[SRU] It's not possible to upload a volume that was build from an image back to glance, if multistore (glance) is enabled.

Could anybody please confirm this is a bug?

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/812685

Greetings,
Do you mind sharing the next information:
- backends you are using for cinder and for glance
- c-vol logs with the erros.
Thanks in advance.

Hi, I am facing same issue. Version: Ubuntu focal and Openstack Xena.

bugs report: (in my view)

step 1: create a image, and upload the image by "web-download" method. in glance code, it will add two property "os_glance_failed_import" and "os_glance_importing_to_stores".

step 2: in glance code , it will execute /v2/images.py and os_glance_import_task(), I guess it a sign, to sign a import-image task status. and it can force clean "the last task" and reimport image. whatever,I don't care it anymore

step 3: so, when I use a web-download method to upload a image , it will contains property "os_glance_failed_import" and "os_glance_failed_import". if create a volume by this image, It is also included in the volume_image_metadata property of the volume.

step 4: If i use "os-volume_upload_image" action of cinder, in cinder code. "os_glance_failed_import" and "os_glance_failed_import" will be param and rejected by glance, that's so bad.

Reviewed: https://review.opendev.org/c/openstack/cinder/+/812685
Committed: https://opendev.org/openstack/cinder/commit/c43fb490b204aadf41a32bcb5eb075b1656e2af4
Submitter: "Zuul (22348)"
Branch: master

commit c43fb490b204aadf41a32bcb5eb075b1656e2af4
Author: Rafael Weingärtner <email address hidden>
Date: Wed Oct 6 10:57:00 2021 -0300

    Filter reserved image properties

    Cinder is currently not able to upload a volume that is based on an
    image back to glance. This bug is triggered if glance multistore is
    enabled (devstack in this example).

    When enabling multistore, the following properties will be stored in Cinder:
    * os_glance_failed_import=''
    * os_glance_importing_to_stores=''

    Those properties will cause problems when Cinder tries to perform some
    actions with Glance. Error msg:
    ```
    cinderclient.exceptions.BadRequest: HTTP 403 Forbidden: Access was denied to this resource.: Attribute &#x27;os_glance_failed_import&#x27; is reserved. (HTTP 400)
    ```

    Nova had the same issue and solved it with:
    https://github.com/openstack/nova/blob/50fdbc752a9ca9c31488140ef2997ed59d861a41/releasenotes/notes/absolutely-non-inheritable-image-properties-85f7f304fdc20b61.yaml

    and

    https://github.com/openstack/nova/commit/dda179d3f901e4f23091f3095f1af58bc26e222e

    Therefore, this patch is intended to apply a similar solution in Cinder.

    Change-Id: I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    Closes-Bug: #1945500

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/cinder/+/872581

Reviewed: https://review.opendev.org/c/openstack/cinder/+/872581
Committed: https://opendev.org/openstack/cinder/commit/826b40281123d700b3aeba5dcf076544982973a3
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 826b40281123d700b3aeba5dcf076544982973a3
Author: Rafael Weingärtner <email address hidden>
Date: Wed Oct 6 10:57:00 2021 -0300

    Filter reserved image properties

    Cinder is currently not able to upload a volume that is based on an
    image back to glance. This bug is triggered if glance multistore is
    enabled (devstack in this example).

    When enabling multistore, the following properties will be stored in Cinder:
    * os_glance_failed_import=''
    * os_glance_importing_to_stores=''

    Those properties will cause problems when Cinder tries to perform some
    actions with Glance. Error msg:
    ```
    cinderclient.exceptions.BadRequest: HTTP 403 Forbidden: Access was denied to this resource.: Attribute &#x27;os_glance_failed_import&#x27; is reserved. (HTTP 400)
    ```

    Nova had the same issue and solved it with:
    https://github.com/openstack/nova/blob/50fdbc752a9ca9c31488140ef2997ed59d861a41/releasenotes/notes/absolutely-non-inheritable-image-properties-85f7f304fdc20b61.yaml

    and

    https://github.com/openstack/nova/commit/dda179d3f901e4f23091f3095f1af58bc26e222e

    Therefore, this patch is intended to apply a similar solution in Cinder.

    Change-Id: I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    Closes-Bug: #1945500
    (cherry picked from commit c43fb490b204aadf41a32bcb5eb075b1656e2af4)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/873145

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/874428

Change abandoned by "Rodrigo Barbieri <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/874428

Reviewed: https://review.opendev.org/c/openstack/cinder/+/873145
Committed: https://opendev.org/openstack/cinder/commit/f2faf7d70f5cd3ace461d9de9fdfe448d78a0107
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit f2faf7d70f5cd3ace461d9de9fdfe448d78a0107
Author: Rafael Weingärtner <email address hidden>
Date: Wed Oct 6 10:57:00 2021 -0300

    Filter reserved image properties

    Cinder is currently not able to upload a volume that is based on an
    image back to glance. This bug is triggered if glance multistore is
    enabled (devstack in this example).

    When enabling multistore, the following properties will be stored in Cinder:
    * os_glance_failed_import=''
    * os_glance_importing_to_stores=''

    Those properties will cause problems when Cinder tries to perform some
    actions with Glance. Error msg:
    ```
    cinderclient.exceptions.BadRequest: HTTP 403 Forbidden: Access was denied to this resource.: Attribute &#x27;os_glance_failed_import&#x27; is reserved. (HTTP 400)
    ```

    Nova had the same issue and solved it with:
    https://github.com/openstack/nova/blob/50fdbc752a9ca9c31488140ef2997ed59d861a41/releasenotes/notes/absolutely-non-inheritable-image-properties-85f7f304fdc20b61.yaml

    and

    https://github.com/openstack/nova/commit/dda179d3f901e4f23091f3095f1af58bc26e222e

    Therefore, this patch is intended to apply a similar solution in Cinder.

    Change-Id: I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    Closes-Bug: #1945500
    (cherry picked from commit c43fb490b204aadf41a32bcb5eb075b1656e2af4)
    (cherry picked from commit 826b40281123d700b3aeba5dcf076544982973a3)
    Conflicts: cinder/image/image_utils.py
       - Changed syntax from "dict[str, str]" to "Dict[str, str]" for
         Python <3.8 compatibility

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/cinder/+/874831

This issue was fixed in the openstack/cinder 22.0.0.0rc1 release candidate.

Uploaded to kinetic and jammy unapproved:
https://launchpad.net/ubuntu/kinetic/+queue?queue_state=1&queue_text=cinder
https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=cinder

Hello Florian, or anyone else affected,

Accepted cinder into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cinder/2:21.1.0-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Florian, or anyone else affected,

Accepted cinder into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cinder/2:20.1.0-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Florian, or anyone else affected,

Accepted cinder into zed-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:zed-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-zed-needed to verification-zed-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-zed-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Florian, or anyone else affected,

Accepted cinder into yoga-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:yoga-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-yoga-needed to verification-yoga-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-yoga-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I will be performing verification on this soon

Validation failed. The fix did not work. See example below:

[{'container_format': 'bare', 'disk_format': 'raw', 'name': 'image-from-vol-from-image', 'visibility': 'private', 'protected': False, 'properties': {'owner_specified.openstack.object': 'images/cirros2', 'os_glance_importing_to_stores': '', 'signature_verified': 'False', 'os_glance_failed_import': '', 'architecture': 'x86_64', 'owner_specified.openstack.sha256': '', 'owner_specified.openstack.md5': ''}}]

 was filtered using the reserved name spaces [['os_glance', 'img_signature']], and the result is

[{'container_format': 'bare', 'disk_format': 'raw', 'name': 'image-from-vol-from-image', 'visibility': 'private', 'protected': False, 'properties': {'owner_specified.openstack.object': 'images/cirros2', 'os_glance_importing_to_stores': '', 'signature_verified': 'False', 'os_glance_failed_import': '', 'architecture': 'x86_64', 'owner_specified.openstack.sha256': '', 'owner_specified.openstack.md5': ''}}]

The algorithm is:

for k, v in metadata.items():
____if any(k.startswith(reserved_name_space)
________for reserved_name_space in reserved_name_spaces):
______continue
____new_metadata[k] = v

LOG.debug("The metadata set [%s] was filtered using the reserved name "
                       "spaces [%s], and the result is [%s].", metadata,
                        reserved_name_spaces, new_metadata)

The os_glance properties are not filtered because they are under "properties" dict property. The bug will have to be reopened and reworked.

After a brief conversation with Brian Rosmaita over IRC that pointed me towards [1], I found out that tweaking the config option "glance_core_properties" to:

glance_core_properties = checksum, container_format, disk_format, image_name, image_id, min_disk, min_ram, name, size, os_glance_failed_import,os_glance_importing_to_stores

enables the fix to work, as a workaround. This is because at [1] the function is separating glance's properties into "core properties" at the base level, and "custom properties" inside a dict named "properties", there this "properties" dict gets overlooked by the fix logic which only goes through the base dict level that only includes the "core properties".

[1] https://opendev.org/openstack/cinder/src/commit/c0133da5914bfcdbc48270860d5941f33531a05a/cinder/volume/api.py#L1432

As per the workaround described above, we will proceed with the SRU, I will adjust the template and perform validation again

This issue was fixed in the openstack/cinder 21.2.0 release.

This issue was fixed in the openstack/cinder 20.2.0 release.

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/882087

I have another update that will flip things over with regards to the SRU (again).

I performed validation for jammy-yoga following the update SRU template, therefore applying the config option change after upgrading the package with the original failed fix, following my previous understanding from reading the code that the original failed fix enabled this config option workaround. This worked fine.

However, I proceeded to validate jammy-zed, but I decided to apply the config option change before the upgrade package and retry the image-create command, just to test. To my surprise, it worked. I performed lots of testing following this and concluded that the config option would have worked from the start and not need the original fix in the first place.

Therefore, I am once again aborting this SRU because the original failed fix as it is it is not adding anything useful, and the workaround works without it.

Talking to Brian Rosmaita a few minutes ago and sharing the new findings we agreed that the new fix is still very desirable so to "do things correctly" and avoid having to do this config option workaround approach that is not ideal.

For SRU purposes, the new fix will eventually be included in a point release SRU and no longer need a specific SRU for this. So, again, aborting this SRU.

This bug was fixed in the package cinder - 2:20.1.0-0ubuntu2.1

---------------
cinder (2:20.1.0-0ubuntu2.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access
    - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
      attachment calls.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Thu, 04 May 2023 15:55:29 +0200

This bug was fixed in the package cinder - 2:21.1.0-0ubuntu2.1

---------------
cinder (2:21.1.0-0ubuntu2.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Unauthorized File Access
    - debian/patches/CVE-2023-2088.patch: Reject unsafe delete
      attachment calls.
    - CVE-2023-2088

 -- Corey Bryant <email address hidden> Thu, 04 May 2023 15:30:12 +0200

Reviewed: https://review.opendev.org/c/openstack/cinder/+/882087
Committed: https://opendev.org/openstack/cinder/commit/b3d3f31fa325533cf8130533e955ef43b8f38189
Submitter: "Zuul (22348)"
Branch: master

commit b3d3f31fa325533cf8130533e955ef43b8f38189
Author: Rodrigo Barbieri <email address hidden>
Date: Tue May 2 13:28:31 2023 -0300

    Fix glance metadata properties filtering

    Previous patch I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    implemented filtering of glance "os_glance..." metadata
    but its logic overlooked the fact that the glance metadata
    to be filtered are actually in a "properties" sub-dict
    as adjusted by the "_merge_volume_image_meta" method in
    cinder/volume/api.py.

    This patch re-invokes the filtering loop on
    the "properties" sub-dict when it is present.

    New unit test covers filtering in both cases.

    Closes-bug: #1945500
    Change-Id: I06b8c363c4017adfa1ad134ad7a8a0954c005e62

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/cinder/+/885255

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/cinder/+/885256

Reviewed: https://review.opendev.org/c/openstack/cinder/+/885256
Committed: https://opendev.org/openstack/cinder/commit/f542dd07b07162f39325a83fae67cda166e36798
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit f542dd07b07162f39325a83fae67cda166e36798
Author: Rodrigo Barbieri <email address hidden>
Date: Tue May 2 13:28:31 2023 -0300

    Fix glance metadata properties filtering

    Previous patch I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    implemented filtering of glance "os_glance..." metadata
    but its logic overlooked the fact that the glance metadata
    to be filtered are actually in a "properties" sub-dict
    as adjusted by the "_merge_volume_image_meta" method in
    cinder/volume/api.py.

    This patch re-invokes the filtering loop on
    the "properties" sub-dict when it is present.

    New unit test covers filtering in both cases.

    Closes-bug: #1945500
    Change-Id: I06b8c363c4017adfa1ad134ad7a8a0954c005e62
    (cherry picked from commit b3d3f31fa325533cf8130533e955ef43b8f38189)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/885255
Committed: https://opendev.org/openstack/cinder/commit/7dad93bff14c8966d81ea164f1c400b02747e1db
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 7dad93bff14c8966d81ea164f1c400b02747e1db
Author: Rodrigo Barbieri <email address hidden>
Date: Tue May 2 13:28:31 2023 -0300

    Fix glance metadata properties filtering

    Previous patch I79d70543856c01a45e2d8c083ab8df6b9c047ebc
    implemented filtering of glance "os_glance..." metadata
    but its logic overlooked the fact that the glance metadata
    to be filtered are actually in a "properties" sub-dict
    as adjusted by the "_merge_volume_image_meta" method in
    cinder/volume/api.py.

    This patch re-invokes the filtering loop on
    the "properties" sub-dict when it is present.

    New unit test covers filtering in both cases.

    Closes-bug: #1945500
    Change-Id: I06b8c363c4017adfa1ad134ad7a8a0954c005e62
    (cherry picked from commit b3d3f31fa325533cf8130533e955ef43b8f38189)
    (cherry picked from commit f542dd07b07162f39325a83fae67cda166e36798)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/885822

This issue was fixed in the openstack/cinder 22.1.1 release.

This issue was fixed in the openstack/cinder 20.3.1 release.

This issue was fixed in the openstack/cinder 21.3.1 release.

This issue was fixed in the openstack/cinder 23.0.0.0rc1 release candidate.