Ussuri Series Release Notes

20.0.0-11

バグ修正

  • Bug 1881958: read-only http store should not be used if --all-stores specified for import/copy image workflow

  • Bug 1887994: Mixed message in admin docs to deploy under httpd

  • Bug 1885725: 'copy-image' import job should not run additional plugins

  • Bug 1888349: glance-cache-manage utility is broken

  • Bug 1886374: Improve lazy loading mechanism for multiple stores

  • Bug 1885003: Interrupted copy-image may break a subsequent operation

  • Bug 1884587: image import copy-image API should reflect proper authorization

20.0.0

紹介

Ussuri release includes multiple important milestones in Glance development priorities.

  • Added support for importing images in multiple stores

  • Added support for copying existing images in multiple stores

  • Added support to delete image from single store

  • Dropped support for python 2.7

新機能

  • Policy enforcement for several Metadata Definition delete APIs are added in this release. The following actions are enforced and added to the policy.json:

    • delete_metadef_namespace

    • delete_metadef_object

    • remove_metadef_resource_type_association

    • remove_metadef_property

    • delete_metadef_tag

    • delete_metadef_tags

    This prevents roles that should not have access to these APIs from performing the APIs associated with the actions above.

  • Added new import method copy-image which will copy existing image into multiple stores.

  • As part of the multi-store efforts this release introduces deletion from single store. Through new '/v2/stores' endpoint the API user can request image to be deleted from single store instead of deleting the whole image. This feature can be used to clean up store metadata in cases where the image data has for some reason disappeared from the store already, except 410 Gone HTTP response.

  • New Interoperable Image Import plugin has been introduced to address the use case of providing compressed images either through 'web-download' or to optimize the network utilization between the client and Glance.

アップグレード時の注意

  • Added new import method copy-image which will copy existing image into multiple stores. The new import method will work only if multiple stores are enabled in the deployment. To use this feature operator needs to mention copy-image import method in enabled_import_methods configuration option. Note that this new internal plugin applies only to images imported via the interoperable image import process.

  • The default value of the Glance API configuration option admin_role has been changed in this release. If you were also using the default policy configuration, this change will not affect you. If you were not using the default policy configuration, please read on.

    With the previous default value, any user with the admin role could act in an administrative context regardless of what your policy file defined as the administrative context. And this might not be a problem because usually the admin role is not assigned to "regular" end users. It does become a problem, however, when operators attempt to configure different gradations of administrator.

    In this release, the default value of admin_role has been defined as __NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__. This effectively makes it inoperable (unless your Keystone administrator has actually created such a role and assigned it to someone, which is unlikely but possible, so you should check). If your local policy tests (you have some, right?) indicate that your Glance policies no longer function as expected, then you have been relying on the admin_role configuration option and need to revise your policy file. (A short term fix would be to set the admin_role option back to admin, but keep in mind that it is a short-term fix, because this configuration option is deprecated and subject to removal.)

    See the "Deprecation Notes" section of this document for more information.

  • The show_multiple_locations configuration option remains DEPRECATED but not removed in the Ussuri release. We continue to recommend that image locations not be exposed to end users. See OSSN-0065 for more information.

    The plan continues to be to eliminate the option and use only policies to control image locations access. This, however, requires some major refactoring, as discussed in the draft Policy Refactor spec. Further, there is no projected timeline for this change, as no one has been able to commit time to it. (The Glance team would be happy to discuss this more with anyone interested in working on it.)

    Please keep a watch on the Glance release notes and the glance-specs repository to stay informed about developments on this issue.

  • Python 2.7 support has been dropped. Last release of Glance to support py2.7 is OpenStack Train (Glance 19.x). The minimum version of Python now supported by Glance is Python 3.6.

  • The sheepdog storage backend driver was deprecated in the Train release and has now been removed. Any deployments still using Sheepdog storage will need to migrate to a different backend storage prior to upgrading to this release.

  • Add ability to import image into multiple stores during interoperable image import process. This feature will only work if multiple stores are enabled in the deployment. It introduces 3 new optional body fields to the import API path:

    • stores: List containing the stores id to import the image binary data to.

    • all_stores: To import the data in all configured stores.

    • all_stores_must_succeed: Control wether the import have to succeed in all stores.

    Users can follow workflow execution with 2 new reserved properties:

    • os_glance_importing_to_stores: list of stores that has not yet been processed.

    • os_glance_failed_import: Each time an import in a store fails, it is added to this list.

  • Policy defaults are now defined in code, as they already were in other OpenStack services. After upgrading there is no need to provide a policy.json file (and you should not do so) unless you want to override the default policies, and only policies you want to override need be mentioned in the file. You should no longer rely on the default rule, and especially not the default value of the rule (which has been relaxed), to assign a non-default policy to rules not explicitly specified in the policy file.

  • Operators who use property protections with the property_protection_rule_format set to policies must still define the policy rules used for property protections in a policy file. The content of the file may be JSON or YAML. Additionally, we suggest that the absolute pathname of this file be set as the value of policy_file in the [oslo_policy] section of the glance-api.conf file.

    Be aware that if you define a policy rule for default or context_is_admin, that policy rule will also be used by the policies that govern permissions to perform actions using the Images API, even if these actions are not specified in the policy file.

  • If upgrade is conducted from PY27 where ssl connections has been terminated into glance-api, the termination needs to happen externally from now on.

廃止予定の機能

  • The Glance API configuration option admin_role is deprecated in this release and is subject to removal at the beginning of the Victoria development cycle, following the OpenStack standard deprecation policy.

    What this option does is to grant complete admin access to any authenticated user with a particular role. This overrides any policy rules configured in the policy configuration file. While everything will behave as expected if you are also using the default policy settings, this setting may cause anomalous behavior when you are configuring custom policies.

    Additionally, the default value of this option has been changed in this release. See the "Upgrade Notes" section of this document for more information.

    If you were previously aware of this option and were actually using it, we apologize for the inconvenience its removal will cause, but overall it will be better for everyone if policy configuration is confined to the policy configuration file and this backdoor is eliminated. The migration path is to explictly mention the role you configured for this option in appropriate places in your policy configuration file.

  • The Glance API configuration option allow_additional_image_properties is deprecated in this release and is subject to removal at the beginning of the Victoria development cycle, following the OpenStack standard deprecation policy.

    The migration path for operators who were using this option in its nondefault False setting is to set the image_property_quota option to 0. Since many other OpenStack services depend upon the ability to read/write custom image properties, however, we suspect that no one has been using the option with a nondefault value.

  • The Image checksum property contains an MD5 hash of the image data associated with an image. MD5 has not been considered secure for some time, and in order to comply with various security standards (for example, FIPS), an implementation of the MD5 algorithm may not be available on glance nodes.

    The secure "multihash" image properties, os_hash_algo and os_hash_value have been available on images since glance version 17.0.0 (Rocky). Until this point, the MD5 checksum property has been populated solely for backward compatability. It is not, however, necessary for validating downloaded image data.

    Thus, we are announcing the DEPRECATION in this release of the image checksum property. It will remain as an image property, but beginning with the Victoria release, the checksum will not be populated on new images.

    Users should instead rely on the secure "multihash" to validate image downloads. The python-glanceclient, for example, has been using multihash validation (with an optional MD5 fallback) since version 2.13.0 (Rocky).

セキュリティー上の問題

  • If the existing policy.json file relies on the default rule for some policies (i.e. not all policies are explicitly specified in the file) then the default rule must be explicitly set (e.g. to "role:admin") in the file. The new default value for the default rule is "", whereas since the Queens release it has been "role:admin" (prior to Queens it was "@", which allows everything). After upgrading to this release, the policy file should be replaced by one that overrides only policies that need to be different from the defaults, without relying on the default rule.

  • The ssl support from Glance has been removed as it worked only under PY27 which is not anymore supported environment. Termination of encrypted connections needs to happen externally as soon as move to PY3 happens. Any deployment needing end to end encryption would need to put either reverse proxy (using fully blown http server like Apache or Nginx will cause significant performance hit and we advice using something more simple that does not break the http protocol) in front of the service or utilize ssl tunneling (like stunnel) between loadbalancers and glance-api.

バグ修正

  • Bug 1861334: cors config defaults not used when Glance is run as WSGI app

  • Bug 1823703: Wrong version URL when Glance is deployed behind proxy with vhost

  • Bug 1863021: eventlet monkey patch results in assert len(_active) == 1 AssertionError

  • Bug 1855708: Reload tests broken in Py3

  • Bug 1850412: Useful image properties in glance - os_admin_user not documented

  • Bug 1863879: Multiple import fails if all-stores 'True' is passed

  • Bug 1861723: Glance is listening on TCP socket before store initialization

  • Bug 1861501: Store ID fetched from URI is incorrectly encoded under py27