Rocky Series Release Notes

17.0.1

Known Issues

  • The show_multiple_locations configuration option remains deprecated in this release, but it has not been removed. (It had been scheduled for removal in the Pike release.) Please keep a watch on the Glance release notes and the glance-specs repository to stay informed about developments on this issue.

    The plan is to eliminate the option and use only policies to control image locations access. This, however, requires some major refactoring. See the draft Policy Refactor spec for more information.

    There is no projected timeline for this change, as no one has been able to commit time to it. The Glance team would be happy to discuss this more with anyone interested in working on it.

    The workaround is to continue to use the show_multiple_locations option in a dedicated “internal” Glance node that is not accessible to end users. We continue to recommend that image locations not be exposed to end users. See OSSN-0065 for more information.

17.0.0

Prelude

Removed the deprecated ‘enable_image_import’ config option. Image import will be always enabled from this release onwards as designed.

This release of OpenStack Glance introduces 2 new API versions. Images API v2.7 adds support and modifications for the Hidden Images and Multihash features introduced during Rocky cycle. Version 2.8 is included as an optional EXPERIMENTAL API for testing and preparing for multiple back-end support.

Rocky development cycle marks long waited milestone on Glance work. The Images API v1 which has been deprecated for years is finally removed and not available at all in Glance version 17.0.0 forward.

Some security aspects were tackled for this release. Multihash, providing secure hashing for image data with future proof options marks the end of relying upon MD5 checksums when verifying image payloads. OSSN-0075 migitation lessens the risk of ID reusability on those very rare cases when a database purge is necessary.

When delayed delete is enabled operators are able to recover image records if the scrubber has been stopped before the data removal interval. While the image metadata is still not preserved in these cases, this provides a way to save the image data on accidental deletes.

When using Interoperable Image Import workflow, the cloud operators can now enable automatic image conversion to desired format. When the plugin is enabled end-users do not have any input to its operation but their local checksum might not match with checksums recorded in Glance.

New Features

  • This release provides an EXPERIMENTAL implementation of the Glance spec Multi-Store Backend Support, which allows an operator to configure multiple backing stores so that end users may direct image data to be stored in a specific backend. See Multi Store Support in the Glance Administration Guide for more information.

    This experimental feature is optionally exposed as the EXPERIMENTAL Image Service API version 2.8. Its use in production systems is currently not supported. We encourage people to use this feature for testing purposes and report any issues so that it can be made stable and fully supported in the Stein release.

  • Automatic image conversion plugin for Interoperable Image Import. With this release operators can specify target image format and get all images created via the Image Import methods introduced in the Images API v2.6 converted automatically to that format. The feautre uses qemu-img under the hood which limits the source image formats that users can upload. Any image that fails the conversion when this plugin is enabled will fail the image creation.

  • This release implements the Glance spec Secure Hash Algorithm Support (also known as “multihash”). This feature supplements the current ‘checksum’ image property with a self-describing secure hash. The self-description consists of two new image properties:

    • os_hash_algo - this contains the name of the secure hash algorithm used to generate the value on this image

    • os_hash_value - this is the hexdigest computed by applying the secure hash algorithm named in the os_hash_algo property to the image data

    These are read-only image properties and are not user-modifiable.

    The secure hash algorithm used is an operator-configurable setting. See the help text for ‘hashing_algorithm’ in the sample Glance configuration file for more information.

    The default secure hash algorithm is SHA-512. It should be suitable for most applications.

    The legacy ‘checksum’ image property, which provides an MD5 message digest of the image data, is preserved for backward compatibility.

  • glance-scrubber now support to restore the image’s status from pending_delete to active. The usage is glance-scrubber –restore <image-id>. Please make sure the glance-scrubber daemon is stopped before restoring the image to avoid image data inconsistency.

Known Issues

  • The os_hash_value image property, introduced as part of the Secure Hash Algorithm Support (“multihash”) feature, is limited to 128 characters. This is sufficient to store 512 bits as a hexadecimal numeral.

  • The “multihash” implemented in this release (Secure Hash Algorithm Support) is computed only for new images. There is no provision for computing the multihash for existing images. Thus, users should expect to see JSON ‘null’ values for the os_hash_algo and os_hash_value image properties on images created prior to the installation of the Rocky release at your site.

  • The Pike release notes pointed out that although support had been added to run Glance as a WSGI application hosted by a web server, the Glance team recommended that Glance be run in its normal standalone configuration, particularly in production environments.

    We renew that recommendation for the Queens release. In particular, Glance tasks (which are required for the interoperable image import functionality) do not execute when Glance is run under uWSGI (which is the OpenStack recommended way to run WSGI applications hosted by a web server).

    This is in addition to the chunked transfer encoding problems addressed by Bug 1703856 and will be more difficult to fix. (Additionally, as far as we are aware, the fix for Bug 1703856 has never been tested at scale.) Briefly, Glance tasks are run by the API service and would have to be split out into a different service so that API alone would run under uWSGI. The Glance project team did not have sufficient testing and development resources during the Queens cycle to attempt this (or even to discuss whether this is in fact a good idea).

    The Glance project team is committed to the stability of Glance. As part of OpenStack, we are committed to The Four Opens. If the ability to run Glance under uWSGI is important to you, feel free to participate in the Glance community to help coordinate and drive such an effort. (We gently remind you that “participation” includes providing testing and development resources.)

  • Due to the bug in the glance_store implementation of multihash feature the first stable Rocky release (0.26.0) of glance_store does not work with Glance 17.0.0. Please note that version 0.26.1+ of the store library is required. Image creations will fail when the data is tried to be uploaded to the back-end due to missing wrapping of the function used.

Upgrade Notes

  • As Image Import will be always enabled, care needs to be taken that it is configured properly from this release forward. The ‘enable_image_import’ option is silently ignored.

  • The following metadata definitions have been modified in the Rocky release:

    • There was a typographical error in the properties target for the OS:::Nova::Server resource type association in the CIM::ProcessorAllocationSettingData namespace. It has been been corrected to scheduler_hints.

    You may upgrade these definitions using:

    glance-manage db load_metadefs [--path <path>] [--merge] [--prefer_new]

  • Ensure that the version 0.26.1 or higher of glance_store library is used.

Deprecation Notes

  • The Glance API configuration option owner_is_tenant is deprecated in this release and is subject to removal at the beginning of the ‘S’ development cycle, following the OpenStack standard deprecation policy.

Security Issues

  • The glance-manage tool has been updated to address OSSN-0075. Please see the Database Maintenance section of the Glance Administration Guide for details.

  • This release implements the Glance spec Secure Hash Algorithm Support, which introduces a self-describing “multihash” to the image-show response. This feature supplements the current ‘checksum’ image property with a self-describing secure hash. The default hashing algorithm is SHA-512, which is currently considered secure. In the event that algorithm is compromised, you will immediately be able to begin using a different algorithm (as long as it’s supported by the Python ‘hashlib’ library and has output that fits in 128 characters) by modifying the value of the ‘hashing_algorithm’ configuration option and either restarting or issuing a SIGHUP to Glance.

Bug Fixes

  • On top of testing and documentation fixes following bugs were addressed

    • Bug 1695299: Support RFC1738 quoted chars in passwords

    • Bug 1734832: Fix unreachable ‘ImageSizeLimitExceeded’ exception in image-upload

    • Bug 1765748: Prepare for WebOb 1.8.1

Other Notes

  • The Multi-Store Backend Support feature is introduced on an experimental basis in the EXPERIMENTAL Image Service API version 2.8:

    Please keep in mind that as version 2.8 of the Image Service API is EXPERIMENTAL, we reserve the right to make modifications to these aspects of the API should user feedback indicate that a change is required.