After creating a cinder volume, setting the --read-only flag (either by cinder readonly-mode-update vol2 True or openstack volume set vol2 --read-only) only a user with the admin role can attach such a volume to an instance. If a user that has a _member_ role tries to attach the volume to an instance the command appears to run correctly but volume attach will eventually fail. Looking in the nova-compute log the error:
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/cinderclient/client.py", line 155, in _cs_request
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server return self.request(url, method, **kwargs)
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/cinderclient/client.py", line 144, in request
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server raise exceptions.from_response(resp, body)
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server InvalidInput: Invalid input received: Invalid attaching mode 'rw' for volume a4ffe9b3-a9ba-450a-8809-e874a74a79f9. (HTTP 400)
(Request-ID: req-8fada1a9-8657-4881-b99b-254415894af3)
show several time as nova-compute attempts to attach the volume to the instance. If a user with the admin role attaches the same volume to an instance it succeeds.
I also notice that the only time the read only tag is followed is when it is set in the cinder table: volume_admin_metadata. If it is set in the volume_metadata table it is ignored.
Phil
This would likely be resolved by this nova spec: https:/