Recently I needed to make a Glance image available to a specific user but not make it public. In this example, an image needed to be available only to the services tenant and the owner. There’s a facility for this inside the native Glance CLI client tool called glance member-create. It works by associating with the image a list of tenants who can access it.
Obtain the ID and Info of your Image
# glance image-list
+--------------------------------------+----------------------+-------------+------------------+------------+--------+
| ID                                   | Name                 | Disk Format | Container Format | Size       | Status |
+--------------------------------------+----------------------+-------------+------------------+------------+--------+
| 194b15f1-b8cb-4c67-90df-19771e85e03d | centos6              | qcow2       | bare             | 1151533056 | active |
| 5e60cdfd-d6a5-47bb-8b8a-b2bd7f7177f1 | centos7              | qcow2       | bare             | 1004994560 | active |
| 5cc06ee6-10ea-4696-87e4-e9ef0c0691ce | cirros               | qcow2       | bare             | 9761280    | active |
| 2189d1bb-36e9-4989-a59a-800ad95e10d4 | fedora21             | qcow2       | bare             | 158443520  | active |
| d281ed21-e336-4842-a56a-7274e8ca3a85 | fedora22             | qcow2       | bare             | 228599296  | active |
| c6afa1cf-72c2-407c-87e6-8d5c76b82dce | manila-service-image | qcow2       | bare             | 320733184  | active |
| acd08d90-91a3-4488-9990-728f91eb0d95 | opensuse13.2         | qcow2       | bare             | 411755008  | active |
| cb6b7936-d2c5-4901-8678-c88b3a6ed84c | ubuntu14.04-LTS      | qcow2       | bare             | 258540032  | active |
| 66a14661-2dfb-4370-b6d4-87aaefcffdce | ubuntu15.10          | qcow2       | bare             | 288752128  | active |
+--------------------------------------+----------------------+-------------+------------------+------------+--------+
Query Your Image for more Detail
Obtain the owner of the image, just to make sure it needs modifying with glance member-create.
# glance --os-image-api-version 1 image-show c6afa1cf-72c2-407c-87e6-8d5c76b82dce
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | fe8868345ff35508f58e1f1518c17413     |
| container_format | bare                                 |
| created_at       | 2015-05-14T18:58:46.000000           |
| deleted          | False                                |
| disk_format      | qcow2                                |
| id               | c6afa1cf-72c2-407c-87e6-8d5c76b82dce |
| is_public        | True                                 |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | manila-service-image                 |
| owner            | 974209cea9c3402e977120b5d02d500b     |
| protected        | False                                |
| size             | 320733184                            |
| status           | active                               |
| updated_at       | 2015-05-14T19:17:55.000000           |
+------------------+--------------------------------------+
Update the Image
Note the image owner ID above. If it doesn’t match the user we want to share the image with, we’ll need to modify it.
# keystone tenant-list | egrep "974209cea9c3402e977120b5d02d500b|services"
| 974209cea9c3402e977120b5d02d500b | admin | True |
| f68e039b76a6462aa4a622d9308c0bfd | services | True |
Share Image with the Tenant
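We’re going to be sharing this image with the services tenant. The --can-share flag also allows that tenant to share the image onward with other tenants; leave it off if the member should only be able to use the image.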
# glance member-create --can-share c6afa1cf-72c2-407c-87e6-8d5c76b82dce f68e039b76a6462aa4a622d9308c0bfd
Mark Image as Private
Since we want only the existing owner and the services tenant to have access, now mark the image as private.
# glance image-update c6afa1cf-72c2-407c-87e6-8d5c76b82dce --is-public False
Query Image Again
You should see that the services tenant has access to the image.
# glance member-list --image-id c6afa1cf-72c2-407c-87e6-8d5c76b82dce
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| c6afa1cf-72c2-407c-87e6-8d5c76b82dce | f68e039b76a6462aa4a622d9308c0bfd | True      |
+--------------------------------------+----------------------------------+-----------+
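To confirm the end state of the steps above without reading the tables by eye, the following added example (not part of the original post or of the Glance client) parses saved image-show and member-list output and checks that the image is private and that every member is on an expected allow-list. The function names and the allow-list arguments are assumptions, and the sample tables are trimmed from the output shown in this post.

```bash
# Added example: audit saved glance v1 CLI tables (image-show, member-list).
# Function names and allow-list arguments are assumptions of this sketch.

# image_prop KEY: print the Value cell for KEY from image-show output on stdin.
image_prop() {
    awk -F'|' -v key="$1" 'NF >= 4 {
        k = $2; v = $3
        gsub(/^ +| +$/, "", k); gsub(/^ +| +$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# image_members: print "member_id can_share" per data row of member-list output.
image_members() {
    awk -F'|' 'NF >= 5 {
        m = $3; c = $4
        gsub(/^ +| +$/, "", m); gsub(/^ +| +$/, "", c)
        if (m != "Member ID") print m, c
    }'
}

# audit_image SHOW_TEXT MEMBERS_TEXT ALLOWED_TENANT_ID...
# Returns 0 only if the image is private and every member is on the allow-list.
audit_image() {
    show=$1; members=$2; shift 2; rc=0
    if [ "$(printf '%s\n' "$show" | image_prop is_public)" != "False" ]; then
        echo "FAIL: image is still public"; rc=1
    fi
    while read -r id share; do
        if [ -z "$id" ]; then continue; fi
        ok=0
        for allowed in "$@"; do
            if [ "$allowed" = "$id" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "FAIL: unexpected member $id"; rc=1; fi
        if [ "$share" = "True" ]; then echo "NOTE: $id may re-share the image"; fi
    done <<EOF
$(printf '%s\n' "$members" | image_members)
EOF
    return "$rc"
}

# Sample rows trimmed from this post (is_public as it reads after image-update).
SHOW_SAMPLE='| is_public        | False                                |
| owner            | 974209cea9c3402e977120b5d02d500b     |'
MEMBERS_SAMPLE='| Image ID                             | Member ID                        | Can Share |
| c6afa1cf-72c2-407c-87e6-8d5c76b82dce | f68e039b76a6462aa4a622d9308c0bfd | True      |'

audit_image "$SHOW_SAMPLE" "$MEMBERS_SAMPLE" f68e039b76a6462aa4a622d9308c0bfd
```

The NOTE line is informational only: it flags members created with --can-share so the re-share permission is a visible, deliberate choice.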