[feature] allow for glance to install in a privileged container

From a security perspective, this is a big change that should be discussed further before proceeding. The impact is that all glance deployments, whether they need it or not, would run in privileged containers. That seems like a lot of added risk, especially given a corner case use case.

I think that, if mounting NFS is required, FUSE NFS should be used if in a container or the glance units should be placed on bare metal. I will argue fairly strongly against making the glance API service be run in a privileged container just because sometimes NFS is required.

FUSE NFS is not in any package repo, so it would be an unsupported method at any handover time.

I'm open to any other suggestions on using NFS with clustered glance.

In addition to suggesting FUSE, I did propose another solution in my initial response: put Glance on metal if it needs access to true NFS. Removing security controls for the world to ease deployment placing seems like a bad trade-off to me.

The trilio-wlm charm uses NFS via the kernel:

config:
  raw.apparmor: mount fstype=nfs,
  security.privileged: "true"

that appears to work fine and if there are deployment scenarios where glance may need to access an NFS share I'm not against adding this generally to the glance charm.

My concern with adding it to the charm is that it removes any potential security gains that the glance application gains by being contained

Is there a specific benefit to enable this as a charm feature, or is it enough to use a custom lxd profile, only when needed, as Juju allows us to do?

Would it be sufficient to document the NFS use case for Glance, as a combination of using https://jaas.ai/u/bootstack-charmers/fstab-config/ for handling the NFS share and the appropriate
lxd-profile.yaml?

RE: Comment #5, This MR was submitted earlier this week:

https://review.opendev.org/#/c/737366/

@michael.iatrou

"use a custom lxd profile, only when needed, as Juju allows us to do?"
Unfortunately I believe this to be incorrect. [0][1]

To my knowledge and by those bugs still being open I believe the options are all or nothing for every deploy. That being the case I think the suggesting in comment #5 above is the most sensible approach to supporting NFS for glance.

[0]: https://bugs.launchpad.net/juju/+bug/1844937
[1]: https://bugs.launchpad.net/juju/+bug/1822016

Change abandoned by "James Page <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/charm-glance/+/737366