Cloned from launchpad blueprint https://blueprints.launchpad.net/cinder/+spec/restrict-uploading-volume-to-image.

Description:

The concept of images with protected properties was introduced in Glance in the Havana release. One of the main use cases for introducing this concept was billing, i.e. the owner of the image would create one or more custom protected properties for a licensed image and share it publicly with the users. When users use this licensed image for creating new instances, the owner will know who is using licensed images, for many hours, and users will be charged accordingly. The metadata properties are also copied when a volume is created from the licensed image, so that when this volume is used for booting VMs, the owner of the licensed image will know who is using it for billing purposes.

But presently, when you create an image from a volume (a volume created from a licensed image), it allows the user to create the image, as it only copies core properties, leaving custom protected properties behind. This will allow the user to use the licensed image free of cost. He/she can also share this image with other tenants. This will be a big blow to the owner of the licensed image.

To avoid this, it is necessary to copy custom properties when you create an image from a volume. If the Glance deployer has allowed only administrator/owner to create custom protected properties, then a normal user wouldn't be able to create an image from the volume and use the licensed image maliciously.

For example, /etc/glance/protected-properties.conf:

    [^x_billing_code_ntt_xyz.*]
    create = admin,owner
    read = admin,Member,_member_
    update = admin,owner
    delete = admin,owner

Specification URL (additional information): None
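The check this description relies on, as an added example that is not part of the original report and is not Glance or Cinder code. It assumes a simplified model of the rule file (first matching section decides, a custom property with no matching section is denied), and the volume metadata and the `CORE` list are constructed sample values.

```python
import configparser
import re

# Rule file from the description above (role-based property protections).
RULES = """
[^x_billing_code_ntt_xyz.*]
create = admin,owner
read = admin,Member,_member_
update = admin,owner
delete = admin,owner
"""

# Core properties are copied today; only custom ones are subject to the rules.
CORE = {"checksum", "container_format", "disk_format", "min_disk", "min_ram", "size"}


def load_rules(text):
    """Return [(compiled_regex, {operation: set_of_roles})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for section in parser.sections():
        ops = {op: {r.strip() for r in roles.split(",") if r.strip()}
               for op, roles in parser.items(section)}
        rules.append((re.compile(section), ops))
    return rules


def allowed(rules, prop, operation, roles):
    """Assumed model: the first matching section decides; no match means deny."""
    for pattern, ops in rules:
        if pattern.search(prop):
            return bool(ops.get(operation, set()) & set(roles))
    return False


def blocked_properties(rules, volume_image_metadata, roles):
    """Custom properties the caller may not create on an image built from the volume."""
    return sorted(p for p in volume_image_metadata
                  if p not in CORE and not allowed(rules, p, "create", roles))


# Constructed sample: metadata carried on a volume created from a licensed image.
SAMPLE_VOLUME_METADATA = {"disk_format": "qcow2", "min_ram": "512",
                          "x_billing_code_ntt_xyz_1": "licensed"}
```

A non-empty result from `blocked_properties` is the case in which the upload to an image should be refused once custom properties are copied along with the core ones.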
failed verification:

1. set the parameter in the cinder.conf file: glance_core_properties=checksum,container_format,disk_format,image_name,image_id,min_disk,min_ram,name,size
2. restarted the cinder & glance services
3. added Min. RAM & disk size to an image
4. Created a volume from the image: The volume's metadata showed the min requirements
5. upload the volume to glance as a qcow image

The result was that the new image didn't have the min. requirements.
(In reply to Yogev Rabl from comment #2)
> failed verification:
>
> The result was that the new image didn't have the min. requirements.

Does this mean that the metadata wasn't transferred to glance? How is this verified?
(In reply to Eric Harney from comment #6)
> (In reply to Yogev Rabl from comment #2)
> > failed verification:
> >
> > The result was that the new image didn't have the min. requirements.
>
> Does this mean that the metadata wasn't transferred to glance? How is this
> verified?

At the end of the day, the new image didn't have the minimum requirements that were set in the volume's metadata.
Verified on:

python-cinderclient-1.1.1-1.el7ost.noarch
python-cinder-2014.2.3-11.el7ost.noarch
openstack-cinder-2014.2.3-11.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1315