Rocky Series Release Notes


New Features

  • This release adds verification of image data downloads using the Glance “multihash” feature introduced in the OpenStack Rocky release. When the os_hash_value is populated on an image, the glanceclient will verify this value by computing the hexdigest of the downloaded data using the algorithm specified by the image’s os_hash_algo property.

    Because the secure hash algorithm specified is determined by the cloud provider, it is possible that the os_hash_algo may identify an algorithm not available in the version of the Python hashlib library used by the client. In such a case the download will fail due to an unsupported hash type. In the event this occurs, a new option, --allow-md5-fallback, is introduced to the image-download command. When present, this option will allow the glanceclient to use the legacy MD5 checksum to verify the downloaded data if the secure hash algorithm specified by the os_hash_algo image property is not supported.

    Note that the fallback is not used in the case where the algorithm is supported but the hexdigest of the downloaded data does not match the os_hash_value. In that case the download fails regardless of whether the option is present or not.

    Whether using the --allow-md5-fallback option is a good idea depends upon the user’s expectations for the verification. MD5 is an insecure hashing algorithm, so if you are interested in making sure that the downloaded image data has not been replaced by a datastream carefully crafted to have the same MD5 checksum, then you should not use the fallback. If, however, you are using Glance in a trusted environment and your interest is simply to verify that no bits have flipped during the data transfer, the MD5 fallback is sufficient for that purpose. That being said, it is our recommendation that the multihash should be used whenever possible.

Security Issues

  • This release of the glanceclient uses the Glance “multihash” feature, introduced in Rocky, to use a secure hashing algorithm to verify the integrity of downloaded data. Legacy images without the “multihash” image properties (os_hash_algo and os_hash_value) are verified using the MD5 checksum image property.


Bug Fixes

  • The announcement that Bug 1783290 was fixed in the previous release was premature. That bug has been more thoroughly fixed in this release.


New Features

  • This release adds client support for the Glance “hidden images” feature described in the spec Operator maintained images lifecycle.

    Support in the glanceclient includes the following:

    • The following calls now allow the specification of a --hidden option that takes a boolean value (true or false). When this option is omitted, the default value is false.

      • image-create

      • image-create-via-import

      • image-update

    • The image-list call now allows the specification of a --hidden filter that takes a boolean value (true or false). By default, “hidden” images are not displayed in the image-list response (that’s why they’re called “hidden”). To see those images, use --hidden true as a filter on the image-list call.

  • This release adds client support for the Glance feature multi-store backend support, introduced in the Rocky release. This feature allows end users to direct uploaded or imported image data to a particular backend when a cloud operator has configured the Image Service to use multiple backends.

    The available backends are discoverable by making the stores-info call, which will return a list of available backends. The list contains an identifier (id) and a description of each available backend. The default backend is indicated in this response.

    When uploading or importing an image, the glanceclient now accepts the --backend option. Its value must be the id of a backend configured in the cloud against which the call is being made. This option may also be configured by exporting the OS_IMAGE_BACKEND environment variable with the id of a configured backend as its value.

    Some other points to keep in mind:

    • If no backend is specified, the image data is stored in the default backend.

    • If the version of the Image Service API contacted does not support multi-store backends, the option is silently ignored and the image data is stored in the default backend.

    • If an invalid backend identifier is used, the glanceclient will exit with an error message.

    • Backend identifiers and their meanings are unique to each cloud. Consult the stores-info call and your cloud provider’s documentation for details.

  • This release adds client support for the Glance “multihash” feature introduced in Rocky. This feature introduces two new image properties, os_hash_algo and os_hash_value. The content of os_hash_algo is an algorithm identifier recognized by the Python hashlib library. The os_hash_value is a hexdigest of the image data computed using this algorithm. The os_hash_algo is not end-user settable; it is configured in Glance by the cloud operator. In the glanceclient, the feature is limited solely to the display of these values.

    If the “multihash” properties are not available on an image, their values are displayed as None in the glanceclient image-show and image-list responses.

Bug Fixes

    • Bug 1783290: glance will return 401 error if the request token contains url code


Bug Fixes

  • Bug 1766235: Handle HTTP headers per RFC 8187

    Previously the glanceclient encoded HTTP headers as UTF-8 bytes. According to RFC 8187, however, headers should be encoded as 7-bit ASCII. The glanceclient now sends all headers as 7-bit ASCII. It handles unicode strings by percent-encoding them before sending them in headers.


Known Issues

  • Help texts for some properties has possibly outdated links. Please refer to the documentation of the deployment while we try to find a way how to document these references in a way that they do not point user to false information.

Bug Fixes

    • Bug 1762044: Sync schema with glance-api service

Other Notes

  • The following options to the command line client, which have been deprecated since Icehouse, have been removed:

    • --key-file (use --os-key instead)

    • --ca-file (use --os-cacert instead)

    • --cert-file (use --os-cert instead)