[openstack-dev] [glance] Queens PTG: Wednesday summary

Brian Rosmaita rosmaita.fossdev at gmail.com
Thu Sep 14 14:23:36 UTC 2017

For those who couldn't attend, here's a quick synopsis of what was
discussed yesterday.

Please consult the etherpad for each session for details.  Feel free
to put questions/comments on the etherpads, and then put an item on
the agenda for the weekly meeting on Thursday 21 September, and we'll
continue the discussion.

Strategic plan for Glance (Q, R, S, T, U)

No major surprises here, but some things to note:
- Q will be focused on completing interoperable image import and
making 2.6 the CURRENT API version
- The Images v1 API will be removed in Q (necessary condition is 2.6
becoming current, though)
- The Glance Registry API v1 will be removed in Q (necessary condition
is removal of Images v1 API)
- The Glance Registry API v2 will be DEPRECATED in Q and scheduled for
removal in S

Interoperable image import: where we are now and what testing needs to be added

Basically, we need a lot more tests.  Abhishek is going to run a
coverage analysis to give us a list of items to work on.  Everyone is
going to investigate what QA resources are available, and we'll
discuss how to divide up the work at the September 28 Glance meeting.

Can the v1 API be removed in Queens?

Yes, it can!  Assuming other goals are met, namely:
- implementing a safe 'copy-from' import-method (i.e., completing the
2.6 API and making it current).  ("Safe" copy-from addresses
- removing any remaining Images API v1 tempest tests
- notify the Horizon team that the Images API v1 is scheduled for
removal in Queens

Plans for the python-glanceclient are:
- announce deprecation of Images v1 API support
- Q release of glanceclient will be the last one with v1 support
- Images API v1 support will be removed from the python-glanceclient in R
- notify OSC team about this timeline
- notify Shade team (though I don't think they use the glanceclient)

Community goal: policy-in-code: where we are

The conclusion of the discussion is that the proposed advantages to
this effort don't appear to apply to Glance, but it's a bit late to
bring that up now.  The primary advantage will be documentation of the
policies, which will eat reviewer time, but it will be good to do
(though inconvenient given the size of the development team right

A complicating factor is that Glance also allows the use of policies
to define property protections.  We'll have to improve the
documentation around this feature.

Remove show_image_locations config option

The show_image_locations config option was deprecated in Newton and
scheduled for removal in Ocata.  It has become problematic to remove
this option because of OSSN-0065, as it gives operators a one-step way
to make sure the exploit described in that OSSN doesn't apply to their
installation (rather than properly configuring 3 related policies).

One suggestion is to rename the policy to something like
'insecure_location_access' (default value False) and then it will be a
bit more clear to operators what the config option allows.

Interoperable image import: next steps

See the etherpad for the list of to-do items for Queens.

Adding microversion support to the Glance APIs

Matt Treinish led an interesting discussion of why Glance should do
this.  We'll revisit this after the 2.6 API becomes CURRENT and the
Images API v1 has been removed.

See the scheduling etherpad for what we'll be discussing on Thursday:

More information about the OpenStack-dev mailing list