Liberty Series Release Notes


Security Issues

  • Fixing bug 1525915; image might be transitioning from active to queued by regular user by removing last location of image (or replacing locations with empty list). This allows user to re-upload data to the image breaking Glance’s promise of image data immutability. From now on, last location cannot be removed and locations cannot be replaced with empty list.

  • All qemu-img info calls will be run under resource limitations that limit the CPU time and address space usage of the process if oslo.concurrency is at least version 2.6.1. qemu-img info calls are now limited to 2 seconds and 1 GB respectively. This addresses the bug Current usage of “qemu-img” is limited to Glance tasks. In the Mitaka release, tasks by default will only be available to admin users. In general, we recommend that tasks only be exposed to trusted users, even in releases prior to Mitaka.



This release has impact on API behavior.

Translations have been synced from Zanata.

On this release requirements.txt were synced from global-requirements.

Security Issues

  • This release prevents non-admin user to change ‘size’ and ‘checksum’ properties of an image after it has been deactivated via Images API v1.

Bug Fixes

  • Bug 1505474 Glance raise 500 error when delete images with unallowed status change

  • Bug 1505675 Flaky tasks test glance.tests.unit.v2.test_tasks_resource.TestTasksController.test_create_with_live_time

  • Bug 1517060 Users (without admin privileges) can change ACTIVE_IMMUTABLE properties of their own images when deactivated.

  • Bug 1504184 Glance does not error gracefully on token validation error

  • Bug 1522132 Scrubber tests are broken due to deprecated config filesystem_store_datadir under DEFAULT section

  • Bug 1505710 Wrong logging setup in replicator

  • Bug 1483353 v1 Updates using x-image-meta-id header provoke E500 or 200

  • Bug 1512369 glance should declare a test-requirements.txt on swiftclient (for config generator)

Other Notes

  • Start using reno to manage release notes.