This is generally considered insecure because it may reveal
sensitive data [1].
Furthermore, it happens that the default Ceph perms cause fatal
ERRORs with this setting:
1) when Glance wants to remove an image, it cannot list children
because Cinder or Nova might have created a linked volume clone
behind the scenes and it is put in another pool (volumes/vms)
which Glance cannot normally access;
2) when Nova wants to create an image, it lacks permissions
to write to the images pool.
Thus, I propose that Kolla Ansible stops setting this by default
and relies on the working defaults.
The downside is that this disables optimisations in Cinder and Nova.
On the other hand, these optimisations have nasty behaviour of
being linked directly to the original image, preventing its removal.
Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/860097
Committed: https://opendev.org/openstack/kolla-ansible/commit/da292982b179d690778fbaaedbe3f9775261150f
Submitter: "Zuul (22348)"
Branch: master
commit da292982b179d690778fbaaedbe3f9775261150f
Author: Radosław Piliszek <email address hidden>
Date: Mon Oct 3 16:49:27 2022 +0200
Stop showing image locations
This is generally considered insecure because it may reveal
sensitive data [1].
Furthermore, it happens that the default Ceph perms cause fatal
ERRORs with this setting:
1) when Glance wants to remove an image, it cannot list children
because Cinder or Nova might have created a linked volume clone
behind the scenes and it is put in another pool (volumes/vms)
which Glance cannot normally access;
2) when Nova wants to create an image, it lacks permissions
to write to the images pool.
Thus, I propose that Kolla Ansible stops setting this by default
and relies on the working defaults.
The downside is that this disables optimisations in Cinder and Nova.
On the other hand, these optimisations have nasty behaviour of
being linked directly to the original image, preventing its removal.
[1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations
Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291
Closes-Bug: #1992153
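
An added example, not part of the commit or of Kolla Ansible: a small audit that reports whether a glance-api.conf still enables image-location exposure. The two sample configs are constructed for illustration; show_multiple_locations is the option referenced in [1], and show_image_direct_url is a related Glance option that this page does not name.

```python
import configparser

# Glance [DEFAULT] options that expose backend image locations through the API.
# show_multiple_locations is the option linked in [1]; show_image_direct_url is
# a related Glance option (assumption: not named on this page). Both default to False.
LOCATION_OPTIONS = ("show_multiple_locations", "show_image_direct_url")
TRUTHY = {"true", "1", "yes", "on"}  # boolean spellings oslo.config treats as True

# Constructed sample: a config that exposes locations (not Kolla Ansible's template).
BEFORE = """\
[DEFAULT]
debug = False
show_image_direct_url = True
show_multiple_locations = True

[glance_store]
default_backend = rbd
"""

# Constructed sample: the same config relying on Glance's defaults.
AFTER = """\
[DEFAULT]
debug = False

[glance_store]
default_backend = rbd
"""


def exposed_location_options(conf_text):
    """Return the sorted names of location-exposing options enabled in conf_text."""
    # RawConfigParser: no '%' interpolation; strict=False tolerates repeated keys.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    enabled = []
    for opt in LOCATION_OPTIONS:
        # An unset option falls back to Glance's default (False).
        value = parser.defaults().get(opt, "false")
        if value.strip().lower() in TRUTHY:
            enabled.append(opt)
    return sorted(enabled)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        found = exposed_location_options(text)
        print(f"{label}: {'EXPOSED via ' + ', '.join(found) if found else 'ok'}")
```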