From 93e45c3b2c0a25c1c1bcb8477f337e686e62e8e9 Mon Sep 17 00:00:00 2001
From: Gorka Eguileor
Date: Wed, 30 Aug 2023 16:23:56 +0200
Subject: [PATCH 1/2] Allow cloning when glance uses cinder as backend

When Glance use Cinder as a backend we want create volume from image to be more efficient and clone the original glance volume where the image is instead of downloading the Glance image to local disk and then copy the data to the new volume. For that we need to tell Cinder that it's OK to do that with the Cinder volumes using the `allowed_direct_url_schemes` configuration option.
---
 templates/cinder/config/00-config.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/cinder/config/00-config.conf b/templates/cinder/config/00-config.conf
index 6d887ef4..1355bff6 100644
--- a/templates/cinder/config/00-config.conf
+++ b/templates/cinder/config/00-config.conf
@@ -6,6 +6,7 @@ auth_strategy = keystone
 # For now rely on checking the catalog info
 # glance_api_servers=http://glanceapi.openstack.svc:9292/
 glance_catalog_info = image:glance:internalURL
+allowed_direct_url_schemes = cinder
 storage_availability_zone = nova
 default_availability_zone = nova
 # TODO: should we create our own default type?

From 03d26475989961f7a4ae5d28d01002a83c8bb3cf Mon Sep 17 00:00:00 2001
From: Gorka Eguileor
Date: Wed, 30 Aug 2023 16:34:35 +0200
Subject: [PATCH 2/2] Make keystone check the service tokens

When Cinder receives a service token in the header KeyStone middleware checks that the token is valid, but it doesn't automatically check that the role of the token is actually that of a service, for that it needs to be explicitly told so. This patch instructs KeyStone middleware to check the role of the service token when it is present in a request using the `service_token_roles_required` configuration option.
---
 templates/cinder/config/00-config.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
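Review bot: `allowed_direct_url_schemes = cinder` in the first patch's hunk (`@@ -6,6 +6,7 @@`) is added without a comment, although it changes what Cinder trusts: instead of copying image bytes it acts on the `cinder://` location that Glance reports for an image. Whether that is safe depends on settings this template does not show, namely who may set or read image locations on the Glance side, so I would state the dependency next to the option, e.g. `# Clone from cinder:// image locations; Glance must restrict who can set image locations`. The option is also set unconditionally here; if deployments with a non-Cinder Glance store render the same template, confirm that enabling the scheme there is intended.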
diff --git a/templates/cinder/config/00-config.conf b/templates/cinder/config/00-config.conf
index 1355bff6..f3565f63 100644
--- a/templates/cinder/config/00-config.conf
+++ b/templates/cinder/config/00-config.conf
@@ -63,7 +63,7 @@ user_domain_name = Default
 project_name = service
 username = {{ .ServiceUser }}
 password = {{ .ServicePassword }}
-#service_token_roles_required = true
+service_token_roles_required = true
 interface = internal
 [nova]
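Review bot: `service_token_roles_required = true` now enforces a role check, but the role list it checks is left to the keystonemiddleware default of `service_token_roles`; I would set it explicitly on the next line, `service_token_roles = service`, so the accepted role is visible in the template and does not move with a library default. The section header is outside the hunk, so this assumes the line sits under `[keystone_authtoken]`. The service users whose tokens reach Cinder need to hold that role or their service tokens will stop being accepted; that assignment happens outside this file and is worth confirming before merge.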