Hey Christian,

The issue you're encountering with Glance and RBD permissions can indeed be tricky to resolve. Let's break it down together:

1. **Glance and RBD Permissions**:
   - When Glance interacts with RBD (Ceph's block storage), it needs the appropriate permissions to perform operations like deleting images.
   - The error you're seeing, "Operation not permitted," indicates a permission issue.
2. **Children of Glance Images**:
   - Glance images can have dependent children, which are typically Cinder volumes. These volumes reside in a different RBD pool called "volumes."
   - When Glance tries to delete an image, it checks if any dependent children exist. If they do, Glance should handle this gracefully.
3. **Your Current Configuration**:
   - Let's review your current Ceph auth caps configuration for the relevant clients:
     - client.cinder: Has read-only access to the "images" pool and read access to the "volumes" pool.
     - client.glance: Has read access to the "images" pool.
     - client.nova: Has read access to both the "instances" and "images" pools.
4. **Missing Permissions**:
   - The issue lies in the Glance configuration. Glance needs read access to the "volumes" pool to handle dependent children correctly.
   - Update the Glance configuration as follows:
     - client.glance:
       - Add the necessary permission for the "volumes" pool:

         ```
         ceph auth caps client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=glance-images'
         ```
5. **Explanation**:
   - The added permission allows Glance to read the children (dependent volumes) from the "volumes" pool.
   - It's more restrictive than allowing full access (allow *), which aligns with your desire for tighter security.

Remember to apply these changes and restart the relevant services as you know. If you encounter any further issues, feel free to ask us.

Kerem ÇELİKER
Head of Cloud Architecture
linkedin.com/in/keremceliker/
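
As an added example (not part of the original message and not Ceph's own code), the following Python sketch parses an OSD caps string and reports what it grants on a given pool, which is a quick way to confirm which pools a `ceph auth caps` line actually names before applying it. The function names and the simplified grammar handled (`allow` clauses with `pool=` and `object_prefix`) are assumptions of this sketch.

```python
import re

# OSD caps copied from the command in the message above.
PAGE_CAPS = "allow class-read object_prefix rbd_children, allow rwx pool=glance-images"

def parse_osd_caps(caps):
    """Split an OSD caps string into grants (simplified subset of the grammar)."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if not tokens or tokens[0] != "allow":
            continue  # 'profile ...' and other forms are outside this sketch
        grant = {"perms": set(), "pool": None, "object_prefix": None}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("pool="):
                grant["pool"] = tok.split("=", 1)[1]
            elif tok == "object_prefix" and i + 1 < len(tokens):
                grant["object_prefix"] = tokens[i + 1]
                i += 1  # skip the prefix value
            elif tok in ("class-read", "class-write", "*", "all"):
                grant["perms"].add(tok)
            elif re.fullmatch(r"[rwx]+", tok):
                grant["perms"].update(tok)  # adds 'r', 'w', 'x' individually
            # any other token (namespace=, network ...) is ignored here
            i += 1
        grants.append(grant)
    return grants

def access_on_pool(caps, pool):
    """Return (perms on every object in the pool, {object_prefix: perms})."""
    whole, by_prefix = set(), {}
    for g in parse_osd_caps(caps):
        if g["pool"] not in (None, pool):
            continue  # grant is scoped to a different pool
        if g["object_prefix"] is None:
            whole |= g["perms"]
        else:
            by_prefix.setdefault(g["object_prefix"], set()).update(g["perms"])
    return whole, by_prefix

if __name__ == "__main__":
    # Pool names as they appear in the message above.
    for pool in ("images", "volumes", "glance-images"):
        whole, by_prefix = access_on_pool(PAGE_CAPS, pool)
        print(f"{pool}: whole-pool={sorted(whole)} by-prefix="
              f"{ {k: sorted(v) for k, v in by_prefix.items()} }")
```

Comparing this output with the pool list from `ceph osd pool ls` shows whether each pool a client needs is covered by a pool-scoped grant or only by a prefix-scoped one.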