Current Series Release Notes

New Features

  • Added a new import method, copy-image, which copies an existing image into multiple stores.

Upgrade Notes

  • Added a new import method, copy-image, which copies an existing image into multiple stores. The new import method works only if multiple stores are enabled in the deployment. To use this feature, the operator needs to list the copy-image import method in the enabled_import_methods configuration option. Note that this new internal plugin applies only to images imported via the interoperable image import process.

  • Added the ability to import an image into multiple stores during the interoperable image import process. This feature works only if multiple stores are enabled in the deployment. It introduces 3 new optional body fields to the import API path:

    • stores: List containing the IDs of the stores to import the image binary data to.

    • all_stores: Import the data into all configured stores.

    • all_stores_must_succeed: Controls whether the import has to succeed in all stores.

    Users can follow workflow execution with 2 new reserved properties:

    • os_glance_importing_to_stores: List of stores that have not yet been processed.

    • os_glance_failed_import: Each time an import into a store fails, that store is added to this list.

  • Policy defaults are now defined in code, as they already were in other OpenStack services. After upgrading there is no need to provide a policy.json file (and you should not do so) unless you want to override the default policies, and only policies you want to override need be mentioned in the file. You should no longer rely on the default rule, and especially not the default value of the rule (which has been relaxed), to assign a non-default policy to rules not explicitly specified in the policy file.

Security Issues

  • If the existing policy.json file relies on the default rule for some policies (i.e. not all policies are explicitly specified in the file) then the default rule must be explicitly set (e.g. to "role:admin") in the file. The new default value for the default rule is "", whereas since the Queens release it has been "role:admin" (prior to Queens it was "@", which allows everything). After upgrading to this release, the policy file should be replaced by one that overrides only policies that need to be different from the defaults, without relying on the default rule.
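
A pre-upgrade check for the situation described above, as an added example that is not part of the Glance release notes or code base: it reports whether a policy.json leaves policies out or references the default rule without setting that rule itself. The function name, the sample file and the policy-name list are assumptions for illustration.

```python
import json
import re

OLD_IMPLICIT_DEFAULT = "role:admin"  # value of the default rule since Queens, per the note
NEW_IMPLICIT_DEFAULT = ""            # value of the default rule after this upgrade, per the note
DEFAULT_REF = re.compile(r"\brule:default\b")


def audit_policy_file(policy_text, known_policies):
    """Report how a policy.json depends on the 'default' rule.

    known_policies is an assumed input: the policy names enforced by the
    release being deployed.
    """
    rules = json.loads(policy_text)
    explicit_default = rules.get("default")  # None when the file does not set it
    # Policies the file leaves out (the note's "not all policies are specified").
    unspecified = sorted(p for p in known_policies if p not in rules)
    # Policies whose check string names the default rule directly.
    references = sorted(
        name for name, check in rules.items()
        if name != "default" and isinstance(check, str) and DEFAULT_REF.search(check)
    )
    findings = []
    if (unspecified or references) and explicit_default is None:
        findings.append(
            "default rule is not set in the file; its implicit value changed "
            f"from {OLD_IMPLICIT_DEFAULT!r} to {NEW_IMPLICIT_DEFAULT!r}"
        )
    if explicit_default == "@":
        findings.append('default rule is "@", which allows everything')
    return {
        "explicit_default": explicit_default,
        "unspecified": unspecified,
        "references_default": references,
        "findings": findings,
    }


# Constructed sample input, not a real deployment's policy file.
SAMPLE_POLICY = """{
    "add_image": "",
    "delete_image": "rule:default",
    "get_image": ""
}"""
# Illustrative subset of policy names; supply the full list for your release.
SAMPLE_KNOWN = ["add_image", "delete_image", "get_image", "download_image"]

if __name__ == "__main__":
    print(json.dumps(audit_policy_file(SAMPLE_POLICY, SAMPLE_KNOWN), indent=2))
```

An empty findings list means the file either sets the default rule explicitly or does not depend on it.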

Upgrade Notes

  • Python 2.7 support has been dropped. The last release of Glance to support py2.7 is OpenStack Train (Glance 19.x). The minimum version of Python now supported by Glance is Python 3.6.

  • If the upgrade is from a PY27 deployment where SSL connections were terminated in glance-api, the termination needs to happen externally from now on.

Security Issues

  • SSL support has been removed from Glance, as it worked only under PY27, which is no longer a supported environment. Termination of encrypted connections needs to happen externally as soon as the move to PY3 happens. Any deployment needing end-to-end encryption needs either to put a reverse proxy in front of the service (using a full-blown HTTP server like Apache or Nginx will cause a significant performance hit, and we advise using something simpler that does not break the HTTP protocol) or to use SSL tunneling (like stunnel) between the load balancers and glance-api.