On Wed Oct 13 2021 00:57:52 GMT-0700 (Pacific Daylight Time), Franck VEDEL <franck.vedel@univ-grenoble-alpes.fr> wrote:
Hello and first sorry for my English… thanks Google.
Something is wrong with what I want to do: I use Wallaby, it works very well (apart from VPNaaS, I wasted too much time this summer to make it work, without success, and the bug does not seem to be fixed).
Here is what I want to do and which does not work as I want:

- With an admin account, I launch a Win10 instance from the image I created. The instance is working but it takes about 10 minutes to get Win10 up and running. I wanted to take a snapshot of this instance and then create a new image from this snapshot. And that users use this new image. I create the snapshot, I place the "--public" parameter on the new image. I'm trying to create a new instance from this snapshot with the admin account: it works. I create a new user, who has his project, and sees all the images. I try to create an instance with this new image and I get the message:
Block Device Mapping is Invalid: failed to get snapshot f12c04f2-51e7-4817-ab9b-eda63c5b9aff. (HTTP 400) (Request-ID: req-c26dab86-c25f-409a-8390-8aa0ea8fe1cb)
Is it a legal problem? Is it possible to do as I do? Otherwise how should we do it?
According to this cinder doc [1], it looks like what you're trying to do is valid, to create an image backed by a volume and boot instances from that image.

The problem I see where the "failed to get snapshot" error is raised in nova for the non-admin user, it looks to be a problem with policy access for the GET /snapshots/{snapshot_id} cinder API. Although the image is public, the volume behind it was created by some project and by default the API will allow the admin project or the project that created/owns the volume [2]:

    volume:get_snapshot
        Default: rule:admin_or_owner
        Operations: GET /snapshots/{snapshot_id}

This is why it works when you boot an instance using the admin account. Currently, you would need to change the above rule in the cinder policy.yaml in order to allow a different project than the owner to GET the snapshot.

It's possible this is a bug in nova and that we should be using an elevated admin request context to call GET /snapshots/{snapshot_id} if the snapshot is for a volume-backed image.

Hopefully I haven't completely misunderstood what is going on here, if so, please ignore me. :)

HTH,
-melanie

[1] https://docs.openstack.org/cinder/wallaby/admin/blockstorage-volume-backed-i...
[2] https://docs.openstack.org/cinder/wallaby/configuration/block-storage/policy...
Thanks if you have ideas for helping me
Franck VEDEL
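
Added example, not part of the original thread and not cinder or oslo.policy code: a simplified Python model of how the `volume:get_snapshot` rule discussed above is evaluated, comparing the default with two possible policy.yaml overrides. The project names, the simplified `admin_or_owner` definition and the helper functions are assumptions made for illustration.

```python
# Simplified model of oslo.policy "kind:match" checks (added example, not
# cinder or oslo.policy code). Only "or", "rule:<name>" and "" are handled.

BASE_RULES = {
    # Assumed, simplified definition of cinder's admin_or_owner rule.
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    # Default quoted in the reply above.
    "volume:get_snapshot": "rule:admin_or_owner",
}

def allowed(rules, name, creds, target):
    """Return True if the caller's creds satisfy rule `name` for `target`."""
    expr = rules[name].strip()
    if expr == "":
        return True  # an empty rule always allows the request
    for term in expr.split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            if allowed(rules, match, creds, target):
                return True
        elif kind in creds and str(creds[kind]) == match % target:
            return True
    return False

# Constructed sample data: a snapshot owned by the admin's project.
SNAPSHOT = {"project_id": "admin-proj"}
CALLERS = {
    "admin": {"is_admin": True, "project_id": "admin-proj"},
    "student": {"is_admin": False, "project_id": "student-proj"},
    "other": {"is_admin": False, "project_id": "other-proj"},
}

def decisions(get_snapshot_rule):
    """Evaluate GET /snapshots/{snapshot_id} for every sample caller."""
    rules = dict(BASE_RULES, **{"volume:get_snapshot": get_snapshot_rule})
    return {who: allowed(rules, "volume:get_snapshot", creds, SNAPSHOT)
            for who, creds in CALLERS.items()}

if __name__ == "__main__":
    for label, rule in [
        ("default", "rule:admin_or_owner"),
        ("one extra project", "rule:admin_or_owner or project_id:student-proj"),
        ("empty rule", ""),
    ]:
        print(f"{label:18} {decisions(rule)}")
```

In this model the empty rule admits every caller, while the narrower override admits only the one named project in addition to the admin and the owner.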