Chapter 6. Customizing the Image service (glance) import workflow
You can configure the Image service (glance) import workflow to control image uploads and processing. Enable import methods like glance-direct, web-download, or copy-image, monitor staged images, and use plugins for metadata injection and format conversion.
Users can upload their own images to the Image service by using the default glance-direct or web-download import methods. If you have multiple Red Hat Ceph Storage back ends for the Image service, you can also enable the copy-image import method. You can monitor uploaded images in a staging area before they go active in a storage back end, and you can configure the import workflow to run plugins to make user images discoverable, for example, the Inject Image Metadata plugin for metadata or the Image Conversion plugin for image formats.
6.1. Prerequisites
- You have the oc command line tool installed on your workstation.
- You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
- To use Image service glance CLI commands, source the cloudrc file with the command $ source ./cloudrc before using them. If the cloudrc file does not exist, then you need to create it. For more information, see Creating the cloudrc file.
6.2. Distributed image import
Distributed image import works with the glance-direct image import method, and it is enabled by default in Red Hat OpenStack Services on OpenShift (RHOSO).
When using the glance-direct image import method, users can upload local images to the Image service (glance) without any requirement for a shared storage area where API worker nodes (or replicas) stage images. Instead, staging is distributed because individual API workers have their own local and unshared staging directory. The API worker that owns the image data is the same API worker that performs the image import.
When the image is created and staged, the Image service records the URL of the staging API worker in a database. With this URL, other API workers can proxy image import requests from clients to the worker that has the image data and can perform the import operation. This workflow allows API worker nodes to be isolated for High Availability (HA) and distributed geographically for a distributed compute node (DCN) environment.
6.3. URI allowlist and blocklist for web-download sources
You can limit the sources of web-download image imports by specifying a URI allowlist and blocklist in the glance template in your OpenStackControlPlane custom resource (CR) file.
You can allow or block image source URIs at three levels:
- scheme (allowed_schemes, disallowed_schemes)
- host (allowed_hosts, disallowed_hosts)
- port (allowed_ports, disallowed_ports)
If you specify both an allowlist and a blocklist at any level, the allowlist is honored and the blocklist is ignored. For an example of a URI allowlist, see Configuring a URI allowlist for web-import sources.
6.3.1. Decision logic for URI validation
The Image service applies the following decision logic to validate image source URIs:
1. The scheme is checked.
   A. Missing scheme: reject
   B. If there is an allowlist, and the scheme is not present in the allowlist: reject. Otherwise, skip C and continue on to 2.
   C. If there is a blocklist, and the scheme is present in the blocklist: reject.
2. The host name is checked.
   A. Missing host name: reject
   B. If there is an allowlist, and the host name is not present in the allowlist: reject. Otherwise, skip C and continue on to 3.
   C. If there is a blocklist, and the host name is present in the blocklist: reject.
3. If there is a port in the URI, the port is checked.
   A. If there is an allowlist, and the port is not present in the allowlist: reject. Otherwise, skip B and continue on to 4.
   B. If there is a blocklist, and the port is present in the blocklist: reject.
4. The URI is accepted as valid.
If you allow a scheme, either by adding it to an allowlist or by not adding it to a blocklist, any URI that uses the default port for that scheme by not including a port is allowed. If the URI does include a port, the URI is validated according to the default decision logic.
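The decision logic above, written out as a small Python function so the ordering of the checks and the allowlist-over-blocklist rule can be exercised offline. This is an added example, not code from the Image service: the layout of the filters dict, the reason strings and the function names are this example's own, while the option names and default values are the ones this section documents.

```python
"""Added example (not code from the Image service): the decision logic for
web-download source URIs as an offline function, seeded with the default
filter values. Layout of the filters dict and the reason strings are this
example's own; the option names are the ones the page lists."""
from urllib.parse import urlsplit

# Default settings documented for the web-download import method.
DEFAULT_FILTERS = {
    "allowed_schemes": ["http", "https"],
    "disallowed_schemes": [],
    "allowed_hosts": [],
    "disallowed_hosts": [],
    "allowed_ports": [80, 443],
    "disallowed_ports": [],
}


def _check_level(value, allowed, disallowed):
    """One level of the logic. Returns None when accepted, else a reason.
    If an allowlist is configured it is honored and the blocklist is ignored."""
    if allowed:
        return None if value in allowed else f"{value!r} not in allowlist"
    if disallowed and value in disallowed:
        return f"{value!r} in blocklist"
    return None


def validate_uri(uri, filters=None):
    """Return (accepted, reason) for an image source URI."""
    f = dict(DEFAULT_FILTERS, **(filters or {}))
    parts = urlsplit(uri)

    # Step 1: scheme
    if not parts.scheme:
        return False, "missing scheme"
    reason = _check_level(parts.scheme, f["allowed_schemes"], f["disallowed_schemes"])
    if reason:
        return False, "scheme " + reason

    # Step 2: host name
    if not parts.hostname:
        return False, "missing host name"
    reason = _check_level(parts.hostname, f["allowed_hosts"], f["disallowed_hosts"])
    if reason:
        return False, "host " + reason

    # Step 3: port, only when the URI carries one explicitly; a URI that
    # relies on the scheme's default port by omitting it is not port-checked.
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None:
        reason = _check_level(port, f["allowed_ports"], f["disallowed_ports"])
        if reason:
            return False, "port " + reason

    # Step 4: accepted
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the defaults first, then the FTP allowlist case
    # described in the configuration example later in this chapter.
    for uri in ("https://example.org/img.qcow2", "https://example.org:8443/img.qcow2"):
        print(uri, validate_uri(uri))
    ftp_only = {"allowed_schemes": ["ftp"]}
    for uri in ("ftp://example.org/some/resource", "ftp://example.org:21/some/resource"):
        print(uri, validate_uri(uri, ftp_only))
```

Two properties of the logic are worth keeping in mind when you tune the lists: every check is a comparison against the URI exactly as the user submitted it, so a host blocklist covers only the names listed in it and nothing else that resolves to the same server, and configuring an allowlist at a level silently disables the blocklist at that level, so a blocklist entry you add alongside an existing allowlist has no effect.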
6.3.2. Default settings for the URI allowlist and blocklist
The following allowlist and blocklist values are the default settings for the web-download image import method in your Red Hat OpenStack Services on OpenShift (RHOSO) deployment.
- allowed_schemes - [http, https]
- disallowed_schemes - empty list
- allowed_hosts - empty list
- disallowed_hosts - empty list
- allowed_ports - [80, 443]
- disallowed_ports - empty list
If you use the default values, users can only access URIs by using the http or https scheme, and they can only specify ports 80 and 443. Users do not have to specify a port, but if they do, it must be either 80 or 443.
6.3.3. Configuring a URI allowlist for web-import sources
You configure the sources of web-import image downloads by specifying URI allowlists and blocklists in the glance template in your OpenStackControlPlane custom resource (CR) file.
In this example, you are using an FTP server for image upload. The default port for FTP is 21.
Procedure
1. Open your OpenStackControlPlane custom resource (CR) file, openstack_control_plane.yaml, and add the following parameters to the glance template:
   Example
   - Because ftp is in the list for allowed_schemes, this URL to the image resource is allowed: ftp://example.org/some/resource.
   - Because 21 is not in the list for allowed_ports, this URL to the same image resource is rejected: ftp://example.org:21/some/resource.
2. Update the control plane:
   $ oc apply -f openstack_control_plane.yaml -n openstack
3. Wait until RHOCP creates the resources related to the OpenStackControlPlane CR. Run the following command to check the status:
   $ oc get openstackcontrolplane -n openstack
   Tip: Append the -w option to the end of the get command to track deployment progress.
6.4. Configuring the copy-image import method for images
You can configure the Image service (glance) to copy existing images to multiple Red Hat Ceph Storage stores.
Procedure
1. Open your OpenStackControlPlane CR file, openstack_control_plane.yaml, and add the following parameters to the customServiceConfig in the glance template:
2. Update the control plane:
   $ oc apply -f openstack_control_plane.yaml -n openstack
3. Wait until RHOCP creates the resources related to the OpenStackControlPlane CR. Run the following command to check the status:
   $ oc get openstackcontrolplane -n openstack
   The OpenStackControlPlane resources are created when the status is "Setup complete".
   Tip: Append the -w option to the end of the get command to track deployment progress.
6.5. Enabling or rejecting virtual machine image disk formats
You can configure the Image service (glance) to enable or reject disk formats. For example, you can enable only RAW and ISO disk formats or reject images in QCOW2 disk format.
Procedure
1. Open your OpenStackControlPlane CR file, openstack_control_plane.yaml, and add the following parameters to the glance template:
   - Replace <raw> and <iso> with the formats you want to enable from the following supported disk formats: none, ami, ari, aki, vhd, vhdx, vmdk, raw, qcow2, vdi, iso, ploop.
2. Update the control plane:
   $ oc apply -f openstack_control_plane.yaml -n openstack
3. Wait until RHOCP creates the resources related to the OpenStackControlPlane CR. Run the following command to check the status:
   $ oc get openstackcontrolplane -n openstack
   The OpenStackControlPlane resources are created when the status is "Setup complete".
   Tip: Append the -w option to the end of the get command to track deployment progress.
6.6. Enabling plugins for the image import workflow
You can enable plugins for the image import workflow by configuring the image_import_plugins option in the glance-image-import.conf file. The plugins do not run in parallel; they run in the order in which they appear in the image_import_plugins list.
Image conversion is enabled by default when you use Red Hat Ceph Storage as the back end for the Image service.
Procedure
1. Configure plugins in the glance-image-import.conf file. In this example, you convert the images to RAW format before you inject metadata properties.
6.6.1. Injecting metadata to control instance placement
You can enable the Inject Image Metadata plugin to apply metadata properties to images that are imported by cloud users so that instances that are launched from the images are located on specific Compute nodes.
The Inject Image Metadata plugin contains two parameters:
- ignore_user_roles is a comma-separated list of Identity service (keystone) roles that the plugin will ignore. If the user making the image import call has any of these roles, the plugin will not inject any properties into the image.
- inject is a comma-separated list of properties and values that will be injected into the image record for the imported image.
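The ordered plugin chain from the previous section and the two parameters of the Inject Image Metadata plugin, modelled together in a short Python example. This is added illustration code, not the Image service's plugin implementation: the plugins run strictly in image_import_plugins order (conversion to RAW first, metadata injection second), and injection is skipped for a user holding any role in ignore_user_roles. The config layout (a dict keyed by plugin name), the quoted "property":"value" syntax assumed for inject, and the sample property values are assumptions of this example; the conversion step only records the format change on the image record rather than converting image data.

```python
"""Added example (not the Image service's own plugin code): a minimal model
of the image import plugin chain. Plugins run in image_import_plugins order;
inject_image_metadata is skipped for users holding an ignored role."""
import re

# One "property":"value" pair, optionally followed by a comma. The quoted
# syntax is an assumption of this example.
_PAIR = re.compile(r'\s*"([^"]+)"\s*:\s*"([^"]*)"\s*(?:,|$)')


def parse_list(value):
    """Parse a comma-separated option value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_inject(value):
    """Parse the inject option into a dict; reject anything not in pair form."""
    props, pos, value = {}, 0, value.strip()
    while pos < len(value):
        match = _PAIR.match(value, pos)
        if not match:
            raise ValueError(f"malformed inject value at offset {pos}: {value[pos:]!r}")
        props[match.group(1)] = match.group(2)
        pos = match.end()
    return props


def image_conversion(image, user_roles, opts):
    """Record a conversion to the configured output format (RAW by default).
    The model only updates the record; the real plugin converts the data."""
    target = opts.get("output_format", "raw")
    if image["disk_format"] == target:
        return image
    return dict(image, disk_format=target, converted_from=image["disk_format"])


def inject_image_metadata(image, user_roles, opts):
    """Inject configured properties unless the importer holds an ignored role."""
    ignored = set(parse_list(opts.get("ignore_user_roles", "")))
    if ignored & set(user_roles):
        return image  # exempt importer: leave the record untouched
    props = dict(image.get("properties", {}))
    props.update(parse_inject(opts.get("inject", "")))
    return dict(image, properties=props)


PLUGINS = {
    "image_conversion": image_conversion,
    "inject_image_metadata": inject_image_metadata,
}


def run_import(image, user_roles, config):
    """Run the configured chain in list order; returns a new image record."""
    for name in parse_list(config["image_import_plugins"]):
        if name not in PLUGINS:
            raise KeyError(f"unknown import plugin: {name}")
        image = PLUGINS[name](image, user_roles, config.get(name, {}))
    return image


# Constructed configuration mirroring the page's example: convert to RAW,
# then inject placement properties; users with the admin role are exempt
# from injection. The property names and values are illustrative only.
EXAMPLE_CONFIG = {
    "image_import_plugins": "image_conversion, inject_image_metadata",
    "image_conversion": {"output_format": "raw"},
    "inject_image_metadata": {
        "ignore_user_roles": "admin",
        "inject": '"trait:CUSTOM_GPU":"required","hw_machine_type":"q35"',
    },
}

if __name__ == "__main__":
    upload = {"name": "user-image", "disk_format": "qcow2", "properties": {}}
    print(run_import(upload, ["member"], EXAMPLE_CONFIG))
    print(run_import(upload, ["admin"], EXAMPLE_CONFIG))
```

Running the chain for a regular user yields a RAW record carrying the injected properties; running it for a user with the admin role still converts the format but leaves the properties alone, which is the behaviour ignore_user_roles is meant to give operators who import their own images.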
Procedure
1. Open your OpenStackControlPlane CR file, openstack_control_plane.yaml, and add the following parameters to the glance template:
   - Replace <backend_name> with the name of the default back end.
   - Replace <admin> with the user roles you want the plugin to ignore.
   - Replace <property1>, <value1>, <property2>, <value2>, and so on with the properties and values that you want to inject to the image.
2. Update the control plane:
   $ oc apply -f openstack_control_plane.yaml -n openstack
3. Wait until RHOCP creates the resources related to the OpenStackControlPlane CR. Run the following command to check the status:
   $ oc get openstackcontrolplane -n openstack
   The OpenStackControlPlane resources are created when the status is "Setup complete".
   Tip: Append the -w option to the end of the get command to track deployment progress.
6.7. Enabling Image service change notifications
You can enable notifications in the Image service (glance) for various events that occur during the image lifecycle. These notifications provide telemetry data that you can use for the following:
- Auditing, troubleshooting, and monitoring operations
- Integrating with other services such as Ceilometer for metrics collection and processing
The Image service uses the RabbitMQ message broker software for notification delivery to a configured message queue. When you specify a RabbitMQ instance to use for notifications, the glance-operator automatically updates the oslo_messaging_notifications section in the 00-config.conf file. This update switches the notification driver from noop (no notifications) to messagingv2 (notifications).
To enable notifications in the Image service, you add the notificationsBusInstance parameter to the glance template in your OpenStackControlPlane custom resource (CR) file. You use this parameter to specify the RabbitMQ instance name to use for requesting a transport URL.
Procedure
1. Open your OpenStackControlPlane CR file, openstack_control_plane.yaml, and add the notificationsBusInstance parameter to the glance template:
2. Update the control plane:
   $ oc apply -f openstack_control_plane.yaml -n openstack
3. Wait until Red Hat OpenShift Container Platform (RHOCP) creates the resources related to the OpenStackControlPlane CR. Run the following command to check the status:
   $ oc get openstackcontrolplane -n openstack
   The OpenStackControlPlane resources are created when the status is "Setup complete".
   Tip: Append the -w option to the end of the get command to track deployment progress.
4. Optional: Check the 00-config.conf file to verify that the notification settings have been updated:
   Example:
   $ oc rsh -c glance-httpd <glance-default-external-api-0> grep "oslo_messaging_notifications" /etc/glance/glance.conf.d/00-config.conf -A 2
   Replace <glance-default-external-api-0> with the pod name.
   Example output:
   [oslo_messaging_notifications]
   driver=messagingv2
   transport_url = rabbit://<user>:<pwd>@rabbitmq.openstack.svc:5671/?ssl=1
You can turn off notifications by removing the notificationsBusInstance parameter from the glance template and updating the control plane.
6.8. Creating the cloudrc file
The Image service (glance) uses both openstack and glance client commands, within the openstackclient pod. When glance client commands are required, then the cloudrc file must be created on the openstackclient pod to enable their usage. Once created, the cloudrc file persists for the lifetime of the openstackclient pod.
Procedure
1. If the cloudrc file does not exist, for instance if it cannot be sourced, then use the following command to create it: