Hi Srujana,
If setting location for file were re-enabled and someone did this for example:
glance image-create --name=<image-name> --is-public=true
--container-format=<container-format> --disk-format=qcow2
--location=file://etc/glance/glance-api.conf
they would subsequently be able to download the glance configuration file --
which potentially contains things such as your mysql password,
swift admin user password etc. Similary they could specify any file on the
glance server and would be able to download it (provided the
process running the glance-api has permissions to read it).
This may be too big a security risk.
-Stuart
On Tue, 1 Oct 2013, Srujana C P wrote:
Hi Stuart,
Thanks for the immediate response.
We need to refer file store for the image content without copying into
configured glance image store. So, we would like to specify the source via
location attribute while creating an image.
Command: glance image-create --name=<image-name> --is-public=true
--container-format=<container-format> --disk-format=qcow2 --location=<some-location>
We found following are the supported non-local store types.
1. S3
2. Swift
3. Http
4. Rbd
5. Sheepdog
6. Cinder
But we need to have file as a reference store.
Regards,
Srujana C P
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 01, 2013 5:18 PM
To: Srujana C P
Cc: [email protected]
Subject: Re: [Openstack] [openstack][glance]glance image location
Hi Srujana,
From looking at the source I think 'file' is disallowed only for image uploads
using the mechanisms where you specify either a location or copy_from (ie where
you do not include the image bytes in your request). This is to prevent users
accessing arbitrary files on the glance server.
For standard image uploads (where you include the image data in the request)
the 'file' backend should work as is I think.
-Stuart
On Tue, 1 Oct 2013, Srujana C P wrote:
Hello All,
We have a requirement wherein we want to access stored images as
file:// URIs. However, we have noticed that file:// option has been removed for
security reasons. It is mentioned in
usr/lib/python2.6/site-packages/glance/api/v1/images.py .
References :
Line number : 380
https://github.com/openstack/glance/blob/master/glance/api/v1/images.p
y
Launchpad : bug #942118
We are planning to include a configurable parameter in glance.conf and a flag
in openstack python code, which enables the usage of file option according to
configurable parameter. Can we go ahead with this ?
Thanks,
Srujana C P
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the
property of Persistent Systems Ltd. It is intended only for the use of the
individual or entity to which it is addressed. If you are not the intended
recipient, you are not authorized to read, retain, copy, print, distribute or
use this message. If you have received this communication in error, please
notify the sender and delete all copies of this message. Persistent Systems
Ltd. does not accept any liability for virus infected mails.
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the
property of Persistent Systems Ltd. It is intended only for the use of the
individual or entity to which it is addressed. If you are not the intended
recipient, you are not authorized to read, retain, copy, print, distribute or
use this message. If you have received this communication in error, please
notify the sender and delete all copies of this message. Persistent Systems
Ltd. does not accept any liability for virus infected mails.
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
