Ussuri Series Release Notes
A change was added to the import API which provides time-based locking of an image to exclude other import operations from starting until the lock-holding task completes (see Bug 1884596). The lock is based on the task that we start to do the work, and the UUID of that task is stored in the os_glance_import_task image property, which indicates who owns the lock. If the task holding the lock fails to make progress for 60 minutes, another import operation will be allowed to steal the lock and start another import operation.
Bug 1881958: read-only http store should not be used if --all-stores specified for import/copy image workflow
Bug 1889640: Image import might result ‘active’ image with no data.
Bug 1889676: “stores” can be set as property breaking multistore indication of stores where the images are present
Bug 1887994: Mixed message in admin docs to deploy under httpd
Bug 1885725: ‘copy-image’ import job should not run additional plugins
Bug 1888349: glance-cache-manage utility is broken
Bug 1886374: Improve lazy loading mechanism for multiple stores
Bug 1885003: Interrupted copy-image may break a subsequent operation
Bug 1884587: image import copy-image API should reflect proper authorization
Ussuri release includes multiple important milestones in Glance development priorities.
Added support for importing images in multiple stores
Added support for copying existing images in multiple stores
Added support to delete image from single store
Dropped support for python 2.7
Policy enforcement for several Metadata Definition delete APIs is added in this release. The following actions are enforced and added to the policy.json:
This prevents roles that should not have access to these APIs from performing the APIs associated with the actions above.
Added a new import method, copy-image, which copies an existing image into multiple stores.
As part of the multi-store efforts, this release introduces deletion from a single store. Through the new ‘/v2/stores’ endpoint, the API user can request that an image be deleted from a single store instead of deleting the whole image. This feature can be used to clean up store metadata in cases where the image data has for some reason disappeared from the store already, except 410 Gone HTTP response.
A new Interoperable Image Import plugin has been introduced to address the use case of providing compressed images either through ‘web-download’ or to optimize the network utilization between the client and Glance.
Add ability to import image into multiple stores during interoperable image import process.
Added a new import method, copy-image, which copies an existing image into multiple stores. The new import method works only if multiple stores are enabled in the deployment. To use this feature, the operator needs to list the copy-image import method in the enabled_import_methods configuration option. Note that this new internal plugin applies only to images imported via the interoperable image import process.
The default value of the Glance API configuration option admin_role has been changed in this release. If you were also using the default policy configuration, this change will not affect you. If you were not using the default policy configuration, please read on.
With the previous default value, any user with the admin role could act in an administrative context regardless of what your policy file defined as the administrative context. And this might not be a problem because usually the admin role is not assigned to “regular” end users. It does become a problem, however, when operators attempt to configure different gradations of administrator.
In this release, the default value of admin_role has been defined as __NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__. This effectively makes it inoperable (unless your Keystone administrator has actually created such a role and assigned it to someone, which is unlikely but possible, so you should check). If your local policy tests (you have some, right?) indicate that your Glance policies no longer function as expected, then you have been relying on the admin_role configuration option and need to revise your policy file. (A short-term fix would be to set the admin_role option back to admin, but keep in mind that it is a short-term fix, because this configuration option is deprecated and subject to removal.)
See the “Deprecation Notes” section of this document for more information.
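One way to run the check that the upgrade note asks for, as an added example (not Glance code). The function name is hypothetical; it assumes admin_role is read from the [DEFAULT] section of glance-api.conf and that the operator supplies the list of Keystone role names. The sample inputs are constructed.

```python
import configparser

# Default value of admin_role in this release, as quoted in the note above.
SENTINEL = "__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__"

# Constructed sample inputs: a config that restores the old value, and the
# role names an operator exported from Keystone.
SAMPLE_CONF = "[DEFAULT]\ndebug = false\nadmin_role = admin\n"
SAMPLE_ROLES = ["admin", "member", "reader"]


def audit_admin_role(conf_text, keystone_roles):
    """Return findings about the deprecated admin_role option.

    conf_text: contents of glance-api.conf (assumed [DEFAULT] section).
    keystone_roles: role names that exist in Keystone.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # An unset option takes the new default, i.e. the sentinel value.
    effective = parser.get("DEFAULT", "admin_role", fallback=SENTINEL).strip()
    findings = []
    if effective != SENTINEL:
        findings.append(
            "admin_role is set to %r: any authenticated user with this role "
            "gets complete admin access, overriding the policy file"
            % effective)
    if effective in keystone_roles:
        findings.append(
            "role %r exists in Keystone, so the admin_role override is live"
            % effective)
    return findings


if __name__ == "__main__":
    for finding in audit_admin_role(SAMPLE_CONF, SAMPLE_ROLES):
        print(finding)
```

An empty result means the option is at its inoperable default and no role with the sentinel name exists.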
The show_multiple_locations configuration option remains DEPRECATED but not removed in the Ussuri release. We continue to recommend that image locations not be exposed to end users. See OSSN-0065 for more information.
The plan continues to be to eliminate the option and use only policies to control image locations access. This, however, requires some major refactoring, as discussed in the draft Policy Refactor spec. Further, there is no projected timeline for this change, as no one has been able to commit time to it. (The Glance team would be happy to discuss this more with anyone interested in working on it.)
Please keep a watch on the Glance release notes and the glance-specs repository to stay informed about developments on this issue.
Python 2.7 support has been dropped. The last release of Glance to support py2.7 is OpenStack Train (Glance 19.x). The minimum version of Python now supported by Glance is Python 3.6.
The sheepdog storage backend driver was deprecated in the Train release and has now been removed. Any deployments still using Sheepdog storage will need to migrate to a different backend storage prior to upgrading to this release.
Add ability to import image into multiple stores during interoperable image import process. This feature will only work if multiple stores are enabled in the deployment. It introduces 3 new optional body fields to the import API path:
stores: List containing the IDs of the stores to import the image binary data to.
all_stores: To import the data in all configured stores.
all_stores_must_succeed: Control whether the import has to succeed in all stores.
Users can follow workflow execution with 2 new reserved properties:
os_glance_importing_to_stores: list of stores that have not yet been processed.
os_glance_failed_import: Each time an import in a store fails, it is added to this list.
Policy defaults are now defined in code, as they already were in other OpenStack services. After upgrading there is no need to provide a policy.json file (and you should not do so) unless you want to override the default policies, and only policies you want to override need be mentioned in the file. You should no longer rely on the default rule, and especially not the default value of the rule (which has been relaxed), to assign a non-default policy to rules not explicitly specified in the policy file.
Operators who use property protections with the
policies must still define the policy rules used for property protections in a policy file. The content of the file may be JSON or YAML. Additionally, we suggest that the absolute pathname of this file be set as the value of
[oslo_policy] section of the
Be aware that if you define a policy rule for context_is_admin, that policy rule will also be used by the policies that govern permissions to perform actions using the Images API, even if these actions are not specified in the policy file.
If the upgrade is conducted from PY27 where SSL connections have been terminated in glance-api, the termination needs to happen externally from now on.
The Glance API configuration option admin_role is deprecated in this release and is subject to removal at the beginning of the Victoria development cycle, following the OpenStack standard deprecation policy.
What this option does is to grant complete admin access to any authenticated user with a particular role. This overrides any policy rules configured in the policy configuration file. While everything will behave as expected if you are also using the default policy settings, this setting may cause anomalous behavior when you are configuring custom policies.
Additionally, the default value of this option has been changed in this release. See the “Upgrade Notes” section of this document for more information.
If you were previously aware of this option and were actually using it, we apologize for the inconvenience its removal will cause, but overall it will be better for everyone if policy configuration is confined to the policy configuration file and this backdoor is eliminated. The migration path is to explicitly mention the role you configured for this option in appropriate places in your policy configuration file.
The Glance API configuration option allow_additional_image_properties is deprecated in this release and is subject to removal at the beginning of the Victoria development cycle, following the OpenStack standard deprecation policy.
The migration path for operators who were using this option in its nondefault
False setting is to set the
0. Since many other OpenStack services depend upon the ability to read/write custom image properties, however, we suspect that no one has been using the option with a nondefault value.
The checksum property contains an MD5 hash of the image data associated with an image. MD5 has not been considered secure for some time, and in order to comply with various security standards (for example, FIPS), an implementation of the MD5 algorithm may not be available on glance nodes.
The secure “multihash” image properties,
os_hash_value have been available on images since glance version 17.0.0 (Rocky). Until this point, the MD5 checksum property has been populated solely for backward compatibility. It is not, however, necessary for validating downloaded image data.
Thus, we are announcing the DEPRECATION in this release of the image checksum property. It will remain as an image property, but beginning with the Victoria release, the checksum will not be populated on new images.
Users should instead rely on the secure “multihash” to validate image downloads. The python-glanceclient, for example, has been using multihash validation (with an optional MD5 fallback) since version 2.13.0 (Rocky).
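Validating a download against the multihash rather than the MD5 checksum, as an added example (not code from Glance or python-glanceclient). The function name is hypothetical; it assumes the image record is a dict of image properties in which os_hash_algo names a hashlib algorithm and os_hash_value holds its hex digest. The sample data is constructed.

```python
import hashlib
import hmac

# Constructed sample: an image record carrying the multihash of SAMPLE_DATA.
SAMPLE_DATA = b"constructed image bytes"
SAMPLE_IMAGE = {"os_hash_algo": "sha512",
                "os_hash_value": hashlib.sha512(SAMPLE_DATA).hexdigest()}


def verify_image_data(image, chunks, allow_md5_fallback=False):
    """Hash the downloaded chunks and compare with the image record.

    image: dict of image properties.
    chunks: iterable of bytes (the downloaded image data).
    Returns the name of the algorithm that validated the data.
    """
    algo, expected = image.get("os_hash_algo"), image.get("os_hash_value")
    if not (algo and expected):
        # Image records created before Rocky carry no multihash.
        if not (allow_md5_fallback and image.get("checksum")):
            raise ValueError("no multihash on image and MD5 fallback disabled")
        algo, expected = "md5", image["checksum"]
    try:
        hasher = hashlib.new(algo)
    except ValueError as exc:
        # For example MD5 on a FIPS node, or an algorithm this build lacks.
        raise ValueError("hash algorithm %r unavailable" % algo) from exc
    for chunk in chunks:
        hasher.update(chunk)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(hasher.hexdigest(), expected.lower()):
        raise ValueError("image data does not match %s digest" % algo)
    return algo


if __name__ == "__main__":
    print(verify_image_data(SAMPLE_IMAGE, [SAMPLE_DATA]))
```

With the fallback left disabled, an image that has only the MD5 checksum is rejected instead of being validated with MD5.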
If the existing policy.json file relies on the default rule for some policies (i.e. not all policies are explicitly specified in the file) then the default rule must be explicitly set (e.g. to "role:admin") in the file. The new default value for the
"", whereas since the Queens release it has been "role:admin" (prior to Queens it was "@", which allows everything). After upgrading to this release, the policy file should be replaced by one that overrides only policies that need to be different from the defaults, without relying on the
SSL support has been removed from Glance, as it worked only under PY27, which is no longer a supported environment. Termination of encrypted connections needs to happen externally as soon as the move to PY3 happens. Any deployment needing end-to-end encryption would need either to put a reverse proxy in front of the service (using a full-blown HTTP server like Apache or Nginx will cause a significant performance hit, and we advise using something simpler that does not break the HTTP protocol) or to utilize SSL tunneling (like stunnel) between load balancers and glance-api.
Bug 1861334: cors config defaults not used when Glance is run as WSGI app
Bug 1823703: Wrong version URL when Glance is deployed behind proxy with vhost
Bug 1863021: eventlet monkey patch results in assert len(_active) == 1 AssertionError
Bug 1855708: Reload tests broken in Py3
Bug 1850412: Useful image properties in glance - os_admin_user not documented
Bug 1863879: Multiple import fails if all-stores ‘True’ is passed
Bug 1861723: Glance is listening on TCP socket before store initialization
Bug 1861501: Store ID fetched from URI is incorrectly encoded under py27