2023.1 Series Release Notes
26.1.0-5
Bug Fixes
Bug #2073945: Fixed an issue with VM creation in DCN cases with an RBD backend, where the operation fails if an edge node doesn't have a store defined that is part of the image locations.
Bug #2054575: Fixed the issue when Cinder uploads a volume to Glance in the optimised path and Glance rejects the request with invalid location. Now we convert the old location format sent by Cinder into the new location format supported by multi store, hence allowing volumes to be uploaded in an optimised way.
26.1.0
Security Issues
Images in the qcow2 format with an external data file are now rejected by Glance because such images could be used in an exploit to expose host information. See Bug #2059809 for details.
Bug Fixes
Bug #2059809: Fixed issue where a qcow2 format image with an external data file could expose host information. Such an image format with an external data file will be rejected from Glance. To achieve the same, format_inspector has been extended by adding safety checks for qcow2 and VMDK files in Glance. Unsafe qcow and VMDK files will be rejected by pre-examining them with a format inspector to ensure safe configurations prior to any qemu-img operations.
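The kind of pre-examination described above can be sketched as a header check. This is an added example, not Glance's format_inspector code: the function and constant names are hypothetical, the sample headers are constructed, and the backing-file check goes beyond what this note states (it is another way a qcow2 header can reference a file outside the image).

```python
import struct

# Added example; function and constant names are hypothetical, not Glance's API.
QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2           # qcow2 spec: incompatible-feature bit 2
_V2_FIELDS = struct.Struct(">4sIQI")  # magic, version, backing file offset/size
_V3_INCOMPAT = struct.Struct(">Q")    # incompatible_features bitmap at byte 72


def qcow2_safety(head: bytes) -> dict:
    """Report whether a qcow2 header references files outside the image."""
    if head[:4] != QCOW2_MAGIC:
        return {"qcow2": False, "safe": None, "reasons": []}
    if len(head) < _V2_FIELDS.size:
        return {"qcow2": True, "safe": False, "reasons": ["truncated header"]}
    reasons = []
    _, version, backing_off, _backing_len = _V2_FIELDS.unpack_from(head)
    if backing_off != 0:
        reasons.append("backing file")
    if version >= 3:  # feature bitmaps only exist from version 3 onwards
        if len(head) < 72 + _V3_INCOMPAT.size:
            reasons.append("truncated header")  # fail closed: cannot decide
        else:
            (incompat,) = _V3_INCOMPAT.unpack_from(head, 72)
            if incompat & INCOMPAT_DATA_FILE:
                reasons.append("external data file")
    return {"qcow2": True, "safe": not reasons, "reasons": reasons}


def build_header(version=3, backing_off=0, incompat=0) -> bytes:
    """Construct a minimal qcow2 header (constructed sample, not a real image)."""
    head = bytearray(104)
    _V2_FIELDS.pack_into(head, 0, QCOW2_MAGIC, version, backing_off, 0)
    _V3_INCOMPAT.pack_into(head, 72, incompat)
    return bytes(head)


if __name__ == "__main__":
    samples = {
        "plain v3": build_header(),
        "data file": build_header(incompat=INCOMPAT_DATA_FILE),
        "backing file": build_header(backing_off=0x200),
        "not qcow2": b"\x00" * 104,
    }
    for name, data in samples.items():
        print(name, qcow2_safety(data))
```

The check reads only the fixed header fields, so it can run on the first bytes of an upload before any qemu-img operation touches the file.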
26.0.0
Prelude
In this cycle Glance enabled the API policies (RBAC) new defaults and scope by default and removed the deprecated enforce_secure_rbac option which is no longer needed after switching to new defaults. The default values of the config options [oslo_policy] enforce_scope and [oslo_policy] oslo_policy.enforce_new_defaults have been changed to True. Old policies are still there but they are disabled by default.
Upgrade Notes
The Glance service enables the API policies (RBAC) new defaults and scope by default. The default values of the config options [oslo_policy] enforce_scope and [oslo_policy] oslo_policy.enforce_new_defaults have been changed to True. If you want to disable them, modify the values of the config options below in the glance-api.conf file:
    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False
As per the revised SRBAC community goals, the Glance service is switching to new defaults by default in the Antelope cycle, hence removing the deprecated enforce_secure_rbac option which is no longer needed. The enforce_secure_rbac option was introduced as EXPERIMENTAL in the Wallaby release for operators to opt into enforcing authorisation based on common RBAC personas. Operators can now control the scope and new defaults flags with the config options below in the glance-api.conf file:
    [oslo_policy]
    enforce_new_defaults=True
    enforce_scope=True
Bug Fixes
Bug 1990854: oslo_limit section not clear
Bug 1779781: virt/vmware not support VirtualSriovEthernetCard
Bug 1647491: Missing documentation for glance-manage db_purge command
Bug 1983279: Cannot upload VMDK images due to unsupported VMDK format
Bug 1989268: Wrong assertion method
Bug 1996188: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)
Bug 1939690: The api-ref response and the actual response returned from the Create Tags API does not match