u0027d really like a stronger callout about the plan for image_conversion. 
Either say \"we don\u0027t do that on encrypted images\" (probably fine) or \"we will reject encrypted images when format conversion is enabled and we don\u0027t have access to the key\".\n\nIf the latter, then we need to make those conversion paths work, and we definitely need some testing to confirm.","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ac871565_2c3acf20","in_reply_to":"6bc43de2_00bd1ddf","updated":"2024-05-28 12:49:15.000000000","message":"I added a paragraph at the end of the Proposed Change section to clarify that we will not allow image conversion with encrypted images.\n\nThis could be added after the spec is implemented. But this would need some careful eyes from the Glance team and by then they should have all information they need if they want to implement it.","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"89f3327926b047e8467838f03216f2ea6c485d50","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"a10e1b8b_7adc0c0f","updated":"2024-06-08 17:08:00.000000000","message":"A few things noted inline, but on the whole, this LGTM.\n\nThere seems to be some controversy around the role of the openstackclient in encryption (i.e., whether it should be able to do the encryption or decryption of the payload).  
I suggest for this spec, you should just commit to extending the OSC to allow specification of the necessary image metadata for encrypted images, and then you can fight it out with the OSC team on a different spec as to whether it will support doing the encryption or just support uploading an already encrypted payload.","commit_id":"ca223f0c702423c2d4c357ad90868b9466f9c3b7"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"76f599596514a53d14c8cf71ca5a241682799839","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"2d3ac919_ce872b96","updated":"2024-06-13 14:17:09.000000000","message":"Hi Josephine, could you please mark the existing comments which are answered as resolved? It will help reviewers understand what is addressed and what is pending.\n\nThank you!","commit_id":"032fba75251bc704269e3ce973f217ffd8a171b9"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"5e987b39_4beb819b","updated":"2024-06-19 17:19:50.000000000","message":"Thank you for restructuring it, looks better. 
Noted a couple of questions inline.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"a2332749b319ec1459d8c4bd353d7a0ea91be6dd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"92785a2e_87dcf942","updated":"2024-06-26 05:25:46.000000000","message":"I do not have any further objections, thank you for proposing this!!","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":33765,"name":"Mridula Joshi","email":"mrjoshi@redhat.com","username":"mrjoshi"},"change_message_id":"2b991d2ec90e55c39931659e0ca65e07a28131b2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"590cfa38_c0a8423a","updated":"2024-06-27 08:38:55.000000000","message":"LGTM, Thank you!","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"469b5d792104cbca2a96c76b1bbe7e67a7150666","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"599e8330_d40ca371","updated":"2024-06-25 10:30:30.000000000","message":"Minor nits: noted inline in case a new ps is needed, otherwise LGTM !\nThank you !!","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"ec6b444fb81888c305ec54b305ea35f5e285ff16","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"45311fec_6caf1852","updated":"2024-07-12 12:29:59.000000000","message":"As discussed in the last weekly meeting [1], I don\u0027t see any objection on this, so approving the spec.\n\nThanks all !!\n\n[1]: 
https://meetings.opendev.org/irclogs/%23openstack-meeting/%23openstack-meeting.2024-07-11.log.html#t2024-07-11T14:10:04","commit_id":"a05de852785c5a5e78951a2ed263ed68714f8d1a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"22c1169615cc7ccc25daa5217320a43aa80c4a4f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"eb252289_aa3f3918","updated":"2024-07-01 07:51:19.000000000","message":"I updated the spec and fixed the typos.","commit_id":"a05de852785c5a5e78951a2ed263ed68714f8d1a"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"b894c74003083f30c681d77d129f64a36c13bb58","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"618573b8_9503ba61","updated":"2024-07-01 13:03:43.000000000","message":"Thank you !!","commit_id":"a05de852785c5a5e78951a2ed263ed68714f8d1a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"3bf2bc606de99e5e6a76e9b979bb51ce22ea4767","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"9fa05de6_80500cf6","updated":"2024-07-01 08:16:59.000000000","message":"Thank you!","commit_id":"a05de852785c5a5e78951a2ed263ed68714f8d1a"},{"author":{"_account_id":33765,"name":"Mridula Joshi","email":"mrjoshi@redhat.com","username":"mrjoshi"},"change_message_id":"4a457423557a98f618db70b25061b39906d58e1d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"5b677fb5_d805d2be","updated":"2024-07-02 04:48:21.000000000","message":"Thanks!","commit_id":"a05de852785c5a5e78951a2ed263ed68714f8d1a"}],"specs/2024.2/approved/glance/standardized_image_encryption.rst":[{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is not usable by Nova and users don\u0027t have"},{"line_number":15,"context_line":"an intuitive way to create and upload encrypted images. In addition, all"},{"line_number":16,"context_line":"metadata needed to detect and use encrypted images is either not present or"},{"line_number":17,"context_line":"specifically scoped for Cinder right now. In conclusion, support for encrypted"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f6c0bfbb_ca9fc2cb","line":14,"range":{"start_line":14,"start_character":31,"end_line":14,"end_character":65},"updated":"2024-04-29 14:07:49.000000000","message":"nit: \"it is only indirectly usable by Nova (a user must create a volume from the image first), and thus users\"","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"d0fc8abb8ec05de0e148ff9cd81d9884155604cf","unresolved":false,"context_lines":[{"line_number":11,"context_line":"OpenStack already has the ability to create encrypted volumes and ephemeral"},{"line_number":12,"context_line":"storage to ensure the confidentiality of block data. 
Even though it is also"},{"line_number":13,"context_line":"already possible to store encrypted images, there is only one service (Cinder)"},{"line_number":14,"context_line":"that utilizes this option, but it is not usable by Nova and users don\u0027t have"},{"line_number":15,"context_line":"an intuitive way to create and upload encrypted images. In addition, all"},{"line_number":16,"context_line":"metadata needed to detect and use encrypted images is either not present or"},{"line_number":17,"context_line":"specifically scoped for Cinder right now. In conclusion, support for encrypted"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f867bfa4_abf18441","line":14,"range":{"start_line":14,"start_character":31,"end_line":14,"end_character":65},"in_reply_to":"f6c0bfbb_ca9fc2cb","updated":"2024-04-30 08:24:16.000000000","message":"Done","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":69,"context_line":"   compute or volume host has to be able to directly use the encrypted image or"},{"line_number":70,"context_line":"   (if incompatible) transfer its encryption from e.g. qcow2-LUKS to raw"},{"line_number":71,"context_line":"   LUKS-encrypted blocks to be used for volumes. For this the OpenStack"},{"line_number":72,"context_line":"   services need access to the key in the key manager and a few metadata"},{"line_number":73,"context_line":"   information about the encrypted image."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"3. A user wants to download and directly decrypt an encrypted image to be used"},{"line_number":76,"context_line":"   privately or in another deployment. 
Therefore the download mechanism should"}],"source_content_type":"text/x-rst","patch_set":1,"id":"86788b8c_a4524115","line":73,"range":{"start_line":72,"start_character":58,"end_line":73,"end_character":14},"updated":"2024-04-29 14:07:49.000000000","message":"nit: maybe, \"a few image properties\"","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"d0fc8abb8ec05de0e148ff9cd81d9884155604cf","unresolved":false,"context_lines":[{"line_number":69,"context_line":"   compute or volume host has to be able to directly use the encrypted image or"},{"line_number":70,"context_line":"   (if incompatible) transfer its encryption from e.g. qcow2-LUKS to raw"},{"line_number":71,"context_line":"   LUKS-encrypted blocks to be used for volumes. For this the OpenStack"},{"line_number":72,"context_line":"   services need access to the key in the key manager and a few metadata"},{"line_number":73,"context_line":"   information about the encrypted image."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"3. A user wants to download and directly decrypt an encrypted image to be used"},{"line_number":76,"context_line":"   privately or in another deployment. 
Therefore the download mechanism should"}],"source_content_type":"text/x-rst","patch_set":1,"id":"156dc8e3_ef364cd1","line":73,"range":{"start_line":72,"start_character":58,"end_line":73,"end_character":14},"in_reply_to":"86788b8c_a4524115","updated":"2024-04-30 08:24:16.000000000","message":"Done","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":89,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":91,"context_line":"  should be deleted too"},{"line_number":92,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":93,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"To upload an encrypted image to Glance we want to add support for encrypting"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3930b7c9_629f20f5","line":92,"range":{"start_line":92,"start_character":34,"end_line":92,"end_character":65},"updated":"2024-04-29 14:07:49.000000000","message":"I think this description is left over from the GPG proposal?  We have disk_format to tell us \u0027qcow2\u0027 or \u0027raw\u0027 (what Cinder uses for luks; glance doesn\u0027t currently have a \u0027luks\u0027 disk_format).  We still need this property, however, because Cinder has an option where images can be stored in \u0027compressed\u0027 container_format in Glance, and so cinder would need to know to decompress the image before writing it to a volume.  
This makes me wonder whether it makes sense to have \u0027encrypted\u0027 be a container_format.  Maybe the way to detect an encrypted image is by the presence of the os_encrypt* properties?  (That\u0027s the way the image-signature-verification works.)","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":89,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":91,"context_line":"  should be deleted too"},{"line_number":92,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":93,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"To upload an encrypted image to Glance we want to add support for encrypting"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bb67c772_04853254","line":92,"range":{"start_line":92,"start_character":34,"end_line":92,"end_character":65},"in_reply_to":"1eb7432a_c8594305","updated":"2024-06-17 11:59:11.000000000","message":"Done","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"d0fc8abb8ec05de0e148ff9cd81d9884155604cf","unresolved":true,"context_lines":[{"line_number":89,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the 
key"},{"line_number":91,"context_line":"  should be deleted too"},{"line_number":92,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":93,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"To upload an encrypted image to Glance we want to add support for encrypting"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1eb7432a_c8594305","line":92,"range":{"start_line":92,"start_character":34,"end_line":92,"end_character":65},"in_reply_to":"3930b7c9_629f20f5","updated":"2024-04-30 08:24:16.000000000","message":"I think we should discuss this in the Glance meeting - we do have the concern that people might upload images with other container formats than qcow or raw and set all the encryption parameters. In this case there have to be checks in Cinder and Nova to not use these images. But allowing the upload of an unusable image would be a bad user experience imho.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":111,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":112,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":113,"context_line":"   directly to volumes again."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":116,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":117,"context_line":"corresponding metadata. 
After doing so the image can be used in the second"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4f341210_275577a9","line":114,"updated":"2024-04-29 14:07:49.000000000","message":"I think you need to say somewhere that the disk_format for Nova-style qcow2+luks will be \u0027qcow2\u0027, and the disk_format for Cinder-style LUKS container is \u0027raw\u0027.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":true,"context_lines":[{"line_number":111,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":112,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":113,"context_line":"   directly to volumes again."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":116,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":117,"context_line":"corresponding metadata. After doing so the image can be used in the second"}],"source_content_type":"text/x-rst","patch_set":1,"id":"be3ad2f0_b78f62ef","line":114,"in_reply_to":"0a959c09_a89e968d","updated":"2024-05-28 12:49:15.000000000","message":"So the used formats will be the same for Cinder and Nova. Should I still add this?","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":111,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. 
These will"},{"line_number":112,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":113,"context_line":"   directly to volumes again."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":116,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":117,"context_line":"corresponding metadata. After doing so the image can be used in the second"}],"source_content_type":"text/x-rst","patch_set":1,"id":"635bb665_9b139f67","line":114,"in_reply_to":"44273ded_52fd8b50","updated":"2024-06-17 11:59:11.000000000","message":"Done","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"41f7de8d6d3b7dc4062a8d085a466209dfdc516e","unresolved":true,"context_lines":[{"line_number":111,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":112,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":113,"context_line":"   directly to volumes again."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":116,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":117,"context_line":"corresponding metadata. 
After doing so the image can be used in the second"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0a959c09_a89e968d","line":114,"in_reply_to":"4f341210_275577a9","updated":"2024-05-15 01:34:04.000000000","message":"FWIW we will use both of them for Nova depending on whether the Nova image backend is qcow2 or raw or rbd.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"89f3327926b047e8467838f03216f2ea6c485d50","unresolved":true,"context_lines":[{"line_number":111,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":112,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":113,"context_line":"   directly to volumes again."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":116,"context_line":"another OpenStack infrastructure, upload the key as well and set the"},{"line_number":117,"context_line":"corresponding metadata. After doing so the image can be used in the second"}],"source_content_type":"text/x-rst","patch_set":1,"id":"44273ded_52fd8b50","line":114,"in_reply_to":"be3ad2f0_b78f62ef","updated":"2024-06-08 17:08:00.000000000","message":"Yes, at least the Cinder part, because qemu-img recognizes \u0027luks\u0027 as a format, and cinder considers a luks container as \u0027raw\u0027.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":134,"context_line":"a special metadata parameter. 
To not accidently delete a key, which is used to"},{"line_number":135,"context_line":"encrypt an image, we will let Glance register as a consumer of that key (secret"},{"line_number":136,"context_line":"in Barbican [1]) when the corresponding encrypted image is uploaded and"},{"line_number":137,"context_line":"unregister as a consumer when the image is deleted in Glance."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2896c473_8e9c1a13","line":137,"updated":"2024-04-29 14:07:49.000000000","message":"We have to be really careful about key management, because cinder at least, expects that there is *always* a 1-1 relation between a cinder resource and a secret in Barbican.  This is what allows cinder to delete secrets in barbican when cinder resources are deleted (and what makes the glance cinder_encryption_key_deletion_policy possible).\n\nI don\u0027t know what Nova\u0027s key management is like.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"d0fc8abb8ec05de0e148ff9cd81d9884155604cf","unresolved":false,"context_lines":[{"line_number":134,"context_line":"a special metadata parameter. 
To not accidently delete a key, which is used to"},{"line_number":135,"context_line":"encrypt an image, we will let Glance register as a consumer of that key (secret"},{"line_number":136,"context_line":"in Barbican [1]) when the corresponding encrypted image is uploaded and"},{"line_number":137,"context_line":"unregister as a consumer when the image is deleted in Glance."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":1,"id":"362fec5d_5681c1e2","line":137,"in_reply_to":"2896c473_8e9c1a13","updated":"2024-04-30 08:24:16.000000000","message":"I wrote it up in more detail: we do not want to change Cinder\u0027s workflow; rather, we want Nova to use the same. So we want to rename the cinder_encryption_key_deletion_policy. And have a combination with the check through the secret consumers.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c483dff6d46e293d2ff447549f6401b14a8fc7f3","unresolved":true,"context_lines":[{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"* Deployers MUST allow the usage of encrypted images by adding \u0027encrypted\u0027 in"},{"line_number":228,"context_line":"  \u0027container_formats\u0027. 
For interoperability between the OpenStack services only"},{"line_number":229,"context_line":"  the presence of a key manager should decide, whether encryption can be used"},{"line_number":230,"context_line":"  or not."},{"line_number":231,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"46957d42_aa4b870b","line":228,"range":{"start_line":228,"start_character":21,"end_line":228,"end_character":22},"updated":"2024-04-29 14:07:49.000000000","message":"in the Glance configuration file.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"d0fc8abb8ec05de0e148ff9cd81d9884155604cf","unresolved":false,"context_lines":[{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"* Deployers MUST allow the usage of encrypted images by adding \u0027encrypted\u0027 in"},{"line_number":228,"context_line":"  \u0027container_formats\u0027. 
For interoperability between the OpenStack services only"},{"line_number":229,"context_line":"  the presence of a key manager should decide, whether encryption can be used"},{"line_number":230,"context_line":"  or not."},{"line_number":231,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"980e4c15_9f14e2ff","line":228,"range":{"start_line":228,"start_character":21,"end_line":228,"end_character":22},"in_reply_to":"46957d42_aa4b870b","updated":"2024-04-30 08:24:16.000000000","message":"Done","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"68ff6ec0ec5d2f9852d956ba750b268c9e9edd36","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"* The secret consumer API in Barbican is required for Glance to be able to"},{"line_number":293,"context_line":"  register and unregister as a consumer of a secret"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Testing"},{"line_number":297,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bc7b65ae_9ac072cc","line":294,"updated":"2024-04-25 09:32:18.000000000","message":"A comment for the reviewers from Nova and Cinder:\n\nNova uses passphrases while Cinder uses keys and hexlifies them. In Glance we will only store the reference of the secret (id of key or passphrase). 
When retrieving the secret from Barbican in Cinder or Nova, there needs to be a different handling implemented for passphrases and keys.\n\nThis will and cannot be part of the Glance implementation.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"* The secret consumer API in Barbican is required for Glance to be able to"},{"line_number":293,"context_line":"  register and unregister as a consumer of a secret"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Testing"},{"line_number":297,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1bfc4a46_0c5b6291","line":294,"in_reply_to":"1f885304_a9c95e83","updated":"2024-06-17 11:59:11.000000000","message":"Acknowledged","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"41f7de8d6d3b7dc4062a8d085a466209dfdc516e","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"* The secret consumer API in Barbican is required for Glance to be able to"},{"line_number":293,"context_line":"  register and unregister as a consumer of a secret"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Testing"},{"line_number":297,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a86e0587_6575ca78","line":294,"in_reply_to":"9f3b0daf_93b1618c","updated":"2024-05-15 
01:34:04.000000000","message":"\u003e Nova uses passphrases while Cinder uses keys and hexlifies them. In Glance we will only store the reference of the secret (id of key or passphrase). When retrieving the secret from Barbican in Cinder or Nova, there needs to be a different handling implemented for passphrases and keys.\n\n\u003e This will and cannot be part of the Glance implementation.\n\n+1 this is how I understand it as well.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"df3801ec6cef9bfaa5b28f68ef42f3d1976bb527","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"* The secret consumer API in Barbican is required for Glance to be able to"},{"line_number":293,"context_line":"  register and unregister as a consumer of a secret"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Testing"},{"line_number":297,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f885304_a9c95e83","line":294,"in_reply_to":"9f3b0daf_93b1618c","updated":"2024-05-15 14:45:15.000000000","message":"Yep, glance only needs to store the key id. 
The interpretation of the key itself is not glance\u0027s problem.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"* The secret consumer API in Barbican is required for Glance to be able to"},{"line_number":293,"context_line":"  register and unregister as a consumer of a secret"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Testing"},{"line_number":297,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f3b0daf_93b1618c","line":294,"in_reply_to":"bc7b65ae_9ac072cc","updated":"2024-05-08 15:30:40.000000000","message":"since we agreed to do a cinder spec, this seems like a very good point to mention there.","commit_id":"fc0e4cd737cf50ffcfb4cac02e000bad544d847a"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":60,"context_line":"   ensure the integrity of the image, a signature can be generated and used"},{"line_number":61,"context_line":"   for verification. Additionally, the user wants to protect the"},{"line_number":62,"context_line":"   confidentiality of the image data through encryption. The user generates or"},{"line_number":63,"context_line":"   uploads a key in the key manager (e.g. 
Barbican) and uses it to encrypt the"},{"line_number":64,"context_line":"   image locally using the OpenStack client (osc) when uploading it."},{"line_number":65,"context_line":"   Consequently, the image stored on the Glance host is encrypted."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. A user wants to create a new server or volume based on a) an encrypted image"}],"source_content_type":"text/x-rst","patch_set":2,"id":"487eb1a9_dcc39aee","line":64,"range":{"start_line":63,"start_character":52,"end_line":64,"end_character":68},"updated":"2024-05-08 15:30:40.000000000","message":"I\u0027m unsure if we want to have this capability in OSC since I only see OSC as a tool to provide a CLI interface to users and not actually perform functionality for any API or resource.\nStephen can comment better on it so I think it\u0027s good to have him included in the discussion.\n\nAlso why are we not doing it in the glance or glance_store codebase? glance_store does the actual upload of the image into the backend in chunks so it should be feasible to encrypt it at that time right?","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"7d69d766cefb9b2791caec80e5b06c42e6baff2e","unresolved":true,"context_lines":[{"line_number":60,"context_line":"   ensure the integrity of the image, a signature can be generated and used"},{"line_number":61,"context_line":"   for verification. Additionally, the user wants to protect the"},{"line_number":62,"context_line":"   confidentiality of the image data through encryption. The user generates or"},{"line_number":63,"context_line":"   uploads a key in the key manager (e.g. 
Barbican) and uses it to encrypt the"},{"line_number":64,"context_line":"   image locally using the OpenStack client (osc) when uploading it."},{"line_number":65,"context_line":"   Consequently, the image stored on the Glance host is encrypted."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. A user wants to create a new server or volume based on a) an encrypted image"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2af76d8d_0aaad7fb","line":64,"range":{"start_line":63,"start_character":52,"end_line":64,"end_character":68},"in_reply_to":"23db09ab_c17191cb","updated":"2024-05-16 10:11:12.000000000","message":"Glance will never encrypt or decrypt images, but will only store them. This means images have to be uploaded to Glance already encrypted.\n\nFor Nova (and Cinder and other possible Image uploading services) this means they have to do encryption (and decryption if necessary).\n\nFor users who upload images to Glance this is also the way to go. Now we might (pretty sure will) have users asking about not only uploading already encrypted images, but also encrypting those images for them. In that case we could add this functionality to OSC. So the encryption will happen on the client side, before we even talk to Glance.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5094f3177629d80418b249e3628621088bc812e1","unresolved":true,"context_lines":[{"line_number":60,"context_line":"   ensure the integrity of the image, a signature can be generated and used"},{"line_number":61,"context_line":"   for verification. Additionally, the user wants to protect the"},{"line_number":62,"context_line":"   confidentiality of the image data through encryption. The user generates or"},{"line_number":63,"context_line":"   uploads a key in the key manager (e.g. 
Barbican) and uses it to encrypt the"},{"line_number":64,"context_line":"   image locally using the OpenStack client (osc) when uploading it."},{"line_number":65,"context_line":"   Consequently, the image stored on the Glance host is encrypted."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. A user wants to create a new server or volume based on a) an encrypted image"}],"source_content_type":"text/x-rst","patch_set":2,"id":"80e212ce_84e61e30","line":64,"range":{"start_line":63,"start_character":52,"end_line":64,"end_character":68},"in_reply_to":"2af76d8d_0aaad7fb","updated":"2024-05-16 13:40:48.000000000","message":"Note that glance needs to read the image in cases where it does image conversion or format detection. Saying glance won\u0027t decrypt an image means image conversion can never be used on an encrypted image. Whether or not that\u0027s a good rule to have is debatable I think.\n\nNot being able to inspect the image for backing-file safety and metadata like virtual_size detection, will be unfortunate, but also not really practical to work around I think.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"df3801ec6cef9bfaa5b28f68ef42f3d1976bb527","unresolved":true,"context_lines":[{"line_number":60,"context_line":"   ensure the integrity of the image, a signature can be generated and used"},{"line_number":61,"context_line":"   for verification. Additionally, the user wants to protect the"},{"line_number":62,"context_line":"   confidentiality of the image data through encryption. The user generates or"},{"line_number":63,"context_line":"   uploads a key in the key manager (e.g. 
Barbican) and uses it to encrypt the"},{"line_number":64,"context_line":"   image locally using the OpenStack client (osc) when uploading it."},{"line_number":65,"context_line":"   Consequently, the image stored on the Glance host is encrypted."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. A user wants to create a new server or volume based on a) an encrypted image"}],"source_content_type":"text/x-rst","patch_set":2,"id":"23db09ab_c17191cb","line":64,"range":{"start_line":63,"start_character":52,"end_line":64,"end_character":68},"in_reply_to":"487eb1a9_dcc39aee","updated":"2024-05-15 14:45:15.000000000","message":"IMHO, the image should be encrypted as end-to-end as possible. That means if I am creating my image locally, I should be able to encrypt it, upload it as such and not have it decrypted except as needed when my guest reads blocks from it.\n\nSimilarly, if I create a guest with encrypted disk in cloud A, I should be able to shut down that instance, have its disk encrypted at rest, download my image, upload it to another cloud, and continue working without needing to de- or re-encrypt it.\n\nFor nova\u0027s use case, we don\u0027t want the client to decrypt the image, since we read it as encrypted during use.\n\nI read this text not as that OSC is doing the encryption (perhaps the signing though). To me, this reads as \"the user creates the encrypted image, uploads the key to barbican, then uploads the image *using* the client, setting the appropriate properties.\"","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":60,"context_line":"   ensure the integrity of the image, a signature can be generated and used"},{"line_number":61,"context_line":"   for verification. 
Additionally, the user wants to protect the"},{"line_number":62,"context_line":"   confidentiality of the image data through encryption. The user generates or"},{"line_number":63,"context_line":"   uploads a key in the key manager (e.g. Barbican) and uses it to encrypt the"},{"line_number":64,"context_line":"   image locally using the OpenStack client (osc) when uploading it."},{"line_number":65,"context_line":"   Consequently, the image stored on the Glance host is encrypted."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. A user wants to create a new server or volume based on a) an encrypted image"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d24780a6_fdbdcfa1","line":64,"range":{"start_line":63,"start_character":52,"end_line":64,"end_character":68},"in_reply_to":"80e212ce_84e61e30","updated":"2024-06-17 11:59:11.000000000","message":"Acknowledged","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":74,"context_line":"   properties about the encrypted image."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"3. A user wants to download and directly decrypt an encrypted image to be used"},{"line_number":77,"context_line":"   privately or in another deployment. 
Therefore the download mechanism should"},{"line_number":78,"context_line":"   be adjusted on client side to directly decrypt such an image."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"73db1257_df734752","line":78,"range":{"start_line":77,"start_character":39,"end_line":78,"end_character":64},"updated":"2024-05-08 15:30:40.000000000","message":"again I\u0027m unsure if we want to delegate the decryption task to the client ...","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":74,"context_line":"   properties about the encrypted image."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"3. A user wants to download and directly decrypt an encrypted image to be used"},{"line_number":77,"context_line":"   privately or in another deployment. 
Therefore the download mechanism should"},{"line_number":78,"context_line":"   be adjusted on client side to directly decrypt such an image."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2ba1a3b8_81239b79","line":78,"range":{"start_line":77,"start_character":39,"end_line":78,"end_character":64},"in_reply_to":"73db1257_df734752","updated":"2024-06-17 11:59:11.000000000","message":"I changed the wording here to only suggest that it might be possible to add encryption / decryption to OSC later on.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. \u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. 
\u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3398bc4d_612aab3b","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"updated":"2024-05-08 15:30:40.000000000","message":"what is the use case of keeping the key after the image is deleted?\nedit: after reading L#140, looks like we are delegating the task from cinder/nova to glance for deleting the key but I still don\u0027t understand the case where this parameter is set to NO and we delete the image and the key remains in barbican, then how will nova/cinder delete the key? or if there is another use case for that key after the image is gone","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"4052870da4fe7725f14d1c46ff93ea7999869860","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. \u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. 
\u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5d0b396a_b2f8947c","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"0657503b_0bb01c49","updated":"2024-06-03 09:05:37.000000000","message":"I clarified the part of the key management and added a few sentences.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"41f7de8d6d3b7dc4062a8d085a466209dfdc516e","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. \u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. 
\u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"412955d3_79102d56","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"12d09202_dd5a09b9","updated":"2024-05-15 01:34:04.000000000","message":"Being able to say `os_encrypt_key_deletion_policy\u003dtrue` assumes that the `os_encrypt_key_id` is unique to the image and that deleting the key would not affect other images or volumes or instances that are also using it.\n\nIt is possible for Nova or Cinder or whoever to use the same `os_encrypt_key_id` to encrypt multiple things and if they did that, they would either use `os_encrypt_key_deletion_policy\u003dfalse` or use the Barbican consumers API to prevent Glance from deleting the key if anything is still using it. If Glance deletes the image but fails to delete the key because of existing consumers, then deletion of the key would have to be handled by the consuming service or user (not Glance) after that.\n\nIn Nova I\u0027m planning to use a unique key UUID per image and `os_encrypt_key_deletion_policy\u003dtrue`.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"df3801ec6cef9bfaa5b28f68ef42f3d1976bb527","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. 
\u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"78c88368_d7bba4aa","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"12d09202_dd5a09b9","updated":"2024-05-15 14:45:15.000000000","message":"The key could be used by multiple images, and/or re-used if replacing an image. For example, I could take an image, download it, update the software inside, upload it as \"image 2.0\" and reference the same key. We should be very careful about deleting keys as it has the same impact as deleting data. Nova is going to be very careful about ever deleting keys other than ones it created for specific uses. Knowing how much trouble auto-delete volumes can be for our users, I think having a knob to convey intent before a delete is pretty important given the penalty for deleting someone\u0027s key accidentally.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"7ecf10a7bb17ec90cfaaa4bb6cdb73cf7832b26a","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. 
\u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"12d09202_dd5a09b9","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"3398bc4d_612aab3b","updated":"2024-05-14 08:09:00.000000000","message":"With this new set of metadata we want to establish an interoperable image encryption format (between Cinder, Nova and potentially more) based on the needs and functionality of the services involved.\n\nWe took the current implementation of encrypted images in Cinder[^1] (i.e. \"os-volume_upload_image\" on encrypted volumes) as a basis and aimed to preserve its feature set in order to not introduce functional regressions.\nThis parameter is already part of Cinder\u0027s implementation currently albeit with a different naming scheme.\n\n[^1]: https://github.com/openstack/cinder/blob/6e71a67f4da86bf95ca118eeb26ad75de2a19c1f/cinder/api/contrib/volume_actions.py#L231-L236","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. 
\u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. \u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. \u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"e9540425_3168da32","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"5d0b396a_b2f8947c","updated":"2024-06-17 11:59:11.000000000","message":"Acknowledged","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"7d69d766cefb9b2791caec80e5b06c42e6baff2e","unresolved":true,"context_lines":[{"line_number":88,"context_line":"* \u0027os_encrypt_format\u0027 - the main mechanism used, e.g. \u0027LUKS\u0027"},{"line_number":89,"context_line":"* \u0027os_encrypt_cipher\u0027 - the cipher algorithm, e.g. \u0027AES256\u0027"},{"line_number":90,"context_line":"* \u0027os_encrypt_key_id\u0027 - reference to key in the key manager"},{"line_number":91,"context_line":"* \u0027os_encrypt_key_deletion_policy\u0027 - on image deletion indicates whether the key"},{"line_number":92,"context_line":"  should be deleted too"},{"line_number":93,"context_line":"* \u0027os_decrypt_container_format\u0027 - format after payload decryption, e.g. 
\u0027qcow\u0027"},{"line_number":94,"context_line":"* \u0027os_decrypt_size\u0027 - size after payload decryption"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0657503b_0bb01c49","line":92,"range":{"start_line":91,"start_character":65,"end_line":92,"end_character":23},"in_reply_to":"78c88368_d7bba4aa","updated":"2024-05-16 10:11:12.000000000","message":"This basically aims to be a double check on an image deletion:\n1. check whether `os_encrypt_key_deletion_policy\u003dtrue` - this should only ever be set when the key is unique.\n2. using the secret consumers: if there is accidentally another consumer of the secret, barbican will not allow the secret to be deleted (unless you use \"--force\").\n\nFor the second part we will let Glance register as a consumer of a secret as soon as an encrypted image is uploaded. And unregister as a consumer when an image is deleted. So we will prevent deletion of a secret when it is accidentally used by two images.\n\nCinder always clones the key when storing an encrypted image - so that key is unique, and melwitt said that Nova will do that too.\n\nSo with all these constraints I think it is okay to \u003etry to\u003c delete a secret after an image deletion. If an error occurs on secret deletion because there are still other consumers, we will catch it, log it, and proceed without deleting the secret.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":109,"context_line":"1. Nova can directly use qcow-LUKS encrypted when creating a server. This is"},{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. 
These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5474d7e7_c541324c","line":112,"range":{"start_line":112,"start_character":3,"end_line":112,"end_character":63},"updated":"2024-05-08 15:30:40.000000000","message":"I think we are referring to the upload volume to image feature here, so we could upload encrypted volumes as images.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":109,"context_line":"1. Nova can directly use qcow-LUKS encrypted when creating a server. This is"},{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bb316d50_5e8697a6","line":112,"range":{"start_line":112,"start_character":3,"end_line":112,"end_character":63},"in_reply_to":"19e483c9_619503ad","updated":"2024-06-17 11:59:11.000000000","message":"Acknowledged","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"7ecf10a7bb17ec90cfaaa4bb6cdb73cf7832b26a","unresolved":true,"context_lines":[{"line_number":109,"context_line":"1. 
Nova can directly use qcow-LUKS encrypted when creating a server. This is"},{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"19e483c9_619503ad","line":112,"range":{"start_line":112,"start_character":3,"end_line":112,"end_character":63},"in_reply_to":"5474d7e7_c541324c","updated":"2024-05-14 08:09:00.000000000","message":"Correct. This specifically refers to the \"os-volume_upload_image\" API action on volumes that are using a LUKS-encrypted volume type. This will result in a dump of the LUKS-encrypted blocks as the contents of the image in Glance.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. 
Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":117,"context_line":"another OpenStack infrastructure, upload the key as well and set the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e8bf674f_767ea3ba","line":114,"range":{"start_line":113,"start_character":47,"end_line":114,"end_character":29},"updated":"2024-05-08 15:30:40.000000000","message":"this looks a little ambiguous to me, do we mean we can create a bootable volume from such an image? what happens if i create an unencrypted volume from an image that is created by uploading an encrypted volume?\n\n1. create encrypted volume\n2. upload encrypted volume to image\n3. create unencrypted volume from the image -- what happens in this case?","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"7d69d766cefb9b2791caec80e5b06c42e6baff2e","unresolved":true,"context_lines":[{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. 
Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":117,"context_line":"another OpenStack infrastructure, upload the key as well and set the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b3898885_2cf2a11f","line":114,"range":{"start_line":113,"start_character":47,"end_line":114,"end_character":29},"in_reply_to":"8392145e_fb2a7571","updated":"2024-05-16 10:11:12.000000000","message":"I also mentioned these cases in the Cinder spec of the image encryption. We will need to forbid using an encrypted image for an unencrypted volume. See: https://review.opendev.org/c/openstack/cinder-specs/+/919499","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":false,"context_lines":[{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. 
Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":117,"context_line":"another OpenStack infrastructure, upload the key as well and set the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df6a0534_daeb6129","line":114,"range":{"start_line":113,"start_character":47,"end_line":114,"end_character":29},"in_reply_to":"b3898885_2cf2a11f","updated":"2024-05-28 12:49:15.000000000","message":"But in the end, this is Cinders responsibility. The check, whether an image can be used with a certain volume type or not needs to happen in the Cinder API.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"7ecf10a7bb17ec90cfaaa4bb6cdb73cf7832b26a","unresolved":true,"context_lines":[{"line_number":110,"context_line":"   the standard procedure of Nova."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"2. Cinder allows the creation of Images from encrypted volumes. These will"},{"line_number":113,"context_line":"   always result in LUKS-encrypted raw images. 
Those images can be converted"},{"line_number":114,"context_line":"   directly to volumes again."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"In the latter case it is already possible to upload such an encrpyted image to"},{"line_number":117,"context_line":"another OpenStack infrastructure, upload the key as well and set the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8392145e_fb2a7571","line":114,"range":{"start_line":113,"start_character":47,"end_line":114,"end_character":29},"in_reply_to":"e8bf674f_767ea3ba","updated":"2024-05-14 08:09:00.000000000","message":"Currently such volume would become unusable, see https://bugs.launchpad.net/cinder/+bug/2061154\n\nChecks are currently missing in Cinder that verify the compatibility between the image (i.e. its encryption state) and target volume type. There are cases where Cinder fails to properly consume images it created itself with Cinder\u0027s current implementation. See the example in the bug report.","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":183,"context_line":"REST API impact"},{"line_number":184,"context_line":"---------------"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"While uploading an image, which should be encrypted, additional properties in"},{"line_number":187,"context_line":"the request body will need to be introduced to specify the desired encryption"},{"line_number":188,"context_line":"format and key id. 
Both to be used while encrypting the image locally before"},{"line_number":189,"context_line":"uploading it."},{"line_number":190,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ecf5e39e_1f47994d","line":187,"range":{"start_line":186,"start_character":52,"end_line":187,"end_character":16},"updated":"2024-05-08 15:30:40.000000000","message":"good to have an example of payload for cinder/nova reference as to which properties needs to be provided","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":false,"context_lines":[{"line_number":183,"context_line":"REST API impact"},{"line_number":184,"context_line":"---------------"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"While uploading an image, which should be encrypted, additional properties in"},{"line_number":187,"context_line":"the request body will need to be introduced to specify the desired encryption"},{"line_number":188,"context_line":"format and key id. Both to be used while encrypting the image locally before"},{"line_number":189,"context_line":"uploading it."},{"line_number":190,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f7ea82a2_8c07f1d3","line":187,"range":{"start_line":186,"start_character":52,"end_line":187,"end_character":16},"in_reply_to":"ecf5e39e_1f47994d","updated":"2024-05-28 12:49:15.000000000","message":"The additional properties should reside in the \"extra_properties\". 
The Glance side will look like this patchset: https://review.opendev.org/c/openstack/glance/+/902648/2/glance/api/v2/images.py#173 (this is from the old GPG encryption, but it is extremely similar)","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0c3138614286db032bb17d9edb3fa5368c941f35","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  types in \u0027container_formats\u0027 will make public images unavailable due to the"},{"line_number":245,"context_line":"  lack of a public secrets functionality in Barbican."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"* A key manager - like Barbican - is required, if encrypted images are to be"},{"line_number":248,"context_line":"  used."},{"line_number":249,"context_line":""},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"64f3c370_d34cbc82","line":247,"range":{"start_line":247,"start_character":23,"end_line":247,"end_character":31},"updated":"2024-05-08 15:30:40.000000000","message":"do we have other key manager support in OpenStack? and do they support the requirements of this feature? 
not necessary but it would simplify the spec if we just mention Barbican (specific project) instead of key manager (generic term) but that\u0027s just a suggestion and I\u0027m not very inclined on making that change","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"7ecf10a7bb17ec90cfaaa4bb6cdb73cf7832b26a","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  types in \u0027container_formats\u0027 will make public images unavailable due to the"},{"line_number":245,"context_line":"  lack of a public secrets functionality in Barbican."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"* A key manager - like Barbican - is required, if encrypted images are to be"},{"line_number":248,"context_line":"  used."},{"line_number":249,"context_line":""},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9311b0c0_f6396bf1","line":247,"range":{"start_line":247,"start_character":23,"end_line":247,"end_character":31},"in_reply_to":"64f3c370_d34cbc82","updated":"2024-05-14 08:09:00.000000000","message":"Cinder uses Castellan[^1] as a generic key manager interface. Barbican is more or less the OpenStack-specific reference implementation of the Key Manager API which Castellan is the abstraction layer for as far as I understand. However, Castellan currently states[^2]: \"Secret consumers are currently only avaliable for the Barbican backend.\".\n\nI think we\u0027d want the secret consumer functionality here, so currently we\u0027d be limited to Barbican. 
However, if any backend implementation of Castellan offers this feature set in the future, it should be supported as well.\n\n[^1]: https://github.com/openstack/cinder/blob/6e71a67f4da86bf95ca118eeb26ad75de2a19c1f/cinder/volume/flows/manager/create_volume.py#L20\n\n[^2]: https://docs.openstack.org/castellan/latest/user/index.html#basic-usage","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":244,"context_line":"  types in \u0027container_formats\u0027 will make public images unavailable due to the"},{"line_number":245,"context_line":"  lack of a public secrets functionality in Barbican."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"* A key manager - like Barbican - is required, if encrypted images are to be"},{"line_number":248,"context_line":"  used."},{"line_number":249,"context_line":""},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"e550a83d_a347161e","line":247,"range":{"start_line":247,"start_character":23,"end_line":247,"end_character":31},"in_reply_to":"9311b0c0_f6396bf1","updated":"2024-06-17 11:59:11.000000000","message":"Acknowledged","commit_id":"b080d6628f0b1b9f9ac650cf5359a0ce9d91b469"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"752b46e2abf133ce8aee37c5e70ea9ed4cc640e3","unresolved":true,"context_lines":[{"line_number":128,"context_line":"handled in similar ways by both Cinder and Nova."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"The key management is handled differently than with encrypted volumes or"},{"line_number":131,"context_line":"encrypted ephemeral storage. 
The reason for this is, that the encryption and"},{"line_number":132,"context_line":"decryption of an image will never happen in Glance but only on client side."},{"line_number":133,"context_line":"Therefore the service which needs to create a key for a newly created"},{"line_number":134,"context_line":"encrypted image may not be the same service which then has to delete the key"},{"line_number":135,"context_line":"(in most cases Glance). To delete a key, which has not been created by the same"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9eda8ac8_a68a0b13","line":132,"range":{"start_line":131,"start_character":62,"end_line":132,"end_character":50},"updated":"2024-05-21 13:58:06.000000000","message":"Again, you either need to call out that image conversion will not be possible on encrypted images, or say that glance *will* do those things if it has the key_id (and access to it). Also note that without access to the key, glance won\u0027t be able to do any sort of image inspection (for virtual_size, format confirmation, backing file rejection, etc). I think it\u0027s worth mentioning those drawbacks here.","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":false,"context_lines":[{"line_number":128,"context_line":"handled in similar ways by both Cinder and Nova."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"The key management is handled differently than with encrypted volumes or"},{"line_number":131,"context_line":"encrypted ephemeral storage. 
The reason for this is, that the encryption and"},{"line_number":132,"context_line":"decryption of an image will never happen in Glance but only on client side."},{"line_number":133,"context_line":"Therefore the service which needs to create a key for a newly created"},{"line_number":134,"context_line":"encrypted image may not be the same service which then has to delete the key"},{"line_number":135,"context_line":"(in most cases Glance). To delete a key, which has not been created by the same"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ed1850d3_431a91ce","line":132,"range":{"start_line":131,"start_character":62,"end_line":132,"end_character":50},"in_reply_to":"9eda8ac8_a68a0b13","updated":"2024-05-28 12:49:15.000000000","message":"I added a paragraph at the end of the proposed change section.","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"752b46e2abf133ce8aee37c5e70ea9ed4cc640e3","unresolved":true,"context_lines":[{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* image encryption is introduced formally, thus cryptographic algorithms will"},{"line_number":216,"context_line":"  be used in all involved components (Nova, Cinder, OSC)"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Notifications impact"},{"line_number":220,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ae3f6149_53a98d3f","line":217,"updated":"2024-05-21 13:58:06.000000000","message":"Can you add:\n\n* Glance may lose the ability to provide a first-layer defense against image policy violations (such as rejecting invalid/disallowed formats)\n\n?","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":28271,"name":"Josephine 
Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"1b32091d9013e35f6d08e825ccfda7994dc51c53","unresolved":false,"context_lines":[{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* image encryption is introduced formally, thus cryptographic algorithms will"},{"line_number":216,"context_line":"  be used in all involved components (Nova, Cinder, OSC)"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Notifications impact"},{"line_number":220,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cef9b1e4_ecb3078f","line":217,"in_reply_to":"ae3f6149_53a98d3f","updated":"2024-05-28 12:49:15.000000000","message":"I added a half-sentence and then added it","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0950443b41549ecbf4e33162a42e4640fbe1a4bf","unresolved":false,"context_lines":[{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* image encryption is introduced formally, thus cryptographic algorithms will"},{"line_number":216,"context_line":"  be used in all involved components (Nova, Cinder, OSC)"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Notifications impact"},{"line_number":220,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fec2e07e_63f87252","line":217,"in_reply_to":"cef9b1e4_ecb3078f","updated":"2024-05-28 14:06:21.000000000","message":"Thanks.","commit_id":"b3eedc420122e3d4fb24d2f0e2ffa4281fd18cb4"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0950443b41549ecbf4e33162a42e4640fbe1a4bf","unresolved":true,"context_lines":[{"line_number":150,"context_line":"corresponding encrypted image is uploaded and unregister as a consumer when the"},{"line_number":151,"context_line":"image is deleted in Glance."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"As the possible image formats that will support encryption are only raw and"},{"line_number":154,"context_line":"qcow2, image conversion with encrypted images will not be allowed. The vmdk"},{"line_number":155,"context_line":"format is not supported by this spec and the conversion itself would need"},{"line_number":156,"context_line":"decryption and encryption to be handled by Glance. This would be more than the"},{"line_number":157,"context_line":"scope of this spec should be."}],"source_content_type":"text/x-rst","patch_set":5,"id":"b3cb8dca_6895c728","line":154,"range":{"start_line":153,"start_character":0,"end_line":154,"end_character":66},"updated":"2024-05-28 14:06:21.000000000","message":"I don\u0027t mean to be too pedantic, but this has nothing to do with why image conversion isn\u0027t supported. It\u0027s surely quite possible to support converting between image formats (raw and qcow2 at least). I assume you\u0027re not planning to actually do it, which is why it won\u0027t be supported. The statement about vmdk makes sense, of course. So I\u0027d suggest changing this first sentence to something like:\n```\nimage conversion will not be encyrption-aware as part of this spec and as such, conversion of encrypted images will not be supported.\n```\nI think you should also state what will happen in this case. If image conversion is enabled and someone uploads an encrypted image, what will we do? Allow it to go ACTIVE in the wrong format? Put the image in ERROR state because it is not/can not be converted to the right format? 
I suppose if an operator is trying to avoid having, for example, qcow images in their ceph-only cloud, they may want the error behavior.","commit_id":"73276bac98b419d722d6a7a008bed1f210b0b3a4"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":150,"context_line":"corresponding encrypted image is uploaded and unregister as a consumer when the"},{"line_number":151,"context_line":"image is deleted in Glance."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"As the possible image formats that will support encryption are only raw and"},{"line_number":154,"context_line":"qcow2, image conversion with encrypted images will not be allowed. The vmdk"},{"line_number":155,"context_line":"format is not supported by this spec and the conversion itself would need"},{"line_number":156,"context_line":"decryption and encryption to be handled by Glance. 
This would be more than the"},{"line_number":157,"context_line":"scope of this spec should be."}],"source_content_type":"text/x-rst","patch_set":5,"id":"ff2c156d_ffcff95c","line":154,"range":{"start_line":153,"start_character":0,"end_line":154,"end_character":66},"in_reply_to":"987b5fd5_80da5134","updated":"2024-06-17 11:59:11.000000000","message":"Done","commit_id":"73276bac98b419d722d6a7a008bed1f210b0b3a4"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"4052870da4fe7725f14d1c46ff93ea7999869860","unresolved":true,"context_lines":[{"line_number":150,"context_line":"corresponding encrypted image is uploaded and unregister as a consumer when the"},{"line_number":151,"context_line":"image is deleted in Glance."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"As the possible image formats that will support encryption are only raw and"},{"line_number":154,"context_line":"qcow2, image conversion with encrypted images will not be allowed. The vmdk"},{"line_number":155,"context_line":"format is not supported by this spec and the conversion itself would need"},{"line_number":156,"context_line":"decryption and encryption to be handled by Glance. 
This would be more than the"},{"line_number":157,"context_line":"scope of this spec should be."}],"source_content_type":"text/x-rst","patch_set":5,"id":"987b5fd5_80da5134","line":154,"range":{"start_line":153,"start_character":0,"end_line":154,"end_character":66},"in_reply_to":"b3cb8dca_6895c728","updated":"2024-06-03 09:05:37.000000000","message":"I\u0027ll add that.","commit_id":"73276bac98b419d722d6a7a008bed1f210b0b3a4"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"89f3327926b047e8467838f03216f2ea6c485d50","unresolved":true,"context_lines":[{"line_number":155,"context_line":"image or some other ressource and we do not want to delete it, we rather assume"},{"line_number":156,"context_line":"that the \"os_encrypt_key_deletion_policy\" was set mistakenly set to \"True\"."},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Image conversion will not be encyrption-aware as part of this spec and as such,"},{"line_number":159,"context_line":"conversion of encrypted images will not be supported. The vmdk format is not"},{"line_number":160,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":161,"context_line":"encryption to be handled by Glance. 
This would be more than the scope of this"}],"source_content_type":"text/x-rst","patch_set":6,"id":"66b4acdd_1cec7130","line":158,"range":{"start_line":158,"start_character":29,"end_line":158,"end_character":39},"updated":"2024-06-08 17:08:00.000000000","message":"\"encryption\"","commit_id":"ca223f0c702423c2d4c357ad90868b9466f9c3b7"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":155,"context_line":"image or some other ressource and we do not want to delete it, we rather assume"},{"line_number":156,"context_line":"that the \"os_encrypt_key_deletion_policy\" was set mistakenly set to \"True\"."},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Image conversion will not be encyrption-aware as part of this spec and as such,"},{"line_number":159,"context_line":"conversion of encrypted images will not be supported. The vmdk format is not"},{"line_number":160,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":161,"context_line":"encryption to be handled by Glance. 
This would be more than the scope of this"}],"source_content_type":"text/x-rst","patch_set":6,"id":"cfa66bcd_d6c658b3","line":158,"range":{"start_line":158,"start_character":29,"end_line":158,"end_character":39},"in_reply_to":"66b4acdd_1cec7130","updated":"2024-06-17 11:59:11.000000000","message":"Done","commit_id":"ca223f0c702423c2d4c357ad90868b9466f9c3b7"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"89f3327926b047e8467838f03216f2ea6c485d50","unresolved":true,"context_lines":[{"line_number":254,"context_line":"aren’t encrypted."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"When creating a volume or server from an encrypted image the only operation"},{"line_number":257,"context_line":"that may be triggerd is the conversion between qcow-LUKS and raw LUKS blocks."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"Thus, any performance impact is only applicable to the newly introduced"},{"line_number":260,"context_line":"encrypted image type where the processing of the image will have increased"}],"source_content_type":"text/x-rst","patch_set":6,"id":"2e769e97_53dc8046","line":257,"range":{"start_line":257,"start_character":12,"end_line":257,"end_character":21},"updated":"2024-06-08 17:08:00.000000000","message":"\"triggered\"","commit_id":"ca223f0c702423c2d4c357ad90868b9466f9c3b7"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"45b518f330537553a4a3678833086bb2cbcc3d8d","unresolved":false,"context_lines":[{"line_number":254,"context_line":"aren’t encrypted."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"When creating a volume or server from an encrypted image the only operation"},{"line_number":257,"context_line":"that may be triggerd is the conversion between qcow-LUKS and raw LUKS 
blocks."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"Thus, any performance impact is only applicable to the newly introduced"},{"line_number":260,"context_line":"encrypted image type where the processing of the image will have increased"}],"source_content_type":"text/x-rst","patch_set":6,"id":"202df29b_927563e8","line":257,"range":{"start_line":257,"start_character":12,"end_line":257,"end_character":21},"in_reply_to":"2e769e97_53dc8046","updated":"2024-06-17 11:59:11.000000000","message":"Done","commit_id":"ca223f0c702423c2d4c357ad90868b9466f9c3b7"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"An image, when uploaded to Glance or being created through Nova from an"},{"line_number":29,"context_line":"existing server (VM), may contain sensitive information. The already provided"},{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. First and foremost this"},{"line_number":32,"context_line":"includes the image storage hosts of Glance itself. 
Furthermore it might also"}],"source_content_type":"text/x-rst","patch_set":8,"id":"107cbb7a_7d8b0d4f","line":29,"range":{"start_line":29,"start_character":17,"end_line":29,"end_character":19},"updated":"2024-06-19 17:19:50.000000000","message":"nit - VM snapshot?","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":false,"context_lines":[{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"An image, when uploaded to Glance or being created through Nova from an"},{"line_number":29,"context_line":"existing server (VM), may contain sensitive information. The already provided"},{"line_number":30,"context_line":"signature functionality only protects images against alteration. Images may be"},{"line_number":31,"context_line":"stored on several hosts over long periods of time. First and foremost this"},{"line_number":32,"context_line":"includes the image storage hosts of Glance itself. Furthermore it might also"}],"source_content_type":"text/x-rst","patch_set":8,"id":"6051a562_2939acb6","line":29,"range":{"start_line":29,"start_character":17,"end_line":29,"end_character":19},"in_reply_to":"107cbb7a_7d8b0d4f","updated":"2024-06-21 09:40:58.000000000","message":"Done","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":145,"context_line":"2. if Cinder or Nova are uploading an image, they are responsible for creating"},{"line_number":146,"context_line":"   a key (e.g. 
as it is handled in Cinder currently)."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Optionally the deletion of the secret can be delegated to Glance through"},{"line_number":149,"context_line":"setting the special metadata parameter \"os_encrypt_key_deletion_policy\" to"},{"line_number":150,"context_line":"true. This behavior is already implemented for encrypted images from Cinder,"},{"line_number":151,"context_line":"we will only rename the property so it is not solely be usable by Cinder."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"To not accidently delete a key, which is used to encrypt an image, we will let"},{"line_number":154,"context_line":"Glance register as a consumer of that key (secret in Barbican [1]) when the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1b7b6301_1e15a90e","line":151,"range":{"start_line":148,"start_character":0,"end_line":151,"end_character":73},"updated":"2024-06-19 17:19:50.000000000","message":"and this will be allowed only for case 2 mentioned at line 145, right?","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":true,"context_lines":[{"line_number":145,"context_line":"2. if Cinder or Nova are uploading an image, they are responsible for creating"},{"line_number":146,"context_line":"   a key (e.g. as it is handled in Cinder currently)."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Optionally the deletion of the secret can be delegated to Glance through"},{"line_number":149,"context_line":"setting the special metadata parameter \"os_encrypt_key_deletion_policy\" to"},{"line_number":150,"context_line":"true. 
This behavior is already implemented for encrypted images from Cinder,"},{"line_number":151,"context_line":"we will only rename the property so it is not solely be usable by Cinder."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"To not accidently delete a key, which is used to encrypt an image, we will let"},{"line_number":154,"context_line":"Glance register as a consumer of that key (secret in Barbican [1]) when the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f5242cbd_222fc62e","line":151,"range":{"start_line":148,"start_character":0,"end_line":151,"end_character":73},"in_reply_to":"1b7b6301_1e15a90e","updated":"2024-06-21 09:40:58.000000000","message":"We need to also enable it for Images, that are VM snapshots - so they come from Nova.\n\nIn combination with the Barbican consumers API, we could also give users the option to use this parameter (default will be false - users should be responsible for their own keys). When users set this, they obviously need to know, that the key will be deleted and should not be used.\n\nThis is also a part of standardization, so that all workflows are aligned. It should not matter where an encrypted image comes from (Cinder, Nova or a User). We should give them all the same workflow.\n\nThen there are also already automation workflows from the layer above IaaS. These could also benefit from such a clear workflow.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"338465edbe1dbd6b0fb2b6bf53c65c7d877ad9ea","unresolved":false,"context_lines":[{"line_number":145,"context_line":"2. if Cinder or Nova are uploading an image, they are responsible for creating"},{"line_number":146,"context_line":"   a key (e.g. 
as it is handled in Cinder currently)."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Optionally the deletion of the secret can be delegated to Glance through"},{"line_number":149,"context_line":"setting the special metadata parameter \"os_encrypt_key_deletion_policy\" to"},{"line_number":150,"context_line":"true. This behavior is already implemented for encrypted images from Cinder,"},{"line_number":151,"context_line":"we will only rename the property so it is not solely be usable by Cinder."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"To not accidently delete a key, which is used to encrypt an image, we will let"},{"line_number":154,"context_line":"Glance register as a consumer of that key (secret in Barbican [1]) when the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"a1da9237_9b110626","line":151,"range":{"start_line":148,"start_character":0,"end_line":151,"end_character":73},"in_reply_to":"f5242cbd_222fc62e","updated":"2024-06-21 09:51:10.000000000","message":"Acknowledged","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":165,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":166,"context_line":"encryption to be handled by Glance. This would be more than the scope of this"},{"line_number":167,"context_line":"spec will be. 
So if image conversion is enabled, encrypted images that need"},{"line_number":168,"context_line":"conversion will be put in an ERROR state."},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Alternatives"},{"line_number":171,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"09d23e6c_df0b95ec","line":168,"range":{"start_line":168,"start_character":19,"end_line":168,"end_character":41},"updated":"2024-06-19 17:19:50.000000000","message":"Glance does not have an ERROR state\n\nI think you can return a 400 error and set the image status to queued as a result.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":false,"context_lines":[{"line_number":165,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":166,"context_line":"encryption to be handled by Glance. This would be more than the scope of this"},{"line_number":167,"context_line":"spec will be. 
So if image conversion is enabled, encrypted images that need"},{"line_number":168,"context_line":"conversion will be put in an ERROR state."},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Alternatives"},{"line_number":171,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"64b85fa6_d838545d","line":168,"range":{"start_line":168,"start_character":19,"end_line":168,"end_character":41},"in_reply_to":"09d23e6c_df0b95ec","updated":"2024-06-21 09:40:58.000000000","message":"Done","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":215,"context_line":"```"},{"line_number":216,"context_line":"REQ: curl -g -i -X POST"},{"line_number":217,"context_line":"http://a.b.c.d/image/v2/images -H \"Content-Type: application/json\" .... 
-d \u0027"},{"line_number":218,"context_line":"{\"disk_format\": \"raw\", \"name\": \"cirros\", \"container_format\": \"compressed\","},{"line_number":219,"context_line":"\"os_encrypt_format\": \"LUKS\", \"os_encrypt_key_id\": \"...\","},{"line_number":220,"context_line":"\"os_encrypt_key_deletion_policy\": \"True\", \"os_encrypt_cipher\": \"...\","},{"line_number":221,"context_line":"\"os_decrypt_container_format\": \"bare\", \"os_decrypt_size\": \"...\", ...}\u0027"},{"line_number":222,"context_line":"```"},{"line_number":223,"context_line":""},{"line_number":224,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b3d602e9_82aba28c","line":221,"range":{"start_line":218,"start_character":0,"end_line":221,"end_character":70},"updated":"2024-06-19 17:19:50.000000000","message":"Will all of these properties be displayed to the user on a GET API call (glance image-show), or will some be hidden/restricted?\n\nIf yes, then that should also be mentioned in the spec.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":false,"context_lines":[{"line_number":215,"context_line":"```"},{"line_number":216,"context_line":"REQ: curl -g -i -X POST"},{"line_number":217,"context_line":"http://a.b.c.d/image/v2/images -H \"Content-Type: application/json\" .... 
-d \u0027"},{"line_number":218,"context_line":"{\"disk_format\": \"raw\", \"name\": \"cirros\", \"container_format\": \"compressed\","},{"line_number":219,"context_line":"\"os_encrypt_format\": \"LUKS\", \"os_encrypt_key_id\": \"...\","},{"line_number":220,"context_line":"\"os_encrypt_key_deletion_policy\": \"True\", \"os_encrypt_cipher\": \"...\","},{"line_number":221,"context_line":"\"os_decrypt_container_format\": \"bare\", \"os_decrypt_size\": \"...\", ...}\u0027"},{"line_number":222,"context_line":"```"},{"line_number":223,"context_line":""},{"line_number":224,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"30018061_36fa8127","line":221,"range":{"start_line":218,"start_character":0,"end_line":221,"end_character":70},"in_reply_to":"b3d602e9_82aba28c","updated":"2024-06-21 09:40:58.000000000","message":"In my opinion these properties should be displayed in a GET API call.\n\nI will add that.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"* all images that have \u0027cinder_encryption_key_deletion_policy\u0027 set, need to"},{"line_number":294,"context_line":"  convert it to \u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":295,"context_line":""},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"Implementation"},{"line_number":298,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"d0b91128_23e87a3a","line":295,"updated":"2024-06-19 17:19:50.000000000","message":"so does this part require a migration script, or should it be handled on the GET 
call?","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"f8aa65675e7bf9b4a9c3d99dba673364d2db14b0","unresolved":false,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"* all images that have \u0027cinder_encryption_key_deletion_policy\u0027 set, need to"},{"line_number":294,"context_line":"  convert it to \u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":295,"context_line":""},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"Implementation"},{"line_number":298,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"c260d4a0_9cab4959","line":295,"in_reply_to":"112a1501_7e8994c1","updated":"2024-06-21 10:54:55.000000000","message":"Done","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":true,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"* all images that have \u0027cinder_encryption_key_deletion_policy\u0027 set, need to"},{"line_number":294,"context_line":"  convert it to \u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":295,"context_line":""},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"Implementation"},{"line_number":298,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"e097580a_6f95dae1","line":295,"in_reply_to":"d0b91128_23e87a3a","updated":"2024-06-21 09:40:58.000000000","message":"As these properties are currently stored in the image_properties 
tables, imho we could use a migration script to change the database table.\n\nI added a work item for this.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"338465edbe1dbd6b0fb2b6bf53c65c7d877ad9ea","unresolved":true,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"* all images that have \u0027cinder_encryption_key_deletion_policy\u0027 set, need to"},{"line_number":294,"context_line":"  convert it to \u0027os_encrypt_key_deletion_policy\u0027"},{"line_number":295,"context_line":""},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"Implementation"},{"line_number":298,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"112a1501_7e8994c1","line":295,"in_reply_to":"e097580a_6f95dae1","updated":"2024-06-21 09:51:10.000000000","message":"Just to note, apart from the migration script, you also need to make changes in code where these properties are used.","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e2ce7ee883448cf5fe1d73bdda16614b390c91a0","unresolved":true,"context_lines":[{"line_number":318,"context_line":"* Add support for providing the new image properties to the"},{"line_number":319,"context_line":"  python-openstackclient and openstacksdk, so that an encrypted image"},{"line_number":320,"context_line":"  can be 
uploaded"},{"line_number":321,"context_line":""},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"Dependencies"},{"line_number":324,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"e568565f_dbfe6deb","line":321,"updated":"2024-06-19 17:19:50.000000000","message":"I think work items should also include unit/functional tests and related documentation changes","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"95000b072688016f30347089ffc597af60338697","unresolved":false,"context_lines":[{"line_number":318,"context_line":"* Add support for providing the new image properties to the"},{"line_number":319,"context_line":"  python-openstackclient and openstacksdk, so that an encrypted image"},{"line_number":320,"context_line":"  can be uploaded"},{"line_number":321,"context_line":""},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"Dependencies"},{"line_number":324,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2d3910d4_c4ed961b","line":321,"in_reply_to":"e568565f_dbfe6deb","updated":"2024-06-21 09:40:58.000000000","message":"Done","commit_id":"81a05b23855338afca297d2981a65dfdbae8ec0a"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"338465edbe1dbd6b0fb2b6bf53c65c7d877ad9ea","unresolved":true,"context_lines":[{"line_number":164,"context_line":"conversion of encrypted images will not be supported. The vmdk format is not"},{"line_number":165,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":166,"context_line":"encryption to be handled by Glance. 
This would be more than the scope of this"},{"line_number":167,"context_line":"spec will be. So if image conversion is enabled and ab encrypted images that"},{"line_number":168,"context_line":"needs conversion is uploaded the API will return a 400 Error and the image will"},{"line_number":169,"context_line":"be put in the queued state as a result."},{"line_number":170,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"13ba8ccf_7e9eb0e1","line":167,"range":{"start_line":167,"start_character":52,"end_line":167,"end_character":54},"updated":"2024-06-21 09:51:10.000000000","message":"nit: an","commit_id":"ab9af5bb81a764e7b1c2f53e1eeabb1bb7ef96ba"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"f8aa65675e7bf9b4a9c3d99dba673364d2db14b0","unresolved":false,"context_lines":[{"line_number":164,"context_line":"conversion of encrypted images will not be supported. The vmdk format is not"},{"line_number":165,"context_line":"supported by this spec and the conversion itself would need decryption and"},{"line_number":166,"context_line":"encryption to be handled by Glance. This would be more than the scope of this"},{"line_number":167,"context_line":"spec will be. 
So if image conversion is enabled and ab encrypted images that"},{"line_number":168,"context_line":"needs conversion is uploaded the API will return a 400 Error and the image will"},{"line_number":169,"context_line":"be put in the queued state as a result."},{"line_number":170,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"b2a9ac0a_7453ca48","line":167,"range":{"start_line":167,"start_character":52,"end_line":167,"end_character":54},"in_reply_to":"13ba8ccf_7e9eb0e1","updated":"2024-06-21 10:54:55.000000000","message":"Done","commit_id":"ab9af5bb81a764e7b1c2f53e1eeabb1bb7ef96ba"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"469b5d792104cbca2a96c76b1bbe7e67a7150666","unresolved":true,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"To upload an encrypted image to Glance we want to extend the OpenStack Client"},{"line_number":101,"context_line":"to allow the specification of the necessary metadata properties as the key ID"},{"line_number":102,"context_line":"and the encryption and optionally metadata properties as for exapmle the"},{"line_number":103,"context_line":"specification of the key deletion poilicy."},{"line_number":104,"context_line":"Later on there might be support added for encrypting images using the specified"},{"line_number":105,"context_line":"key ID directly in the OpenStack Client."}],"source_content_type":"text/x-rst","patch_set":10,"id":"5fc79c8d_26a15ced","line":102,"range":{"start_line":102,"start_character":61,"end_line":102,"end_character":68},"updated":"2024-06-25 10:30:30.000000000","message":"nit: example","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":28271,"name":"Josephine 
Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"22c1169615cc7ccc25daa5217320a43aa80c4a4f","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"To upload an encrypted image to Glance we want to extend the OpenStack Client"},{"line_number":101,"context_line":"to allow the specification of the necessary metadata properties as the key ID"},{"line_number":102,"context_line":"and the encryption and optionally metadata properties as for exapmle the"},{"line_number":103,"context_line":"specification of the key deletion poilicy."},{"line_number":104,"context_line":"Later on there might be support added for encrypting images using the specified"},{"line_number":105,"context_line":"key ID directly in the OpenStack Client."}],"source_content_type":"text/x-rst","patch_set":10,"id":"a5d4f870_9b0e86e7","line":102,"range":{"start_line":102,"start_character":61,"end_line":102,"end_character":68},"in_reply_to":"5fc79c8d_26a15ced","updated":"2024-07-01 07:51:19.000000000","message":"Done","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"469b5d792104cbca2a96c76b1bbe7e67a7150666","unresolved":true,"context_lines":[{"line_number":100,"context_line":"To upload an encrypted image to Glance we want to extend the OpenStack Client"},{"line_number":101,"context_line":"to allow the specification of the necessary metadata properties as the key ID"},{"line_number":102,"context_line":"and the encryption and optionally metadata properties as for exapmle the"},{"line_number":103,"context_line":"specification of the key deletion poilicy."},{"line_number":104,"context_line":"Later on there might be support added for encrypting images using the specified"},{"line_number":105,"context_line":"key ID directly in the OpenStack 
Client."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"b47b9cb0_ecd78a18","line":103,"range":{"start_line":103,"start_character":34,"end_line":103,"end_character":41},"updated":"2024-06-25 10:30:30.000000000","message":"nit: policy","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"22c1169615cc7ccc25daa5217320a43aa80c4a4f","unresolved":false,"context_lines":[{"line_number":100,"context_line":"To upload an encrypted image to Glance we want to extend the OpenStack Client"},{"line_number":101,"context_line":"to allow the specification of the necessary metadata properties as the key ID"},{"line_number":102,"context_line":"and the encryption and optionally metadata properties as for exapmle the"},{"line_number":103,"context_line":"specification of the key deletion poilicy."},{"line_number":104,"context_line":"Later on there might be support added for encrypting images using the specified"},{"line_number":105,"context_line":"key ID directly in the OpenStack Client."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"ec8c88d6_ed357c01","line":103,"range":{"start_line":103,"start_character":34,"end_line":103,"end_character":41},"in_reply_to":"b47b9cb0_ecd78a18","updated":"2024-07-01 07:51:19.000000000","message":"Done","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"469b5d792104cbca2a96c76b1bbe7e67a7150666","unresolved":true,"context_lines":[{"line_number":150,"context_line":"true. 
This behavior is already implemented for encrypted images from Cinder,"},{"line_number":151,"context_line":"we will only rename the property so it is not solely be usable by Cinder."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"To not accidently delete a key, which is used to encrypt an image, we will let"},{"line_number":154,"context_line":"Glance register as a consumer of that key (secret in Barbican [1]) when the"},{"line_number":155,"context_line":"corresponding encrypted image is uploaded and unregister as a consumer when the"},{"line_number":156,"context_line":"image is deleted in Glance. When the parameter \"os_encrypt_key_deletion_policy\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"88ca2d01_be733e3b","line":153,"range":{"start_line":153,"start_character":7,"end_line":153,"end_character":17},"updated":"2024-06-25 10:30:30.000000000","message":"nit: accidentally","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"22c1169615cc7ccc25daa5217320a43aa80c4a4f","unresolved":false,"context_lines":[{"line_number":150,"context_line":"true. This behavior is already implemented for encrypted images from Cinder,"},{"line_number":151,"context_line":"we will only rename the property so it is not solely be usable by Cinder."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"To not accidently delete a key, which is used to encrypt an image, we will let"},{"line_number":154,"context_line":"Glance register as a consumer of that key (secret in Barbican [1]) when the"},{"line_number":155,"context_line":"corresponding encrypted image is uploaded and unregister as a consumer when the"},{"line_number":156,"context_line":"image is deleted in Glance. 
When the parameter \"os_encrypt_key_deletion_policy\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"35f6b4f4_47346c33","line":153,"range":{"start_line":153,"start_character":7,"end_line":153,"end_character":17},"in_reply_to":"88ca2d01_be733e3b","updated":"2024-07-01 07:51:19.000000000","message":"Done","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"469b5d792104cbca2a96c76b1bbe7e67a7150666","unresolved":true,"context_lines":[{"line_number":158,"context_line":"was still a consumer, we let Glance log that as a warning and proceed with the"},{"line_number":159,"context_line":"image deletion process. In this case the key might still be used for another"},{"line_number":160,"context_line":"image or some other ressource and we do not want to delete it, we rather assume"},{"line_number":161,"context_line":"that the \"os_encrypt_key_deletion_policy\" was set mistakenly set to \"True\"."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Image conversion will not be encryption-aware as part of this spec and as such,"},{"line_number":164,"context_line":"conversion of encrypted images will not be supported. 
The vmdk format is not"}],"source_content_type":"text/x-rst","patch_set":10,"id":"a6e4f967_8b1ef5d8","line":161,"range":{"start_line":161,"start_character":42,"end_line":161,"end_character":64},"updated":"2024-06-25 10:30:30.000000000","message":"nit: was mistakenly set","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"22c1169615cc7ccc25daa5217320a43aa80c4a4f","unresolved":false,"context_lines":[{"line_number":158,"context_line":"was still a consumer, we let Glance log that as a warning and proceed with the"},{"line_number":159,"context_line":"image deletion process. In this case the key might still be used for another"},{"line_number":160,"context_line":"image or some other ressource and we do not want to delete it, we rather assume"},{"line_number":161,"context_line":"that the \"os_encrypt_key_deletion_policy\" was set mistakenly set to \"True\"."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Image conversion will not be encryption-aware as part of this spec and as such,"},{"line_number":164,"context_line":"conversion of encrypted images will not be supported. The vmdk format is not"}],"source_content_type":"text/x-rst","patch_set":10,"id":"4dbba2d4_4fff78c1","line":161,"range":{"start_line":161,"start_character":42,"end_line":161,"end_character":64},"in_reply_to":"a6e4f967_8b1ef5d8","updated":"2024-07-01 07:51:19.000000000","message":"Done","commit_id":"cfa53d38f27ec8dc27d023fcf0a98a851f964849"}]}
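
The consumer-registration and key-deletion workflow that the quoted spec lines describe (Glance registers as a consumer of the Barbican secret when an encrypted image is uploaded, unregisters when the image is deleted, and deletes the secret only when "os_encrypt_key_deletion_policy" is set and no other consumer remains, otherwise logging a warning and proceeding with the image deletion), written out as an added example. This is illustration code, not Glance, Barbican or the spec author's code: `FakeBarbican` is a constructed in-memory stand-in for the Barbican secret-consumers API with made-up method names, the consumer service name "glance" is an assumption, and the legacy `cinder_encryption_key_deletion_policy` lookup only mirrors the property rename the reviewers discuss for rows a migration has not rewritten yet. The scenario in `demo()` is constructed.

```python
"""Key-deletion workflow for encrypted images, modelled after the spec text.

Added illustration only: this is not Glance or Barbican code. FakeBarbican is
a constructed in-memory stand-in for the Barbican secret-consumers API and its
method names are made up for this example.
"""
import logging

LOG = logging.getLogger("encrypted_images_example")

KEY_ID_PROP = "os_encrypt_key_id"
POLICY_PROP = "os_encrypt_key_deletion_policy"
LEGACY_POLICY_PROP = "cinder_encryption_key_deletion_policy"  # pre-rename name
CONSUMER_SERVICE = "glance"  # assumed service name recorded on the consumer entry


class FakeBarbican:
    """Maps secret_id -> set of (service, resource_id) consumer entries."""

    def __init__(self):
        self._secrets = {}

    def create_secret(self, secret_id):
        self._secrets[secret_id] = set()

    def exists(self, secret_id):
        return secret_id in self._secrets

    def add_consumer(self, secret_id, service, resource_id):
        self._secrets[secret_id].add((service, resource_id))

    def remove_consumer(self, secret_id, service, resource_id):
        self._secrets[secret_id].discard((service, resource_id))

    def consumers(self, secret_id):
        return set(self._secrets[secret_id])

    def delete_secret(self, secret_id):
        del self._secrets[secret_id]


def deletion_policy_enabled(props):
    """Image properties are stored as strings ("True" in the spec's curl example).

    The legacy Cinder-only name is honoured for rows a migration has not
    rewritten yet; the default is False, so users keep ownership of their keys.
    """
    raw = props.get(POLICY_PROP, props.get(LEGACY_POLICY_PROP, "False"))
    return str(raw).strip().lower() == "true"


def on_image_upload(barbican, image_id, props):
    """Register Glance as a consumer of the image's key at upload time."""
    key_id = props.get(KEY_ID_PROP)
    if key_id is None:
        return False  # plain image, nothing to register
    if not barbican.exists(key_id):
        raise ValueError(f"{KEY_ID_PROP} {key_id!r} does not exist")
    barbican.add_consumer(key_id, CONSUMER_SERVICE, image_id)
    return True


def on_image_delete(barbican, image_id, props):
    """Unregister the consumer, then delete the key only if the policy allows
    it and nobody else still consumes it. Returns 'deleted', 'kept' or 'plain'."""
    key_id = props.get(KEY_ID_PROP)
    if key_id is None:
        return "plain"
    if not barbican.exists(key_id):
        LOG.warning("key %s of image %s is already gone", key_id, image_id)
        return "kept"
    barbican.remove_consumer(key_id, CONSUMER_SERVICE, image_id)
    if not deletion_policy_enabled(props):
        return "kept"
    remaining = barbican.consumers(key_id)
    if remaining:
        # The policy was probably set by mistake: another resource uses the key.
        LOG.warning("not deleting key %s of image %s, still consumed by %s",
                    key_id, image_id, sorted(remaining))
        return "kept"
    barbican.delete_secret(key_id)
    return "deleted"


def demo():
    """Constructed scenario covering the cases discussed in the review."""
    bb = FakeBarbican()
    for k in ("key-A", "key-B", "key-C"):
        bb.create_secret(k)
    bb.add_consumer("key-C", "cinder", "vol-1")  # a volume still uses key-C
    images = {
        "img-1": {KEY_ID_PROP: "key-A", POLICY_PROP: "True"},         # Nova snapshot
        "img-2": {KEY_ID_PROP: "key-A", LEGACY_POLICY_PROP: "True"},  # unmigrated row
        "img-3": {KEY_ID_PROP: "key-B"},                              # user key, default
        "img-4": {KEY_ID_PROP: "key-C", POLICY_PROP: "True"},         # shared with Cinder
    }
    for iid, props in images.items():
        on_image_upload(bb, iid, props)
    results = {iid: on_image_delete(bb, iid, props) for iid, props in images.items()}
    results["keys_left"] = sorted(k for k in ("key-A", "key-B", "key-C") if bb.exists(k))
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Deleting img-1 keeps key-A because img-2 is still registered; deleting img-2 afterwards removes the last consumer and the key goes away. img-3 carries no policy, so the user's key-B is never touched, and img-4's key-C survives because the Cinder volume is still a consumer, which is exactly the "mistakenly set to True" case the spec describes.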
