Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1055491

Summary: glance: Glance quota is not enforced when the image is in a remote location (--location)
Product: Red Hat OpenStack
Reporter: Dafna Ron <dron>
Component: openstack-glance
Assignee: Jon Bernard <jobernar>
Status: CLOSED UPSTREAM
QA Contact: Dafna Ron <dron>
Severity: high
Priority: unspecified
Version: 4.0
CC: eglynn, fpercoco, jobernar, scohen, sgotliv, yeylon
Target Milestone: Upstream M1
Target Release: 6.0 (Juno)
Hardware: x86_64
OS: Linux
Whiteboard: storage
Doc Type: Bug Fix
Last Closed: 2015-01-27 08:50:25 UTC
Type: Bug

Description Dafna Ron 2014-01-20 11:50:22 UTC
Description of problem:

The Glance quota is very easy to bypass...
If we create an image using --location, we do not have a size check and the image is created. Since we don't enforce the quota in image download, we can then simply boot instances from it.

Version-Release number of selected component (if applicable):

openstack-glance-2013.2.1-3.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. change user_storage_quota = 2 in user_storage_quota = 2
2. create an image using --location from any iso.
3. boot an instance from the image

Actual results:

We succeed in creating the image and booting instances from it 

Expected results:

We should either enforce the quota on image download or block using --location when quota is enabled.

Additional info:


[root@cougar07 ~(keystone_admin)]# vim /etc/glance/glance-api.conf 
[root@cougar07 ~(keystone_admin)]# /etc/init.d/openstack-glance-api restart
Stopping openstack-glance-api:                             [  OK  ]
Starting openstack-glance-api:                             [  OK  ]
[root@cougar07 ~(keystone_admin)]# cat /etc/glance/glance-api.conf |grep user_storage_quota
user_storage_quota = 2
[root@cougar07 ~(keystone_admin)]# glance image-create --name dafna --disk-format  qcow2 --container-format bare --location http://download.eng.tlv.redhat.com/pub/rhel/released/RHEL-6/6.4/Appliance/rhel-workstation-x86_64-ec2-starter-6.4_20130130.0-1-sda.raw
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | None                                 |
| container_format | bare                                 |
| created_at       | 2014-01-20T11:42:08                  |
| deleted          | False                                |
| deleted_at       | None                                 |
| disk_format      | qcow2                                |
| id               | 52c81c50-3fac-45b0-bd3d-3c6e263b96f6 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | dafna                                |
| owner            | d4aaa7c237054d408a65f40bb4ee74d0     |
| protected        | False                                |
| size             | 6442450945                           |
| status           | active                               |
| updated_at       | 2014-01-20T11:42:08                  |
+------------------+--------------------------------------+
[root@cougar07 ~(keystone_admin)]# glance image-list 
+--------------------------------------+-------+-------------+------------------+------------+--------+
| ID                                   | Name  | Disk Format | Container Format | Size       | Status |
+--------------------------------------+-------+-------------+------------------+------------+--------+
| 52c81c50-3fac-45b0-bd3d-3c6e263b96f6 | dafna | qcow2       | bare             | 6442450945 | active |
+--------------------------------------+-------+-------------+------------------+------------+--------+
[root@cougar07 ~(keystone_admin)]# 


[root@cougar06 ~(keystone_admin)]# nova boot dafna --flavor 2 --image 52c81c50-3fac-45b0-bd3d-3c6e263b96f6
+--------------------------------------+--------------------------------------+
| Property                             | Value                                |
+--------------------------------------+--------------------------------------+
| OS-EXT-STS:task_state                | scheduling                           |
| image                                | dafna                                |
| OS-EXT-STS:vm_state                  | building                             |
| OS-EXT-SRV-ATTR:instance_name        | instance-0000000c                    |
| OS-SRV-USG:launched_at               | None                                 |
| flavor                               | m1.small                             |
| id                                   | 489ac8bb-336e-44db-a8bd-0fa2aba119fd |
| security_groups                      | [{u'name': u'default'}]              |
| user_id                              | e6ee6034307247b78807be047bd10e76     |
| OS-DCF:diskConfig                    | MANUAL                               |
| accessIPv4                           |                                      |
| accessIPv6                           |                                      |
| progress                             | 0                                    |
| OS-EXT-STS:power_state               | 0                                    |
| OS-EXT-AZ:availability_zone          | nova                                 |
| config_drive                         |                                      |
| status                               | BUILD                                |
| updated                              | 2014-01-20T11:44:21Z                 |
| hostId                               |                                      |
| OS-EXT-SRV-ATTR:host                 | None                                 |
| OS-SRV-USG:terminated_at             | None                                 |
| key_name                             | None                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | None                                 |
| name                                 | dafna                                |
| adminPass                            | 47Q4iCZ2HTDg                         |
| tenant_id                            | d4aaa7c237054d408a65f40bb4ee74d0     |
| created                              | 2014-01-20T11:44:21Z                 |
| os-extended-volumes:volumes_attached | []                                   |
| metadata                             | {}                                   |
+--------------------------------------+--------------------------------------+

[root@cougar06 ~(keystone_admin)]# nova list
+--------------------------------------+-------+--------+------------+-------------+--------------------------+
| ID                                   | Name  | Status | Task State | Power State | Networks                 |
+--------------------------------------+-------+--------+------------+-------------+--------------------------+
| 489ac8bb-336e-44db-a8bd-0fa2aba119fd | dafna | BUILD  | spawning   | NOSTATE     | novanetwork=192.168.32.3 |
| 33d603d5-30d4-471f-ae9d-494b7d0014b5 | vol   | ACTIVE | None       | Running     | novanetwork=192.168.32.2 |
+--------------------------------------+-------+--------+------------+-------------+--------------------------+


[root@cougar06 ~(keystone_admin)]# nova list 
+--------------------------------------+--------+--------+------------+-------------+--------------------------+
| ID                                   | Name   | Status | Task State | Power State | Networks                 |
+--------------------------------------+--------+--------+------------+-------------+--------------------------+
| b06dc972-7a1d-4ae6-a895-9eaf359090e4 | Dafna1 | ACTIVE | None       | Running     | novanetwork=192.168.32.4 |
| 489ac8bb-336e-44db-a8bd-0fa2aba119fd | dafna  | ACTIVE | None       | Running     | novanetwork=192.168.32.3 |
| 33d603d5-30d4-471f-ae9d-494b7d0014b5 | vol    | ACTIVE | None       | Running     | novanetwork=192.168.32.2 |
+--------------------------------------+--------+--------+------------+-------------+--------------------------+

Comment 1 Flavio Percoco 2014-01-21 11:19:51 UTC
To be more precise.

This report holds when Glance is not able to *retrieve* the image size from the remote location. This is different from it not enforcing the quota for all images using `--location`.

The failure in the store size call can be related to many things. The URL being wrong, the remote server not supporting the call we need - for instance, the HTTP store depends on the remote server's support for HEAD requests - etc. There are some improvements going on in the stores already.

The retrieve call I mentioned is here [0].

That said, what this bug needs to address is whether checking the quota for remote locations is necessary or not.

For instance, a remote location could be my own server outside the cloud provider. Why should the cloud provider enforce quota space on my own server?

So, the current proposal is to either never enforce quota for remote locations or always enforce it and fail when the size couldn't be retrieved.

A better fix, though, would be to have a list of store URLs that have to be checked for quota space. All URLs that are not in that list won't be checked.

[0] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L555
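The three options discussed in the comment above (never count remote locations, always count them and fail when the size cannot be retrieved, or count only a configured list of store URLs), as an added sketch that is not part of the bug thread and is not Glance code. The function names, the policy strings, the `get_size` callback and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

class QuotaExceeded(Exception):
    """Charging this location would take the owner past the quota."""

class SizeUnknown(Exception):
    """The store could not report a size, so the quota cannot be checked."""

def _origin(parts):
    return (parts.scheme, parts.hostname, parts.port)

def is_counted(url, counted_prefixes):
    """True if url lies under a store prefix that counts toward the quota.
    Scheme, host and port are compared exactly after parsing, so a host such
    as store.example.com.other.test does not match store.example.com."""
    u = urlsplit(url)
    for prefix in counted_prefixes:
        p = urlsplit(prefix)
        base = p.path.rstrip("/") + "/"
        if _origin(u) == _origin(p) and u.path.startswith(base):
            return True
    return False

def bytes_to_charge(url, used, quota, get_size, policy, counted_prefixes=()):
    """Return the bytes to add to the owner's usage for a remote location.
    policy is "never", "always" or "listed" (hypothetical names).
    get_size(url) returns an int, or None when the store cannot report a
    size, e.g. an HTTP server that does not answer HEAD requests."""
    if quota == 0 or policy == "never":   # assumption: 0 means no quota set
        return 0
    if policy == "listed" and not is_counted(url, counted_prefixes):
        return 0
    size = get_size(url)
    if size is None:
        # Fail closed. Treating an unknown size as 0 here would let the
        # image through unchecked, which is the gap the report describes.
        raise SizeUnknown(url)
    if used + size > quota:
        raise QuotaExceeded(f"{used} + {size} > {quota}")
    return size

# Constructed sample data: sizes a store lookup might return.
SIZES = {
    "http://store.example.com/images/big.raw": 6442450945,
    "http://store.example.com/images/small.raw": 1,
}
```
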

Comment 6 Flavio Percoco 2015-01-27 08:50:25 UTC
Although this may make sense for pre-configured locations (as in, let the user specify what locations should be counted for quota) I don't think this will happen any time soon. Neither in K nor L. I'm closing this as UPSTREAM and I'll let the community handle this request.