Bug 896115
Summary: | Allow nova to directly copy a file out of glance | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | John Bresnahan <jbresnah> |
Component: | openstack-nova | Assignee: | John Bresnahan <jbresnah> |
Status: | CLOSED ERRATA | QA Contact: | Kashyap Chamarthy <kchamart> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | unspecified | CC: | abaron, fsimonce, markmc, ndipanov, pbrady |
Target Milestone: | snapshot3 | Keywords: | FutureFeature, Triaged |
Target Release: | 2.1 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | openstack-nova-2012.2.3-1.el6ost | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-03-05 18:30:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
John Bresnahan
2013-01-16 16:30:46 UTC
A patch has been accepted upstream.

Glance has some safeguards in place for this:
https://bugs.launchpad.net/glance/+bug/942118
https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L256
However, I agree that nova should protect itself and not rely on Glance to provide safe information. I will create a new bug that allows the user to configure a whitelist of acceptable base paths.

Need to document how to use this, i.e. enable show_image_direct_url in glance-api.conf and add 'file' to allowed_direct_url_schemes in nova.conf

Looks like docs got sorted for 2.1

Hi, I'm trying to test this, can someone provide a bit more detail here on the usage. (Also, can someone point to the 2.1 docs alluded to in Comment #12 ? Thanks.)

Build info. (I'm using nightly repo)
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qi openstack-nova
Name : openstack-nova Relocations: (not relocatable)
Version : 2012.2.3 Vendor: Red Hat, Inc.
Release : 1.el6ost Build Date: Tue 12 Feb 2013 02:14:12 AM IST
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qi openstack-glance
Name : openstack-glance Relocations: (not relocatable)
Version : 2012.2.3 Vendor: Red Hat, Inc.
Release : 1.el6ost Build Date: Wed 13 Feb 2013 04:51:47 PM IST
#-----------------------------------------#
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ sudo grep show_image_direct_url /usr/share/glance/glance-api-dist.conf
[tuser1@interceptor ~(keystone_admin)]$ sudo grep show_image_direct_url /etc/glance/glance-api.conf
[tuser1@interceptor ~(keystone_admin)]$ sudo grep allowed_direct_url_schemes /etc/nova/nova.conf
[tuser1@interceptor ~(keystone_admin)]$ sudo grep allowed_direct_url_schemes /usr/share/nova/nova-dist.conf
[tuser1@interceptor ~(keystone_admin)]$
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ sudo grep -A3 allowed /usr/lib/python2.6/site-packages/nova/flags.py
cfg.ListOpt('allowed_direct_url_schemes',
default=[],
#-----------------------------------------#

What happens here is hard to test from a black box perspective. Behind the scenes what happens here is that instead of having nova download the image via HTTP, it simply copies the image with a system call. The first means of testing it would be to verify that a boot happens as normal when this behavior is enabled. However, that does still leave the question: how do we know the new feature is activated? Unfortunately there is no log statement where the copy is made in nova. However, you should be able to verify in the glance logs that a download to the given image was *not* made.

VERIFIED.

Version Info:
#=========================================#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qa | grep -i glance ; arch ; cat /etc/redhat-release
python-glanceclient-0.5.1-2.el6ost.noarch
python-glance-2012.2.3-1.el6ost.noarch
openstack-glance-2012.2.3-1.el6ost.noarch
x86_64
Red Hat Enterprise Linux Server release 6.4 (Santiago)
[tuser1@interceptor ~(keystone_admin)]$
#=========================================#

Verification Procedure:

[1] Ensure to have these flags enabled in nova.conf & glance-api.conf
#=========================================#
[tuser1@interceptor nova(keystone_user1)]$ sudo grep allowed_direct_url_schemes /etc/nova/nova.conf
allowed_direct_url_schemes=[file]
#=========================================#
[tuser1@interceptor nova(keystone_user1)]$ sudo grep show_image_direct_url /etc/glance/glance-api.conf
show_image_direct_url = True
[tuser1@interceptor nova(keystone_user1)]$
#=========================================#
Note: I had to set the "show_image_direct_url = True" directive in Default section for Glance (Thanks fpercoco).

[2] Restart all Openstack services
#=========================================#
$ for j in `for i in $(ls -1 /etc/init.d/openstack-*) ; do $i status | grep running ; done | awk '{print $1}'` ; do service $j restart ; done
#=========================================#

[3] List existing images:
#=========================================#
[tuser1@interceptor nova(keystone_admin)]$ glance image-list
+--------------------------------------+-----------+-------------+------------------+------------+--------+
| ID                                   | Name      | Disk Format | Container Format | Size       | Status |
+--------------------------------------+-----------+-------------+------------------+------------+--------+
| 1e6292f9-82bd-4cdb-969e-c863cb1c6692 | fedora-17 | qcow2       | bare             | 251985920  | active |
| acc4c853-9153-4e80-b3c8-e253451ae983 | rhel63    | qcow2       | bare             | 1074135040 | active |
+--------------------------------------+-----------+-------------+------------------+------------+--------+
[tuser1@interceptor nova(keystone_admin)]$
#=========================================#

[4] Get information about the fedora-17 image:
NOTE: The --os-image-api-version has to be version 2, so that, it provides all the debug info:
#=========================================#
$ glance --debug --os-image-api-version 2 image-show 1e6292f9-82bd-4cdb-969e-c863cb1c6692
. . . .
{"status": "active", "name": "fedora-17", "tags": [], "container_format": "bare", "created_at": "2012-01-12T23:04:40Z", "size": 251985920, "disk_format": "qcow2", "updated_at": "2012-01-12T23:04:42Z", "visibility": "public", "id": "1e6292f9-82bd-4cdb-969e-c863cb1c6692", "protected": false, "min_ram": 0, "file": "/v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692/file", "checksum": "1f104b5667768964d5df8c4ad1d7cd27", "min_disk": 0, "direct_url": "file:///var/lib/glance/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692", "self": "/v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692", "schema": "/v2/schemas/image"}
#=========================================#
You can see direct_url o/p : (which shows the path to the disk image)
"direct_url": "file:///var/lib/glance/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692"

[5] And, the given image was /not/ downloaded via HTTP. From /var/log/glance/api.log :
#=========================================#
. . .
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Determining version of request: GET /v2/schemas/image Accept: process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:45
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Using url versioning process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:58
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Matched version: v2 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:70
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] new uri /v2/schemas/image process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:71
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Determining version of request: GET /v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692 Accept: process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:45
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Using url versioning process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:58
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Matched version: v2 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:70
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] new uri /v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:71
2013-02-21 18:50:30 DEBUG glance.api.policy [60120f14-304d-4788-8e31-84233e7cc8ca e34da0f70aaa4b86b97857299d66155f 5aaa100a372248dd9c658f8b7775784c] Loaded policy rules: {u'default': [], u'manage_image_cache': [[u'role:admin']]} load_rules /usr/lib/python2.6/site-packages/glance/api/policy.py:63
#=========================================#

Per above information, turning the bug to VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0593.html
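
The comments above say nova should not rely on Glance alone for a safe direct_url and propose a whitelist of acceptable base paths. The following is an added example of such a check, not code from nova or from this report; the function name and the ALLOWED_BASE_PATHS setting are hypothetical, and only allowed_direct_url_schemes is an option named on this page.

```python
import os
from urllib.parse import unquote, urlsplit

# allowed_direct_url_schemes is the nova.conf option named in this report.
# ALLOWED_BASE_PATHS is a hypothetical setting standing in for the base-path
# whitelist proposed in the comments; its value is the directory that appears
# in the direct_url shown in step [4].
ALLOWED_DIRECT_URL_SCHEMES = ["file"]
ALLOWED_BASE_PATHS = ["/var/lib/glance/images"]


def local_copy_source(direct_url, schemes=ALLOWED_DIRECT_URL_SCHEMES,
                      base_paths=ALLOWED_BASE_PATHS):
    """Return the resolved local path to copy from, or None to use HTTP."""
    if not direct_url:
        return None
    url = urlsplit(direct_url)
    if url.scheme not in schemes or url.scheme != "file":
        return None
    # file://host/path refers to another machine; only local files qualify.
    if url.netloc not in ("", "localhost"):
        return None
    if url.query or url.fragment:
        return None
    path = unquote(url.path)
    if not path.startswith("/") or "\x00" in path:
        return None
    # realpath collapses ".." and follows symlinks, so the containment check
    # below is made on the file that would actually be opened.
    resolved = os.path.realpath(path)
    for base in base_paths:
        base = os.path.realpath(base)
        # commonpath compares whole components, so "/images-old" does not
        # pass as a child of "/images".
        if resolved != base and os.path.commonpath([resolved, base]) == base:
            return resolved
    return None
```

Copy from the returned path rather than from the original URL, so the file that was checked and the file that is opened have the same name.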
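
The check suggested in the comments, that glance's log shows no download of the image, can be scripted. This is an added example, not part of the original report; it assumes glance-api logs at DEBUG level in the format of the api.log excerpt in step [5], and the function name and sample lists are constructed for illustration.

```python
import re

# Request line written by glance's version_negotiation middleware at DEBUG
# level, in the format of the api.log excerpt in step [5].
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Determining version of request: (?P<method>[A-Z]+) (?P<path>\S+) Accept:")


def image_data_requests(log_lines, image_id):
    """Return (timestamp, path) for each HTTP request for the image's bytes."""
    # The v2 API serves image data at the "file" link shown by image-show; the
    # v1 API serves it on a GET of the image resource (v1 metadata is HEAD).
    data_paths = {"/v2/images/%s/file" % image_id, "/v1/images/%s" % image_id}
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path in data_paths:
            hits.append((m.group("ts"), path))
    return hits


IMAGE_ID = "1e6292f9-82bd-4cdb-969e-c863cb1c6692"
LINE_FMT = ("2013-02-21 %s 71603 DEBUG glance.api.middleware.version_negotiation "
            "[-] Determining version of request: %s Accept: process_request "
            "/usr/lib/python2.6/site-packages/glance/api/middleware/"
            "version_negotiation.py:45")
# The two request lines from the excerpt in step [5]: schema and metadata only.
METADATA_ONLY = [
    LINE_FMT % ("18:50:30", "GET /v2/schemas/image"),
    LINE_FMT % ("18:50:30", "GET /v2/images/" + IMAGE_ID),
]
# Constructed line: what an HTTP download of the same image would add.
WITH_DOWNLOAD = METADATA_ONLY + [
    LINE_FMT % ("18:52:07", "GET /v1/images/" + IMAGE_ID),
]

if __name__ == "__main__":
    print(image_data_requests(METADATA_ONLY, IMAGE_ID))
    print(image_data_requests(WITH_DOWNLOAD, IMAGE_ID))
```

An empty result only means no download was logged, so the log has to cover the whole window in which the instance was booted.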