Newton Series Release Notes¶
13.0.0¶
Prelude¶
Add
vhdx
to list of supported disk format.
Glance API
minor
version bumped to 2.4.
Deprecate the
show_multiple_locations
configuration option in favour of the existing Role Based Access Control (RBAC) for Image locations which usespolicy.json
file to define the appropriate rules.
The Images (Glance) version 1 API has been DEPRECATED. Please see deprecations section for more information.
Improved configuration option descriptions and handling.
Adding locations to a non-active or non-queued image is no longer allowed.
Glance no longer returns a 500 when 4 byte Unicode characters are passed to the metadefs API.
Deprecated “sign-the-hash” approach for image signing. Old run_tests and related scripts have been removed.
Database downgrades have been removed from the Glance source tree.
The
s3
store driver has been removed.
Sample configuration file shipped with Glance source now has reordered store drivers configuration options for future consistent ordering.
Expired tasks are now deleted.
New Features¶
The identifier
vhdx
has been added to the list of supported disk formats in Glance. The respective configuration option has been updated and the default list showsvhdx
as a supported format.
Upgrade Notes¶
Added additional metadata for CPU thread pinning policies to ‘compute-cpu-pinning.json’. Use the
glance_manage
tool to upgrade.
The
disk_format
config option enablesvhdx
as supported by default.
The
default
policy inpolicy.json
now uses the admin role rather than any role. This is to make the policy file restrictive rather than permissive and tighten security.
Glance API CURRENT
minor
version is now2.4
.To partially fix an important image locations bug 1587985, an API impacting change has been merged into Glance.
This will result into a non-backward compatible experience before and after Newton release, for users using
add
feature to image locations.
Some backend store names were inconsistent between glance and glance_store. This meant that operators of the VMware datastore or file system store were required to use store names in
glance-api.conf
that did not correspond to any valid identifier in glance_store. As this situation encouraged misconfiguration and operator unhappiness, we have made the store names consistent in the Newton release. What this means for you:This change applies only to operators who are using multiple image locations
This change applies only to operators using the VMware datastore or filesystem stores
This change applies only to the
store_type_preference
optionVMware datastore operators: The old name, now DEPRECATED, was
vmware_datastore
. The new name, used in both glance and glance_store, isvmware
File system store operators: the old name, now DEPRECATED, was
filesystem
. The new name, used in both glance and glance_store, isfile
This change is backward compatible, that is, the old names will be recognized by the code during the deprecation period. Support for the deprecated names will be removed in the Pike release
We strongly encourage operators to modify their
glance-api.conf
files immediately to use the new names
Some additional points about
show_multiple_locations
configuration option deprecation.Maintaining two different ways to configure, enable and/or disable a feature is painful for developers and operators, so the less granular means of controlling this feature will be eliminated in the Ocata release.
For the Newton release, this option will still be honoured. However, it is important to update
policy.json
file for glance-api nodes. In particular, please consider updating the policiesdelete_image_location
,get_image_location
andset_image_location
as per your requirements. As this is an advanced option and prone to expose some risks, please check the policies to ensure security and privacy of your cloud.Future releases will ignore this option and just follow the policy rules. It is recommended that this option is disabled for public endpoints and is used only internally for service-to-service communication.
As mentioned above, the same recommendation applies to the policy-based configuration for exposing multiple image locations.
The image signature verification feature has been updated to follow the “sign-the-data” approach, which uses a signature of the image data directly. The prior deprecated “sign-the-hash” approach, which uses a signature of an MD5 hash of the image data, has been removed.
The
db_downgrade
command has been removed from theglance-manage
utility and all database downgrade scripts have been removed. In accord with OpenStack policy, Glance cannot be downgraded any more. Operators are advised to make a full database backup of their production data before attempting any upgrade.
The latest release of glance_store library does not have the support for the
s3
driver. All code references of the same have been removed from the library. As this release of Glance uses the updated glance_store library, you will find thes3
driver support removed from Glance too. For example the Glance image location strategy modules no longer offer thes3
driver support.
Deprecation Notes¶
With the deprecation of the Images (Glance) version 1 API in the Newton release, it is subject to removal on or after the Pike release. The configuration options specific to the Images (Glance) v1 API have also been deprecated and are subject to removal. An indirectly related configuration option enable_v2_api has been deprecated too as it becomes redundant once the Images (Glance) v1 API is removed. Appropriate warning messages have been setup for the deprecated configuration options and when the Images (Glance) v1 API is enabled (being used). Operators are advised to deploy the Images (Glance) v2 API. The standard OpenStack deprecation policy will be followed for the removals.
Critical Issues¶
Attempting to set image locations to an image not in
active
orqueued
status will now result in a HTTP Conflict (HTTP status code 409) to the user.Until now, no image status checks were in place while adding a location on it. In some circumstances, this may result in a bad user experience. It may also cause problems for a security team evaluating the condition of an image in
deactivated
status.Adding locations is disallowed on the following image statuses -
saving
,deactivated
,deleted
,pending_delete
,killed
.Note that there are race conditions associated with adding a location to an image in the
active
,queued
,saving
, ordeactivated
status. Because these are non-terminal image statuses, it is possible that when a user attempts to add a location, a status transition could occur that might block the add (or might appear to allow an add that should not be allowed).For example, a user is not allowed to add a location to an image in
saving
status. Suppose a user decides to add a location anyway. It is possible that before the user’s request is processed, the transmission of data being saved is completed and the image transitioned intoactive
status, in which case the user’s add location request will succeed. To the user, however, this success will appear anomalous because in most cases, an attempt to add a location to an image insaving
status will fail.We mention this so that you can be aware of this situation in your own testing.
Security Issues¶
All
qemu-img info
calls are now run under resource limitations that limit the CPU time and address space usage of the process running the command to 2 seconds and 1 GB respectively. This addresses the bug https://bugs.launchpad.net/glance/+bug/1449062 Current usage of “qemu-img” is limited to Glance tasks, which by default (since the Mitaka release) are only available to admin users. We continue to recommend that tasks only be exposed to trusted users
The initial implementation of the image signature verification feature in Glance was insecure, because it relied on an MD5 hash of the image data. More details can be found in bug 1516031. This “sign-the-hash” approach was deprecated in Mitaka, and has been removed in Newton. Related CVE-2015-8234.
Bug Fixes¶
Here is a list of other important bugs that have been fixed (or partially fixed) along with their descriptions.
bug 1617258: Image signature base64 needs to wrap lines
bug 1612341: Add CPU thread pinning flavour metadef
bug 1609571: version negotiation API middleware was NOT up to date to include v2.3
bug 1602081: Glance needs to use oslo.context’s policy dict
bug 1599169: glance-replicator size raises object of type ‘NoneType’ has no len() exception when no args provided
bug 1599192: glance-replicator needs to display human-readable size
bug 1585917: member-create will raise 500 error if member-id is greater than 255 characters
bug 1598985: glance-replicator compare output should show image name in addition to image id for missing images
bug 1533949: Glance tasks missing configuration item “conversion_format”
bug 1593177: The default policy needs to be admin for safer default deployment scenarios
bug 1584076: Swift ACLs disappears on v1 Glance images
bug 1591004: Unable to download image with no checksum when cache is enabled
bug 1584415: Listing images with the created_at and updated_at filters fails if an operator is not specified
bug 1590608: Services should use http_proxy_to_wsgi middleware from oslo.middleware library
bug 1584350: etc/glance-registry.conf sample file has redundant store section
bug 1543937: db-purge fails for very large number
bug 1580848: There’s no exception when import task is created without properties
bug 1585584: Glare v0.1 is unable to create public artifact draft
bug 1582304: Allow tests to run when HTTP proxy is set
bug 1570789: Metadefs API returns 500 error when 4 byte Unicode character is passed
bug 1532243: glance fails silently if a task flow can not be loaded
bug 1568894: glance_store options missing in glance-scrubber.conf and glance-cache.conf sample files
bug 1568723: secure_proxy_ssl_header not in sample configuration files
bug 1535231: md-meta with case insensitive string has problem during creating
bug 1555275: Tags set changes on delete
bug 1558683: Versions endpoint does not support X-Forwarded-Proto
bug 1557495: Possible race conditions during status change
Other Notes¶
The glance configuration options have been improved with detailed help texts, defaults for sample configuration files, explicit choices of values for operators to choose from, and a strict range defined with
min
andmax
boundaries.It must be noted that the configuration options that take integer values now have a strict range defined with
min
and/ormax
boundaries where appropriate.This renders the configuration options incapable of taking certain values that may have been accepted before but were actually invalid.
For example, configuration options specifying counts, where a negative value was undefined, would have still accepted the supplied negative value. Such options will no longer accept negative values.
Options where a negative value was previously defined (for example, -1 to mean unlimited) will remain unaffected by this change.
Values which do not comply with the new restrictions will prevent the service from starting. The logs will contain a message indicating the problematic configuration option and the reason why the supplied value has been rejected.
The sample configuration files autogenerated using the oslo-config-generator tool now give consistent ordering of the store drivers configurations.
Some operators have reported issues with reordering observed in the sample configurations shipped with Glance release tarballs. This reordering may result into a incorrect “diff” of the configurations used downstream vs. newly introduced upstream.
Latest release of
glance_store
library (used in the Newton release of Glance) will include fix for theglance_store
bug 1619487.Until now every run of the oslo-config-generator resulted in random ordering of the store drivers configuration. After Newton release this order will remain consistent.
The store drivers configuration order in the sample or autogenerated files should be expected to be alphabetical as -
cinder
,filesystem
,http
,rbd
,sheepdog
,swift
,vmware
.Note the code name for the “Ceph” driver is
rbd
.Note the ordering of the options within a store is not alphabetical.
Expired tasks are now deleted in Glance. As with other Glance resources, this is a “soft” deletion, that is, a deleted task is marked as
deleted
in the database so that the task will not appear in API responses, but the information associated with the task persists in the database.
Glance and Nova contain nearly identical digital signature modules. In order to better maintain and evolve this code and to eliminate the possibility that the modules diverge, we have replaced the digital signature module in Glance with the new
cursive
library.The
cursive
library is an OpenStack project which implements OpenStack-specific verification of digital signatures.In Newton, the majority of the signature verification code was removed from Glance.
cursive
has been added to Glance as a dependency and will be installed by default.Glance uses the
cursive
library’s functionality to verify digital signatures. To familiarise yourself with this new dependency and see the list of transitive dependencies visit http://git.openstack.org/cgit/openstack/cursive