Coverage for nova/conf/glance.py: 92%

13 statements  


1# All Rights Reserved. 

2# 

3# Licensed under the Apache License, Version 2.0 (the "License"); you may 

4# not use this file except in compliance with the License. You may obtain 

5# a copy of the License at 

6# 

7# http://www.apache.org/licenses/LICENSE-2.0 

8# 

9# Unless required by applicable law or agreed to in writing, software 

10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 

11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 

12# License for the specific language governing permissions and limitations 

13# under the License. 

14 

15from keystoneauth1 import loading as ks_loading 

16from oslo_config import cfg 

17 

18from nova.conf import utils as confutils 

19 

20 

# Service type handed to the keystoneauth adapter option helpers used by
# register_opts() and list_opts() in this module.
DEFAULT_SERVICE_TYPE = 'image'

# The option group that holds every option defined in this module.
glance_group = cfg.OptGroup(
    name='glance',
    title='Glance Options',
    help='Configuration options for the Image service',
)

27 

# Options that register_opts() places in the ``glance`` group. Several of
# them decide how much nova trusts image data fetched from the Image
# service, so the defaults below deserve a review in any hardened deployment.
glance_opts = [
    # NOTE(sdague/efried): there is intentionally no default here. This
    # requires configuration if ksa adapter config is not used.
    # Security note: this is a plain ListOpt, so no scheme check is visible
    # here, and the help text itself shows an "http://" example. An http
    # endpoint carries image data without transport protection; the help
    # names https as the form for ssl-based servers.
    cfg.ListOpt('api_servers',
        deprecated_for_removal=True,
        deprecated_since='21.0.0',
        deprecated_reason="""
Support for image service configuration via standard keystoneauth1 Adapter
options was added in the 17.0.0 Queens release. The api_servers option was
retained temporarily to allow consumers time to cut over to a real load
balancing solution.
""",
        help="""
List of glance api servers endpoints available to nova.

https is used for ssl-based glance api servers.

NOTE: The preferred mechanism for endpoint discovery is via keystoneauth1
loading options. Only use api_servers if you need multiple endpoints and are
unable to use a load balancer for some reason.

Possible values:

* A list of any fully qualified url of the form "scheme://hostname:port[/path]"
  (i.e. "http://10.0.1.0:9292" or "https://my.glance.server/image").
"""),
    # min=0 rejects negative retry counts at configuration-parse time.
    cfg.IntOpt('num_retries',
        default=3,
        min=0,
        help="""
Enable glance operation retries.

Specifies the number of retries when uploading / downloading
an image to / from glance. 0 means no retries.
"""),
    # Security note: defaults to False, so image signatures are not checked
    # unless the operator opts in. Per the help text, the two certificate
    # options that follow have no effect while this stays disabled.
    cfg.BoolOpt('verify_glance_signatures',
        default=False,
        help="""
Enable image signature verification.

nova uses the image signature metadata from glance and verifies the signature
of a signed image while downloading that image. If the image signature cannot
be verified or if the image signature metadata is either incomplete or
unavailable, then nova will not boot the image and instead will place the
instance into an error state. This provides end users with stronger assurances
of the integrity of the image data they are using to create servers.

Related options:

* The options in the `key_manager` group, as the key_manager is used
  for the signature validation.
* Both enable_certificate_validation and default_trusted_certificate_ids
  below depend on this option being enabled.
"""),
    # Security note: also defaults to False. Per the help text, signature
    # verification without certificate validation gives no assurance that
    # the signing certificate is still trustworthy, so the two options are
    # meant to be enabled together.
    cfg.BoolOpt('enable_certificate_validation',
        default=False,
        deprecated_for_removal=True,
        deprecated_since='16.0.0',
        deprecated_reason="""
This option is intended to ease the transition for deployments leveraging
image signature verification. The intended state long-term is for signature
verification and certificate validation to always happen together.
""",
        help="""
Enable certificate validation for image signature verification.

During image signature verification nova will first verify the validity of the
image's signing certificate using the set of trusted certificates associated
with the instance. If certificate validation fails, signature verification
will not be performed and the instance will be placed into an error state. This
provides end users with stronger assurances that the image data is unmodified
and trustworthy. If left disabled, image signature verification can still
occur but the end user will not have any assurance that the signing
certificate used to generate the image signature is still trustworthy.

Related options:

* This option only takes effect if verify_glance_signatures is enabled.
* The value of default_trusted_certificate_ids may be used when this option
  is enabled.
"""),
    # Empty by default. Per the help text, a list supplied with the instance
    # API request overrides this value, and validation fails when both are
    # empty while certificate validation is enabled.
    cfg.ListOpt('default_trusted_certificate_ids',
        default=[],
        help="""
List of certificate IDs for certificates that should be trusted.

May be used as a default list of trusted certificate IDs for certificate
validation. The value of this option will be ignored if the user provides a
list of trusted certificate IDs with an instance API request. The value of
this option will be persisted with the instance data if signature verification
and certificate validation are enabled and if the user did not provide an
alternative list. If left empty when certificate validation is enabled the
user must provide a list of trusted certificate IDs otherwise certificate
validation will fail.

Related options:

* The value of this option may be used if both verify_glance_signatures and
  enable_certificate_validation are enabled.
"""),
    # Switches image download from the Glance HTTP API to direct RBD access.
    # The four rbd_* options below are documented as used only when this is
    # True.
    # NOTE(review): whether signature verification still applies on the RBD
    # download path is not visible from this file; confirm against the
    # download code before relying on it.
    cfg.BoolOpt('enable_rbd_download',
        default=False,
        help="""
Enable Glance image downloads directly via RBD.

Allow non-rbd computes using local storage to download and cache images from
Ceph via rbd rather than the Glance API via http.

.. note:: This option should only be enabled when the compute itself is not
          also using Ceph as a backing store. For example with the libvirt
          driver it should only be enabled when
          :oslo.config:option:`libvirt.images_type` is not set to ``rbd``.

Related options:

* :oslo.config:option:`glance.rbd_user`
* :oslo.config:option:`glance.rbd_connect_timeout`
* :oslo.config:option:`glance.rbd_pool`
* :oslo.config:option:`glance.rbd_ceph_conf`
* :oslo.config:option:`libvirt.images_type`
"""),
    # Defaults to the empty string.
    # NOTE(review): the RADOS client named here presumably needs only read
    # access to the image pool; confirm its Ceph capabilities are scoped
    # accordingly.
    cfg.StrOpt('rbd_user',
        default='',
        help="""
The RADOS client name for accessing Glance images stored as rbd volumes.

Related options:

* This option is only used if :oslo.config:option:`glance.enable_rbd_download`
  is set to ``True``.
"""),
    # No min= bound is declared here, unlike num_retries above.
    cfg.IntOpt('rbd_connect_timeout',
        default=5,
        help="""
The RADOS client timeout in seconds when initially connecting to the cluster.

Related options:

* This option is only used if :oslo.config:option:`glance.enable_rbd_download`
  is set to ``True``.
"""),
    cfg.StrOpt('rbd_pool',
        default='',
        help="""
The RADOS pool in which the Glance images are stored as rbd volumes.

Related options:

* This option is only used if :oslo.config:option:`glance.enable_rbd_download`
  is set to ``True``.
"""),
    # A filesystem path taken verbatim from configuration (plain StrOpt).
    cfg.StrOpt('rbd_ceph_conf',
        default='',
        help="""
Path to the ceph configuration file to use.

Related options:

* This option is only used if :oslo.config:option:`glance.enable_rbd_download`
  is set to ``True``.

"""),

    # NOTE(review): confirm what glanceclient writes at debug level (request
    # headers, tokens) before enabling this where logs are widely readable.
    cfg.BoolOpt('debug',
        default=False,
        help='Enable or disable debug logging with glanceclient.')
]

195 

# Maps keystoneauth option names to the legacy option names that are still
# accepted for them: ``insecure`` was ``api_insecure`` in the ``glance``
# group, and the three TLS file options came from the ``ssl`` group.
# Handed to the confutils helpers as ``deprecated_opts``.
# NOTE(review): ``insecure`` presumably turns off TLS certificate
# verification for Image service requests; a leftover ``api_insecure``
# setting in an old config file would still feed it through this alias.
# Confirm, and check deployed configs for it.
deprecated_ksa_opts = {
    'insecure': [cfg.DeprecatedOpt('api_insecure', group=glance_group.name)],
    'cafile': [cfg.DeprecatedOpt('ca_file', group="ssl")],
    'certfile': [cfg.DeprecatedOpt('cert_file', group="ssl")],
    'keyfile': [cfg.DeprecatedOpt('key_file', group="ssl")],
}

202 

203 

def register_opts(conf):
    """Register the ``glance`` group and all of its options on *conf*.

    The group and the module's own ``glance_opts`` are registered first.
    The keystoneauth options for ``DEFAULT_SERVICE_TYPE`` are then added to
    the same group through ``confutils.register_ksa_opts``.

    :param conf: the configuration object to register on; it must provide
        ``register_group`` and ``register_opts``.
    """
    conf.register_group(glance_group)
    conf.register_opts(glance_opts, group=glance_group)

    # include_auth=False is forwarded unchanged. Presumably the helper then
    # skips auth-plugin options for this group; confirm in nova.conf.utils.
    # The deprecated aliases keep legacy names such as ``api_insecure``
    # working.
    ksa_kwargs = {
        'include_auth': False,
        'deprecated_opts': deprecated_ksa_opts,
    }
    confutils.register_ksa_opts(
        conf, glance_group, DEFAULT_SERVICE_TYPE, **ksa_kwargs)

211 

212 

def list_opts():
    """Return every option of the ``glance`` group, keyed by the group.

    The single value is ``glance_opts`` followed by the keystoneauth session
    options and the keystoneauth adapter options for
    ``DEFAULT_SERVICE_TYPE``. The adapter options carry the deprecated
    aliases from ``deprecated_ksa_opts``.

    :returns: a one-entry dict mapping ``glance_group`` to the combined
        list of options.
    """
    session_opts = ks_loading.get_session_conf_options()
    adapter_opts = confutils.get_ksa_adapter_opts(
        DEFAULT_SERVICE_TYPE, deprecated_opts=deprecated_ksa_opts)
    return {glance_group: glance_opts + session_opts + adapter_opts}