Hello folks,


Since the resolution of the VMDK-related CVE, Cinder performs extra checks on the format of images used for specific actions, like creating a volume out of an image, for instance. See the related Cinder commit: https://review.opendev.org/c/openstack/cinder/+/871625


Those new checks first led to failures in our tempest tests, on tests that were passing before.

E.g.: tempest.api.compute.servers.test_create_server.ServersTestBootFromVolume


It turned out that the tests were failing because of a discrepancy between the actual format of the image (qcow2 here) and the declared format in the Glance DB (raw).


To us, this raises the question of responsibility for format checks throughout the image lifecycle, between Glance and Cinder. Today, afaik, Glance will:

- tag as 'raw' any image uploaded without any format specified

- tag the image with the format provided by the customer, whatever the actual format of the image is

whereas Cinder is now more picky, refusing to deal with an image that claims to be of X format but is actually Y.


If you do confirm these observations, in your opinion, what would be the best option among:

  1. leave it as is; after all, the OpenStack customer is responsible for the accuracy of the information provided on image upload and should not be surprised by downstream mismatches when using the image
  2. strengthen the customer's responsibility of bullet 1 by making image format declaration mandatory on image upload
  3. enforce format checks in Glance on image upload
  4. another way you may think of? Something upstream I may have missed?

Thank you for your opinion!

Regards,


Florent Le Lain
SRE Team Lead – Public Cloud OVHcloud Rennes
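
The mismatch described in the message above (an image tagged raw in Glance that is actually qcow2), as an added example that is not part of the original message and is not Cinder's or Glance's code: a declared-versus-detected check based on the formats' header signatures. The function names and the sample headers are constructed for illustration.

```python
import struct

# On-disk signatures at offset 0 for the formats named in the message.
QCOW2_MAGIC = b"QFI\xfb"
VMDK_SPARSE_MAGIC = b"KDMV"
VMDK_DESCRIPTOR_PREFIX = b"# Disk DescriptorFile"


def sniff_format(header: bytes) -> str:
    """Guess the disk format from the first bytes of an image file."""
    if header.startswith(QCOW2_MAGIC):
        return "qcow2"
    if header.startswith((VMDK_SPARSE_MAGIC, VMDK_DESCRIPTOR_PREFIX)):
        return "vmdk"
    # Raw images carry no signature, so "raw" only means "nothing recognised".
    return "raw"


def check_declared_format(declared, header):
    """Compare the declared disk_format with what the header shows.

    declared=None models an upload with no format given, which the message
    says ends up tagged 'raw'. Returns (matches, detected_format).
    """
    effective = declared or "raw"
    detected = sniff_format(header)
    return effective == detected, detected


# Constructed sample headers (not taken from real images).
SAMPLE_QCOW2 = QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 504
SAMPLE_VMDK = VMDK_SPARSE_MAGIC + struct.pack("<I", 1) + b"\x00" * 504
SAMPLE_RAW = b"\x00" * 510 + b"\x55\xaa"  # boot-sector style raw data

if __name__ == "__main__":
    cases = [("raw", SAMPLE_QCOW2), (None, SAMPLE_QCOW2),
             ("qcow2", SAMPLE_QCOW2), ("qcow2", SAMPLE_VMDK), (None, SAMPLE_RAW)]
    for declared, header in cases:
        ok, detected = check_declared_format(declared, header)
        print(f"declared={declared!r:8} detected={detected:6} "
              f"{'accept' if ok else 'reject: mismatch'}")
```

Because raw has no signature, a check of this kind can reject a declared format that contradicts a recognised header, but it cannot positively confirm that an image is raw.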

