2023.1 Series Release Notes

26.1.0-5

Bug Fixes

  • Bug #2073945: Fixed an issue with VM creation in DCN deployments with an RBD backend, where the operation failed if an edge node did not have a store defined that is part of the image locations.

  • Bug #2054575: Fixed an issue where Glance rejected the request with an invalid location when Cinder uploaded a volume to Glance using the optimised path. The old location format sent by Cinder is now converted into the new location format supported by multi store, allowing volumes to be uploaded in an optimised way.

26.1.0

Security Issues

  • Images in the qcow2 format with an external data file are now rejected by Glance because such images could be used in an exploit to expose host information. See Bug #2059809 for details.

Bug Fixes

  • Bug #2059809: Fixed an issue where a qcow2 format image with an external data file could expose host information. Such images are now rejected by Glance. To achieve this, format_inspector has been extended with safety checks for qcow2 and VMDK files. Unsafe qcow2 and VMDK files are rejected by pre-examining them with the format inspector to ensure safe configurations prior to any qemu-img operations.
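The kind of header-only pre-examination described above, as an added example that is not Glance's format_inspector code. The field offsets and the feature bit come from the published qcow2 specification; the function names are hypothetical, and the backing file check goes beyond what this page states.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# magic, version, backing_file_offset, backing_file_size (big-endian, qcow2 spec)
HEADER_START = struct.Struct(">4sIQI")
INCOMPAT_OFFSET = 72          # incompatible_features field, version 3 only
INCOMPAT_DATA_FILE = 1 << 2   # bit 2: guest data lives in an external data file


def qcow2_safety_problems(header):
    """Return the reasons to reject an image, given its first bytes.

    Only the header is read, so no referenced file is ever opened.
    """
    if len(header) < HEADER_START.size:
        return ["truncated header"]
    magic, version, backing_off, _ = HEADER_START.unpack_from(header)
    if magic != QCOW2_MAGIC:
        return ["not a qcow2 image"]
    if version not in (2, 3):
        return ["unsupported qcow2 version %d" % version]
    problems = []
    if backing_off != 0:
        # Assumption beyond the page: a backing file also points outside the image.
        problems.append("backing file reference")
    if version == 3:
        if len(header) < INCOMPAT_OFFSET + 8:
            return problems + ["truncated header"]
        (incompat,) = struct.unpack_from(">Q", header, INCOMPAT_OFFSET)
        if incompat & INCOMPAT_DATA_FILE:
            problems.append("external data file")
    return problems


def sample_header(version, incompat=0, backing_off=0):
    """Constructed test input: header fields only, not a usable image."""
    head = HEADER_START.pack(QCOW2_MAGIC, version, backing_off, 0) + bytes(52)
    if version == 3:
        head += struct.pack(">QQQII", incompat, 0, 0, 4, 104)
    return head


if __name__ == "__main__":
    for name, hdr in [("plain v3", sample_header(3)),
                      ("data file", sample_header(3, incompat=INCOMPAT_DATA_FILE)),
                      ("backing file", sample_header(2, backing_off=104))]:
        print(name, "->", qcow2_safety_problems(hdr) or "no problems found")
```

Because the check works on raw bytes, it can run on the first chunk of an upload before any tool that would follow the reference touches the file.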

26.0.0

Prelude

In this cycle Glance enabled the new API policy (RBAC) defaults and scope by default, and removed the deprecated enforce_secure_rbac option, which is no longer needed after switching to the new defaults. The default values of the config options [oslo_policy] enforce_scope and [oslo_policy] enforce_new_defaults have been changed to True. The old policies are still present but are disabled by default.

Upgrade Notes

  • The Glance service enables the new API policy (RBAC) defaults and scope by default. The default values of the config options [oslo_policy] enforce_scope and [oslo_policy] enforce_new_defaults have been changed to True.

    To disable them, change the values of the following config options in the glance-api.conf file:

    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False
    
  • As per the revised SRBAC community goals, the Glance service is switching to the new defaults by default in the Antelope cycle, and the deprecated enforce_secure_rbac option, which is no longer needed, has therefore been removed. The enforce_secure_rbac option was introduced as EXPERIMENTAL in the Wallaby release for operators to opt into enforcing authorisation based on common RBAC personas.

    Operators can now control the scope and new defaults flags with the following config options in the glance-api.conf file:

    [oslo_policy]
    enforce_new_defaults=True
    enforce_scope=True
    

Bug Fixes

  • Bug 1990854: oslo_limit section not clear

  • Bug 1779781: virt/vmware not support VirtualSriovEthernetCard

  • Bug 1647491: Missing documentation for glance-manage db_purge command

  • Bug 1983279: Cannot upload VMDK images due to unsupported VMDK format

  • Bug 1989268: Wrong assertion method

  • Bug 1996188: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

  • Bug 1939690: The api-ref response and the actual response returned from the Create Tags API does not match