yahoo-eng-team team mailing list archive

[Bug 2045158] [NEW] Glance requires read permissions on RBD volumes pool to check for children

 

Public bug reported:

When Glance tries to delete an image from the RBD/Ceph backend, it
checks if any children exist for that image (see
https://opendev.org/openstack/glance_store/src/branch/master/glance_store/_drivers/rbd.py#L459).

However, if we create a volume from an image, the children are part of the 'volumes' pool.
If we follow the Glance setup guide, we only grant permissions for the 'images' pool, but not for the 'volumes' pool (see https://docs.openstack.org/glance/latest/configuration/configuring.html#configuring-the-rbd-storage-backend).
This causes image deletion to fail with an internal server error due to missing permissions:
rbd.PermissionError: [errno 1] RBD permission error (error listing children.).

To circumvent this issue, the Glance client requires read access on the 'volumes' pool. There may also be more finely tuned permissions that allow Glance to check for existing children, which I am not aware of.
Either way, the documentation should reflect this.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/2045158

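An added example, not part of the original bug report or of Glance's code: a small Python check that reports which pools a Ceph OSD caps string leaves unreadable for the children lookup the report describes. The caps grammar is simplified, and the function names and sample caps strings are constructed for illustration.

```python
import re

# Simplified model of Ceph OSD capability strings (an assumption of this
# example, not the full grammar): comma-separated grants of the form
#   allow <perms> [pool=<name>]    or    profile <name> [pool=<name>]
READ_PROFILES = {"rbd", "rbd-read-only"}  # both profiles include read access

def pools_readable(osd_caps):
    """Return (pools with read access, True if a grant covers every pool)."""
    pools, all_pools = set(), False
    for grant in (g.strip() for g in osd_caps.split(",")):
        m = re.match(r"(allow|profile)\s+(\S+)(.*)$", grant)
        if not m:
            continue
        kind, what, rest = m.groups()
        if kind == "allow":
            grants_read = what == "*" or (set(what) <= set("rwx") and "r" in what)
        else:
            grants_read = what in READ_PROFILES
        if not grants_read or "object_prefix" in rest:
            continue  # class-only or prefix-scoped grants are not counted here
        pool = re.search(r"pool[=\s]+(\S+)", rest)
        if pool:
            pools.add(pool.group(1))
        else:
            all_pools = True  # no pool restriction on this grant
    return pools, all_pools

def missing_pools(osd_caps, needed):
    """Pools in `needed` that the caps string gives no read access to."""
    pools, all_pools = pools_readable(osd_caps)
    return [] if all_pools else [p for p in needed if p not in pools]

# Constructed sample values: caps limited to the 'images' pool, as the
# report describes, and a variant that adds read-only access to 'volumes'.
IMAGES_ONLY = "profile rbd pool=images"
WITH_VOLUMES_READ = "profile rbd pool=images, profile rbd-read-only pool=volumes"
# Pools the children check touches when volumes are cloned from images.
NEEDED = ["images", "volumes"]

if __name__ == "__main__":
    for caps in (IMAGES_ONLY, WITH_VOLUMES_READ):
        print(repr(caps), "-> missing read on:", missing_pools(caps, NEEDED))
```

Adding read-only access to the 'volumes' pool, instead of widening the write grant, keeps the Glance key unable to modify volumes while still allowing the lookup.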