Newton Series Release Notes

13.0.0

Prelude

  • Add vhdx to list of supported disk format.

  • Glance API minor version bumped to 2.4.

  • Deprecate the show_multiple_locations configuration option in favour of the existing Role Based Access Control (RBAC) for Image locations which uses policy.json file to define the appropriate rules.

  • The Images (Glance) version 1 API has been DEPRECATED. Please see deprecations section for more information.

  • Improved configuration option descriptions and handling.

  • Adding locations to a non-active or non-queued image is no longer allowed.

  • Glance no longer returns a 500 when 4 byte Unicode characters are passed to the metadefs API.

  • Deprecated “sign-the-hash” approach for image signing. Old run_tests and related scripts have been removed.

  • Database downgrades have been removed from the Glance source tree.

  • The s3 store driver has been removed.

  • Sample configuration file shipped with Glance source now has reordered store drivers configuration options for future consistent ordering.

  • Expired tasks are now deleted.

New Features

  • The identifier vhdx has been added to the list of supported disk formats in Glance. The respective configuration option has been updated and the default list shows vhdx as a supported format.

Upgrade Notes

  • Added additional metadata for CPU thread pinning policies to ‘compute-cpu-pinning.json’. Use the glance_manage tool to upgrade.

  • The disk_format config option enables vhdx as supported by default.

  • The default policy in policy.json now uses the admin role rather than any role. This is to make the policy file restrictive rather than permissive and tighten security.

  • Glance API CURRENT minor version is now 2.4.

    • To partially fix an important image locations bug 1587985, an API impacting change has been merged into Glance.

    • This will result into a non-backward compatible experience before and after Newton release, for users using add feature to image locations.

  • Some backend store names were inconsistent between glance and glance_store. This meant that operators of the VMware datastore or file system store were required to use store names in glance-api.conf that did not correspond to any valid identifier in glance_store. As this situation encouraged misconfiguration and operator unhappiness, we have made the store names consistent in the Newton release. What this means for you:

    • This change applies only to operators who are using multiple image locations

    • This change applies only to operators using the VMware datastore or filesystem stores

    • This change applies only to the store_type_preference option

    • VMware datastore operators: The old name, now DEPRECATED, was vmware_datastore. The new name, used in both glance and glance_store, is vmware

    • File system store operators: the old name, now DEPRECATED, was filesystem. The new name, used in both glance and glance_store, is file

    • This change is backward compatible, that is, the old names will be recognized by the code during the deprecation period. Support for the deprecated names will be removed in the Pike release

    • We strongly encourage operators to modify their glance-api.conf files immediately to use the new names

  • Some additional points about show_multiple_locations configuration option deprecation.

    • Maintaining two different ways to configure, enable and/or disable a feature is painful for developers and operators, so the less granular means of controlling this feature will be eliminated in the Ocata release.

    • For the Newton release, this option will still be honoured. However, it is important to update policy.json file for glance-api nodes. In particular, please consider updating the policies delete_image_location, get_image_location and set_image_location as per your requirements. As this is an advanced option and prone to expose some risks, please check the policies to ensure security and privacy of your cloud.

    • Future releases will ignore this option and just follow the policy rules. It is recommended that this option is disabled for public endpoints and is used only internally for service-to-service communication.

    • As mentioned above, the same recommendation applies to the policy-based configuration for exposing multiple image locations.

  • The image signature verification feature has been updated to follow the “sign-the-data” approach, which uses a signature of the image data directly. The prior deprecated “sign-the-hash” approach, which uses a signature of an MD5 hash of the image data, has been removed.

  • The db_downgrade command has been removed from the glance-manage utility and all database downgrade scripts have been removed. In accord with OpenStack policy, Glance cannot be downgraded any more. Operators are advised to make a full database backup of their production data before attempting any upgrade.

  • The latest release of glance_store library does not have the support for the s3 driver. All code references of the same have been removed from the library. As this release of Glance uses the updated glance_store library, you will find the s3 driver support removed from Glance too. For example the Glance image location strategy modules no longer offer the s3 driver support.

Deprecation Notes

  • With the deprecation of the Images (Glance) version 1 API in the Newton release, it is subject to removal on or after the Pike release. The configuration options specific to the Images (Glance) v1 API have also been deprecated and are subject to removal. An indirectly related configuration option enable_v2_api has been deprecated too as it becomes redundant once the Images (Glance) v1 API is removed. Appropriate warning messages have been setup for the deprecated configuration options and when the Images (Glance) v1 API is enabled (being used). Operators are advised to deploy the Images (Glance) v2 API. The standard OpenStack deprecation policy will be followed for the removals.

Critical Issues

  • Attempting to set image locations to an image not in active or queued status will now result in a HTTP Conflict (HTTP status code 409) to the user.

    • Until now, no image status checks were in place while adding a location on it. In some circumstances, this may result in a bad user experience. It may also cause problems for a security team evaluating the condition of an image in deactivated status.

    • Adding locations is disallowed on the following image statuses - saving, deactivated, deleted, pending_delete, killed.

    • Note that there are race conditions associated with adding a location to an image in the active, queued, saving, or deactivated status. Because these are non-terminal image statuses, it is possible that when a user attempts to add a location, a status transition could occur that might block the add (or might appear to allow an add that should not be allowed).

    • For example, a user is not allowed to add a location to an image in saving status. Suppose a user decides to add a location anyway. It is possible that before the user’s request is processed, the transmission of data being saved is completed and the image transitioned into active status, in which case the user’s add location request will succeed. To the user, however, this success will appear anomalous because in most cases, an attempt to add a location to an image in saving status will fail.

    • We mention this so that you can be aware of this situation in your own testing.

Security Issues

  • All qemu-img info calls are now run under resource limitations that limit the CPU time and address space usage of the process running the command to 2 seconds and 1 GB respectively. This addresses the bug https://bugs.launchpad.net/glance/+bug/1449062 Current usage of “qemu-img” is limited to Glance tasks, which by default (since the Mitaka release) are only available to admin users. We continue to recommend that tasks only be exposed to trusted users

  • The initial implementation of the image signature verification feature in Glance was insecure, because it relied on an MD5 hash of the image data. More details can be found in bug 1516031. This “sign-the-hash” approach was deprecated in Mitaka, and has been removed in Newton. Related CVE-2015-8234.

Bug Fixes

  • Here is a list of other important bugs that have been fixed (or partially fixed) along with their descriptions.

    • bug 1617258: Image signature base64 needs to wrap lines

    • bug 1612341: Add CPU thread pinning flavour metadef

    • bug 1609571: version negotiation API middleware was NOT up to date to include v2.3

    • bug 1602081: Glance needs to use oslo.context’s policy dict

    • bug 1599169: glance-replicator size raises object of type ‘NoneType’ has no len() exception when no args provided

    • bug 1599192: glance-replicator needs to display human-readable size

    • bug 1585917: member-create will raise 500 error if member-id is greater than 255 characters

    • bug 1598985: glance-replicator compare output should show image name in addition to image id for missing images

    • bug 1533949: Glance tasks missing configuration item “conversion_format”

    • bug 1593177: The default policy needs to be admin for safer default deployment scenarios

    • bug 1584076: Swift ACLs disappears on v1 Glance images

    • bug 1591004: Unable to download image with no checksum when cache is enabled

    • bug 1584415: Listing images with the created_at and updated_at filters fails if an operator is not specified

    • bug 1590608: Services should use http_proxy_to_wsgi middleware from oslo.middleware library

    • bug 1584350: etc/glance-registry.conf sample file has redundant store section

    • bug 1543937: db-purge fails for very large number

    • bug 1580848: There’s no exception when import task is created without properties

    • bug 1585584: Glare v0.1 is unable to create public artifact draft

    • bug 1582304: Allow tests to run when HTTP proxy is set

    • bug 1570789: Metadefs API returns 500 error when 4 byte Unicode character is passed

    • bug 1532243: glance fails silently if a task flow can not be loaded

    • bug 1568894: glance_store options missing in glance-scrubber.conf and glance-cache.conf sample files

    • bug 1568723: secure_proxy_ssl_header not in sample configuration files

    • bug 1535231: md-meta with case insensitive string has problem during creating

    • bug 1555275: Tags set changes on delete

    • bug 1558683: Versions endpoint does not support X-Forwarded-Proto

    • bug 1557495: Possible race conditions during status change

Other Notes

  • The glance configuration options have been improved with detailed help texts, defaults for sample configuration files, explicit choices of values for operators to choose from, and a strict range defined with min and max boundaries.

    • It must be noted that the configuration options that take integer values now have a strict range defined with min and/or max boundaries where appropriate.

    • This renders the configuration options incapable of taking certain values that may have been accepted before but were actually invalid.

    • For example, configuration options specifying counts, where a negative value was undefined, would have still accepted the supplied negative value. Such options will no longer accept negative values.

    • Options where a negative value was previously defined (for example, -1 to mean unlimited) will remain unaffected by this change.

    • Values which do not comply with the new restrictions will prevent the service from starting. The logs will contain a message indicating the problematic configuration option and the reason why the supplied value has been rejected.

  • The sample configuration files autogenerated using the oslo-config-generator tool now give consistent ordering of the store drivers configurations.

    • Some operators have reported issues with reordering observed in the sample configurations shipped with Glance release tarballs. This reordering may result into a incorrect “diff” of the configurations used downstream vs. newly introduced upstream.

    • Latest release of glance_store library (used in the Newton release of Glance) will include fix for the glance_store bug 1619487.

    • Until now every run of the oslo-config-generator resulted in random ordering of the store drivers configuration. After Newton release this order will remain consistent.

    • The store drivers configuration order in the sample or autogenerated files should be expected to be alphabetical as - cinder, filesystem, http, rbd, sheepdog, swift, vmware.

    • Note the code name for the “Ceph” driver is rbd.

    • Note the ordering of the options within a store is not alphabetical.

  • Expired tasks are now deleted in Glance. As with other Glance resources, this is a “soft” deletion, that is, a deleted task is marked as deleted in the database so that the task will not appear in API responses, but the information associated with the task persists in the database.

  • Glance and Nova contain nearly identical digital signature modules. In order to better maintain and evolve this code and to eliminate the possibility that the modules diverge, we have replaced the digital signature module in Glance with the new cursive library.

    • The cursive library is an OpenStack project which implements OpenStack-specific verification of digital signatures.

    • In Newton, the majority of the signature verification code was removed from Glance. cursive has been added to Glance as a dependency and will be installed by default.

    • Glance uses the cursive library’s functionality to verify digital signatures. To familiarise yourself with this new dependency and see the list of transitive dependencies visit http://git.openstack.org/cgit/openstack/cursive