Glance Cinder backed images & multiple regions

Bug #1764200 reported by Ben O'Hara on 2018-04-16
This bug affects 1 person
Affects: glance_store
Importance: High
Assigned to: Tomoki Sekiyama

Bug Description

When using the cinder backed images as per

https://docs.openstack.org/cinder/latest/admin/blockstorage-volume-backed-image.html

We have multiple locations, glance configured as

/etc/glance/glance-api.conf

[glance_store]
stores = swift, cinder
default_store = swift
-snip-
cinder_store_auth_address = https://hostname:5000/v3
cinder_os_region_name = Region
cinder_store_user_name = glance
cinder_store_password = Password
cinder_store_project_name = cinder-images
cinder_catalog_info = volume:cinder:internalURL

cinder clones the volume correctly, then talks to glance to add the location of cinder://

glance then talks to cinder to validate the volume id, however this step uses the wrong cinder endpoint and checks the other region.

From /usr/lib/python2.7/site-packages/glance_store/_drivers/cinder.py

It appears the region name is only used when not passing in the project/user/password.

Passing the os_region_name to the cinderclient.Client call on line 351 appears to fix this.

i.e.

    c = cinderclient.Client(username,
                            password,
                            project,
                            auth_url=url,
                            region_name=glance_store.cinder_os_region_name,
                            insecure=glance_store.cinder_api_insecure,
                            retries=glance_store.cinder_http_retries,
                            cacert=glance_store.cinder_ca_certificates_file)

Erno Kuvaja (jokke) on 2018-04-20
Changed in glance:
importance: Undecided → High
Changed in glance-store:
importance: Undecided → High
Changed in glance:
status: New → Triaged
Changed in glance-store:
status: New → Triaged
Brian Rosmaita (brian-rosmaita) wrote :

Need confirmation on this one. If it's confirmed, we need to get it into the next release, which is 18 July, so would need to get this fix in a bit ahead of that -- namely, as soon as possible.

Changed in glance-store:
status: Triaged → Incomplete
no longer affects: glance
Changed in glance-store:
milestone: none → 0.25.0


Tomoki Sekiyama (tsekiyama) wrote :

I have confirmed this issue using a pseudo multi-region setup (only the cinder service is added as another region).
If cinder_store_{user_name,password,project_name} are set, or `cinder_endpoint_template` is provided, the cinder client will be created without region information. This is what causes the issue.

The proposed solution (adding `region_name=glance_store.cinder_os_region_name,`) looks good to me.

Changed in glance-store:
status: Incomplete → Confirmed
Tomoki Sekiyama (tsekiyama) wrote :
Changed in glance-store:
assignee: nobody → Tomoki Sekiyama (tsekiyama)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/581069
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=d50ab63e138d58ef96b302fc1a1cf56923a26c76
Submitter: Zuul
Branch: master

commit d50ab63e138d58ef96b302fc1a1cf56923a26c76
Author: Tomoki Sekiyama <email address hidden>
Date: Mon Jul 9 15:42:10 2018 +0000

    specify region on creating cinderclient

    If cinder_store_{user_name,password,project_name} are provided,
    cinder client will be created without region information.
    It may cause wrong region access on some multi-region setups.

    This fixes the issue by always passing `cinder_os_region_name`
    value to cinderclient.

    Change-Id: I835b2f0da03f29245c26c9c531b04de737d8ef5b
    Closes-Bug: #1764200

Changed in glance-store:
status: In Progress → Fix Released

This issue was fixed in the openstack/glance_store 0.25.0 release.
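
The failure mode discussed in this report, as an added example that is not glance_store, cinderclient or keystoneauth code: a simplified model of service-catalog lookup showing how omitting the region filter can resolve to another region's cinder endpoint. The catalog, region names, URLs and function names are constructed, and "first match wins" is a modelling assumption.

```python
# Simplified model of endpoint selection from a Keystone v3 style catalog.
# Added illustration only; all data below is constructed sample data.

CATALOG = [
    {"type": "volume", "name": "cinder", "endpoints": [
        {"region": "RegionOne", "interface": "internal",
         "url": "https://cinder.region-one.example:8776/v2"},
        {"region": "RegionTwo", "interface": "internal",
         "url": "https://cinder.region-two.example:8776/v2"},
    ]},
]


def parse_catalog_info(value):
    """Split '<service_type>:<service_name>:<interface>' (cinder_catalog_info)."""
    service_type, service_name, interface = value.split(":")
    if interface.endswith("URL"):      # internalURL -> internal
        interface = interface[:-3]
    return service_type, service_name, interface


def candidate_endpoints(catalog, catalog_info, region_name=None):
    """Return every URL matching the catalog info and, if given, the region."""
    service_type, service_name, interface = parse_catalog_info(catalog_info)
    urls = []
    for service in catalog:
        if (service["type"], service["name"]) != (service_type, service_name):
            continue
        for endpoint in service["endpoints"]:
            if endpoint["interface"] != interface:
                continue
            if region_name is not None and endpoint["region"] != region_name:
                continue
            urls.append(endpoint["url"])
    return urls


def resolve_endpoint(catalog, catalog_info, region_name=None):
    """Return (url, ambiguous). Assumption of this model: first match wins."""
    urls = candidate_endpoints(catalog, catalog_info, region_name)
    if not urls:
        raise LookupError("no endpoint for %s in region %s"
                          % (catalog_info, region_name))
    return urls[0], len(urls) > 1
```

With the region omitted, a Glance node in RegionTwo validates the volume ID against RegionOne's cinder; the `ambiguous` flag is the condition worth alerting on when auditing a multi-region deployment.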
