[MIR]glance

- glance/common/config.py find_config_file() should not load config files from "." (e.g. imagine doing "sudo apt-get install glace" from /tmp and being surprised that ./glance-registry.conf gets loaded during the postinst, writing to arbitrary locations for SQL and logs)
- I don't see any packaging that replaces the "swift_store_key" or similar items in the default configs.
- packaging lacks a "purge" target that will clean up the added "glance" user from the glance.postinst
- should use SSL by default
- glance/common/utils.py creates dangerous "execute" function that uses the shell to run commands without filtering meta characters. Luckily nothing uses it's only user, fetchfile(). These should both be removed, along with the unused runthis().
- is the POSTed image data actually used? I can't find many references to "image_data"

Thanks for the review Kees. I have raised separate bugs for those identified:
bug 828719 - glance/common/config.py find_config_file() loads config files from "."
bug 828721 - When purged, the glance user is not removed
bug 829063 - should use SSL by default
bug 829064 - glance/common/utils.py creates dangerous "execute" function that uses the shell to run commands without filtering meta characters

"I don't see any packaging that replaces the "swift_store_key" or similar items in the default configs." -- is still being investigated, thanks.

Hi Kees,

"glance/common/utils.py creates dangerous "execute""

That function isn't used anywhere in the Glance source code. It can be removed; it was copies from early Nova source...

-jay

re: "is the POSTed image data actually used? I can't find many references to "image_data""

Not sure what you mean here. Glance passes storage of virtual disk images off to one of several backends. It doesn't execute/boot the virtual disk image; it merely stores it.

re: "should use SSL by default"

Not sure I agree with this... this is entirely dependent on the deployment environment. If you turn on SSL by default, environments that use Glance, say, behind a firewall, will unnecessarily turn on SSL. Turning on SSL has implications for caching (neither Squid nor Varnish can cache anything if HTTPS is used IIRC.

-jay

It strikes me that there doesn't seem to be a way to make the CLI client or server use SSL, though the internal API's have some options for it. So really we can't make it use SSL at all, much less by default.

Kees, is that a hard requirement for main inclusion, or can we mark it as wishlist?

It seems like running this over an open network without SSL would result in all of man-in-the-middle potential, credential theft, image changing, etc. Is there something I'm missing about this? It seems like a rather critical service to run without SSL.

SSL support is on the roadmap before release:
https://launchpad.net/glance/+milestone/diablo-rbp

recent upload ftbfs:

https://launchpad.net/ubuntu/+source/glance/2011.3~rc~20110831.1002-0ubuntu1

Thanks for pointing that out doko, it got hit by a recent python-greenlet change. Builds fine now.

I've been asked to comment on whether the lack of SSL for glance communications is blocking the MIR. Looking at the architecture documents for Nova and Glance, it seems like glance is typically not going to be used across an open network, but instead as a sort of backend for nova-compute and nova-api. As such, user facing tools like the dashboard or EC2/OpenStack API are all that would be used over the open network, and those should be designed for use in that scenario (and not relevant to this MIR). If this assumption about glance operating in a protected, private network is true, then the lack of SSL for glance-api and glance-registry communications should not be a blocker. It is highly recommended that SSL communications to glance-api and glance-registry be supported, especially in time for 12.04 LTS, and it is my understanding that is in the works.

I would like for our documentation to reflect that glance should be run on a private, trusted network at this time. Can the server team file a bug for this (whether it is in the server manual and/or the technical overview for oneiric doesn't matter to me)? Assuming we document this and the bugs for the issues Kees brought up are addressed, feel free to promote.

I see that Thierry mentioned SSL support is forthcoming, is this in a bug somewhere (sorry, I was unable to find it).

Yes:

https://bugs.launchpad.net/ubuntu/+source/glance/+bug/829063

2011-09-23 11:08:04 INFO Override Component to: 'main'
2011-09-23 11:08:04 INFO 'glance - 2011.3-0ubuntu1/universe/net' source overridden
2011-09-23 11:08:04 INFO 'glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/amd64
2011-09-23 11:08:04 INFO 'glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/armel
2011-09-23 11:08:04 INFO 'glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/i386
2011-09-23 11:08:05 INFO 'glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/powerpc
2011-09-23 11:08:05 INFO 'python-glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/amd64
2011-09-23 11:08:05 INFO 'python-glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/armel
2011-09-23 11:08:05 INFO 'python-glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/i386
2011-09-23 11:08:05 INFO 'python-glance-2011.3-0ubuntu1/universe/python/EXTRA' binary overridden in oneiric/powerpc
2011-09-23 11:08:05 INFO 'python-glance-doc-2011.3-0ubuntu1/universe/doc/EXTRA' binary overridden in oneiric/amd64
2011-09-23 11:08:05 INFO 'python-glance-doc-2011.3-0ubuntu1/universe/doc/EXTRA' binary overridden in oneiric/armel
2011-09-23 11:08:05 INFO 'python-glance-doc-2011.3-0ubuntu1/universe/doc/EXTRA' binary overridden in oneiric/i386
2011-09-23 11:08:05 INFO 'python-glance-doc-2011.3-0ubuntu1/universe/doc/EXTRA' binary overridden in oneiric/powerpc