Description of problem: We added a custom property to an image: "cinder_img_vol_type". Thus, the block devices sourced from the image are created on the specific cinder backend defined by the property. But we are hitting a problem: the property works only if one creates a volume in the "admin" project while logged in as the admin user. The admin project is the owner of the image. It's a public image, and the properties are visible to other projects/users as well.
IMO the problem is in the glance-protection.conf file; here you need to allow all users to read the property. As of now only the admin user has access, which needs to be changed to all intended users.

As of now http://collab-shell.usersys.redhat.com/02305543/sosreport-20190130-184654/stagin-controller-01.testdev.env/etc/glance/glance-protection.conf has the below property protection defined:

[cinder_img_volume_type]
create = admin
read = admin
update = admin
delete = admin

Which needs to be changed to:

[cinder_img_volume_type]
create = admin
read = @
update = admin
delete = admin

'@' means all users will be able to read this property. If you want to restrict it to specific users, you can specify a comma-separated list as "read=admin,user1,user2,...".

You also need to enable this option in the glance-api.conf file; as of now it is commented out:

#property_protection_file = /etc/glance/glance-protection.conf

After changing this file, restart the glance api service and check again.
*** Bug 1671258 has been marked as a duplicate of this bug. ***
This is a context elevation problem.

During the creation process we get the volume type declared in the cinder_img_volume_type on the volume.flows.api.create_volume, and we use the context of the user that made the call. If this user is not admin, then it is not allowed to see the extra specs, so the DB layer removes the extra specs from the data returned. Since there are no extra specs in the loaded volume type, when we make the call to the scheduler it doesn't have the backend name to select the right backend.

This doesn't happen with the admin user because the DB will return the extra specs. Also, this doesn't happen when you create a volume directly with the volume type, because in that case we are forcefully loading the specs at cinder.volume.api.

We'll need a custom patch on OSP12, OSP11, and OSP10, as this was inadvertently fixed in OSP13 when fixing a different bug: https://review.openstack.org/579049, and we can't backport directly because it's based on a feature added in OSP13: https://review.openstack.org/552243
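A toy model of the failure described in this comment, added here as an illustration and not taken from Cinder's source: the DB layer drops extra_specs for a non-admin context, so the scheduler never sees volume_backend_name. The class and function names, the backend ordering and the elevated-context load are assumptions of the sketch; the type and backend names are borrowed from the test environment shown later in this thread.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """Hypothetical stand-in for a request context."""
    user: str
    is_admin: bool = False

    def elevated(self):
        # Same caller, admin visibility for this one lookup only.
        return replace(self, is_admin=True)


# Constructed sample data.
VOLUME_TYPES = {
    "tripleo_iscsi": {"volume_backend_name": "tripleo_iscsi"},
    "kaminario": {"volume_backend_name": "kaminario"},
}
# Assumed scheduler preference when nothing constrains the choice.
BACKENDS = ["kaminario", "tripleo_iscsi"]


def db_volume_type_get_by_name(ctx, name):
    """DB-layer lookup: extra_specs are removed for non-admin contexts."""
    vol_type = {"name": name, "extra_specs": dict(VOLUME_TYPES[name])}
    if not ctx.is_admin:
        del vol_type["extra_specs"]
    return vol_type


def schedule(vol_type):
    """Pick a backend; with no backend name every backend qualifies."""
    wanted = (vol_type or {}).get("extra_specs", {}).get("volume_backend_name")
    candidates = [b for b in BACKENDS if wanted in (None, b)]
    if not candidates:
        raise LookupError("no backend named %r" % wanted)
    return candidates[0]


def create_from_image(ctx, image_props, elevate):
    """Create-from-image path: the type name comes from the image property."""
    name = image_props.get("cinder_img_volume_type")
    if name is None:
        return schedule(None)
    load_ctx = ctx.elevated() if elevate else ctx
    return schedule(db_volume_type_get_by_name(load_ctx, name))


if __name__ == "__main__":
    props = {"cinder_img_volume_type": "tripleo_iscsi"}
    for ctx in (Context("admin", is_admin=True), Context("hal")):
        for elevate in (False, True):
            print(ctx.user, "elevate=%s" % elevate, "->",
                  create_from_image(ctx, props, elevate))
```

In the model the volume still gets created for the non-admin caller, only on the wrong backend, which is why a check of this kind fails silently rather than with a permission error.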
OSP11 and OSP12 are EOL, so a patch for just OSP10 should be sufficient.
Turns out this issue is not present in OSP11, and closer inspection showed that it was fixed on https://review.openstack.org/409030 to resolve a completely different issue (https://bugs.launchpad.net/cinder/+bug/1648717), though they are both caused by the same context check. So we just need to backport that patch. ps: @abishop: if I had needed a custom patch, which I just realized I don't, I would still have had to fix it in upstream OSP12's counterpart first ;-)
Gorka,

I think I'm missing some step or did something wrong.

Created a cirros image and set the backend property:

[stack@undercloud-0 ~]$ glance image-show c315c240-555c-4ac9-97e3-78159f547ec3
+---------------------+-----------------------------------------------------------------+
| Property            | Value                                                           |
+---------------------+-----------------------------------------------------------------+
| checksum            | 7316af7358dd32ca1956d72ac2c9e147                                |
| cinder_img_vol_type | tripleo_iscsi                                                   |
| container_format    | bare                                                            |
| created_at          | 2019-04-02T06:57:57Z                                            |
| direct_url          | swift+config://ref1/glance/c315c240-555c-4ac9-97e3-78159f547ec3 |
| disk_format         | qcow2                                                           |
| id                  | c315c240-555c-4ac9-97e3-78159f547ec3                            |
| min_disk            | 0                                                               |
| min_ram             | 0                                                               |
| name                | cir                                                             |
| owner               | 72e08b8250f44d45953fa34bf989c0f1                                |
| protected           | False                                                           |
| size                | 12528640                                                        |
| status              | active                                                          |
| tags                | []                                                              |
| updated_at          | 2019-04-02T07:26:26Z                                            |
| virtual_size        | None                                                            |
| visibility          | private                                                         |
+---------------------+-----------------------------------------------------------------+

I've got two cinder volume types, lvm and k2:

[stack@undercloud-0 ~]$ cinder extra-specs-list
+--------------------------------------+---------------+--------------------------------------------+
| ID                                   | Name          | extra_specs                                |
+--------------------------------------+---------------+--------------------------------------------+
| 300dda3a-623f-4bcf-b883-e2f3222cc736 | kaminario     | {u'volume_backend_name': u'kaminario'}     |
| 64429ac0-d5ca-4da6-920e-5ac2c5b1354d | tripleo_iscsi | {u'volume_backend_name': u'tripleo_iscsi'} |
+--------------------------------------+---------------+--------------------------------------------+

If I create an empty volume and don't state a backend, it defaults to Kaminario.
If I create a volume from said image, the volume is created but on K2 rather than tripleo_iscsi; notice the volume type isn't populated.

[stack@undercloud-0 ~]$ cinder create 1 --image cir
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2019-04-02T07:29:05.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| id                             | 2ab2c986-b0df-42e7-8d44-f6b600bf2894 |
| metadata                       | {}                                   |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | None                                 |
| os-vol-host-attr:host          | hostgroup@kaminario#kaminario        |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 72e08b8250f44d45953fa34bf989c0f1     |
| replication_status             | disabled                             |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| updated_at                     | 2019-04-02T07:29:05.000000           |
| user_id                        | 56c007498f134abf871548ee7483e99b     |
| volume_type                    | None                                 |
+--------------------------------+--------------------------------------+

Also tried to create a glance-protection.conf file:

[root@controller-2 glance]# cat glance-protection.conf
[cinder_img_volume_type]
create = admin
read = @
update = admin
delete = admin

Enabled it on glance-api.conf

chown root:glance glance-protection.conf

Then restarted the glance api service.
But the only thing this ended up doing was that it hides the cinder_img_vol_type property.

[stack@undercloud-0 ~]$ glance image-show c315c240-555c-4ac9-97e3-78159f547ec3
+------------------+-----------------------------------------------------------------+
| Property         | Value                                                           |
+------------------+-----------------------------------------------------------------+
| checksum         | 7316af7358dd32ca1956d72ac2c9e147                                |
| container_format | bare                                                            |
| created_at       | 2019-04-02T06:57:57Z                                            |
| direct_url       | swift+config://ref1/glance/c315c240-555c-4ac9-97e3-78159f547ec3 |
| disk_format      | qcow2                                                           |
| id               | c315c240-555c-4ac9-97e3-78159f547ec3                            |
| min_disk         | 0                                                               |
| min_ram          | 0                                                               |
| name             | cir                                                             |
| owner            | 72e08b8250f44d45953fa34bf989c0f1                                |
| protected        | False                                                           |
| size             | 12528640                                                        |
| status           | active                                                          |
| tags             | []                                                              |
| updated_at       | 2019-04-02T06:57:58Z                                            |
| virtual_size     | None                                                            |
| visibility       | private                                                         |
+------------------+-----------------------------------------------------------------+

Commented out the glance-protection.conf on api.conf and restarted the service.
Now the property is visible again.

If I create a volume from said image while stating the volume-type, things work, but then again this defeats the whole purpose.

[stack@undercloud-0 ~]$ cinder create 1 --image cir --volume-type tripleo_iscsi --name test
+--------------------------------+---------------------------------------+
| Property                       | Value                                 |
+--------------------------------+---------------------------------------+
| attachments                    | []                                    |
| availability_zone              | nova                                  |
| bootable                       | false                                 |
| consistencygroup_id            | None                                  |
| created_at                     | 2019-04-02T07:56:21.000000            |
| description                    | None                                  |
| encrypted                      | False                                 |
| id                             | 84dd242b-fbbf-45fa-8b55-4fb0f67f9efa  |
| metadata                       | {}                                    |
| migration_status               | None                                  |
| multiattach                    | False                                 |
| name                           | test                                  |
| os-vol-host-attr:host          | hostgroup@tripleo_iscsi#tripleo_iscsi |
| os-vol-mig-status-attr:migstat | None                                  |
| os-vol-mig-status-attr:name_id | None                                  |
| os-vol-tenant-attr:tenant_id   | 72e08b8250f44d45953fa34bf989c0f1      |
| replication_status             | disabled                              |
| size                           | 1                                     |
| snapshot_id                    | None                                  |
| source_volid                   | None                                  |
| status                         | creating                              |
| updated_at                     | 2019-04-02T07:56:22.000000            |
| user_id                        | 56c007498f134abf871548ee7483e99b      |
| volume_type                    | tripleo_iscsi                         |
+--------------------------------+---------------------------------------+

| 84dd242b-fbbf-45fa-8b55-4fb0f67f9efa | available | test | 1 | tripleo_iscsi | true | |

I tried another attempt:

[stack@undercloud-0 ~]$ cinder create 1 --image cir
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2019-04-02T08:07:09.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| id                             | 4652bef4-05db-4614-af21-a48e7fa60637 |
| metadata                       | {}                                   |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | None                                 |
| os-vol-host-attr:host          | hostgroup@kaminario#kaminario        |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 72e08b8250f44d45953fa34bf989c0f1     |
| replication_status             | disabled                             |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| updated_at                     | 2019-04-02T08:07:09.000000           |
| user_id                        | 56c007498f134abf871548ee7483e99b     |
| volume_type                    | None                                 |
+--------------------------------+--------------------------------------+

[stack@undercloud-0 ~]$ cinder show 4652bef4-05db-4614-af21-a48e7fa60637
+--------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Property                       | Value |
+--------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| attachments                    | [] |
| availability_zone              | nova |
| bootable                       | true |
| consistencygroup_id            | None |
| created_at                     | 2019-04-02T08:07:09.000000 |
| description                    | None |
| encrypted                      | False |
| id                             | 4652bef4-05db-4614-af21-a48e7fa60637 |
| metadata                       | {} |
| migration_status               | None |
| multiattach                    | False |
| name                           | None |
| os-vol-host-attr:host          | hostgroup@kaminario#kaminario |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id   | 72e08b8250f44d45953fa34bf989c0f1 |
| replication_status             | disabled |
| size                           | 1 |
| snapshot_id                    | None |
| source_volid                   | None |
| status                         | available |
| updated_at                     | 2019-04-02T08:07:40.000000 |
| user_id                        | 56c007498f134abf871548ee7483e99b |
| volume_image_metadata          | {u'container_format': u'bare', u'min_ram': u'0', u'disk_format': u'qcow2', u'image_name': u'cir', u'image_id': u'c315c240-555c-4ac9-97e3-78159f547ec3', u'checksum': u'7316af7358dd32ca1956d72ac2c9e147', u'min_disk': u'0', u'cinder_img_vol_type': u'tripleo_iscsi', u'size': u'12528640'} |
| volume_type                    | None |
+--------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

So we see volume_image_metadata mentions -> cinder_img_vol_type': u'tripleo_iscsi
Yet we see volume type is K2
| os-vol-host-attr:host | hostgroup@kaminario#kaminario

Any ideas what's going on?
Created attachment 1550918 [details] Cinder log file
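The property protection file quoted earlier in this thread, run through a small evaluator; this is an added example, not Glance's code. It assumes the roles rule format in which each section name is a regular expression searched against the property name, the first matching section decides, and a property that matches no section is denied to every role; the function names and the role "_member_" are hypothetical.

```python
import configparser
import re

# Protection file exactly as quoted in this thread.
PROTECTION_CONF = """
[cinder_img_volume_type]
create = admin
read = @
update = admin
delete = admin
"""

OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Return [(compiled section regex, {operation: [roles]})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for section in parser.sections():
        ops = {}
        for op in OPERATIONS:
            raw = parser.get(section, op, fallback="")
            ops[op] = [r.strip().lower() for r in raw.split(",") if r.strip()]
        rules.append((re.compile(section), ops))
    return rules


def is_allowed(rules, prop, operation, roles):
    """Assumed model: first matching section decides, no match means deny."""
    if not rules:                    # no protection file: nothing is filtered
        return True
    for pattern, ops in rules:
        if pattern.search(prop):
            granted = ops.get(operation, [])
            if "!" in granted:       # '!' = no role at all
                return False
            if "@" in granted:       # '@' = every role
                return True
            return bool({r.lower() for r in roles} & set(granted))
    return False                     # property matched no section


def visible_properties(rules, props, roles):
    """Custom properties a caller with these roles would see on the image."""
    return {k: v for k, v in props.items()
            if is_allowed(rules, k, "read", roles)}


if __name__ == "__main__":
    rules = load_rules(PROTECTION_CONF)
    # Constructed image metadata carrying both spellings seen in the thread.
    image = {"cinder_img_vol_type": "tripleo_iscsi",
             "cinder_img_volume_type": "tripleo_iscsi"}
    for roles in (["admin"], ["_member_"]):
        print(roles, "->", visible_properties(rules, image, roles))
```

Under that model a one-section file hides every custom property the section does not name, including from admin, so a property that disappears after enabling the file is worth comparing character by character with the section name.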
The problem is that it's not "cinder_img_vol_type" but "cinder_img_volume_type" like mentioned in Abhishek's comment #2 and my comment #4. You should first confirm that you can do it with the admin, since the description of the problem says they can do that, and then confirm you can also do it with a non admin user.
Verified on:
openstack-cinder-9.1.4-49.el7ost.noarch

Under admin, created a Cirros image:

glance image-create --disk-format qcow2 --container-format bare --file cirros-0.3.5-i386-disk.img --name CirrosLVM
+------------------+-----------------------------------------------------------------+
| Property         | Value                                                           |
+------------------+-----------------------------------------------------------------+
| checksum         | 7316af7358dd32ca1956d72ac2c9e147                                |
| container_format | bare                                                            |
| created_at       | 2019-04-08T08:56:14Z                                            |
| direct_url       | swift+config://ref1/glance/c532dfd7-1bf9-4281-b856-6ea26780afec |
| disk_format      | qcow2                                                           |
| id               | c532dfd7-1bf9-4281-b856-6ea26780afec                            |
| min_disk         | 0                                                               |
| min_ram          | 0                                                               |
| name             | CirrosLVM                                                       |
| owner            | 5e3b5a1473184ba2801fcb0ba948ca07                                |
| protected        | False                                                           |
| size             | 12528640                                                        |
| status           | active                                                          |
| tags             | []                                                              |
| updated_at       | 2019-04-08T08:56:16Z                                            |
| virtual_size     | None                                                            |
| visibility       | private                                                         |
+------------------+-----------------------------------------------------------------+

Updated its property:

glance image-update c532dfd7-1bf9-4281-b856-6ea26780afec --property cinder_img_volume_type="tripleo_iscsi"

Configured two Cinder back ends:

[stack@puma52 ~]$ cinder extra-specs-list
+--------------------------------------+---------------+--------------------------------------------+
| ID                                   | Name          | extra_specs                                |
+--------------------------------------+---------------+--------------------------------------------+
| 0712515f-9acd-46fa-a454-ca2e4f4be49b | tripleo_iscsi | {u'volume_backend_name': u'tripleo_iscsi'} |
| 88079f03-68f1-41b8-ac6b-a22e4c44617e | 3parfc        | {u'volume_backend_name': u'3parfc'}        |
+--------------------------------------+---------------+--------------------------------------------+

First let's check creating a vol from this image in admin (which already worked before):

[stack@puma52 ~]$ cinder create 1 --image c532dfd7-1bf9-4281-b856-6ea26780afec --name 2
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2019-04-08T11:31:17.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| id                             | d0e0e121-4959-42ee-abc1-1e5b484393d2 |
| metadata                       | {}                                   |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | 2                                    |
| os-vol-host-attr:host          | None                                 |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 5e3b5a1473184ba2801fcb0ba948ca07     |
| replication_status             | disabled                             |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| updated_at                     | None                                 |
| user_id                        | c8c4b031225b409abea35ceeddd2ba9d     |
| volume_type                    | tripleo_iscsi                        |
+--------------------------------+--------------------------------------+

As expected we get a volume created on the tripleo_iscsi backend:

| d0e0e121-4959-42ee-abc1-1e5b484393d2 | available | 2 | 1 | tripleo_iscsi | true | |

Let's update/share the image, change to public:

[stack@puma52 ~]$ glance image-update c532dfd7-1bf9-4281-b856-6ea26780afec --visibility public
+------------------------+-----------------------------------------------------------------+
| Property               | Value                                                           |
+------------------------+-----------------------------------------------------------------+
| checksum               | 7316af7358dd32ca1956d72ac2c9e147                                |
| cinder_img_vol_type    | tripleo_iscsi                                                   |
| cinder_img_volume_type | tripleo_iscsi                                                   |
| container_format       | bare                                                            |
| created_at             | 2019-04-08T08:56:14Z                                            |
| direct_url             | swift+config://ref1/glance/c532dfd7-1bf9-4281-b856-6ea26780afec |
| disk_format            | qcow2                                                           |
| id                     | c532dfd7-1bf9-4281-b856-6ea26780afec                            |
| min_disk               | 0                                                               |
| min_ram                | 0                                                               |
| name                   | CirrosLVM                                                       |
| owner                  | 5e3b5a1473184ba2801fcb0ba948ca07                                |
| protected              | False                                                           |
| size                   | 12528640                                                        |
| status                 | active                                                          |
| tags                   | []                                                              |
| updated_at             | 2019-04-08T11:41:51Z                                            |
| virtual_size           | None                                                            |
| visibility             | public                                                          |
+------------------------+-----------------------------------------------------------------+

Now let's create a non-admin user/project to check:

[stack@puma52 ~]$ openstack project create nimda
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | e148e5c21c254dc3b5f739b4693c395e |
| name        | nimda                            |
+-------------+----------------------------------+

[stack@puma52 ~]$ openstack user create hal --project e148e5c21c254dc3b5f739b4693c395e --password secret
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | b375d2233cd24402bdd25cab0db60ad0 |
| name       | hal                              |
| project_id | e148e5c21c254dc3b5f739b4693c395e |
| username   | hal                              |
+------------+----------------------------------+

Create a fitting overcloudrc-hal file:

[stack@puma52 ~]$ cat overcloudrc-hal
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
export OS_USERNAME=hal
export OS_TENANT_NAME=nimda
export NOVA_VERSION=1.1
export OS_PROJECT_NAME=nimda
export OS_PASSWORD=secret
export OS_NO_CACHE=True
export COMPUTE_API_VERSION=1.1
export no_proxy=,192.168.24.14,192.168.24.14,192.168.24.7,192.168.24.7
export OS_CLOUDNAME=overcloud
export OS_AUTH_URL=http://192.168.24.7:5000/v2.0
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"

Source ^ file and check:

[stack@puma52 ~]$ glance image-list
+--------------------------------------+-----------+
| ID                                   | Name      |
+--------------------------------------+-----------+
| 5b50ea6c-996b-49c4-98fe-0794de10cb78 | cirros    |
| c532dfd7-1bf9-4281-b856-6ea26780afec | CirrosLVM |
+--------------------------------------+-----------+

We see both public images, great.

[stack@puma52 ~]$ cinder type-list
+--------------------------------------+---------------+-------------+-----------+
| ID                                   | Name          | Description | Is_Public |
+--------------------------------------+---------------+-------------+-----------+
| 0712515f-9acd-46fa-a454-ca2e4f4be49b | tripleo_iscsi | -           | True      |
| 88079f03-68f1-41b8-ac6b-a22e4c44617e | 3parfc        | -           | True      |
+--------------------------------------+---------------+-------------+-----------+

We see both Cinder volume types.

[stack@puma52 ~]$ cinder list
+----+--------+------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+----+--------+------+------+-------------+----------+-------------+
+----+--------+------+------+-------------+----------+-------------+

As expected, in this project/user we have yet to lay any Cinder bricks.

[stack@puma52 ~]$ cinder create 1 --image CirrosLVM --name TestingNoneAdminUser
+------------------------------+--------------------------------------+
| Property                     | Value                                |
+------------------------------+--------------------------------------+
| attachments                  | []                                   |
| availability_zone            | nova                                 |
| bootable                     | false                                |
| consistencygroup_id          | None                                 |
| created_at                   | 2019-04-08T11:51:00.000000           |
| description                  | None                                 |
| encrypted                    | False                                |
| id                           | a7668444-da05-40c3-b36d-3699794392b3 |
| metadata                     | {}                                   |
| multiattach                  | False                                |
| name                         | TestingNoneAdminUser                 |
| os-vol-tenant-attr:tenant_id | e148e5c21c254dc3b5f739b4693c395e     |
| replication_status           | disabled                             |
| size                         | 1                                    |
| snapshot_id                  | None                                 |
| source_volid                 | None                                 |
| status                       | creating                             |
| updated_at                   | None                                 |
| user_id                      | b375d2233cd24402bdd25cab0db60ad0     |
| volume_type                  | tripleo_iscsi                        |
+------------------------------+--------------------------------------+

This looks good, the volume is created on LVM:

[stack@puma52 ~]$ cinder list
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+
| ID                                   | Status    | Name                 | Size | Volume Type   | Bootable | Attached to |
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+
| a7668444-da05-40c3-b36d-3699794392b3 | available | TestingNoneAdminUser | 1    | tripleo_iscsi | true     |             |
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+

Now let's create (source admin for this bit) a new image, this time pointing to the 3par back end.

[stack@puma52 ~]$ glance image-create --disk-format qcow2 --container-format bare --file cirros-0.3.5-i386-disk.img --name Cirros3par
+------------------+-----------------------------------------------------------------+
| Property         | Value                                                           |
+------------------+-----------------------------------------------------------------+
| checksum         | 7316af7358dd32ca1956d72ac2c9e147                                |
| container_format | bare                                                            |
| created_at       | 2019-04-08T11:52:54Z                                            |
| direct_url       | swift+config://ref1/glance/b9c23a81-af68-4b0c-b9f9-17472720d5f4 |
| disk_format      | qcow2                                                           |
| id               | b9c23a81-af68-4b0c-b9f9-17472720d5f4                            |
| min_disk         | 0                                                               |
| min_ram          | 0                                                               |
| name             | Cirros3par                                                      |
| owner            | 5e3b5a1473184ba2801fcb0ba948ca07                                |
| protected        | False                                                           |
| size             | 12528640                                                        |
| status           | active                                                          |
| tags             | []                                                              |
| updated_at       | 2019-04-08T11:52:56Z                                            |
| virtual_size     | None                                                            |
| visibility       | private                                                         |
+------------------+-----------------------------------------------------------------+

Set public and backend:

[stack@puma52 ~]$ glance image-update b9c23a81-af68-4b0c-b9f9-17472720d5f4 --visibility public
[stack@puma52 ~]$ glance image-update b9c23a81-af68-4b0c-b9f9-17472720d5f4 --property cinder_img_volume_type="3parfc"
+------------------------+-----------------------------------------------------------------+
| Property               | Value                                                           |
+------------------------+-----------------------------------------------------------------+
| checksum               | 7316af7358dd32ca1956d72ac2c9e147                                |
| cinder_img_volume_type | 3parfc                                                          |
| container_format       | bare                                                            |
| created_at             | 2019-04-08T11:52:54Z                                            |
| direct_url             | swift+config://ref1/glance/b9c23a81-af68-4b0c-b9f9-17472720d5f4 |
| disk_format            | qcow2                                                           |
| id                     | b9c23a81-af68-4b0c-b9f9-17472720d5f4                            |
| min_disk               | 0                                                               |
| min_ram                | 0                                                               |
| name                   | Cirros3par                                                      |
| owner                  | 5e3b5a1473184ba2801fcb0ba948ca07                                |
| protected              | False                                                           |
| size                   | 12528640                                                        |
| status                 | active                                                          |
| tags                   | []                                                              |
| updated_at             | 2019-04-08T11:54:53Z                                            |
| virtual_size           | None                                                            |
| visibility             | public                                                          |
+------------------------+-----------------------------------------------------------------+

Return to the hal/nimda overcloudrc-hal file:

[stack@puma52 ~]$ cinder create 1 --image b9c23a81-af68-4b0c-b9f9-17472720d5f4 --name 3arHal
+------------------------------+--------------------------------------+
| Property                     | Value                                |
+------------------------------+--------------------------------------+
| attachments                  | []                                   |
| availability_zone            | nova                                 |
| bootable                     | false                                |
| consistencygroup_id          | None                                 |
| created_at                   | 2019-04-08T11:56:47.000000           |
| description                  | None                                 |
| encrypted                    | False                                |
| id                           | de705a22-5a67-40ed-8d0d-2ea501f21031 |
| metadata                     | {}                                   |
| multiattach                  | False                                |
| name                         | 3arHal                               |
| os-vol-tenant-attr:tenant_id | e148e5c21c254dc3b5f739b4693c395e     |
| replication_status           | disabled                             |
| size                         | 1                                    |
| snapshot_id                  | None                                 |
| source_volid                 | None                                 |
| status                       | creating                             |
| updated_at                   | 2019-04-08T11:56:48.000000           |
| user_id                      | b375d2233cd24402bdd25cab0db60ad0     |
| volume_type                  | 3parfc                               |
+------------------------------+--------------------------------------+

Both volumes under a non-admin project/user are created as expected:

[stack@puma52 ~]$ cinder list
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+
| ID                                   | Status    | Name                 | Size | Volume Type   | Bootable | Attached to |
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+
| a7668444-da05-40c3-b36d-3699794392b3 | available | TestingNoneAdminUser | 1    | tripleo_iscsi | true     |             |
| de705a22-5a67-40ed-8d0d-2ea501f21031 | available | 3arHal               | 1    | 3parfc        | true     |             |
+--------------------------------------+-----------+----------------------+------+---------------+----------+-------------+

Gorka for your sharp eyes, catching my typo :)
thanks Gorka I meant.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0917