Image registration (ec2) is broken using deprecated auth

Bug #977765 reported by Adam Gandelman
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Won't Fix
Fix Released
nova (Ubuntu)
Fix Released

Bug Description

It seems image registration via ec2 no longer functions when using deprecated auth. Reproducible using Essex or deploying devstack, changing it to use deprecated auth (in both nova and glance), creating project/user/zipfile via nova-manage and running:

ubuntu@ip-10-252-35-183:~$ truncate -s 1M testimg.img
ubuntu@ip-10-252-35-183:~$ cloud-publish-image x86_64 testimg.img testbucket -vv
Tue Apr 10 06:49:01 UTC 2012: using testbucket/testimg.img for --name
[image ] testimg.img => testbucket/testimg.img
Tue Apr 10 06:49:01 UTC 2012: checking for existing registered image at testbucket/testimg.img.manifest.xml
Tue Apr 10 06:49:02 UTC 2012: bundling image testimg.img
Tue Apr 10 06:49:03 UTC 2012: upload testbucket/testimg.img.manifest.xml
Tue Apr 10 06:49:03 UTC 2012: register testbucket/testimg.img.manifest.xml
Tue Apr 10 06:49:04 UTC 2012: registered at testbucket/testimg.img.manifest.xml as ami-0000000a
Tue Apr 10 06:49:04 UTC 2012: ami-0000000a testbucket/testimg.img.manifest.xml
ami-0000000a testbucket/testimg.img.manifest.xml
ubuntu@ip-10-252-35-183:~$ euca-describe-images ami-0000000a
ImageNotFound: Image ami-0000000a could not be found.

In nova-api.log, after the intial upload appears to have completed,:

2012-04-10 06:49:04 INFO nova.api.ec2 [req-0ee2216b-15c5-4e2b-b0d3-e605ccf4b505 admin test] 0.175827s POST /services/Cloud/ CloudController:RegisterImage 200 [Boto/2.2.2 (linux2)] application/x-www-form-urlencoded text/xml
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/hubs/", line 97, in wait
    readers.get(fileno, noop).cb(fileno)
  File "/opt/stack/nova/nova/image/", line 290, in delayed_create
    self.service.update(context, image_uuid, metadata)
  File "/opt/stack/nova/nova/image/", line 300, in update, image_id)
  File "/opt/stack/nova/nova/image/", line 244, in show
    raise exception.ImageNotFound(image_id=image_id)
ImageNotFound: Image c4e23453-0473-40e7-b2d6-8f485500b8da could not be found.
Removing descriptor: 7

The exception is coming from nova.image.glance._is_image_available() It appears the request never embeds the required data in the image properties during upload into glance to satisfy a call to _is_image_available() for the deprecated auth case, specifically user_id/project_id. The metadata prior to being sent to glance looks like:

{'container_format': 'ami',
 'disk_format': 'ami',
 'is_public': False,
 'name': u'testbucket/testimg.img',
 'properties': {'architecture': 'x86_64',
                'image_location': u'testbucket/testimg.img.manifest.xml',
                'image_state': 'pending'},
 'status': 'queued'}

Adding this information into the metadata for the deprecated_auth case as follows seems to get the job done, though I'm not sure this is expected to happen elsewhere.

Related branches

Changed in nova (Ubuntu):
importance: Undecided → High
tags: added: ubuntu-openstack-upgrade
Revision history for this message
Scott Moser (smoser) wrote :

  Thanks, I'm wondering what regressed this. just looking at git logs on nova/image/ nova/image/ (from the trace) and api/ec2/ (from your patch, nothing jumped out at me).

Revision history for this message
Vish Ishaya (vishvananda) wrote :

Here was the commit: a6ac8af69351cb39aa07f53e3327ff29b90383bc

We only left deprecated auth in essex for the purpose of migration, so running a production system of deprecatd auth is definitely not supported. That said, it is probably a pretty easy fix.

Add back in the project_id on register and default the ImageOwner field to properties.project_id

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Submitter: Jenkins
Branch: stable/essex

commit 6e988ed75c5ba507d79818bc24a1bd2f8250ce2b
Author: Adam Gandelman <email address hidden>
Date: Tue Apr 10 16:44:27 2012 -0700

    Populate image properties with project_id again

    This allows ec2 image publishing to function on Essex for users
    who are still using deprecated auth. This isn't targetted toward
    master and is proposed to stable/essex for the sake of aiding
    users transition to Keystone during upgrades from diablo +

    Fixes bug 977765

    Change-Id: I809b669e88fe25234569d0c744d14aff6bbd4713

tags: added: in-stable-essex
Thierry Carrez (ttx)
Changed in nova:
status: New → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1-0ubuntu2

nova (2012.1-0ubuntu2) precise; urgency=low

  [ Adam Gandelman ]
  * debian/rules: Properly create empty doc/build/man dir for builds that
    skip doc building
  * debian/control: Set 'Conflicts: nova-compute-hypervisor' for the various
    nova-compute-$type packages. (LP: #975616)
  * debian/control: Set 'Breaks: nova-api' for the various nova-api-$service
    sub-packages. (LP: #966115)

  [ Chuck Short ]
  * Resynchronize with stable/essex:
    - b1d11b8 Use project_id in
    - 6e988ed Fixes image publication using deprecated auth. (LP: #977765)
    - 6e988ed Populate image properties with project_id again
    - 3b14c74 Fixed bug 962840, added a test case.
    - d4e96fe Allow unprivileged RADOS users to access rbd volumes.
    - 4acfab6 Stop libvirt test from deleting instances dir
    - 155c7b2 fix bug where nova ignores glance host in imageref
  * debian/nova.conf: Enabled ec2_private_dns_show_ip so that juju can
    connect to openstack instances.
  * debian/patches/fix-docs-build-without-network.patch: Fix docs build
    when there is no network access.
 -- Chuck Short <email address hidden> Thu, 12 Apr 2012 14:14:29 -0400

Changed in nova (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers