Open Stack

On Fri, 1 Jul 2022 at 07:17, Massimo Sgaravatto <
massimo.sgaravatto at gmail.com> wrote:

> Converting the image from public to private seems indeed a good idea.
> Thanks a lot for the hint !
> Cheers, Massimo
>
>
Hi Massimo,

Turning it into private will cause the very same issue for anyone using the
image who was consuming it outside of the project that owns the image. The
"hidden" [0] flag was developed for this purpose. Even it does not prevent
one to launch new instances from the said image, it will strongly
discourage it as the image is not listed in the normal image listings. So
if you have a new up to date version of the image, but the old one is still
widely in use, turn the old image hidden and unless someone is specifically
launching the instance with that old image ID, they will be directed
towards your new version.

As we don't currently have any mechanism separating a user making a call to
Glance with one of the clients vs. Nova making the call on behalf of the
user, we also have no means to ensure that the image would be consumable
for housekeeping purposes while new instances would be prevented. So this
was the most user friendly solution we came up with at the time.

[0]
https://specs.openstack.org/openstack/glance-specs/specs/rocky/implemented/glance/operator-image-workflow.html

- jokke

On Thu, Jun 30, 2022 at 2:56 PM Sean Mooney <smooney at redhat.com> wrote:
>
>> On Thu, 2022-06-30 at 14:37 +0200, Massimo Sgaravatto wrote:
>> > No: I really mean resize
>> i guess for resize we need to pcy the backing file which we preusmabel
>> are doing by redownloading the orginal image. it could technically be
>> copied form the souce
>> host instead but i think if you change the visiableity rahter then
>> blocking download that would
>> hide it form peopel lookign to create new vms with it in the image list
>> but allow it to consiute
>> to be used by exsiting instace for rebuild and resize.
>> >
>> > On Thu, Jun 30, 2022 at 1:42 PM Sean Mooney <smooney at redhat.com> wrote:
>> >
>> > > On Thu, 2022-06-30 at 10:09 +0200, Massimo Sgaravatto wrote:
>> > > > Dear all
>> > > >
>> > > > What is the blessed method to avoid using an image for new virtual
>> > > machines
>> > > > without causing problems for existing instances using that image ?
>> > > >
>> > > > If I deactivate the image, I then have problems resizing instances
>> using
>> > > > that image [*]: it claims that image download is forbidden since the
>> > > image
>> > > > was deactivated
>> > > i think you mean rebuilding the instance not resizeing right?
>> > > resize should not need the image since it should use the image info we
>> > > embed in the nova
>> > > in the instance_system_metadata table.
>> > >
>> > > im not sure if there is a blessed way but i proably would have
>> changed the
>> > > visablity to private.
>> > >
>> > >
>> > > >
>> > > > Thanks, Massimo
>> > > >
>> > > > [*]
>> > > >
>> > > >
>> > > >  | fault                               | {'code': 500, 'created':
>> > > > '2022-06-30T07:57:30Z', 'message': 'Not authorized for image
>> > > > dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.', 'details': 'Traceback (most
>> > > recent
>> > > > call last):\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377,
>> in
>> > > > download\n    context, 2, \'data\', args=(image_id,))\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191,
>> in
>> > > > call\n    result = getattr(controller, method)(*args, **kwargs)\n
>> File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py",
>> line
>> > > 670,
>> > > > in inner\n    return RequestIdProxy(wrapped(*args, **kwargs))\n
>> File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line
>> 255,
>> > > in
>> > > > data\n    resp, body = self.http_client.get(url)\n  File
>> > > > "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line
>> 395, in
>> > > > get\n    return self.request(url, \'GET\', **kwargs)\n  File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py",
>> line 380,
>> > > > in request\n    return self._handle_response(resp)\n  File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py",
>> line 120,
>> > > > in _handle_response\n    raise exc.from_response(resp,
>> > > > resp.content)\nglanceclient.exc.HTTPForbidden: HTTP 403 Forbidden:
>> The
>> > > > requested image has been deactivated. Image data download is
>> > > > forbidden.\n\nDuring handling of the above exception, another
>> exception
>> > > > occurred:\n\nTraceback (most recent call last):\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
>> 201, in
>> > > > decorated_function\n    return function(self, context, *args,
>> **kwargs)\n
>> > > >  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py",
>> line
>> > > > 5950, in finish_resize\n    context, instance, migration)\n  File
>> > > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line
>> 227, in
>> > > > __exit__\n    self.force_reraise()\n  File
>> > > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line
>> 200, in
>> > > > force_reraise\n    raise self.value\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
>> 5932, in
>> > > > finish_resize\n    migration, request_spec)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
>> 5966, in
>> > > > _finish_resize_helper\n    request_spec)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
>> 5902, in
>> > > > _finish_resize\n    self._set_instance_info(instance,
>> old_flavor)\n  File
>> > > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line
>> 227, in
>> > > > __exit__\n    self.force_reraise()\n  File
>> > > > "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line
>> 200, in
>> > > > force_reraise\n    raise self.value\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line
>> 5890, in
>> > > > _finish_resize\n    block_device_info, power_on)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line
>> > > 11343,
>> > > > in finish_migration\n
>> fallback_from_host=migration.source_compute)\n
>> > > >  File
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py",
>> > > line
>> > > > 4703, in _create_image\n    injection_info, fallback_from_host)\n
>> File
>> > > > "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line
>> > > 4831,
>> > > > in _create_and_inject_local_root\n    instance, size,
>> > > fallback_from_host)\n
>> > > >  File
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py",
>> > > line
>> > > > 10625, in _try_fetch_image_cache\n
>> > > >  trusted_certs=instance.trusted_certs)\n  File
>> > > >
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
>> > > line
>> > > > 275, in cache\n    *args, **kwargs)\n  File
>> > > >
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
>> > > line
>> > > > 638, in create_image\n    prepare_template(target=base, *args,
>> > > **kwargs)\n
>> > > >  File
>> "/usr/lib/python3.6/site-packages/oslo_concurrency/lockutils.py",
>> > > > line 391, in inner\n    return f(*args, **kwargs)\n  File
>> > > >
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/imagebackend.py",
>> > > line
>> > > > 271, in fetch_func_sync\n    fetch_func(target=target, *args,
>> **kwargs)\n
>> > > >  File
>> "/usr/lib/python3.6/site-packages/nova/virt/libvirt/utils.py", line
>> > > > 395, in fetch_image\n    images.fetch_to_raw(context, image_id,
>> target,
>> > > > trusted_certs)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/virt/images.py", line 115, in
>> > > > fetch_to_raw\n    fetch(context, image_href, path_tmp,
>> trusted_certs)\n
>> > > >  File "/usr/lib/python3.6/site-packages/nova/virt/images.py", line
>> 106,
>> > > in
>> > > > fetch\n    trusted_certs=trusted_certs)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1300,
>> in
>> > > > download\n    trusted_certs=trusted_certs)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 379,
>> in
>> > > > download\n    _reraise_translated_image_exception(image_id)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 1031,
>> in
>> > > > _reraise_translated_image_exception\n    raise
>> > > > new_exc.with_traceback(exc_trace)\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 377,
>> in
>> > > > download\n    context, 2, \'data\', args=(image_id,))\n  File
>> > > > "/usr/lib/python3.6/site-packages/nova/image/glance.py", line 191,
>> in
>> > > > call\n    result = getattr(controller, method)(*args, **kwargs)\n
>> File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/utils.py",
>> line
>> > > 670,
>> > > > in inner\n    return RequestIdProxy(wrapped(*args, **kwargs))\n
>> File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/v2/images.py", line
>> 255,
>> > > in
>> > > > data\n    resp, body = self.http_client.get(url)\n  File
>> > > > "/usr/lib/python3.6/site-packages/keystoneauth1/adapter.py", line
>> 395, in
>> > > > get\n    return self.request(url, \'GET\', **kwargs)\n  File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py",
>> line 380,
>> > > > in request\n    return self._handle_response(resp)\n  File
>> > > > "/usr/lib/python3.6/site-packages/glanceclient/common/http.py",
>> line 120,
>> > > > in _handle_response\n    raise exc.from_response(resp,
>> > > > resp.content)\nnova.exception.ImageNotAuthorized: Not authorized for
>> > > image
>> > > > dd1492d5-17a2-4dc2-a4e3-ec6c99255e4b.\n'} |
>> > >
>> > >
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220704/9286cc0b/attachment-0001.htm>