Chapter 3. Image import and shared staging
The default settings for the OpenStack Image service (glance) are determined by the heat templates that you use when you install Red Hat OpenStack Platform (RHOSP). The Image service heat template is deployment/glance/glance-api-container-puppet.yaml.
You can import images by using the following methods:
- web-download: Use the web-download method to import an image from a URL.
- glance-direct: Use the glance-direct method to import an image from a local volume.
3.1. Creating and deploying the glance-settings.yaml file
Use a custom environment file to configure the import parameters. These parameters override the default values that are present in the core heat template collection. The example environment content contains parameters for the interoperable image import.
parameter_defaults:
# Configure NFS backend
GlanceBackend: file
GlanceNfsEnabled: true
GlanceNfsShare: 192.168.122.1:/export/glance
# Enable glance-direct import method
GlanceEnabledImportMethods: glance-direct,web-download
# Configure NFS staging area (required for glance-direct import method)
GlanceStagingNfsShare: 192.168.122.1:/export/glance-staging
The GlanceBackend, GlanceNfsEnabled, and GlanceNfsShare parameters are defined in the Overcloud Parameters guide.
Use two new parameters for interoperable image import to define the import method and a shared NFS staging area.
- GlanceEnabledImportMethods: Defines the available import methods, web-download (default) and glance-direct. This parameter is necessary only if you want to enable additional methods besides web-download.
- GlanceStagingNfsShare: Configures the NFS staging area that the glance-direct import method uses. This space can be shared among nodes in a high-availability cluster configuration. If you want to use this parameter, you must also set the GlanceNfsEnabled parameter to true.
Procedure
- Create a new file, for example, glance-settings.yaml. Use the syntax from the example to populate this file.
- Include the glance-settings.yaml file in the openstack overcloud deploy command, as well as any other environment files that are relevant to your deployment:
$ openstack overcloud deploy --templates -e glance-settings.yaml
For more information about using environment files, see the Director Installation and Usage guide.
3.2. Controlling image web-import sources
You can limit the sources of web-import image downloads by adding URI blocklists and allowlists to the optional glance-image-import.conf file.
You can allow or block image source URIs at three levels:
- scheme (allowed_schemes, disallowed_schemes)
- host (allowed_hosts, disallowed_hosts)
- port (allowed_ports, disallowed_ports)
If you specify both allowlist and blocklist at any level, the allowlist is honored and the blocklist is ignored.
The Image service (glance) applies the following decision logic to validate image source URIs:
1. The scheme is checked.
   A. Missing scheme: reject.
   B. If there is an allowlist, and the scheme is not present in the allowlist: reject. Otherwise, skip C and continue on to 2.
   C. If there is a blocklist, and the scheme is present in the blocklist: reject.
2. The host name is checked.
   A. Missing host name: reject.
   B. If there is an allowlist, and the host name is not present in the allowlist: reject. Otherwise, skip C and continue on to 3.
   C. If there is a blocklist, and the host name is present in the blocklist: reject.
3. If there is a port in the URI, the port is checked.
   A. If there is an allowlist, and the port is not present in the allowlist: reject. Otherwise, skip B and continue on to 4.
   B. If there is a blocklist, and the port is present in the blocklist: reject.
4. The URI is accepted as valid.
If you allow a scheme, either by adding it to an allowlist or by not adding it to a blocklist, any URI that uses the default port for that scheme by not including a port in the URI is allowed. If it does include a port in the URI, the URI is validated according to the default decision logic.
3.3. Image import example
For example, consider the following settings in glance-image-import.conf:
allowed_schemes = [http,https,ftp]
disallowed_schemes = []
allowed_hosts = []
disallowed_hosts = []
allowed_ports = [80,443]
disallowed_ports = []
The default port for FTP is 21. Because ftp is an allowlisted scheme, this URL is allowed: ftp://example.org/some/resource. However, because 21 is not in the port allowlist, this URL to the same resource is rejected: ftp://example.org:21/some/resource.
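The following Python model of the decision logic from section 3.2 is an added illustration, not the Image service's own validation code. It applies the scheme, host and port checks in order to the URLs from the example above, using EXAMPLE_CONFIG (constructed from the settings shown above) and BLOCKLIST_CONFIG (an assumed blocklist-only configuration) to exercise both the allowlist and the blocklist paths.

```python
from urllib.parse import urlsplit

# Constructed from the glance-image-import.conf example in section 3.3.
# Assumption: an empty list means "no list configured at this level".
EXAMPLE_CONFIG = {
    "allowed_schemes": ["http", "https", "ftp"],
    "disallowed_schemes": [],
    "allowed_hosts": [],
    "disallowed_hosts": [],
    "allowed_ports": [80, 443],
    "disallowed_ports": [],
}

# Assumed blocklist-only configuration, to show the blocklist branch.
BLOCKLIST_CONFIG = {
    "allowed_schemes": [],
    "disallowed_schemes": ["ftp"],
    "allowed_hosts": [],
    "disallowed_hosts": ["internal.example"],
    "allowed_ports": [],
    "disallowed_ports": [8080],
}


def _level_ok(value, allowed, disallowed):
    """One level of the decision logic: when an allowlist exists it decides
    and the blocklist is ignored; otherwise the blocklist, if any, decides."""
    if allowed:
        return value in allowed
    if disallowed:
        return value not in disallowed
    return True


def validate_uri(uri, cfg):
    """Return (accepted, reason), checking scheme, then host, then port."""
    parts = urlsplit(uri)
    if not parts.scheme:                      # step 1A
        return False, "missing scheme"
    if not _level_ok(parts.scheme, cfg["allowed_schemes"], cfg["disallowed_schemes"]):
        return False, "scheme %r rejected" % parts.scheme
    if not parts.hostname:                    # step 2A
        return False, "missing host name"
    if not _level_ok(parts.hostname, cfg["allowed_hosts"], cfg["disallowed_hosts"]):
        return False, "host %r rejected" % parts.hostname
    try:
        port = parts.port                     # None when the URI states no port
    except ValueError:
        return False, "invalid port"
    # Step 3 runs only for an explicit port; the scheme's implicit default passes.
    if port is not None and not _level_ok(port, cfg["allowed_ports"], cfg["disallowed_ports"]):
        return False, "port %d rejected" % port
    return True, "accepted"                   # step 4
```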
3.4. Default image import blocklist and allowlist settings
The glance-image-import.conf file is an optional file that contains the following default options:
- allowed_schemes - [http, https]
- disallowed_schemes - empty list
- allowed_hosts - empty list
- disallowed_hosts - empty list
- allowed_ports - [80, 443]
- disallowed_ports - empty list
If you use the defaults, end users can access URIs by using only the http or https scheme. The only ports that users can specify are 80 and 443. Users do not have to specify a port, but if they do, it must be either 80 or 443.
You can find the glance-image-import.conf file in the etc/ subdirectory of the Image service source code tree. Ensure that you are looking in the correct branch for your release of Red Hat OpenStack Platform.
3.5. Injecting metadata on image import to control where VMs launch
End users can upload images to the Image service and use these images to launch VMs. These user-provided (non-admin) images must be launched on a specific set of compute nodes. The assignment of an instance to a compute node is controlled by image metadata properties.
The Image Property Injection plugin injects metadata properties to images during import. Specify the properties by editing the [image_import_opts] and [inject_metadata_properties] sections of the glance-image-import.conf file.
To enable the Image Property Injection plugin, add the following line to the [image_import_opts] section:
[image_import_opts]
image_import_plugins = [inject_image_metadata]
To limit the metadata injection to images provided by a certain set of users, set the ignore_user_roles parameter. For example, use the following configuration to inject one value for property1 and two values for property2 into images downloaded by any non-admin user.
[DEFAULT]
[image_conversion]
[image_import_opts]
image_import_plugins = [inject_image_metadata]
[import_filtering_opts]
[inject_metadata_properties]
ignore_user_roles = admin
inject = PROPERTY1:value,PROPERTY2:value;another value
The parameter ignore_user_roles is a comma-separated list of the Identity service (keystone) roles that the plugin ignores. This means that if the user that makes the image import call has any of these roles, the plugin does not inject any properties into the image.
The parameter inject is a comma-separated list of properties and values that are injected into the image record for the imported image. Each property and value must be quoted and separated by a colon (‘:’).
You can find the glance-image-import.conf file in the etc/ subdirectory of the Image service source code tree. Ensure that you are looking in the correct branch for your release of Red Hat OpenStack Platform.