On Fri, 1 Jul 2022 at 07:17, Massimo Sgaravatto <massimo.sgaravatto@gmail.com> wrote:
Converting the image from public to private seems indeed a good idea.
Thanks a lot for the hint!
Cheers, Massimo


Hi Massimo,

Turning it into private will cause the very same issue for anyone using the image who was consuming it outside of the project that owns the image. The "hidden" [0] flag was developed for this purpose. Even if it does not prevent one from launching new instances from the said image, it will strongly discourage it, as the image is not listed in the normal image listings. So if you have a new up-to-date version of the image, but the old one is still widely in use, turn the old image hidden and, unless someone is specifically launching the instance with that old image ID, they will be directed towards your new version.

As we don't currently have any mechanism separating a user making a call to Glance with one of the clients vs. Nova making the call on behalf of the user, we also have no means to ensure that the image would be consumable for housekeeping purposes while new instances would be prevented. So this was the most user-friendly solution we came up with at the time.

[0] https://specs.openstack.org/openstack/glance-specs/specs/rocky/implemented/glance/operator-image-workflow.html

- jokke
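
The trade-off between the three options raised in this thread (deactivate, private, hidden), as an added example that is not part of the original message and is not Glance or Nova code. It is a simplified model of the behaviour the thread describes: the project names are constructed, admin overrides and the other visibility values are left out, and `os_hidden` is the image field behind the "hidden" flag.

```python
# Simplified model of the behaviour described in this thread; not Glance code.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Image:
    owner: str
    visibility: str = "public"   # "public" or "private" (other values omitted)
    status: str = "active"       # "active" or "deactivated"
    os_hidden: bool = False

def listed(img, project, include_hidden=False):
    """Would the image show up in a default image listing for `project`?"""
    if img.visibility == "private" and project != img.owner:
        return False
    return include_hidden or not img.os_hidden

def can_download(img, project):
    """Can image data be fetched with a token scoped to `project`?

    Nova fetches on behalf of the user, so the image service cannot tell a
    housekeeping fetch (resize, rebuild) from a fetch for a new instance.
    """
    if img.visibility == "private" and project != img.owner:
        return False
    return img.status == "active"   # deactivated: data download is forbidden

def assess(img, consumer):
    # The last two answers come from the same check: that is the limitation
    # described above, and why "hidden" discourages rather than prevents.
    return {
        "listed_for_new_users": listed(img, consumer),
        "boot_by_id_possible": can_download(img, consumer),
        "existing_instances_ok": can_download(img, consumer),
    }

OLD = Image(owner="image-team")   # constructed sample: the outdated public image
OPTIONS = {
    "deactivate": replace(OLD, status="deactivated"),
    "private": replace(OLD, visibility="private"),
    "hidden": replace(OLD, os_hidden=True),
}

def compare(consumer="tenant-a"):
    """Assess each retirement option from the point of view of `consumer`."""
    return {name: assess(img, consumer) for name, img in OPTIONS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} {result}")
```
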

On Thu, Jun 30, 2022 at 2:56 PM Sean Mooney <smooney@redhat.com> wrote:
On Thu, 2022-06-30 at 14:37 +0200, Massimo Sgaravatto wrote:
> No: I really mean resize
i guess for resize we need to copy the backing file, which we presumably
are doing by redownloading the original image. it could technically be copied from the source
host instead, but i think if you change the visibility rather than blocking download that would
hide it from people looking to create new vms with it in the image list but allow it to continue
to be used by existing instances for rebuild and resize.
>
> On Thu, Jun 30, 2022 at 1:42 PM Sean Mooney <smooney@redhat.com> wrote:
>
> > On Thu, 2022-06-30 at 10:09 +0200, Massimo Sgaravatto wrote:
> > > Dear all
> > >
> > > What is the blessed method to avoid using an image for new virtual
> > machines
> > > without causing problems for existing instances using that image ?
> > >
> > > If I deactivate the image, I then have problems resizing instances using
> > > that image [*]: it claims that image download is forbidden since the
> > image
> > > was deactivated
> > i think you mean rebuilding the instance, not resizing, right?
> > resize should not need the image since it should use the image info we
> > embed in the nova
> > in the instance_system_metadata table.
> >
> > i'm not sure if there is a blessed way but i probably would have changed the
> > visibility to private.
> >
> >
> > >
> > > Thanks, Massimo
> > >
> > > [*]
> > >
> > >
> > >  | fault                               | {'code': 500, 'created':
> > > '2022-06-30T07:57:30Z', 'message': 'Not authorized for image
> > > dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.', 'details': 'Traceback (most
> > recent
> > > call last):\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377, in
> > > download\n    context, 2, \'data\', args=(image_id,))\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191, in
> > > call\n    result = getattr(controller, method)(*args, **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py", line
> > 670,
> > > in inner\n    return RequestIdProxy(wrapped(*args, **kwargs))\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line 255,
> > in
> > > data\n    resp, body = self.http_client.get(url)\n  File
> > > "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 395, in
> > > get\n    return self.request(url, \'GET\', **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 380,
> > > in request\n    return self._handle_response(resp)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 120,
> > > in _handle_response\n    raise exc.from_response(resp,
> > > resp.content)\nglanceclient.exc.HTTPForbidden: HTTP 403 Forbidden: The
> > > requested image has been deactivated. Image data download is
> > > forbidden.\n\nDuring handling of the above exception, another exception
> > > occurred:\n\nTraceback (most recent call last):\n  File
> > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 201, in
> > > decorated_function\n    return function(self, context, *args, **kwargs)\n
> > >  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
> > > 5950, in finish_resize\n    context, instance, migration)\n  File
> > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 227, in
> > > __exit__\n    self.force_reraise()\n  File
> > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 200, in
> > > force_reraise\n    raise self.value\n  File
> > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5932, in
> > > finish_resize\n    migration, request_spec)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5966, in
> > > _finish_resize_helper\n    request_spec)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5902, in
> > > _finish_resize\n    self._set_instance_info(instance, old_flavor)\n  File
> > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 227, in
> > > __exit__\n    self.force_reraise()\n  File
> > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 200, in
> > > force_reraise\n    raise self.value\n  File
> > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 5890, in
> > > _finish_resize\n    block_device_info, power_on)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line
> > 11343,
> > > in finish_migration\n    fallback_from_host=migration.source_compute)\n
> > >  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py",
> > line
> > > 4703, in _create_image\n    injection_info, fallback_from_host)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line
> > 4831,
> > > in _create_and_inject_local_root\n    instance, size,
> > fallback_from_host)\n
> > >  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py",
> > line
> > > 10625, in _try_fetch_image_cache\n
> > >  trusted_certs=instance.trusted_certs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
> > line
> > > 275, in cache\n    *args, **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
> > line
> > > 638, in create_image\n    prepare_template(target=base, *args,
> > **kwargs)\n
> > >  File "/usr/lib/python3.6/site-packages/oslo_concurrency/lockutils.py",
> > > line 391, in inner\n    return f(*args, **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
> > line
> > > 271, in fetch_func_sync\n    fetch_func(target=target, *args, **kwargs)\n
> > >  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/utils.py", line
> > > 395, in fetch_image\n    images.fetch_to_raw(context, image_id, target,
> > > trusted_certs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/virt/images.py", line 115, in
> > > fetch_to_raw\n    fetch(context, image_href, path_tmp, trusted_certs)\n
> > >  File "/usr/lib/python3.6/site-packages/nova/virt/images.py", line 106,
> > in
> > > fetch\n    trusted_certs=trusted_certs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1300, in
> > > download\n    trusted_certs=trusted_certs)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 379, in
> > > download\n    _reraise_translated_image_exception(image_id)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1031, in
> > > _reraise_translated_image_exception\n    raise
> > > new_exc.with_traceback(exc_trace)\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377, in
> > > download\n    context, 2, \'data\', args=(image_id,))\n  File
> > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191, in
> > > call\n    result = getattr(controller, method)(*args, **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py", line
> > 670,
> > > in inner\n    return RequestIdProxy(wrapped(*args, **kwargs))\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line 255,
> > in
> > > data\n    resp, body = self.http_client.get(url)\n  File
> > > "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 395, in
> > > get\n    return self.request(url, \'GET\', **kwargs)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 380,
> > > in request\n    return self._handle_response(resp)\n  File
> > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py", line 120,
> > > in _handle_response\n    raise exc.from_response(resp,
> > > resp.content)\nnova.exception.ImageNotAuthorized: Not authorized for
> > image
> > > dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.\n'} |
> >
> >