Public bug reported:

When Glance tries to delete an image from the RBD/Ceph backend, it checks if any children exist for that image (see https://opendev.org/openstack/glance_store/src/branch/master/glance_store/_drivers/rbd.py#L459).

However, if we create a volume from an image, the children are part of the 'volumes' pool. If we follow the Glance setup guide, we only grant permissions for the 'images' pool, but not for the 'volumes' pool (see https://docs.openstack.org/glance/latest/configuration/configuring.html#configuring-the-rbd-storage-backend). This causes image deletion to fail with an internal server error due to missing permissions:

    rbd.PermissionError: [errno 1] RBD permission error (error listing children.)

To circumvent this issue, the glance client requires read access on the 'volumes' pool. There may also be more finely tuned permissions that allow glance to check for existing children, which I am not aware of. Either way, the documentation should reflect this.

** Affects: glance
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2045158

Title:
  Glance requires read permissions on RBD volumes pool to check for children

Status in Glance:
  New
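An added example, not part of the bug report or of Glance's code: a small audit helper that reads a client's OSD caps string (as printed by `ceph auth get`) and reports which pools holding image children it cannot read. The function names and sample caps strings are constructed; it assumes `pool=NAME` syntax and treats `profile rbd`, `profile rbd-read-only`, and any `allow` grant containing `r` as read access. Whether that is the minimum needed to list children is not established by the report.

```python
import re

# Ceph cap profiles that include read access to RBD images in their pool.
READ_PROFILES = {"rbd", "rbd-read-only"}


def pools_with_read(osd_caps):
    """Return the pools an OSD caps string grants read on ('*' = every pool)."""
    pools = set()
    for grant in osd_caps.split(","):
        tokens = grant.split()
        if len(tokens) < 2:
            continue
        kind, what = tokens[0], tokens[1]
        if kind == "profile":
            readable = what in READ_PROFILES
        elif kind == "allow":
            # 'allow *' or a plain rwx string containing 'r';
            # 'class-read' alone is not counted as pool read.
            readable = what == "*" or (
                re.fullmatch(r"[rwx]+", what) is not None and "r" in what
            )
        else:
            readable = False
        if not readable:
            continue
        rest = tokens[2:]
        # A grant narrowed to an object prefix is not read on the whole pool.
        if any(t.startswith("object_prefix") for t in rest):
            continue
        scope = dict(t.split("=", 1) for t in rest if "=" in t)
        pools.add(scope.get("pool", "*"))
    return pools


def missing_read(osd_caps, child_pools):
    """List the pools in child_pools that the caps string cannot read."""
    readable = pools_with_read(osd_caps)
    if "*" in readable:
        return []
    return [p for p in child_pools if p not in readable]


if __name__ == "__main__":
    # Constructed caps: a client limited to 'images', then one with added read on 'volumes'.
    images_only = "profile rbd pool=images"
    with_volumes = "profile rbd pool=images, profile rbd-read-only pool=volumes"
    for caps in (images_only, with_volumes):
        print(caps, "->", missing_read(caps, ["images", "volumes"]) or "ok")
```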

