Chapter 16. Configuring the image import method and shared staging area
The default settings for the OpenStack Image service (glance) are determined by the heat templates that you use when you install Red Hat OpenStack Platform. The Image service heat template is deployment/glance/glance-api-container-puppet.yaml.
You can import images with the following methods:
- web-download
  Use the web-download method to import an image from a URL.
- glance-direct
  Use the glance-direct method to import an image from a local volume.
16.1. Creating and deploying the glance-settings.yaml file
Use a custom environment file to configure the import parameters. These parameters override the default values that are present in the core heat template collection. The example environment content contains parameters for the interoperable image import.
    parameter_defaults:
      # Configure NFS backend
      GlanceBackend: file
      GlanceNfsEnabled: true
      GlanceNfsShare: 192.168.122.1:/export/glance
      # Enable glance-direct import method
      GlanceEnabledImportMethods: glance-direct,web-download
      # Configure NFS staging area (required for glance-direct import method)
      GlanceStagingNfsShare: 192.168.122.1:/export/glance-staging
The GlanceBackend, GlanceNfsEnabled, and GlanceNfsShare parameters are defined in the Storage Configuration section in the Advanced Overcloud Customization Guide.
Use two new parameters for interoperable image import to define the import method and a shared NFS staging area.
- GlanceEnabledImportMethods
  Defines the available import methods, web-download (default) and glance-direct. This parameter is necessary only if you want to enable additional methods besides web-download.
- GlanceStagingNfsShare
  Configures the NFS staging area that the glance-direct import method uses. This space can be shared among nodes in a high-availability cluster configuration. If you want to use this parameter, you must also set the GlanceNfsEnabled parameter to true.
Procedure
- Create a new file, for example, glance-settings.yaml. Use the syntax from the example to populate this file. Include the glance-settings.yaml file in the openstack overcloud deploy command, as well as any other environment files that are relevant to your deployment:
    $ openstack overcloud deploy --templates -e glance-settings.yaml
For more information about using environment files, see the Including Environment Files in Overcloud Creation section in the Advanced Overcloud Customization Guide.
16.2. Controlling image web-import sources
You can limit the sources of web-import image downloads by adding URI blocklists and allowlists to the optional glance-image-import.conf file.
You can allow or block image source URIs at three levels:
- scheme (allowed_schemes, disallowed_schemes)
- host (allowed_hosts, disallowed_hosts)
- port (allowed_ports, disallowed_ports)
If you specify both allowlist and blocklist at any level, the allowlist is honored and the blocklist is ignored.
The Image service (glance) applies the following decision logic to validate image source URIs:
1. The scheme is checked.
   A. Missing scheme: reject.
   B. If there is an allowlist, and the scheme is not present in the allowlist: reject. Otherwise, skip C and continue on to 2.
   C. If there is a blocklist, and the scheme is present in the blocklist: reject.
2. The host name is checked.
   A. Missing host name: reject.
   B. If there is an allowlist, and the host name is not present in the allowlist: reject. Otherwise, skip C and continue on to 3.
   C. If there is a blocklist, and the host name is present in the blocklist: reject.
3. If there is a port in the URI, the port is checked.
   A. If there is an allowlist, and the port is not present in the allowlist: reject. Otherwise, skip B and continue on to 4.
   B. If there is a blocklist, and the port is present in the blocklist: reject.
4. The URI is accepted as valid.
If you allow a scheme, either by adding it to an allowlist or by not adding it to a blocklist, any URI that uses the default port for that scheme by not including a port in the URI is allowed. If it does include a port in the URI, the URI is validated according to the default decision logic.
16.3. Image import example
Consider the following filter settings:
    allowed_schemes = [http,https,ftp]
    disallowed_schemes = []
    allowed_hosts = []
    disallowed_hosts = []
    allowed_ports = [80,443]
    disallowed_ports = []
The default port for FTP is 21. Because ftp is an allowlisted scheme, this URL is allowed:
    ftp://example.org/some/resource
But because 21 is not in the port allowlist, this URL to the same resource is rejected:
    ftp://example.org:21/some/resource
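The following script walks through the scheme, host and port decision logic from 16.2 over a handful of sample URIs, using both the settings above and the shipped defaults listed in 16.4. It is an added illustration, not the Image service's own validation code: the dictionaries EXAMPLE_OPTS and DEFAULT_OPTS, the helper _permitted and the function validate_import_uri are constructed here to mirror the option names in glance-image-import.conf, and glance's own option parsing is not modelled.

```python
from urllib.parse import urlparse

# Constructed filter settings (not glance's data structures); the keys mirror
# the option names in glance-image-import.conf.
# Settings from the image import example: ftp allowed, ports 80 and 443 only.
EXAMPLE_OPTS = {
    "allowed_schemes": ["http", "https", "ftp"],
    "disallowed_schemes": [],
    "allowed_hosts": [],
    "disallowed_hosts": [],
    "allowed_ports": [80, 443],
    "disallowed_ports": [],
}

# Shipped defaults: http and https only, ports 80 and 443 only.
DEFAULT_OPTS = {
    "allowed_schemes": ["http", "https"],
    "disallowed_schemes": [],
    "allowed_hosts": [],
    "disallowed_hosts": [],
    "allowed_ports": [80, 443],
    "disallowed_ports": [],
}


def _permitted(value, allowed, disallowed):
    """Apply the allowlist/blocklist rule for one level (scheme, host or port).

    If an allowlist exists it decides alone and the blocklist is ignored;
    otherwise the value passes unless it appears on the blocklist.
    """
    if allowed:
        return value in allowed
    return value not in disallowed


def validate_import_uri(uri, opts=DEFAULT_OPTS):
    """Return (accepted, reason) for a web-download source URI.

    Checks scheme, then host name, then port (only when the URI carries one),
    in the order the Image service documentation describes.
    """
    parsed = urlparse(uri)

    # 1. Scheme: must be present and must pass the scheme lists.
    scheme = parsed.scheme.lower()
    if not scheme:
        return False, "missing scheme"
    if not _permitted(scheme, opts["allowed_schemes"], opts["disallowed_schemes"]):
        return False, f"scheme {scheme!r} not permitted"

    # 2. Host name: must be present and must pass the host lists.
    host = parsed.hostname  # urlparse lower-cases it and strips IPv6 brackets
    if not host:
        return False, "missing host name"
    if not _permitted(host, opts["allowed_hosts"], opts["disallowed_hosts"]):
        return False, f"host {host!r} not permitted"

    # 3. Port: checked only when the URI spells one out. A URI that relies on
    #    the scheme's default port never reaches this step, which is why
    #    ftp://example.org/x passes while ftp://example.org:21/x does not.
    try:
        port = parsed.port
    except ValueError:
        return False, "malformed port"
    if port is not None and not _permitted(
        port, opts["allowed_ports"], opts["disallowed_ports"]
    ):
        return False, f"port {port} not permitted"

    # 4. Every level passed.
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample URIs, including the two from the example above.
    samples = [
        "ftp://example.org/some/resource",
        "ftp://example.org:21/some/resource",
        "https://example.org:443/images/cirros.qcow2",
        "http://example.org:8080/images/cirros.qcow2",
        "example.org/images/cirros.qcow2",
        "file:///tmp/cirros.qcow2",
    ]
    for sample in samples:
        ok, why = validate_import_uri(sample, EXAMPLE_OPTS)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {sample:45} {why}")
```

Run against EXAMPLE_OPTS the script accepts ftp://example.org/some/resource and rejects ftp://example.org:21/some/resource, exactly as the text states; against DEFAULT_OPTS the ftp URL without a port is rejected at the scheme step instead. The helper also makes the precedence rule from 16.2 visible: a host that appears on both the host allowlist and the host blocklist is accepted, because a non-empty allowlist causes the blocklist to be ignored.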
16.4. Default image import blocklist and allowlist settings
The glance-image-import.conf file is an optional file that contains the following default options:
- allowed_schemes - [http, https]
- disallowed_schemes - empty list
- allowed_hosts - empty list
- disallowed_hosts - empty list
- allowed_ports - [80, 443]
- disallowed_ports - empty list
If you use the defaults, end users can access URIs by using only the http or https scheme. The only ports that users can specify are 80 and 443. Users do not have to specify a port, but if they do, it must be either 80 or 443.
You can find the glance-image-import.conf file in the etc/ subdirectory of the Image service source code tree. Ensure that you are looking in the correct branch for your release of Red Hat OpenStack Platform.
16.5. Injecting metadata on image import to control where VMs launch
End users can upload images to the Image service and use these images to launch VMs. These user-provided (non-admin) images must be launched on a specific set of compute nodes. The assignment of an instance to a compute node is controlled by image metadata properties.
The Image Property Injection plugin injects metadata properties into images during import. Specify the properties by editing the [image_import_opts] and [inject_metadata_properties] sections of the glance-image-import.conf file.
To enable the Image Property Injection plugin, add the following line to the [image_import_opts] section:
    [image_import_opts]
    image_import_plugins = [inject_image_metadata]
To limit the metadata injection to images provided by a certain set of users, set the ignore_user_roles parameter. For example, use the following configuration to inject one value for property1 and two values for property2 into images downloaded by any non-admin user.
    [DEFAULT]

    [image_conversion]

    [image_import_opts]
    image_import_plugins = [inject_image_metadata]

    [import_filtering_opts]

    [inject_metadata_properties]
    ignore_user_roles = admin
    inject = PROPERTY1:value,PROPERTY2:value;another value
The parameter ignore_user_roles is a comma-separated list of the Identity service (keystone) roles that the plugin ignores. This means that if the user that makes the image import call has any of these roles, the plugin does not inject any properties into the image.
The parameter inject is a comma-separated list of properties and values that are injected into the image record for the imported image. Each property and value must be quoted and separated by a colon (‘:’).
You can find the glance-image-import.conf file in the etc/ subdirectory of the Image service source code tree. Ensure that you are looking in the correct branch for your release of Red Hat OpenStack Platform.