Regarding the security implications of exposing the direct image URL via endpoints, this is documented in the Ceph OpenStack integration docs: http://docs.ceph.com/docs/jewel/rbd/rbd-openstack/#any-openstack-version

"Note that this exposes the back end location via Glance’s API, so the endpoint with this option enabled should not be publicly accessible."

What I do to mitigate this concern is run two sets of glance containers, both tied to the same RBD cluster/database behind my load balancers. The public endpoints route to a set of glance containers that does not have show_image_direct_url enabled. The "backend" containers bind to the internal LB endpoint and have show_image_direct_url enabled to allow for ceph rbd copy on write.
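An added example, not part of the original comment: a small audit that checks the split described above by flagging any glance-api.conf that enables show_image_direct_url while listening outside the internal network. The sample configs, the `audit_glance_conf` name and the 10.0.0.0/8 internal range are assumptions, as is treating bind_host as the indicator of reachability.

```python
import configparser
import ipaddress

# Constructed glance-api.conf samples (not taken from the original comment).
PUBLIC_OK = "[DEFAULT]\nbind_host = 203.0.113.10\nshow_image_direct_url = False\n"
INTERNAL_OK = "[DEFAULT]\nbind_host = 10.0.0.10\nshow_image_direct_url = True\n"
PUBLIC_BAD = "[DEFAULT]\nbind_host = 0.0.0.0\nshow_image_direct_url = True\n"

# Assumption: networks reachable only through the internal load balancer.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def audit_glance_conf(conf_text, internal_nets=INTERNAL_NETS):
    """Return 'ok', 'exposed' or 'review' for one glance-api.conf."""
    # oslo.config uses $var substitution, so disable configparser's % handling.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    # Unset options fall back to Glance's defaults (False and 0.0.0.0).
    direct_url = cfg.getboolean("DEFAULT", "show_image_direct_url", fallback=False)
    if not direct_url:
        return "ok"  # back end location is not returned by this endpoint
    bind_host = cfg.get("DEFAULT", "bind_host", fallback="0.0.0.0")
    try:
        addr = ipaddress.ip_address(bind_host)
    except ValueError:
        return "review"  # hostname: cannot classify without resolving it
    if addr.is_unspecified:
        return "exposed"  # listens on every interface, including public ones
    if any(addr in net for net in internal_nets):
        return "ok"
    return "exposed"


if __name__ == "__main__":
    samples = [("public", PUBLIC_OK), ("internal", INTERNAL_OK), ("bad", PUBLIC_BAD)]
    for name, text in samples:
        print(name, audit_glance_conf(text))
```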