yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1885928] Re: Unable to spawn VM from community image

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1885928@xxxxxxxxxxxxxxxxxx>
Date: Fri, 03 Sep 2021 00:42:19 -0000
Reply-to: Bug 1885928 <1885928@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/glance/+/800221
Committed: https://opendev.org/openstack/glance/commit/f0d891a3edbf9978f8c427df05e8c912fce54cf4
Submitter: "Zuul (22348)"
Branch:    master

commit f0d891a3edbf9978f8c427df05e8c912fce54cf4
Author: Erno Kuvaja <jokke@xxxxxx>
Date:   Fri Jul 9 13:48:45 2021 +0100

    'community' images need to be treated as public
    
    Even though 'community' images are not listed by default their
    behaviour is like public images otherwise. This means that
    the image data needs to be available for everyone and thus
    the acls for the file/object should be like public too.
    
    Change-Id: I79683c81233b35f2399119128a63d33d69c50eeb
    Closes-bug: #1885928


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1885928

Title:
  Unable to spawn VM from community image

Status in Glance:
  Fix Released
Status in Glance ussuri series:
  Triaged
Status in Glance victoria series:
  Triaged
Status in Glance wallaby series:
  Triaged
Status in Glance xena series:
  Fix Released

Bug description:
  Hi,

  I am planning to introduce community images in my production.

  Release : Train
  Backend : Swift

  I can spawn images from Public, private and shared images. The logs
  point me to HTTP 403 from swift :

  2020-06-30T11:16:03.522021578+00:00 - api - 2020-06-30 11:16:03,093.093 42 WARNING glance.location [req-4d5aede4-0d3a-4dd7-bc2b-055de4f60dbc 3eda6592ccadd54d787c8d58c2c7c3e7ba0236ddb339c08eba531b056ae9e50e 606094098b04421b8041ef54c734b664 - 41aac04ce58c428b9ed2262798d0d336 41aac04ce58c428b9ed2262798d0d336] Get image b833841e-f92a-4495-8e8e-bfc6f68f9f31 data failed: Object GET failed: https://XXXX
  :443/v1/AUTH_51edc18acfca49099e77dc66e8dc2f48/glance_b833841e-f92a-4495-8e8e-bfc6f68f9f31/b833841e-f92a-4495-8e8e-bfc6f68f9f31 403 Forbidden  [first 60 chars of response] b'<html><h1>Forbidden</h1><p>Access was denied to this resourc'.: swiftclient.exceptions.ClientException: Object GET failed: https://XXXX:443/v1/AUTH_51edc18acfca49099e77dc66e8dc2f48/glance_b833841e-f92a-4495-8e8e-bfc6f68f9f31/b
  833841e-f92a-4495-8e8e-bfc6f68f9f31 403 Forbidden  [first 60 chars of response] b'<html><h1>Forbidden</h1><p>Access was denied to this resourc'
  2020-06-30T11:16:03.522032543+00:00 - api - 2020-06-30 11:16:03,093.093 42 ERROR glance.location [req-4d5aede4-0d3a-4dd7-bc2b-055de4f60dbc 3eda6592ccadd54d787c8d58c2c7c3e7ba0236ddb339c08eba531b056ae9e50e 606094098b04421b8041ef54c734b664 - 41aac04ce58c428b9ed2262798d0d336 41aac04ce58c428b9ed2262798d0d336] Glance tried all active locations/stores to get data for image b833841e-f92a-4495-8e8e-bfc6f68f9f31 but all have failed

  I did refer all the available documents :

  https://specs.openstack.org/openstack/glance-specs/specs/ocata/implemented/glance/community_visibility.html
  https://blueprints.launchpad.net/glance/+spec/community-level-v2-image-sharing
  https://wiki.openstack.org/wiki/Glance-v2-community-image-sharing#Accepting_a_.27Community.27_Image,

  Is this issue related to ACL's ?

  https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/swift/store.py#L1524

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1885928/+subscriptions

References

[Bug 1885928] [NEW] Unable to spawn VM from community image
From: Rajiv Mucheli, 2020-07-01