[Openstack] Ubuntu Cloud Image - Forbidden access! Glance fails with error 500.

Nikhil Komawar nik.komawar at gmail.com
Wed Aug 31 22:58:52 UTC 2016


Thanks Thiago for including OpenStackers. But you do point out an
interesting deployment scenario, which I'm more than inclined to
comment on, being a community and OpenStack users' well-wisher.
Please see notes inline.


On 8/31/16 6:24 PM, Martinx - ジェームズ wrote:
> But I need to rely on the upstream URLs for two reasons:
>
> 1- During Glance provision, I can't download the images, the images
> MUST be downloaded by Glance itself, by demand (that's why I always
> use --location and that's why I'm still using Glance v1;

It's a bit unfortunate that you use it this way, as Glance v1 was never
designed to be used directly by users; it was designed as an
internal service for Nova, Cinder, etc. to use (service-to-service
communication).

>
> 2- By relying on a remote URL, I don't need to re-add the images every
> single time that upstream updates its image, Glance will always
> download the latest directly from upstream.

This is a bad idea (very very ... very bad idea). The very fact that
OpenStack relies on storing images in glance is so that the user can
know what image they are going to consume. Image locations have been
designed to be an admin-only feature for the same reason (with the
assumption that v1 was supposed to be an internal-only API). I strongly
urge you to use the image locations feature with that context.

Having such a setup will result in an unknown state where the uuid of
the image is the same but, if some random (possibly even malicious) image is
stored at that http url, at any given point in time your cloud is not
secure. Also, there are other reasons why such a setup shouldn't be
made: the references Nova uses to determine which image the VM was
booted from are stored against the uuid of that image. If the remote url
is subject to change at any time, the shared understanding of Nova, Glance
and the user about that image will be wrong, for the image bytes have
mutated since the last check.

>
> BTW, I've sent those messages to both lists (Ubuntu / OpenStack)
> because this interests Ubuntu and since Glance is failing with Error
> 500, OpenStack guys might be interested as well.

Glance has no control over the remote urls, so it's failing to interpret
the inaccessible location. In such a scenario the appropriate error is
indeed 500 -- as glance assumes that the deployment will have resilient
access to that image location.


Hope that helps.
>
> Cheers!
> Thiago
>
> On 29 August 2016 at 05:37, <stuart.mclaren at hp.com> wrote:
>
>
>     To prevent this kind of thing recurring you can upload the image bytes
>     into Glance rather than relying on the third party url always being
>     available, eg:
>
>     curl http://uec-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img \
>     | glance image-create --name "Ubuntu 16.04.1 LTS - Xenial Xerus - 64-bit - Cloud Based Image" \
>     --is-public true --container-format bare --disk-format qcow2
>
>
>     On Sun, 28 Aug 2016, Kaustubh Kelkar wrote:
>
>         Broken link?
>
>         https://cloud-images.ubuntu.com/xenial/
>
>         -Kaustubh
>
>         From: Martinx - ジェームズ
>         Sent: Saturday, August 27, 23:06
>         Subject: [Openstack] Ubuntu Cloud Image - Forbidden access! Glance fails with error 500.
>         To: ubuntu-server, Ubuntu user technical support, not for general discussions, openstack at lists.openstack.org
>
>         Guys,
>
>         It is impossible to download Ubuntu Cloud Image right now:
>
>         http://uec-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img
>
>         Returns: Forbidden!
>
>         ----
>
>         wget http://uec-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img
>
>         --2016-08-28 02:50:36--  http://uec-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img
>         Resolving uec-images.ubuntu.com (uec-images.ubuntu.com)... 91.189.88.140
>         Connecting to uec-images.ubuntu.com (uec-images.ubuntu.com)|91.189.88.140|:80... connected.
>         HTTP request sent, awaiting response... 403 Forbidden
>         2016-08-28 02:50:36 ERROR 403: Forbidden.
>
>         ----
>
>         This broke my OpenStack deployment, because Glance tries to
>         download it and then it fails (error 500 on Glance).
>
>         ---
>
>         http://paste.openstack.org/show/564302/
>
>         ---
>
>         Here is how I'm adding Ubuntu images to my OpenStack Mitaka Cloud:
>
>         ---
>
>         glance image-create --location http://uec-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img \
>         --name "Ubuntu 16.04.1 LTS - Xenial Xerus - 64-bit - Cloud Based Image" --is-public true \
>         --container-format bare --disk-format qcow2
>
>         ---
>
>         Cheers!
>
>         Thiago
>
>
>
>

-- 

Thanks,
Nikhil
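The recommendation above (upload the image bytes into Glance rather than registering a remote URL that can change underneath a fixed uuid), as an added example that is not part of this thread: a small POSIX shell script that verifies the downloaded image against a published SHA256SUMS file before importing it with the glance v1 client. It assumes sha256sum, curl and glance are installed and that the publisher provides a SHA256SUMS file in sha256sum format next to the image; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: import image bytes into Glance only after
# verifying them against a published checksum, instead of registering a
# mutable remote --location. Assumes sha256sum, curl and glance are installed.

# verify_image FILE SUMSFILE NAME: return 0 if FILE's SHA-256 matches the entry
# for NAME in SUMSFILE (sha256sum format: "<hex>  *NAME" or "<hex>  NAME"),
# 1 on mismatch, 2 if NAME has no entry at all.
verify_image() {
    file="$1"; sums="$2"; name="$3"
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# import_image FILE NAME: upload the verified bytes (the glance v1 client flags
# used in the thread, with --file instead of piping stdin). Glance records its
# own checksum of what it received, so the image uuid now names fixed bytes.
import_image() {
    glance image-create --name "$2" --is-public true \
        --container-format bare --disk-format qcow2 --file "$1"
}

# download_verify_import IMAGE_URL SUMS_URL NAME: end-to-end flow (needs network).
# Nothing is imported unless the download succeeded and the checksum matched.
download_verify_import() {
    base=${1##*/}
    tmp=$(mktemp -d)
    rc=1
    if curl -fsSL -o "$tmp/$base" "$1" && curl -fsSL -o "$tmp/SHA256SUMS" "$2" \
        && verify_image "$tmp/$base" "$tmp/SHA256SUMS" "$base" \
        && import_image "$tmp/$base" "$3"; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: ./import-image.sh <image-url> <sha256sums-url> "<glance image name>"
if [ "$#" -eq 3 ]; then
    download_verify_import "$@"
fi
```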




