Re: Problem with image from snapshot
melanie witt
melwittt at gmail.com
Thu Oct 14 20:58:44 UTC 2021
On Wed Oct 13 2021 00:57:52 GMT-0700 (Pacific Daylight Time), Franck
VEDEL <franck.vedel at univ-grenoble-alpes.fr> wrote:
> Hello and first sorry for my english… thanks google.
>
> Something is wrong with what I want to do:
> I use Wallaby, it works very well (apart from VpnaaS, I wasted too much
> time this summer to make it work, without success, and the bug does not
> seem to be fixed).
>
> Here is what I want to do and which does not work as I want:
> - With an admin account, I launch a Win10 instance from the image I
> created. The instance is working but it takes about 10 minutes to get
> Win10 up and running.
> I wanted to take a snapshot of this instance and then create a new image
> from this snapshot. And that users use this new image.
> I create the snapshot, I place the "--public" parameter on the new image.
> I'm trying to create a new instance from this snapshot with the admin
> account: it works.
> I create a new user, who has his project, and sees all the images. I try
> to create an instance with this new image and I get the message:
>
> Block Device Mapping is Invalid: failed to get snapshot
> f12c04f2-51e7-4817-ab9b-eda63c5b9aff. (HTTP 400) (Request-ID:
> req-c26dab86-c25f-409a-8390-8aa0ea8fe1cb)
>
> Is it a legal problem? Is it possible to do as I do? otherwise how
> should we do it?

According to this cinder doc [1], it looks like what you're trying to do
is valid, to create an image backed by a volume and boot instances from
that image.

The problem I see where the "failed to get snapshot" error is raised in
nova for the non-admin user, it looks to be a problem with policy access
for the GET /snapshots/{snapshot_id} cinder API. Although the image is
public, the volume behind it was created by some project and by default
the API will allow the admin project or the project that created/owns
the volume [2]:

    volume:get_snapshot
        Default:    rule:admin_or_owner
        Operations: GET /snapshots/{snapshot_id}

This is why it works when you boot an instance using the admin account.

Currently, you would need to change the above rule in the cinder
policy.yaml in order to allow a different project than the owner to GET
the snapshot.

It's possible this is a bug in nova and that we should be using an
elevated admin request context to call GET /snapshots/{snapshot_id} if
the snapshot is for a volume-backed image.

Hopefully I haven't completely misunderstood what is going on here, if
so, please ignore me. :)

HTH,
-melanie

[1] https://docs.openstack.org/cinder/wallaby/admin/blockstorage-volume-backed-image.html
[2] https://docs.openstack.org/cinder/wallaby/configuration/block-storage/policy.html#cinder

> Thanks if you have ideas for helping me
>
>
> Franck VEDEL
>