Re: Problem with image from snapshot

Franck VEDEL franck.vedel at univ-grenoble-alpes.fr
Fri Oct 15 06:45:14 UTC 2021


Melanie, 
On the contrary, I believe that you have fully understood my problem, and your explanations are very clear. Thank you so much.
I looked at the documentation, it is well explained, I understand what to do.
I'm using kolla-ansible to deploy Wallaby, it's not going to be easy, because changing the default permissions for cinder doesn't look easy.
Thanks again, you've saved me a lot of time, and it's going to help me with what I want to do with my students.

Franck


> On 14 Oct 2021 at 22:58, melanie witt <melwittt at gmail.com> wrote:
> 
> According to this cinder doc [1], it looks like what you're trying to do is valid, to create an image backed by a volume and boot instances from that image.
> 
> The problem I see where the "failed to get snapshot" error is raised in nova for the non-admin user, it looks to be a problem with policy access for the GET /snapshots/{snapshot_id} cinder API. Although the image is public, the volume behind it was created by some project and by default the API will allow the admin project or the project that created/owns the volume [2]:
> 
> volume:get_snapshot
>    Default
>        rule:admin_or_owner
> 
>    Operations
>        GET /snapshots/{snapshot_id}
> 
> This is why it works when you boot an instance using the admin account. Currently, you would need to change the above rule in the cinder policy.yaml in order to allow a different project than the owner to GET the snapshot.
> 
> It's possible this is a bug in nova and that we should be using an elevated admin request context to call GET /snapshots/{snapshot_id} if the snapshot is for a volume-backed image.
> 
> Hopefully I haven't completely misunderstood what is going on here, if so, please ignore me. :)
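
Added example (not part of the original messages, and not cinder or nova code): a simplified model of how the volume:get_snapshot rule quoted above is evaluated, showing why the admin account can read the snapshot behind the public image while another project cannot, and that relaxing the rule opens every project's snapshots, not only that one. The rule strings are simplified stand-ins, and the project names, the RELAXED rule and all function names are assumptions.

```python
# Simplified model of oslo.policy-style checks (constructed; not cinder or nova code).
# Handles "kind:match" atoms joined by "and"/"or", where "and" binds tighter.

RULES = {
    # Simplified stand-in for cinder's admin_or_owner rule (assumption).
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "volume:get_snapshot": "rule:admin_or_owner",  # default quoted in the thread
}
# Hypothetical relaxation, constructed to show what widening the rule exposes.
RELAXED = {**RULES, "volume:get_snapshot": "rule:admin_or_owner or role:member"}

# Constructed credentials and snapshot targets.
USERS = {
    "admin": {"project_id": "p-admin", "roles": ["admin"], "is_admin": True},
    "student": {"project_id": "p-student", "roles": ["member"], "is_admin": False},
}
SNAPSHOTS = {
    "image": {"project_id": "p-admin"},     # snapshot behind the public image
    "other": {"project_id": "p-research"},  # unrelated project's snapshot
}

def check_atom(atom, creds, target, rules):
    kind, _, match = atom.strip("() ").partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target  # fills %(project_id)s from the snapshot
    except KeyError:
        return False
    return str(creds.get(kind)) == expected

def enforce(name, creds, target, rules):
    expr = rules[name]
    if expr == "":  # an empty rule always allows
        return True
    return any(all(check_atom(a, creds, target, rules) for a in group.split(" and "))
               for group in expr.split(" or "))

def access_matrix(rules):
    return {(u, s): enforce("volume:get_snapshot", c, t, rules)
            for u, c in USERS.items() for s, t in SNAPSHOTS.items()}

if __name__ == "__main__":
    for label, rules in (("default", RULES), ("relaxed", RELAXED)):
        for (user, snap), ok in access_matrix(rules).items():
            print(f"{label:8} {user:8} {snap:6} {'allow' if ok else 'deny'}")
```

Under the default rule the student project is denied on both snapshots; under the relaxed rule it is allowed on both, which is the trade-off to weigh before editing policy.yaml.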


More information about the openstack-discuss mailing list