Glance

Unable to spawn VM from community image

Bug #1885928 reported by Rajiv Mucheli on 2020-07-01

This bug affects 2 people

	Status	Importance	Assigned to
Glance	Fix Released	High	Erno Kuvaja
Ussuri	Triaged	High	Erno Kuvaja
Victoria	Triaged	High	Erno Kuvaja
Wallaby	Triaged	High	Erno Kuvaja
Xena	Fix Released	High	Erno Kuvaja

Bug Description

Hi,

I am planning to introduce community images in my production.

Release : Train
Backend : Swift

I can spawn images from Public, private and shared images. The logs point me to HTTP 403 from swift :

2020-06-30T11:16:03.522021578+00:00 - api - 2020-06-30 11:16:03,093.093 42 WARNING glance.location [req-4d5aede4-0d3a-4dd7-bc2b-055de4f60dbc 3eda6592ccadd54d787c8d58c2c7c3e7ba0236ddb339c08eba531b056ae9e50e 606094098b04421b8041ef54c734b664 - 41aac04ce58c428b9ed2262798d0d336 41aac04ce58c428b9ed2262798d0d336] Get image b833841e-f92a-4495-8e8e-bfc6f68f9f31 data failed: Object GET failed: https://XXXX
:443/v1/AUTH_51edc18acfca49099e77dc66e8dc2f48/glance_b833841e-f92a-4495-8e8e-bfc6f68f9f31/b833841e-f92a-4495-8e8e-bfc6f68f9f31 403 Forbidden [first 60 chars of response] b'<html><h1>Forbidden</h1><p>Access was denied to this resourc'.: swiftclient.exceptions.ClientException: Object GET failed: https://XXXX:443/v1/AUTH_51edc18acfca49099e77dc66e8dc2f48/glance_b833841e-f92a-4495-8e8e-bfc6f68f9f31/b
833841e-f92a-4495-8e8e-bfc6f68f9f31 403 Forbidden [first 60 chars of response] b'<html><h1>Forbidden</h1><p>Access was denied to this resourc'
2020-06-30T11:16:03.522032543+00:00 - api - 2020-06-30 11:16:03,093.093 42 ERROR glance.location [req-4d5aede4-0d3a-4dd7-bc2b-055de4f60dbc 3eda6592ccadd54d787c8d58c2c7c3e7ba0236ddb339c08eba531b056ae9e50e 606094098b04421b8041ef54c734b664 - 41aac04ce58c428b9ed2262798d0d336 41aac04ce58c428b9ed2262798d0d336] Glance tried all active locations/stores to get data for image b833841e-f92a-4495-8e8e-bfc6f68f9f31 but all have failed

I did refer all the available documents :

https://specs.openstack.org/openstack/glance-specs/specs/ocata/implemented/glance/community_visibility.html
https://blueprints.launchpad.net/glance/+spec/community-level-v2-image-sharing
https://wiki.openstack.org/wiki/Glance-v2-community-image-sharing#Accepting_a_.27Community.27_Image,

Is this issue related to ACL's ?

https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/swift/store.py#L1524

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2020-07-09:

Is it possible for you to share glance-api.conf (glance store section) and steps to reproduce like
create community image, boot the instance etc?

Revision history for this message

Rajiv Mucheli (rajiv.mucheli) wrote on 2020-07-09:

Hi Abhishek,

The glance-api.conf can be accessed https://github.com/sapcc/helm-charts/blob/master/openstack/glance/templates/etc/_glance-api.conf.tpl

we use the generic commands, openstack image create test.vmdk --community

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2021-03-29:

This issue is not reproducible with Train and swift backend, we need some additional information about the environment, glance and swift configurations etc to look into it further.

Revision history for this message

Rajiv Mucheli (rajiv.mucheli) wrote on 2021-03-29:

Hi Abhishek,

1. Were you able to spawn an instance from a community image in Train Release ?
2. I still have this issue in Glance on Victoria Release and Swift on Ussuri Release.
3. Could you tell me what other data can be provided ? i see similar logs as shared above while spawning an instance from a community image.

Regards,
Rajiv

Erno Kuvaja (jokke) on 2021-07-09

Changed in glance:
status:	New → Triaged
assignee:	nobody → Erno Kuvaja (jokke)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-07-09: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/glance/+/800221

Changed in glance:
status:	Triaged → In Progress

OpenStack Infra (hudson-openstack) on 2021-08-16

Changed in glance:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-03: Fix merged to glance (master)

Reviewed: https://review.opendev.org/c/openstack/glance/+/800221
Committed: https://opendev.org/openstack/glance/commit/f0d891a3edbf9978f8c427df05e8c912fce54cf4
Submitter: "Zuul (22348)"
Branch: master

commit f0d891a3edbf9978f8c427df05e8c912fce54cf4
Author: Erno Kuvaja <email address hidden>
Date: Fri Jul 9 13:48:45 2021 +0100

'community' images need to be treated as public

    Even though 'community' images are not listed by default their
    behaviour is like public images otherwise. This means that
    the image data needs to be available for everyone and thus
    the acls for the file/object should be like public too.

Change-Id: I79683c81233b35f2399119128a63d33d69c50eeb
Closes-bug: #1885928

Changed in glance:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-09: Fix included in openstack/glance 23.0.0.0b3

This issue was fixed in the openstack/glance 23.0.0.0b3 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.