[Openstack] [Ocata] config option show_multiple_locations

Brian Rosmaita rosmaita.fossdev at gmail.com
Thu Nov 29 13:59:57 UTC 2018


Apologies for top-posting, but the answer is that
show_multiple_locations is deprecated, but its removal has been
postponed, so you should continue to use it (but keep an eye on the
Glance release notes).

The original idea behind the deprecation was that because image
locations are also governed by policies, it would simplify things to use
only policies and eliminate the configuration option.  In the meantime,
an OSSN [0] was issued where the easiest way to mitigate the exploit is
to set show_multiple_locations=False, so the deprecation period was
extended [1].

Finally, closer inspection has revealed that show_multiple_locations
cannot be removed without some major refactoring.  There's a draft spec
explaining the situation [2], but no one has been able to commit time to
work on the issue (or even finish the spec).

The Glance team would be happy to discuss this more with anyone
interested in working on the issue.

cheers,
brian

[0] https://wiki.openstack.org/wiki/OSSN/OSSN-0065
[1] https://docs.openstack.org/releasenotes/glance/ocata.html#relnotes-14-0-0-origin-stable-ocata-other-notes
[2] https://review.openstack.org/#/c/528021/


On 11/29/18 6:01 AM, Eugen Block wrote:
> Hello list,
> 
> I have a strange issue I'd like to report here, I'm not sure whether
> this could be a bug or a config issue on my side.
> 
> The environment has developed from Liberty to Ocata over the last 3
> years, backend for glance, cinder and nova is Ceph since Mitaka release.
> So according to [1] these two config options should be set to true.
> 
>> show_multiple_locations = True
>> show_image_direct_url = True
> 
> This setup has worked just fine, live snapshots of nova worked as
> expected. Last year the environment was upgraded to Ocata
> (successfully), and some time later I decided to clean up the configs, I
> set show_multiple_locations to false, also because glance reports:
> 
>> Option "show_multiple_locations" from group "DEFAULT" is deprecated
>> for removal.  Its value may be silently ignored in the future.
> 
> Since this change the nova live snapshots stopped working, resulting in
> this stack trace:
> 
> ---cut here---
>  [req-5bd2fef2-2155-4a89-b346-e20fb0b0d14a
> df7b63e69da3b1ee2be3d79342e7992f3620beddbdac7768dcb738105e74301e
> 2e3c3f3822124a3fa9fd905164f519ae - - -] Failed to snapshot image
>  Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py",
> line 1626, in snapshot
>      purge_props=False)
>    File "/usr/lib/python2.7/site-packages/nova/image/api.py", line 132,
> in update
>      purge_props=purge_props)
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 733, in update
>      _reraise_translated_image_exception(image_id)
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 1050, in _reraise_translated_image_exception
>      six.reraise(type(new_exc), new_exc, exc_trace)
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 731, in update
>      image = self._update_v2(context, sent_service_image_meta, data)
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 745, in _update_v2
>      image = self._add_location(context, image_id, location)
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 630, in _add_location
>      location, {})
>    File "/usr/lib/python2.7/site-packages/nova/image/glance.py", line
> 168, in call
>      result = getattr(controller, method)(*args, **kwargs)
>    File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py",
> line 340, in add_location
>      response = self._send_image_update_request(image_id, add_patch)
>    File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py",
> line 535, in inner
>      return RequestIdProxy(wrapped(*args, **kwargs))
>    File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py",
> line 324, in _send_image_update_request
>      data=json.dumps(patch_body))
>    File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py",
> line 294, in patch
>      return self._request('PATCH', url, **kwargs)
>    File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py",
> line 277, in _request
>      resp, body_iter = self._handle_response(resp)
>    File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py",
> line 107, in _handle_response
>      raise exc.from_response(resp, resp.content)
>  ImageNotAuthorized: Not authorized for image
> e99b2dfd-db33-4475-a51f-af4b913a7041.
> 
>  INFO nova.compute.manager [req-5bd2fef2-2155-4a89-b346-e20fb0b0d14a
> df7b63e69da3b1ee2be3d79342e7992f3620beddbdac7768dcb738105e74301e
> 2e3c3f3822124a3fa9fd905164f519ae - - -] [instance:
> 751b3731-de0d-42cd-a105-b92e326294aa] Successfully reverted task state
> from image_uploading on failure for instance.
> ---cut here---
> 
> A couple of weeks passed until this problem occurred (obviously nobody
> took snapshots), so I didn't immediately connect it to the config
> change, but when I followed the stack trace, I found this comment:
> 
> ---cut here---
>     def _add_location(self, context, image_id, location):
>         # 'show_multiple_locations' must be enabled in glance api conf file.
> [...]
> ---cut here---
> 
> I wouldn't expect this dependency if the option is marked as deprecated.
> Is this my misunderstanding or did I forget other configs that would
> prevent this behavior?
> 
> Thank you for any information about this topic.
> 
> Regards,
> Eugen
> 
> [1] http://docs.ceph.com/docs/master/rbd/rbd-openstack/#for-mitaka-only
> 
> 

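The trade-off in this thread, as an added example that is not code from Glance, nova, or either poster: it audits a glance-api.conf fragment for show_multiple_locations and pairs "Failed to snapshot image" requests in a nova-compute log with the image Glance refused. The sample config and log lines are constructed, the finding codes are hypothetical labels, and the option is assumed to be False when unset.

```python
import configparser
import re

# Constructed samples: a glance-api.conf fragment and nova-compute log lines.
SAMPLE_CONF = "[DEFAULT]\nshow_image_direct_url = True\nshow_multiple_locations = False\n"
SAMPLE_LOG = """\
ERROR nova.compute.manager [req-11111111-aaaa-4bbb-8ccc-222222222222 u1 p1 - - -] Failed to snapshot image
ERROR nova.compute.manager ImageNotAuthorized: Not authorized for image 00000000-0000-4000-8000-000000000001.
INFO nova.compute.manager [req-33333333-aaaa-4bbb-8ccc-444444444444 u1 p1 - - -] Took 2.1 seconds to snapshot
"""
REQ = re.compile(r"\[(req-[0-9a-f-]{36})")
DENIED = re.compile(r"ImageNotAuthorized: Not authorized for image\s+([0-9a-f-]{36})")


def audit_glance_conf(text):
    """Return (effective show_multiple_locations, finding codes)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Assumption: Glance treats the option as False when it is not set.
    multi = cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)
    findings = []
    if cp.has_option("DEFAULT", "show_multiple_locations"):
        findings.append("deprecated-option-still-in-effect")
    # True leaves the OSSN-0065 mitigation unapplied; False blocks nova's
    # _add_location call, which the thread shows failing on Ceph snapshots.
    findings.append("ossn-0065-unmitigated" if multi else "nova-add-location-blocked")
    return multi, findings


def denied_snapshots(log_text):
    """Pair each failed-snapshot request id with the image Glance refused."""
    hits, pending = [], None
    for line in log_text.splitlines():
        req = REQ.search(line)
        if req:  # a new request-tagged line starts or cancels a candidate
            pending = req.group(1) if "Failed to snapshot image" in line else None
        denied = DENIED.search(line)
        if denied and pending:
            hits.append((pending, denied.group(1)))
            pending = None
    return hits


def correlate(conf_text, log_text):
    """Snapshot denials that line up with show_multiple_locations being off."""
    multi, _ = audit_glance_conf(conf_text)
    return [] if multi else denied_snapshots(log_text)


if __name__ == "__main__":
    print(audit_glance_conf(SAMPLE_CONF))
    print(correlate(SAMPLE_CONF, SAMPLE_LOG))
```
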


