


Note this is a big spec and where possible it is broken down into sub-specs to make it easier to share work.

Release Note


User stories

The purpose is to provide the ability to attach volumes in read-only mode.

immutable volumes

cinder as a backend for glance


shared volume



How can you use Read Only volumes

The "permissions" option represents volume permissions in the same way as file permissions on Unix-like systems, in the format [0-7][0-7][0-7]:

  • first digit - user permissions (for the owner);
  • second - group permissions (once it is possible to create user groups in keystone);
  • third - permissions for others.

Each digit represents rwx permissions, where:

  • r means read permission as usual,
  • w means write permission as usual,
  • x might mean permission to boot from the volume.

While multi-RW-attaching is not available, a secondary attach is available only in R/O mode, regardless of permissions.
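The format and attach rule described above can be validated and decoded before a value is stored or used. The following is an added example, not code from the Cinder change this page describes; the names parse_permissions, is_read_only and ClassPerms are hypothetical.

```python
import re
from typing import NamedTuple

# Added illustration; parse_permissions and is_read_only are hypothetical
# names, not part of the Cinder change described on this page.
_PERM_RE = re.compile(r"[0-7]{3}")  # the spec's [0-7][0-7][0-7] format


class ClassPerms(NamedTuple):
    read: bool
    write: bool
    boot: bool  # the spec's tentative meaning for the x bit


def parse_permissions(value):
    """Validate a "permissions" value and decode it per class.

    Anything other than a str of exactly three octal digits raises
    ValueError. fullmatch() also rejects a trailing newline, which
    match() with a "$" anchor would let through.
    """
    if not isinstance(value, str) or not _PERM_RE.fullmatch(value):
        raise ValueError("permissions must match [0-7][0-7][0-7]: %r" % (value,))
    decoded = {}
    for name, ch in zip(("owner", "group", "others"), value):
        digit = int(ch)
        decoded[name] = ClassPerms(bool(digit & 4), bool(digit & 2), bool(digit & 1))
    return decoded


def is_read_only(value, is_owner, attached=False, holds_rw_attach=False):
    """Return True when the caller may attach only in R/O mode.

    Same rules as the spec: an already attached volume is R/O for
    everyone but the holder of the R/W attachment; otherwise R/W needs
    both the r and w bits of the caller's class (group is not used yet).
    """
    perms = parse_permissions(value)  # malformed input never reaches the check
    if attached:
        return not holds_rw_attach
    cls = perms["owner" if is_owner else "others"]
    return not (cls.read and cls.write)
```

A digit of 2 or 3 (write without read) also yields R/O here, which matches the `< 6` comparison in the function under review further down this page.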


Create a volume that is available in Read/Write mode for the owner and in Read Only mode for others:

POST /v1/<tenant_id>/volumes

        "permissions": "644", 


Read Only volumes Blueprint: https://blueprints.launchpad.net/cinder/+spec/read-only-volumes

Add volume permissions support and support of Read Only volume mode (for libvirt initially, i.e. libvirt+KVM, libvirt+xen hypervisors)

  • an ability to create volume with defined permissions and show volume permissions from CLI and Dashboard, an ability to update volume permissions from CLI;
  • an ability to connect to a volume in R/O mode and to see from the CLI and Dashboard whether a volume is available only in R/O mode.

Add support of Read Only mode for other hypervisors.


Add ability to configure a user group with group permissions for a volume.



  • Add a new field "permissions" to the cinder database.
  • Add columns "Permissions" and "Read Only" in CLI and Dashboard.
  • Add "Permissions" field in volume creation form.
  • Add the 'readonly' flag to the attaching connection conf if the volume is available only in Read Only mode.

Code Changes

On review

Function that checks whether a volume is available only in R/O mode:

def volume_read_only_get(context, vol):
    """Return True if the volume is available to this user only in R/O mode."""
    perms = vol.get('permissions')
    RW, RO = False, True

    # While there is no multi-RW-attach, an attached volume is available
    # only in R/O mode to everyone except the user holding the R/W attach
    if vol.get('attach_status') == 'attached':
        if vol.get('rw_attached_user') == context.user_id:
            return RW
        return RO

    # Owner: R/W needs both the r and w bits, i.e. a digit of 6 or 7
    if context.user_id == vol.get('user_id'):
        return int(perms[0]) < 6

    # TODO(aguzikova): when there are groups for volumes' users,
    # check whether the user is in the group and, if so, use group permissions

    # User in "others"
    return int(perms[2]) < 6



  • data migration, if any
  • how users will be pointed to the new way of doing things, if necessary.


As soon as it is possible to use user groups from keystone, we will be able to implement the group permissions functionality easily.

Test/Demo Plan

This need not be added or completed until the specification is nearing beta.

Unresolved issues