
Overview

The Xloud Image Service security configuration covers three areas: image signature verification (preventing tampered images from being launched), property protections (preventing unauthorized modification of critical metadata fields), and public image access controls (restricting who can publish images to the global catalog).
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Image Signing and Verification

Xloud Image Service supports image signature verification using certificates stored in Xloud Key Management. When enabled, the compute service verifies the image signature before launching an instance, preventing tampered images from being used.

Generate a signing key and certificate

Store the certificate in Xloud Key Management:
Create a certificate container in Key Management
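# The payload is base64-encoded, so its encoding is declared explicitly.
openstack secret store \
  --name image-signing-cert \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 < signing-cert.pem)"
Note the Secret href in the output: the UUID at the end of it is the <CERT_UUID>.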

Upload image with signature

Upload image with signature metadata
openstack image create \
  --disk-format qcow2 \
  --container-format bare \
  --file ubuntu-24.04.qcow2 \
  --property img_signature="<BASE64_SIGNATURE>" \
  --property img_signature_certificate_uuid="<CERT_UUID>" \
  --property img_signature_hash_method="SHA-256" \
  --property img_signature_key_type="RSA-PSS" \
  ubuntu-24.04-signed
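
The upload command needs a value for <BASE64_SIGNATURE>, and the steps above do not show how the key, certificate and signature are produced. One way to do it with the openssl CLI, as an added example that is not Xloud's own procedure: the file names, the certificate subject, the self-signed certificate and the maximum PSS salt length are assumptions, and the image is a constructed sample file.

```shell
#!/bin/sh
# Added example. File names and the CN are placeholders, not Xloud defaults.

# make_signing_material DIR: private key plus self-signed certificate.
make_signing_material() {
  openssl req -x509 -newkey rsa:3072 -nodes -days 365 \
    -subj "/CN=image-signing-example" \
    -keyout "$1/signing-key.pem" -out "$1/signing-cert.pem" 2>/dev/null
}

# sign_image KEY IMAGE: print the base64 value for img_signature.
# SHA-256 and RSA-PSS match img_signature_hash_method / img_signature_key_type.
# Salt length is pinned rather than left to OpenSSL's release-dependent
# default; "max" is an assumption about what the verifier expects.
sign_image() {
  openssl dgst -sha256 -sign "$1" \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max "$2" |
    openssl base64 -A
}

# verify_image CERT IMAGE SIG_B64: return 0 only if the signature is valid
# for IMAGE under the public key in CERT.
verify_image() {
  vdir=$(mktemp -d) || return 1
  rc=0
  {
    openssl x509 -in "$1" -pubkey -noout > "$vdir/pub.pem" &&
    printf '%s' "$3" | openssl base64 -d -A > "$vdir/sig.bin" &&
    openssl dgst -sha256 -verify "$vdir/pub.pem" \
      -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \
      -signature "$vdir/sig.bin" "$2" >/dev/null 2>&1
  } || rc=$?
  rm -rf "$vdir"
  return "$rc"
}

# Demo on a constructed 64 KiB file standing in for ubuntu-24.04.qcow2.
work=$(mktemp -d)
head -c 65536 /dev/urandom > "$work/sample.img"
make_signing_material "$work"
sig=$(sign_image "$work/signing-key.pem" "$work/sample.img")
verify_image "$work/signing-cert.pem" "$work/sample.img" "$sig" &&
  echo "original image: signature valid"
printf 'x' >> "$work/sample.img"   # one appended byte simulates tampering
verify_image "$work/signing-cert.pem" "$work/sample.img" "$sig" ||
  echo "modified image: signature rejected"
rm -rf "$work"
```

Checking the signature locally before upload catches a mismatched key or a re-exported image early, instead of at instance launch. The private key stays off the cloud; only the certificate goes into Key Management.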

Enable verification in Compute

Configure the compute service to verify image signatures before launching:
Compute service: enable image signature verification
nova_verify_glance_signatures: "true"
Deploy after configuring:
Apply compute configuration
xavs-ansible deploy --tags nova
When verification is enforced, the compute service now refuses to launch instances from images whose signatures are invalid or missing.
Enable signature verification enforcement via the compute service policy to ensure only signed images from your approved certificate authority can be launched.

Property Protections

Property protections prevent unauthorized users from modifying sensitive image properties — such as signature fields or hardware requirements — after upload.

Create the property protections configuration

/etc/xavs/glance/property-protections.conf
[x-image-meta-property-img_signature]
create = admin
read = @
update = admin
delete = admin

[x-image-meta-property-xloud_base_image]
create = admin
read = @
update = admin
delete = admin

[x-image-meta-property-hw_firmware_type]
create = @
read = @
update = admin
delete = admin

Apply the configuration

Redeploy glance configuration
xavs-ansible deploy --tags glance
Property protections are active. Non-admin users cannot modify protected properties.

Public Image Access Controls

Only users with the admin role can mark images as public. Enforce this via policy to prevent accidental or malicious exposure of proprietary images organization-wide. Verify the policy is active:
Check publicize_image policy
openstack registered limit list | grep publicize
If the policy needs tightening, add an override:
/etc/xavs/glance/policy.yaml — restrict public image creation
"publicize_image": "role:admin"
"deactivate_image": "role:admin"
"reactivate_image": "role:admin"
Apply:
Apply policy override
xavs-ansible deploy --tags glance

Security Checklist

Signature verification enabled

Verify that image signature verification is enforced in the compute service policy. Test by attempting to launch an unsigned image — it should be rejected.
Confirm that signature-related properties (img_signature*) and platform properties (xloud_base_image, hw_firmware_type) require admin to modify.
Verify that non-admin users cannot set images to public visibility. Test with a project-member account: openstack image set --public <image-id> should return a policy violation error.
Regularly audit the public image catalog:
List all public images
openstack image list --public --all-projects \
  -c name -c owner -c status -c updated_at
Remove or deactivate any images that should not be publicly accessible.
