Xena and CEPH RBD backend (show_image_direct_url status )

Eugen Block eblock at nde.ag
Mon Feb 28 14:04:33 UTC 2022


Hi,

it's disappointing that this is still an issue.
We're currently using OpenStack Ussuri with Ceph Nautilus (we plan to
upgrade to Octopus soon), which works fine without enabling
show_image_direct_url. The same goes for Victoria and Octopus (one of
our customers uses this combination).


> How is the noted GRAVE Security RISK of enabling
> Show_image_direct_url mitigated? (i.e. I think, for CEPH RBD, it
> needs to be True to get cloning to work efficiently)

I'm also wondering in which case the location contains credentials; I
haven't seen that yet. Depending on how your cloud is used (is it a
public or private cloud), maybe enabling the option is not that big of
a risk?

Regards,
Eugen


Quoting "west, andrew" <andrew.west-contractor at cgg.com>:

> Hello experts
>
> Currently using openstack Xena and Ceph backend (Pacific 16.2.7)
>
> It seems there is a bug (since Wallaby?) where the efficient use of
> a CEPH Pacific RBD backend (i.e. with copy-on-write-cloning) is not
> working.
> Show_image_direct_url needs to be False to create volumes (or  
> ephemeral volumes for nova)
>
> This can of course be tremendously slow (Nova, ephemeral root
> disk) without the copy-on-write cloning feature of Ceph.
>
> As Ceph RBD is THE most favourite backend for block storage in
> openstack I am wondering how others are coping (or workarounds
> found?)
> Which combinations of Openstack and Ceph are known to work well
> with copy-on-write-cloning?
>
> How is the noted GRAVE Security RISK of enabling
> Show_image_direct_url mitigated? (i.e. I think, for CEPH RBD, it
> needs to be True to get cloning to work efficiently)
>
>
> See another report of this issue here:
> Re: Ceph Pacifif and Openstack Wallaby - ERROR  
> cinder.scheduler.flows.create_volume - CEPH Filesystem Users  
> (spinics.net)<https://www.spinics.net/lists/ceph-users/msg66016.html>
>
> Thanks for any help or pointers,
>
> Andrew West
> Openstack consulting
> CGG France
>
>

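Added example, not part of either message above: a small Python audit that reports whether a glance-api.conf enables the options that expose image locations, and whether any stored location carries credentials in its URL. The config fragment, the location URLs and the function names are constructed for illustration; the `rbd://` and `swift+https://` location shapes are assumptions about how those stores record locations.

```python
import configparser
from urllib.parse import urlsplit

# Constructed glance-api.conf fragment (not taken from the thread).
SAMPLE_CONF = """
[DEFAULT]
show_image_direct_url = True
show_multiple_locations = False
"""

# Constructed image locations; fsid, pool, host and account names are made up.
SAMPLE_LOCATIONS = [
    "rbd://11111111-2222-3333-4444-555555555555/images/0a1b2c3d/snap",
    "swift+https://tenant%3Auser:s3cr3t@keystone.example.test/v3/glance/0a1b2c3d",
    "file:///var/lib/glance/images/0a1b2c3d",
]

# Options that make Glance return backend locations to API clients.
EXPOSURE_OPTIONS = ("show_image_direct_url", "show_multiple_locations")


def exposed_options(conf_text):
    """Return the location-exposing options enabled in [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [o for o in EXPOSURE_OPTIONS
            if cp.getboolean("DEFAULT", o, fallback=False)]


def location_has_credentials(url):
    """True when the URL has a userinfo part (user or user:password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def audit(conf_text, locations):
    """Return (enabled options, redacted locations that would leak credentials)."""
    enabled = exposed_options(conf_text)
    findings = []
    for url in locations:
        if enabled and location_has_credentials(url):
            parts = urlsplit(url)
            # Never echo the secret itself into the report.
            findings.append(
                f"{parts.scheme}://<redacted>@{parts.hostname}{parts.path}")
    return enabled, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_LOCATIONS))
```

With the constructed inputs, only the location with a userinfo part is reported; the `rbd://` location has none.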