[glance][cinder] No format check on glance image uploading vs. thorough image format checks on cinder
Hello folks, Since resolution of vmdk related CVE<https://bugs.launchpad.net/nova/+bug/1996188>, Cinder performs extra checks on format of images used for specific actions, like creating a volume out of an image for instance. See related cinder commit: https://review.opendev.org/c/openstack/cinder/+/871625 Those new checks first led to failures on our tempest tests, on tests that were passing before. E.g.: tempest.api.compute.servers.test_create_server.ServersTestBootFromVolume It turned out that tests were failing because of a discrepancy between actual format of the image (qcow2 here) and declared format in glance db (raw). To us, this raises the question of format checks responsibility throughout images lifecycle, between Glance and Cinder. Today, afaik, Glance will: - tag as 'raw' any image uploaded without any format specified - tag the image with the format provided by the customer, whatever the actual format of the image is whereas Cinder is now more picky, refusing to deal with an image that claims to be of X format but is actually Y. If you do confirm these observations, in your opinion, what would be the best option among: 1. leave it as is, after all openstack customer is responsible for the accuracy of the information provided on image upload and should not be surprised by downstream mismatches when using the image 2. strengthen customer's responsibility of bullet 1. by making image format declaration mandatory on image upload 3. enforce format checks on glance on image upload 4. other way you may think of? something upstream I may have missed? Thank you for your opinion! Regards, Florent Le Lain SRE Team Lead – Public Cloud OVHcloud Rennes [1672217009737]
To us, this raises the question of format checks responsibility throughout images lifecycle, between Glance and Cinder. Today, afaik, Glance will: - tag as 'raw' any image uploaded without any format specified - tag the image with the format provided by the customer, whatever the actual format of the image is whereas Cinder is now more picky, refusing to deal with an image that claims to be of X format but is actually Y.
If you do confirm these observations, in your opinion, what would be the best option among: • leave it as is, after all openstack customer is responsible for the accuracy of the information provided on image upload and should not be surprised by downstream mismatches when using the image • strengthen customer's responsibility of bullet 1. by making image format declaration mandatory on image upload • enforce format checks on glance on image upload • other way you may think of? something upstream I may have missed?
This will probably answer your questions: https://review.opendev.org/c/openstack/glance-specs/+/925111 In short, yes, glance should be enforcing that the format matches on upload, IMHO. Glance does enforce it on import currently *if* image_conversion is enabled. I think that nova and cinder should continue to not trust glance to have done this though, and continue to inspect and assert that what they got matches what they expect. The above spec is my plan for the upcoming cycle to robustify glance in this regard. Moving nova, glance, and cinder to the oslo implementation (which has merged but is awaiting a release) will be a first step to making the continued diligence by the downstream-of-glance projects easier. --Dan
participants (2)
-
Dan Smith
-
Florent Le Lain