On Fri, 1 Jul 2022 at 07:17, Massimo Sgaravatto <massimo.sgaravatto@gmail.com> wrote:
Converting the image from public to private seems indeed a good idea.
Thanks a lot for the hint!
Cheers, Massimo
Hi Massimo,
Turning it into private will cause the very same issue for anyone using the image who was consuming it outside of the project that owns the image. The "hidden" [0] flag was developed for this purpose. Even though it does not prevent one from launching new instances from the said image, it will strongly discourage it, as the image is not listed in the normal image listings. So if you have a new up-to-date version of the image, but the old one is still widely in use, turn the old image hidden and, unless someone is specifically launching the instance with that old image ID, they will be directed towards your new version.
As we don't currently have any mechanism separating a user making a call to Glance with one of the clients vs. Nova making the call on behalf of the user, we also have no means to ensure that the image would be consumable for housekeeping purposes while new instances would be prevented. So this was the most user-friendly solution we came up with at the time.
[0] https://specs.openstack.org/openstack/glance-specs/specs/rocky/implemented/g...
- jokke
On Thu, Jun 30, 2022 at 2:56 PM Sean Mooney <smooney@redhat.com> wrote:
On Thu, 2022-06-30 at 14:37 +0200, Massimo Sgaravatto wrote:
No: I really mean resize
I guess for resize we need to copy the backing file, which we presumably are doing by redownloading the original image. It could technically be copied from the source host instead, but I think if you change the visibility rather than blocking download, that would hide it from people looking to create new VMs with it in the image list but allow it to continue to be used by existing instances for rebuild and resize.
On Thu, Jun 30, 2022 at 1:42 PM Sean Mooney <smooney@redhat.com> wrote:
On Thu, 2022-06-30 at 10:09 +0200, Massimo Sgaravatto wrote:
Dear all
What is the blessed method to avoid using an image for new virtual machines without causing problems for existing instances using that image ?
If I deactivate the image, I then have problems resizing instances using that image [*]: it claims that image download is forbidden since the image was deactivated
I think you mean rebuilding the instance, not resizing, right? Resize should not need the image since it should use the image info we embed in the nova in the instance_system_metadata table.
I'm not sure if there is a blessed way but I probably would have changed the visibility to private.
Thanks, Massimo
[*]
| fault | {'code': 500, 'created': '2022-06-30T07:57:30Z', 'message': 'Not authorized for image dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.', 'details': 'Traceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377, in download\n context, 2, \'data\', args=(image_id,))\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191, in call\n result = getattr(controller, method)(*args, **kwargs)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py", line 670, in inner\n return RequestIdProxy(wrapped(*args, **kwargs))\n File "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line 255, in data\n resp, body = self.http_client.get(url)\n File "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 395, in get\n return self.request(url, \'GET\', **kwargs)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 380, in request\n return self._handle_response(resp)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 120, in _handle_response\n raise exc.from_response(resp, resp.content)\nglanceclient.exc.HTTPForbidden: HTTP 403 Forbidden: The requested image has been deactivated. Image data download is forbidden.\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 201, in decorated_function\n return function(self, context, *args, **kwargs)\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5950, in finish_resize\n context, instance, migration)\n File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 227, in __exit__\n self.force_reraise()\n File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 200, in force_reraise\n raise self.value\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5932, in finish_resize\n migration, request_spec)\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5966, in _finish_resize_helper\n request_spec)\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5902, in _finish_resize\n self._set_instance_info(instance, old_flavor)\n File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 227, in __exit__\n self.force_reraise()\n File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 200, in force_reraise\n raise self.value\n File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5890, in _finish_resize\n block_device_info, power_on)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 11343, in finish_migration\n fallback_from_host=migration.source_compute)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 4703, in _create_image\n injection_info, fallback_from_host)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 4831, in _create_and_inject_local_root\n instance, size, fallback_from_host)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 10625, in _try_fetch_image_cache\n trusted_certs=instance.trusted_certs)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py", line 275, in cache\n *args, **kwargs)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py", line 638, in create_image\n prepare_template(target=base, *args, **kwargs)\n File "/usr/lib/python3.6/site-packages/oslo_concurrency/lockutils.py", line 391, in inner\n return f(*args, **kwargs)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py", line 271, in fetch_func_sync\n fetch_func(target=target, *args, **kwargs)\n File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/utils.py", line 395, in fetch_image\n images.fetch_to_raw(context, image_id, target, trusted_certs)\n File "/usr/lib/python3.6/site-packages/nova/virt/images.py", line 115, in fetch_to_raw\n fetch(context, image_href, path_tmp, trusted_certs)\n File "/usr/lib/python3.6/site-packages/nova/virt/images.py", line 106, in fetch\n trusted_certs=trusted_certs)\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1300, in download\n trusted_certs=trusted_certs)\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 379, in download\n _reraise_translated_image_exception(image_id)\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1031, in _reraise_translated_image_exception\n raise new_exc.with_traceback(exc_trace)\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377, in download\n context, 2, \'data\', args=(image_id,))\n File "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191, in call\n result = getattr(controller, method)(*args, **kwargs)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py", line 670, in inner\n return RequestIdProxy(wrapped(*args, **kwargs))\n File "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line 255, in data\n resp, body = self.http_client.get(url)\n File "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 395, in get\n return self.request(url, \'GET\', **kwargs)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 380, in request\n return self._handle_response(resp)\n File "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 120, in _handle_response\n raise exc.from_response(resp, resp.content)\nnova.exception.ImageNotAuthorized: Not authorized for image dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.\n'} |