On Fri, Jul 19, 2024, at 2:23 PM, Dmitriy Rabotyagov wrote:
Wait, I just started realizing the bugfix ..
So basically all previously uploaded images not in raw format are useless after upgrading to the safe version of cinder/nova? That is a very nasty regression for any public cloud I would say, as users used to upload images in arbitrary formats and rely on future conversions.
See below. I think maybe the conversion is still allowed in some circumstances (the config doesn't prevent it and the image checks don't find problems?).
And also - in case you have Ceph for cinder volumes (that requires raw), and local storage with qcow for nova - that means you now need to maintain 2 sets of images, in raw and qcow respectively?
I think nova can use raw as well as qcow2 so you could standardize on just raw images if necessary. But again see below. This may be less of an issue with the specific security fixes and more to do with configuration options (that may have been opted into in response to the security concern?)
What would really make life slightly easier - a way to mandate usage of interoperable import, in case it still has the option to convert image to required format on upload.... But I guess it was also prohibited?
On Fri, Jul 19, 2024, 23:09 Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
Hello. Thank you very much. Do you mean it is a feature? But I think it will be hard, because raw images are too big to use. It will make things complex in operation. Qcow2 is too famous.
Actually, looking more closely at the specific error you're getting, it originates from here: https://opendev.org/openstack/cinder/src/branch/unmaintained/zed/cinder/imag... and that config option seems to allow conversions by default: https://opendev.org/openstack/cinder/src/branch/unmaintained/zed/cinder/imag.... So I'm less positive that this is directly related to 2059809. Are you sure this was happening due to the security bug fixes? Is it possible that instead you flipped the option to True and it was False before? Note that I believe cinder must convert images to raw and can't operate on them as qcow2 files so you don't really save much space in the end I don't think.
Nguyen Huu Khoi
On Sat, Jul 20, 2024 at 3:59 AM Clark Boylan <cboylan@sapwetik.org> wrote:
On Fri, Jul 19, 2024, at 1:53 PM, Nguyễn Hữu Khôi wrote:
Hello, I encounter this error when applying the patch for bug/2059809:
raise exception.ImageConversionNotAllowed(
2024-07-20 03:35:28.067 736 ERROR oslo_messaging.rpc.server cinder.exception.ImageConversionNotAllowed: Image Conversion disallowed for image 7bacbdfb-2ea3-4ed8-90ad-3ec0e274a1d9: Image conversion is disabled. The volume type you have requested requires that the image it is being created from be in 'raw' format, but the image you are using has the disk_format property 'qcow2'. You must use an image with the disk_format property 'raw' to create a volume of this type.
I am using Zed version. Could I have some suggestions?
The issue is that converting arbitrary qcow2 images to other formats is not necessarily secure. The bug fix you refer to addressed the security concerns with this process in OpenStack by preventing the conversion in the first place. This means you will need to upload images in the format that they will be used in. In this case the format is a raw image. If you upload a raw image version of the image you wish to use I suspect it will work.
Note if you convert the image locally you are potentially exposing yourself to the same risk. You should ensure you trust the image source before doing a conversion locally as well.
Thank you.
Nguyen Huu Khoi
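
Added example, not part of the thread and not OpenStack code: a pre-conversion screen for the advice above about checking an image before converting it locally. The thread does not say which image properties make conversion unsafe; screening for a declared-format mismatch, a backing-file reference and the qcow2 v3 external-data-file feature bit is this example's assumption, and the function names and sample headers are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXTERNAL_DATA_FILE_BIT = 1 << 2  # qcow2 v3 incompatible-features bit 2


def precheck_image(header, declared_format):
    """Return reasons to refuse conversion; an empty list means no finding.

    header is the first bytes of the image file (104 or more is enough);
    declared_format is the disk_format the uploader claimed.
    """
    findings = []
    is_qcow2 = header[:4] == QCOW2_MAGIC
    if declared_format == "raw" and is_qcow2:
        findings.append("declared raw but content starts with qcow2 magic")
    if declared_format == "qcow2" and not is_qcow2:
        findings.append("declared qcow2 but qcow2 magic is missing")
    if not is_qcow2:
        return findings
    if len(header) < 32:
        return findings + ["truncated qcow2 header"]
    # Big-endian fields after the magic: version, backing file offset and size.
    version, backing_offset, backing_size = struct.unpack(">IQI", header[4:20])
    if version not in (2, 3):
        findings.append(f"unsupported qcow2 version {version}")
    if backing_offset or backing_size:
        findings.append("references a backing file")
    if version == 3:
        if len(header) < 104:
            findings.append("truncated qcow2 v3 header")
        elif struct.unpack(">Q", header[72:80])[0] & EXTERNAL_DATA_FILE_BIT:
            findings.append("uses an external data file")
    return findings


def make_qcow2_header(version=3, backing_offset=0, backing_size=0, incompatible=0):
    """Build a constructed 104-byte qcow2 header for the demo (not a usable image)."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">IQI", hdr, 4, version, backing_offset, backing_size)
    struct.pack_into(">Q", hdr, 72, incompatible)
    return bytes(hdr)


if __name__ == "__main__":
    print(precheck_image(make_qcow2_header(), "qcow2"))
    print(precheck_image(make_qcow2_header(backing_offset=104, backing_size=11), "qcow2"))
    print(precheck_image(make_qcow2_header(incompatible=EXTERNAL_DATA_FILE_BIT), "raw"))
```

An empty result only means none of these header checks fired; it does not replace trusting the image source.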