Newton Series Release Notes

13.0.0

Prelude

  • Addvhdx to list of supported disk format.

  • Glance APIminor version bumped to 2.4.

  • Deprecate theshow_multiple_locations configurationoption in favor of the existing Role Based AccessControl (RBAC) for Image locations which usespolicy.json file to define the appropriate rules.

  • The Images (Glance) version 1 API has been DEPRECATED.Please see deprecations section for more information.

  • Improved configuration option descriptions and handling.

  • Adding locations to a non-active or non-queued imageis no longer allowed.

  • Glance no longer returns a 500 when 4 byte unicodecharacters are passed to the metadefs API.

  • Deprecated “sign-the-hash” approach for image signing.Old run_tests and related scripts have been removed.

  • Database downgrades have been removed from the Glancesource tree.

  • Thes3 store driver has been removed.

  • Sample configuration file shipped with Glance source nowhas reordered store drivers configuration options forfuture consistent ordering.

  • Expired tasks are now deleted.

New Features

  • The identifiervhdx has been added to the list of supported disk formats in Glance. The respective configuration option has been updated and the default list showsvhdx as a supported format.

Upgrade Notes

  • Added additional metadata for CPU thread pinning policies to ‘compute-cpu-pinning.json’. Use theglance_manage tool to upgrade.

  • Thedisk_format config option enablesvhdx as supported by default.

  • Thedefault policy inpolicy.json now uses the admin role rather than any role. This is to make the policy file restrictive rather than permissive and tighten security.

  • Glance APICURRENTminor version is now2.4.

    • To partially fix an important image locationsbug 1587985, an API impacting change has been mergedinto Glance.

    • This will result into a non-backward compatibleexperience before and afterNewton release, forusers usingadd feature to image locations.

  • Some backend store names were inconsistent between glanceand glance_store. This meant that operators of theVMware datastore or file system store were required to usestore names inglance-api.conf that did not correspondto any valid identifier in glance_store. As this situationencouraged misconfiguration and operator unhappiness, wehave made the store names consistent in the Newtonrelease. What this means for you:

    • This change applies only to operators who are usingmultiple image locations

    • This change applies only to operators using the VMwaredatastore or filesystem stores

    • This change applies only to thestore_type_preferenceoption

    • VMware datastore operators: The old name, nowDEPRECATED, wasvmware_datastore. Thenewname, used in both glance and glance_store, isvmware

    • File system store operators: the old name, nowDEPRECATED, wasfilesystem. Thenew name,used in both glance and glance_store, isfile

    • This change is backward compatible, that is, the oldnames will be recognized by the code during the deprecationperiod. Support for the deprecated names will be removed inthePike release

    • We strongly encourage operators to modify theirglance-api.conf files immediately to use thenewnames

  • Some additional points aboutshow_multiple_locationsconfiguration option deprecation.

    • Maintaining two different ways to configure, enableand/or disable a feature is painful for developers andoperators, so the less granular means of controllingthis feature will be eliminated in theOcatarelease.

    • For the Newton release, this option will still behonored. However, it is important to updatepolicy.json file for glance-api nodes. Inparticular, please consider updating the policiesdelete_image_location,get_image_location andset_image_location as per your requirements. Asthis is an advanced option and prone to expose somerisks, please check the policies to ensure securityand privacy of your cloud.

    • Future releases will ignore this option and justfollow the policy rules. It is recommended that thisoption is disabled for public endpoints and is usedonly internally for service-to-service communication.

    • As mentioned above, the same recommendation appliesto the policy-based configuration for exposingmultiple image locations.

  • The image signature verification feature has been updated to follow the “sign-the-data” approach, which uses a signature of the image data directly. The prior deprecated “sign-the-hash” approach, which uses a signature of an MD5 hash of the image data, has been removed.

  • Thedb_downgrade command has been removed from theglance-manage utility and all database downgrade scripts have been removed. In accord with OpenStack policy, Glance cannot be downgraded any more. Operators are advised to make a full database backup of their production data before attempting any upgrade.

  • The latest release of glance_store library does not have the support for thes3 driver. All code references of the same have been removed from the library. As this release of Glance uses the updated glance_store library, you will find thes3 driver support removed from Glance too. For example the Glance image location strategy modules no longer offer thes3 driver support.

Deprecation Notes

  • With the deprecation of the Images (Glance) version 1 API in the Newton release, it is subject to removal on or after the Pike release. The configuration options specific to the Images (Glance) v1 API have also been deprecated and are subject to removal. An indirectly related configuration option enable_v2_api has been deprecated too as it becomes redundant once the Images (Glance) v1 API is removed. Appropriate warning messages have been setup for the deprecated configuration options and when the Images (Glance) v1 API is enabled (being used). Operators are advised to deploy the Images (Glance) v2 API. The standard OpenStack deprecation policy will be followed for the removals.

Critical Issues

  • Attempting to set image locations to an imagenot inactive orqueued status will now result in aHTTP Conflict (HTTP status code 409) to the user.

    • Until now, no image status checks were in place whileadding a location on it. In some circumstances,this may result in a bad user experience. It may alsocause problems for a security team evaluating thecondition of an image indeactivated status.

    • Adding locations is disallowed on the followingimage statuses -saving,deactivated,deleted,pending_delete,killed.

    • Note that there are race conditions associated withadding a location to an image in theactive,queued,saving, ordeactivated status.Because these are non-terminal image statuses, it ispossible that when a user attempts to add a location,a status transition could occur that might block theadd (or might appear to allow an add that shouldnot be allowed).

    • For example, a user is not allowed to add a locationto an image insaving status. Suppose a userdecides to add a location anyway. It is possible thatbefore the user’s request is processed, thetransmission of data being saved is completed and theimage transitioned intoactive status, in whichcase the user’s add location request will succeed. Tothe user, however, this success will appear anomalousbecause in most cases, an attempt to add a location toan image insaving status will fail.

    • We mention this so that you can be aware of thissituation in your own testing.

Security Issues

  • Allqemu-imginfo calls are now run under resource limitations that limit the CPU time and address space usage of the process running the command to 2 seconds and 1 GB respectively. This addresses the bughttps://bugs.launchpad.net/glance/+bug/1449062Current usage of “qemu-img” is limited to Glance tasks, which by default (since the Mitaka release) are only available to admin users. We continue to recommend that tasks only be exposed to trusted users

  • The initial implementation of the image signature verification feature in Glance was insecure, because it relied on an MD5 hash of the image data. More details can be found in bug 1516031. This “sign-the-hash” approach was deprecated in Mitaka, and has been removed in Newton. Related CVE-2015-8234.

Bug Fixes

  • Here is a list of other important bugs that have beenfixed (or partially fixed) along with theirdescriptions.

    • bug 1617258: Image signature base64 needs to wraplines

    • bug 1612341: Add cpu thread pinning flavor metadef

    • bug 1609571: version negotiation api middleware wasNOT up to date to include v2.3

    • bug 1602081: Glance needs to use oslo.context’spolicy dict

    • bug 1599169: glance-replicator size raises object oftype ‘NoneType’ has no len() exception when no argsprovided

    • bug 1599192: glance-replicator needs to displayhuman-readable size

    • bug 1585917: member-create will raise 500 error ifmember-id is greater than 255 characters

    • bug 1598985: glance-replicator compare output shouldshow image name in addition to image id for missingimages

    • bug 1533949: Glance tasks missing configuration item“conversion_format”

    • bug 1593177: The default policy needs to be admin forsafer default deployment scenarios

    • bug 1584076: Swift ACLs disappears on v1 Glanceimages

    • bug 1591004: Unable to download image with nochecksum when cache is enabled

    • bug 1584415: Listing images with the created_at andupdated_at filters fails if an operator is notspecified

    • bug 1590608: Services should use http_proxy_to_wsgimiddleware from oslo.middleware library

    • bug 1584350: etc/glance-registry.conf sample file hasredundant store section

    • bug 1543937: db-purge fails for very large number

    • bug 1580848: There’s no exception when import task iscreated without properties

    • bug 1585584: Glare v0.1 is unable to create publicartifact draft

    • bug 1582304: Allow tests to run when http proxy is set

    • bug 1570789: Metadefs API returns 500 error when 4byte unicode character is passed

    • bug 1532243: glance fails silently if a task flowcan not be loaded

    • bug 1568894: glance_store options missing inglance-scrubber.conf and glance-cache.conf samplefiles

    • bug 1568723: secure_proxy_ssl_header not in sampleconfiguration files

    • bug 1535231: md-meta with case insensitive string hasproblem during creating

    • bug 1555275: Tags set changes on delete

    • bug 1558683: Versions endpoint does not supportX-Forwarded-Proto

    • bug 1557495: Possible race conditions during statuschange

Other Notes

  • The glance configuration options have been improved withdetailed help texts, defaults for sample configurationfiles, explicit choices of values for operators tochoose from, and a strict range defined withmin andmax boundaries.

    • It must be noted that the configuration options thattake integer values now have a strict range definedwithmin and/ormax boundaries whereappropriate.

    • This renders the configuration options incapable oftaking certain values that may have been acceptedbefore but were actually invalid.

    • For example, configuration options specifying counts,where a negative value was undefined, would have stillaccepted the supplied negative value. Such optionswill no longer accept negative values.

    • Options where a negative value was previously defined(for example, -1 to mean unlimited) will remainunaffected by this change.

    • Values which do not comply with the new restrictionswill prevent the service from starting. The logs willcontain a message indicating the problematicconfiguration option and the reason why the suppliedvalue has been rejected.

  • The sample configuration files autogenerated using theoslo-config-generator tool now give consistent orderingof the store drivers configurations.

    • Some operators have reported issues with reorderingobserved in the sample configurations shipped withGlance release tarballs. This reordering may resultinto a incorrect “diff” of the configurations useddownstream vs. newly introduced upstream.

    • Latest release ofglance_store library (usedin theNewton release of Glance) will include fixfor theglance_store bug 1619487.

    • Until now every run of the oslo-config-generatorresulted in random ordering of the store driversconfiguration. AfterNewton release this orderwill remain consistent.

    • The store drivers configuration order in the sample orautogenerated files should be expected to bealphabetical as -cinder,filesystem,http,rbd,sheepdog,swift,vmware.

    • Note the code name for the “ceph” driver isrbd.

    • Note the ordering of the options within a store is notalphabetical.

  • Expired tasks are now deleted in Glance. As with other Glance resources, this is a “soft” deletion, that is, a deleted task is marked asdeleted in the database so that the task will not appear in API responses, but the information associated with the task persists in the database.

  • Glance and Nova contain nearly identical digitalsignature modules. In order to better maintain andevolve this code and to eliminate the possibility thatthe modules diverge, we have replaced the digitalsignature module in Glance with the newcursivelibrary.

    • Thecursive library is an OpenStack project whichimplements OpenStack-specific verification of digitalsignatures.

    • In Newton, the majority of the signature verificationcode was removed from Glance.cursive has beenadded to Glance as a dependency and will be installedby default.

    • Glance uses thecursive library’s functionality toverify digital signatures. To familiarize yourselfwith this new dependency and see the list oftransitive dependencies visithttp://git.openstack.org/cgit/openstack/cursive