Bug 896115 - Allow nova to directly copy a file out of glance
Allow nova to directly copy a file out of glance
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova (Show other bugs)
unspecified
Unspecified Unspecified
unspecified Severity unspecified
: snapshot3
: 2.1
Assigned To: John Bresnahan
Kashyap Chamarthy
: FutureFeature, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-16 11:30 EST by John Bresnahan
Modified: 2016-04-26 11:55 EDT (History)
6 users (show)

See Also:
Fixed In Version: openstack-nova-2012.2.3-1.el6ost
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-05 13:30:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 19408 None None None Never

  None (edit)
Description John Bresnahan 2013-01-16 11:30:46 EST
Description of problem:

When glance presents a direct_url with a file:// scheme in an image's meta data nova-compute should be able to copy this file without routing it through glance.  An initial solution to this problem will allow the admin to make the assumption that glance and nova share the same file system namespace.  An upstream patch has been submitted here:

https://review.openstack.org/#/c/19408/

This bug can be used to track its progress.
Comment 2 John Bresnahan 2013-01-22 12:37:26 EST
A patch has been accepted upstream.
Comment 5 John Bresnahan 2013-01-22 14:15:38 EST
Glance has some safe guards in place for this:

https://bugs.launchpad.net/glance/+bug/942118
https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L256

However, I agree that nova should protect itself and not rely on Glance to provide safe information.  I will create a new bug that allows the user to configure a whitelisted of acceptable base paths.
Comment 8 Mark McLoughlin 2013-01-30 12:06:18 EST
Need to document how to use this, i.e. enable show_image_direct_url in glance-api.conf and add 'file' to allowed_direct_url_schemes in nova.conf
Comment 12 Mark McLoughlin 2013-02-19 09:58:52 EST
Looks like docs got sorted for 2.1
Comment 13 Kashyap Chamarthy 2013-02-20 05:45:07 EST

Hi, I'm trying to test this, can someone provide a bit more detail here on the usage.

(Also, can someone point to the 2.1 docs alluded to in Comment #12 ? Thanks.)


Build info. (I'm using nightly repo)
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qi openstack-nova
Name        : openstack-nova               Relocations: (not relocatable)
Version     : 2012.2.3                          Vendor: Red Hat, Inc.
Release     : 1.el6ost                      Build Date: Tue 12 Feb 2013 02:14:12 AM IST
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qi openstack-glance
Name        : openstack-glance             Relocations: (not relocatable)
Version     : 2012.2.3                          Vendor: Red Hat, Inc.
Release     : 1.el6ost                      Build Date: Wed 13 Feb 2013 04:51:47 PM IST
#-----------------------------------------#


#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ sudo grep show_image_direct_url  /usr/share/glance/glance-api-dist.conf
[tuser1@interceptor ~(keystone_admin)]$  sudo grep show_image_direct_url  /etc/glance/glance-api.conf 
[tuser1@interceptor ~(keystone_admin)]$ sudo grep allowed_direct_url_schemes /etc/nova/nova.conf
[tuser1@interceptor ~(keystone_admin)]$ sudo grep allowed_direct_url_schemes /usr/share/nova/nova-dist.conf
[tuser1@interceptor ~(keystone_admin)]$ 
#-----------------------------------------#
[tuser1@interceptor ~(keystone_admin)]$ sudo grep -A3  allowed /usr/lib/python2.6/site-packages/nova/flags.py
    cfg.ListOpt('allowed_direct_url_schemes',
                default=[],
#-----------------------------------------#
Comment 14 John Bresnahan 2013-02-20 13:48:16 EST
What happens here is hard to test from a black box perspective.  Behind the scenes what happens here is that instead of having nova download the image via HTTP, it simply copies the image with a system call.

The first means of testing it would be to verify that a boot happens as normal when this behavior is enabled.  However, that does still leave the question: how do we know the new feature is activated.

Unfortunately there is no log statement where the copy is made in nova.  However, you should be able to verify in the glance logs that a download to the given image was *not* made.
Comment 15 Kashyap Chamarthy 2013-02-21 08:22:25 EST
VERIFIED.

Version Info:
#=========================================#
[tuser1@interceptor ~(keystone_admin)]$ rpm -qa | grep -i glance ; arch ; cat /etc/redhat-release 
python-glanceclient-0.5.1-2.el6ost.noarch
python-glance-2012.2.3-1.el6ost.noarch
openstack-glance-2012.2.3-1.el6ost.noarch
x86_64
Red Hat Enterprise Linux Server release 6.4 (Santiago)
[tuser1@interceptor ~(keystone_admin)]$ 
#=========================================#

Verification Procedure:

[1] Ensure to have these flags enabled in nova.conf & glance-api.conf
#=========================================#
[tuser1@interceptor nova(keystone_user1)]$ sudo grep allowed_direct_url_schemes /etc/nova/nova.conf
allowed_direct_url_schemes=[file]
#=========================================#
[tuser1@interceptor nova(keystone_user1)]$ sudo grep show_image_direct_url  /etc/glance/glance-api.conf
show_image_direct_url = True
[tuser1@interceptor nova(keystone_user1)]$ 
#=========================================#
Note: I had to set the "show_image_direct_url = True" directive in Default section for Glance (Thanks fpercoco).

[2] Restart all Openstack services
#=========================================#
$ for j in `for i in $(ls -1 /etc/init.d/openstack-*) ; do $i status | grep running ; done | awk '{print $1}'` ; do service $j restart ; done
#=========================================#


[3] List existing images:
#=========================================#
[tuser1@interceptor nova(keystone_admin)]$ glance image-list
+--------------------------------------+-----------+-------------+------------------+------------+--------+
| ID                                   | Name      | Disk Format | Container Format | Size       | Status |
+--------------------------------------+-----------+-------------+------------------+------------+--------+
| 1e6292f9-82bd-4cdb-969e-c863cb1c6692 | fedora-17 | qcow2       | bare             | 251985920  | active |
| acc4c853-9153-4e80-b3c8-e253451ae983 | rhel63    | qcow2       | bare             | 1074135040 | active |
+--------------------------------------+-----------+-------------+------------------+------------+--------+
[tuser1@interceptor nova(keystone_admin)]$ 
#=========================================#

[4] Get information about the fedora-17 image: 

NOTE: The --os-image-api-version has to be version 2, so that, it provides all the debug info:
#=========================================#
$ glance --debug --os-image-api-version 2 image-show 1e6292f9-82bd-4cdb-969e-c863cb1c6692
.
.
.
.
{"status": "active", "name": "fedora-17", "tags": [], "container_format": "bare", "created_at": "2012-01-12T23:04:40Z", "size": 251985920, "disk_format": "qcow2", "updated_at": "2012-01-12T23:04:42Z", "visibility": "public", "id": "1e6292f9-82bd-4cdb-969e-c863cb1c6692", "protected": false, "min_ram": 0, "file": "/v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692/file", "checksum": "1f104b5667768964d5df8c4ad1d7cd27", "min_disk": 0, "direct_url": "file:///var/lib/glance/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692", "self": "/v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692", "schema": "/v2/schemas/image"}
#=========================================#

You can see direct_url o/p : (which shows the path to the disk image)

"direct_url": "file:///var/lib/glance/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692"



[5] And, the given image was /not/ downloaded via HTTP. From  /var/log/glance/api.log :
#=========================================#
.
.
.
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Determining version of request: GET /v2/schemas/image Accept:  process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:45
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Using url versioning process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:58
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Matched version: v2 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:70
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] new uri /v2/schemas/image process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:71
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Determining version of request: GET /v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692 Accept:  process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:45
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Using url versioning process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:58
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] Matched version: v2 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:70
2013-02-21 18:50:30 71603 DEBUG glance.api.middleware.version_negotiation [-] new uri /v2/images/1e6292f9-82bd-4cdb-969e-c863cb1c6692 process_request /usr/lib/python2.6/site-packages/glance/api/middleware/version_negotiation.py:71
2013-02-21 18:50:30 DEBUG glance.api.policy [60120f14-304d-4788-8e31-84233e7cc8ca e34da0f70aaa4b86b97857299d66155f 5aaa100a372248dd9c658f8b7775784c] Loaded policy rules: {u'default': [], u'manage_image_cache': [[u'role:admin']]} load_rules /usr/lib/python2.6/site-packages/glance/api/policy.py:63
#=========================================#

Per above information, turning the bug to VERIFIED
Comment 17 errata-xmlrpc 2013-03-05 13:30:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0593.html

Note You need to log in before you can comment on or make changes to this bug.