Rocky Series Release Notes¶
This release adds verification of image data downloads using the Glance “multihash” feature introduced in the OpenStack Rocky release. When the
os_hash_valueis populated on an image, the glanceclient will verify this value by computing the hexdigest of the downloaded data using the algorithm specified by the image’s
Because the secure hash algorithm specified is determined by the cloud provider, it is possible that the
os_hash_algomay identify an algorithm not available in the version of the Python
hashliblibrary used by the client. In such a case the download will fail due to an unsupported hash type. In the event this occurs, a new option,
--allow-md5-fallback, is introduced to the
image-downloadcommand. When present, this option will allow the glanceclient to use the legacy MD5 checksum to verify the downloaded data if the secure hash algorithm specified by the
os_hash_algoimage property is not supported.
Note that the fallback is not used in the case where the algorithm is supported but the hexdigest of the downloaded data does not match the
os_hash_value. In that case the download fails regardless of whether the option is present or not.
Whether using the
--allow-md5-fallbackoption is a good idea depends upon the user’s expectations for the verification. MD5 is an insecure hashing algorithm, so if you are interested in making sure that the downloaded image data has not been replaced by a datastream carefully crafted to have the same MD5 checksum, then you should not use the fallback. If, however, you are using Glance in a trusted environment and your interest is simply to verify that no bits have flipped during the data transfer, the MD5 fallback is sufficient for that purpose. That being said, it is our recommendation that the multihash should be used whenever possible.
This release of the glanceclient uses the Glance “multihash” feature, introduced in Rocky, to use a secure hashing algorithm to verify the integrity of downloaded data. Legacy images without the “multihash” image properties (
os_hash_value) are verified using the MD5
The announcement that Bug 1783290 was fixed in the previous release was premature. That bug has been more thoroughly fixed in this release.
This release adds client support for the Glance “hidden images” feature described in the spec Operator maintained images lifecycle.
Support in the glanceclient includes the following:
The following calls now allow the specification of a
--hiddenoption that takes a boolean value (
false). When this option is omitted, the default value is
image-listcall now allows the specification of a
--hiddenfilter that takes a boolean value (
false). By default, “hidden” images are not displayed in the
image-listresponse (that’s why they’re called “hidden”). To see those images, use
--hidden trueas a filter on the
This release adds client support for the Glance feature multi-store backend support, introduced in the Rocky release. This feature allows end users to direct uploaded or imported image data to a particular backend when a cloud operator has configured the Image Service to use multiple backends.
The available backends are discoverable by making the
stores-infocall, which will return a list of available backends. The list contains an identifier (
id) and a
descriptionof each available backend. The default backend is indicated in this response.
When uploading or importing an image, the glanceclient now accepts the
--backendoption. Its value must be the
idof a backend configured in the cloud against which the call is being made. This option may also be configured by exporting the
OS_IMAGE_BACKENDenvironment variable with the
idof a configured backend as its value.
Some other points to keep in mind:
If no backend is specified, the image data is stored in the default backend.
If the version of the Image Service API contacted does not support multi-store backends, the option is silently ignored and the image data is stored in the default backend.
If an invalid backend identifier is used, the glanceclient will exit with an error message.
Backend identifiers and their meanings are unique to each cloud. Consult the
stores-infocall and your cloud provider’s documentation for details.
This release adds client support for the Glance “multihash” feature introduced in Rocky. This feature introduces two new image properties,
os_hash_value. The content of
os_hash_algois an algorithm identifier recognized by the Python
os_hash_valueis a hexdigest of the image data computed using this algorithm. The
os_hash_algois not end-user settable; it is configured in Glance by the cloud operator. In the glanceclient, the feature is limited solely to the display of these values.
If the “multihash” properties are not available on an image, their values are displayed as
Nonein the glanceclient image-show and image-list responses.
Bug 1783290: glance will return 401 error if the request token contains url code
Bug 1766235: Handle HTTP headers per RFC 8187
Previously the glanceclient encoded HTTP headers as UTF-8 bytes. According to RFC 8187, however, headers should be encoded as 7-bit ASCII. The glanceclient now sends all headers as 7-bit ASCII. It handles unicode strings by percent-encoding them before sending them in headers.
Help texts for some properties has possibly outdated links. Please refer to the documentation of the deployment while we try to find a way how to document these references in a way that they do not point user to false information.
Bug 1762044: Sync schema with glance-api service
The following options to the command line client, which have been deprecated since Icehouse, have been removed: