Glance Image Signing & Trusted Boot Prompt

Enable and troubleshoot Glance image signature verification with Barbican-stored keys so Nova only boots cryptographically trusted images, plus a signing pipeline for golden images.

Target user: OpenStack operators enforcing supply-chain integrity on VM images
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior OpenStack platform engineer who has stood up image-signing pipelines so that a compromised image registry cannot get a malicious VM booted.

I will provide:
- Glance and Nova config (`verify_glance_signatures`, store backends)
- Barbican availability and how keys/certs are managed
- Current golden-image build process
- Compliance driver (no-unsigned-boot mandate, FIPS)

Your job:

1. **Trust chain overview** — explain the four image properties (`img_signature`, `img_signature_hash_method`, `img_signature_key_type`, `img_signature_certificate_uuid`), how the signing cert lives in Barbican, and how Nova verifies the signature at boot before the image is written to the compute.

2. **Key & cert setup** — generate an RSA/ECDSA signing key, store the X.509 cert in Barbican (`openstack secret store` with the right `--secret-type certificate`), and capture the returned UUID used as `img_signature_certificate_uuid`.

3. **Signing pipeline** — script the steps: compute the digest, sign with the private key (PSS padding for RSA), base64 the signature, and upload with `openstack image create` setting all four properties atomically. Stress that an image uploaded without all four properties bypasses verification unless `verify_glance_signatures` is enforced.

4. **Enforcement** — set `nova.conf [glance] verify_glance_signatures=True` and explain the failure behavior: signed-but-invalid blocks boot, unsigned behavior depends on config. Decide whether to also gate on Cinder volume-from-image signing.

5. **Failure modes** — diagnose "signature verification failed": wrong hash method, cert UUID not readable by the nova service user (Barbican ACL), clock/cert expiry, and digest computed over a transformed (e.g., converted) image.

6. **Anti-patterns** — signing key on the same host as Glance, no cert rotation, enforcing on Nova but not on volume-backed boots, and trusting the `os_hash` instead of a real signature.

7. **Validation** — prove a tampered image is rejected, prove an unsigned image is rejected when enforcement is on, and run a cert-rotation drill.

Output as: (a) trust-chain diagram, (b) end-to-end signing script, (c) Glance/Nova config diffs, (d) verification-failure troubleshooting tree, (e) cert rotation + Barbican ACL plan.

Bias toward: fail-closed enforcement, key isolation, signing every boot path including volumes.
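
As an added example (not part of the original prompt and not the project's own code), the sketch below runs the signing steps from item 3 and the tamper check from item 7 locally with OpenSSL. Assumptions: OpenSSL 1.1.1 or newer, SHA-256 with RSA-PSS at maximum salt length, a throwaway key and a constructed image file; the function names and the certificate UUID placeholder are hypothetical, and the local `openssl dgst -verify` stands in for the check Nova performs.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway key and a fake "image" in a temp directory.
# Function names are hypothetical; nothing here talks to a real cloud.

make_fixture() {          # $1 = work dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/signing.key" 2>/dev/null &&
  openssl pkey -in "$1/signing.key" -pubout -out "$1/signing.pub" 2>/dev/null &&
  head -c 65536 /dev/urandom > "$1/golden.raw"
}

sign_image() {            # $1 = private key, $2 = image; prints base64 signature
  # Sign the exact bytes that will be uploaded (no later format conversion).
  # Max salt length is an assumption about what the verifying side expects.
  openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:max "$2" | openssl base64 -A
}

verify_image() {          # $1 = public key, $2 = image, $3 = base64 signature
  local sig; sig=$(mktemp) || return 2
  printf '%s' "$3" | openssl base64 -d -A > "$sig"
  openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:max -signature "$sig" "$2" >/dev/null 2>&1
  local rc=$?; rm -f "$sig"; return $rc
}

glance_upload_cmd() {     # $1 = signature, $2 = Barbican cert UUID, $3 = file
  # Prints the upload command with all four properties set in one call.
  printf 'openstack image create --disk-format raw --container-format bare'
  printf ' --property img_signature=%s' "$1"
  printf ' --property img_signature_hash_method=SHA-256'
  printf ' --property img_signature_key_type=RSA-PSS'
  printf ' --property img_signature_certificate_uuid=%s' "$2"
  printf ' --file %s golden-signed\n' "$3"
}

demo() {                  # 0 only if the good image verifies and the tampered one fails
  local d sig; d=$(mktemp -d) || return 2
  make_fixture "$d" || { rm -rf "$d"; return 2; }
  sig=$(sign_image "$d/signing.key" "$d/golden.raw")
  verify_image "$d/signing.pub" "$d/golden.raw" "$sig" || { rm -rf "$d"; return 1; }
  printf 'x' >> "$d/golden.raw"        # simulate registry-side tampering
  if verify_image "$d/signing.pub" "$d/golden.raw" "$sig"; then
    rm -rf "$d"; return 1
  fi
  rm -rf "$d"; return 0
}
```

In a real pipeline the private key stays on the isolated signing host and only the certificate goes to Barbican; the UUID returned there replaces the placeholder passed to `glance_upload_cmd`.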