diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 507051cfc6..c33c761aa9 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -823,6 +823,8 @@ enable_glance_image_cache: "no"
 glance_backend_swift: "{{ enable_swift | bool }}"
 glance_file_datadir_volume: "glance"
 glance_enable_rolling_upgrade: "no"
+glance_enable_property_protection: "no"
+glance_enable_interoperable_image_import: "no"
 glance_api_hosts: "{{ [groups['glance-api']|first] if glance_backend_file | bool and glance_file_datadir_volume == 'glance' else groups['glance-api'] }}"
 #######################
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index 7043d74ebc..43a9e1cdbf 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -123,6 +123,36 @@
 notify:
 - Restart glance-api container
+- name: Copying over glance-image-import.conf
+ vars:
+ glance_api: "{{ glance_services['glance-api'] }}"
+ copy:
+ src: "{{ node_custom_config }}/glance/glance-image-import.conf"
+ dest: "{{ node_config_directory }}/glance-api/glance-image-import.conf"
+ mode: "0660"
+ become: true
+ when:
+ - glance_api.enabled | bool
+ - inventory_hostname in groups[glance_api.group]
+ - glance_enable_interoperable_image_import | bool
+ notify:
+ - Restart glance-api container
+
+- name: Copying over property-protections-rules.conf
+ vars:
+ glance_api: "{{ glance_services['glance-api'] }}"
+ copy:
+ src: "{{ node_custom_config }}/glance/property-protections-rules.conf"
+ dest: "{{ node_config_directory }}/glance-api/property-protections-rules.conf"
+ mode: "0660"
+ become: true
+ when:
+ - glance_api.enabled | bool
+ - inventory_hostname in groups[glance_api.group]
+ - glance_enable_property_protection | bool
+ notify:
+ - Restart glance-api container
+
 - name: Copying over existing policy file
 vars:
 glance_api: "{{ glance_services['glance-api'] }}"
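Review bot: Both new `copy` tasks in config.yml take `src` from `{{ node_custom_config }}/glance/` and are gated only on the enable flag, so setting `glance_enable_property_protection` or `glance_enable_interoperable_image_import` without supplying the file stops the play at this task with a generic copy error, after earlier config tasks have already run. Stopping is the right outcome, since `glance-api.conf.j2` points glance at the rules file on the same flag, but the check belongs up front with a message that names the missing file. A check along the lines below, placed wherever the role validates its inputs, would do it; the two copy tasks also differ only in file name and flag and could be folded into one looped task.

```yaml
- name: Checking glance custom config files are provided
  vars:
    glance_custom_file: "{{ node_custom_config }}/glance/{{ item.file }}"
  assert:
    that: glance_custom_file is file
    fail_msg: "{{ item.flag }} is enabled but {{ glance_custom_file }} does not exist"
  run_once: true
  when: lookup('vars', item.flag) | bool
  with_items:
    - file: "glance-image-import.conf"
      flag: "glance_enable_interoperable_image_import"
    - file: "property-protections-rules.conf"
      flag: "glance_enable_property_protection"
```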
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index 25ccaa72db..76968ec7ed 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -21,6 +21,10 @@ enabled_backends = {% for key in glance_store_backends %}{{ key.name }}:{{ key.t
 show_multiple_locations = True
 {% endif %}
+{% if glance_enable_property_protection | bool %}
+property_protection_file = /etc/glance/property-protections-rules.conf
+{% endif %}
+
 cinder_catalog_info = volume:cinder:internalURL
 transport_url = {{ rpc_transport_url }}
diff --git a/ansible/roles/glance/templates/glance-api.json.j2 b/ansible/roles/glance/templates/glance-api.json.j2
index bfe9cbe989..6774a6bc87 100644
--- a/ansible/roles/glance/templates/glance-api.json.j2
+++ b/ansible/roles/glance/templates/glance-api.json.j2
@@ -36,6 +36,18 @@
 "dest": "/etc/glance/glance-cache.conf",
 "owner": "glance",
 "perm": "0600"
+ }{% endif %}{% if glance_enable_interoperable_image_import | bool %},
+ {
+ "source": "{{ container_config_directory }}/glance-image-import.conf",
+ "dest": "/etc/glance/glance.conf.d/glance-image-import.conf",
+ "owner": "glance",
+ "perm": "0600"
+ }{% endif %}{% if glance_enable_property_protection | bool %},
+ {
+ "source": "{{ container_config_directory }}/property-protections-rules.conf",
+ "dest": "/etc/glance/property-protections-rules.conf",
+ "owner": "glance",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/doc/source/reference/shared-services/glance-guide.rst b/doc/source/reference/shared-services/glance-guide.rst
index 4896a50175..89b82bb6f0 100644
--- a/doc/source/reference/shared-services/glance-guide.rst
+++ b/doc/source/reference/shared-services/glance-guide.rst
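Review bot: The path `/etc/glance/property-protections-rules.conf` written in glance-api.conf.j2 is also the literal `dest` of the new entry in `glance-api.json.j2`, and nothing ties the two together; if they drift, glance-api is pointed at a rules file that was never copied into the container. A template comment above the option would make the coupling visible: `{# keep in sync with the property-protections-rules.conf "dest" in glance-api.json.j2 #}`. The template also leaves `property_protection_rule_format` unset, which the accompanying guide text says defaults to `roles`; a rules file written for a different format would presumably not be interpreted as the operator intended, so writing the format explicitly next to the file option is worth considering.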
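Review bot: The import config in glance-api.json.j2 is copied to `/etc/glance/glance.conf.d/glance-image-import.conf`, but unlike the property-protection file, no option in the visible `glance-api.conf.j2` change names it, so loading presumably depends on glance-api reading the `glance.conf.d` directory by default. That is worth confirming against the running container, because if the directory is not read the enable flag becomes a silent no-op and operators will believe their import plugin settings are active. A sentence in the guide stating how the file is picked up would also help. Both new entries are `0600` and owned by `glance`, which matches the neighbouring cache config entry.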
@@ -146,3 +146,32 @@ Glance caches are not cleaned up automatically, the glance team recommends to use a cron service to regularly clean cached images. In the future kolla will deploy a cron container to manage such clean ups. Please refer to :glance-doc:`Glance image cache `. + +Property protection +~~~~~~~~~~~~~~~~~~~ + +`Property protection `_ +is disabled by default, it can be enabled by: + +.. code-block:: yaml + + glance_enable_property_protection: "yes" + + +and defining ``property-protections-rules.conf`` under +``{{ node_custom_config }}/glance/``. The default +``property_protection_rule_format`` is ``roles`` but it can be overwritten. + + +Interoperable image import +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The `interoperable image import `_ +is disabled by default, it can be enabled by: + +.. code-block:: yaml + + glance_enable_interoperable_image_import: "yes" + +and defining ``glance-image-import.conf`` under +``{{ node_custom_config }}/glance/``. diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 4d5348728e..83de76644a 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -430,6 +430,8 @@ #glance_backend_swift: "no" #glance_backend_vmware: "no" #enable_glance_image_cache: "no" +#glance_enable_property_protection: "no" +#glance_enable_interoperable_image_import: "no" # Configure glance upgrade option. # Due to this feature being experimental in glance, # the default value is "no". diff --git a/releasenotes/notes/bug-1889272-c929d21a94d657fa.yaml b/releasenotes/notes/bug-1889272-c929d21a94d657fa.yaml new file mode 100644 index 0000000000..0b68311040 --- /dev/null +++ b/releasenotes/notes/bug-1889272-c929d21a94d657fa.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Add functionality to the glance role to add extra config file for image + property protection and interoperable image import + `LP#1889272 `__