Last active
December 14, 2015 10:19
-
-
Save vkmc/5071491 to your computer and use it in GitHub Desktop.
Private images, members and tenants
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| So, here are my tenant list... I'll be playing around with admin and demo | |
| [vkmc@thermalx2 ~]$ keystone tenant-list | |
| +----------------------------------+--------------------+---------+ | |
| | id | name | enabled | | |
| +----------------------------------+--------------------+---------+ | |
| | 2b3a40fe165d4a4aa6ac6ec2694bbaba | admin * | True | | |
| | f22c5f491c174eb0b33a6ed0ccdf3995 | alt_demo | True | | |
| | 9fa49fa0c1964636a40e8a5ce9e65401 | demo * | True | | |
| | 5a7b918b5ff6480daf4b8fd394bcd15c | invisible_to_admin | True | | |
| | a85bf53fddd74d22a29d791f0a8a1ceb | service | True | | |
| +----------------------------------+--------------------+---------+ | |
| I've added the CentOS image from admin. CentOS is a private image, so when default is OS_TENANT_NAME=demo and we try to list images, CentOS won't pop up | |
| [vkmc@thermalx2 ~]$ glance image-list | |
| +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+ | |
| | ID | Name | Disk Format | Container Format | Size | Status | | |
| +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+ | |
| | cb279e2e-31c3-4e41-af8b-c514cc38585b | cirros-0.3.1-x86_64-uec | ami | ami | 25165824 | active | | |
| | 9370bf96-86f6-44e4-8741-8dbb26a55675 | cirros-0.3.1-x86_64-uec-kernel | aki | aki | 4955792 | active | | |
| | 16046707-963d-4053-bef3-eb6b11c24e6c | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active | | |
| +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+ | |
| Now, if we change OS_TENANT_NAME=admin, we can see there it is | |
| [vkmc@thermalx2 ~]$ glance --os-tenant-id=2b3a40fe165d4a4aa6ac6ec2694bbaba image-list | |
| +--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+ | |
| | ID | Name | Disk Format | Container Format | Size | Status | | |
| +--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+ | |
| | 80ffa232-095a-4bb9-8ee9-b341942ef08f | CentOS | qcow2 | bare | 557121536 | active | | |
| | cb279e2e-31c3-4e41-af8b-c514cc38585b | cirros-0.3.1-x86_64-uec | ami | ami | 25165824 | active | | |
| | 9370bf96-86f6-44e4-8741-8dbb26a55675 | cirros-0.3.1-x86_64-uec-kernel | aki | aki | 4955792 | active | | |
| | 16046707-963d-4053-bef3-eb6b11c24e6c | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active | | |
| +--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+ | |
| But, wait, previously I've been playing with members. Our beloved image CentOS have two members... admin and demo. | |
| According membership definition right here http://docs.openstack.org/developer/glance/glanceapi.html#add-a-member-to-an-image, you add a tenant as member of an image if you *want to authorize a tenant to access a private image*. | |
| So, why it didn't show up when I list all the images? | |
| [vkmc@thermalx2 ~]$ glance member-list --image-id 80ffa232-095a-4bb9-8ee9-b341942ef08f | |
| +--------------------------------------+----------------------------------+-----------+ | |
| | Image ID | Member ID | Can Share | | |
| +--------------------------------------+----------------------------------+-----------+ | |
| | 80ffa232-095a-4bb9-8ee9-b341942ef08f | 2b3a40fe165d4a4aa6ac6ec2694bbaba | | (admin) | |
| | 80ffa232-095a-4bb9-8ee9-b341942ef08f | 9fa49fa0c1964636a40e8a5ce9e65401 | | (demo) | |
| +--------------------------------------+----------------------------------+-----------+ | |
| Here is associated metadata to the CentOS image. | |
| [vkmc@thermalx2 ~]$ glance image-show 80ffa232-095a-4bb9-8ee9-b341942ef08f (CentOS) | |
| +------------------+--------------------------------------+ | |
| | Property | Value | | |
| +------------------+--------------------------------------+ | |
| | checksum | 78f76fcb3bf2708ad47b754c289d57bd | | |
| | container_format | bare | | |
| | created_at | 2013-03-02T13:47:41 | | |
| | deleted | False | | |
| | disk_format | qcow2 | | |
| | id | 80ffa232-095a-4bb9-8ee9-b341942ef08f | | |
| | is_public | False | | |
| | min_disk | 0 | | |
| | min_ram | 0 | | |
| | name | CentOS | | |
| | owner | 2b3a40fe165d4a4aa6ac6ec2694bbaba | (admin) | |
| | protected | False | | |
| | size | 557121536 | | |
| | status | active | | |
| | updated_at | 2013-03-02T14:55:12 | | |
| +------------------+--------------------------------------+ | |
| Obviously the members idea is not behaving as expected. | |
| My concern: What happens... if we delete the tenant that *owns* the image and that image is private? Kaboom! | |
| Let's try it | |
| Delete admin tenant... | |
| [vkmc@thermalx2 ~]$ keystone tenant-delete 2b3a40fe165d4a4aa6ac6ec2694bbaba | |
| Check that it's deleted | |
| [vkmc@thermalx2 ~]$ keystone tenant-list | |
| +----------------------------------+--------------------+---------+ | |
| | id | name | enabled | | |
| +----------------------------------+--------------------+---------+ | |
| | f22c5f491c174eb0b33a6ed0ccdf3995 | alt_demo | True | | |
| | 9fa49fa0c1964636a40e8a5ce9e65401 | demo | True | | |
| | 5a7b918b5ff6480daf4b8fd394bcd15c | invisible_to_admin | True | | |
| | a85bf53fddd74d22a29d791f0a8a1ceb | service | True | | |
| +----------------------------------+--------------------+---------+ | |
| Show image metadata | |
| [vkmc@thermalx2 ~]$ glance image-show 80ffa232-095a-4bb9-8ee9-b341942ef08f | |
| +------------------+--------------------------------------+ | |
| | Property | Value | | |
| +------------------+--------------------------------------+ | |
| | checksum | 78f76fcb3bf2708ad47b754c289d57bd | | |
| | container_format | bare | | |
| | created_at | 2013-03-02T13:47:41 | | |
| | deleted | False | | |
| | disk_format | qcow2 | | |
| | id | 80ffa232-095a-4bb9-8ee9-b341942ef08f | | |
| | is_public | False | | |
| | min_disk | 0 | | |
| | min_ram | 0 | | |
| | name | CentOS | | |
| | owner | 2b3a40fe165d4a4aa6ac6ec2694bbaba | | |
| | protected | False | | |
| | size | 557121536 | | |
| | status | active | | |
| | updated_at | 2013-03-02T14:55:12 | | |
| +------------------+--------------------------------------+ | |
| It looks like we have a private image orphan... inaccessible and consuming resources. | |
| Apparently, images are not that independent of tenants as thought in the first place. | |
| So, if there are private images and member list is not updated on creation, we won’t be able to delete them on tenant deletion. | |
| Ideas to solve this | |
| - Implement --tenant-id when listing images and list all the images, including private ones | |
| - Add the tenant as a member on the image/snapshot creation for later removal, and remove the image/snapshot only if the list has one entry and that entry is the tenant to be removed. This can be done on Horizon, but I think it's better if this is added in Glance. I guess that if a tenant owns an image, it should be listed in members list. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment