開発中バージョンのリリースノート

20.0.0.0b1-7

アップグレード時の注意

  • Policy defaults are now defined in code, as they already were in other OpenStack services. After upgrading there is no need to provide a policy.json file (and you should not do so) unless you want to override the default policies, and only policies you want to override need be mentioned in the file. You should no longer rely on the default rule, and especially not the default value of the rule (which has been relaxed), to assign a non-default policy to rules not explicitly specified in the policy file.

セキュリティー上の問題

  • If the existing policy.json file relies on the default rule for some policies (i.e. not all policies are explicitly specified in the file) then the default rule must be explicitly set (e.g. to "role:admin") in the file. The new default value for the default rule is "", whereas since the Queens release it has been "role:admin" (prior to Queens it was "@", which allows everything). After upgrading to this release, the policy file should be replaced by one that overrides only policies that need to be different from the defaults, without relying on the default rule.

20.0.0.0b1

アップグレード時の注意

  • Python 2.7 support has been dropped. Last release of Glance to support py2.7 is OpenStack Train (Glance 19.x). The minimum version of Python now supported by Glance is Python 3.6.

  • If upgrade is conducted from PY27 where ssl connections has been terminated into glance-api, the termination needs to happen externally from now on.

セキュリティー上の問題

  • The ssl support from Glance has been removed as it worked only under PY27 which is not anymore supported environment. Termination of encrypted connections needs to happen externally as soon as move to PY3 happens. Any deployment needing end to end encryption would need to put either reverse proxy (using fully blown http server like Apache or Nginx will cause significant performance hit and we advice using something more simple that does not break the http protocol) in front of the service or utilize ssl tunneling (like stunnel) between loadbalancers and glance-api.