| title | excerpt | updated |
|---|---|---|
Sharing images between Public Cloud projects |
Find out how to share images between Public Cloud projects using OpenStack |
2025-04-01 |
A situation may arise where you need to share an Instance backup image or a Volume backup image between several Public Cloud projects.
With OpenStack, it is possible to share an image between projects, even if they don't belong to the same account.
This feature offers many possibilities, but it also has its risks. It is therefore important to understand how it works.
For example, if we want to share an image from Project A with Project B (in the same or different account), the following rules apply:
- Images can only be shared within the same region. For example, an image created in Project A in the GRA11 region will only be available for Project B within the same GRA11 region.
- The image remains physically attached to Project A. Project B only has "access authorization" to this image.
- If Project A removes access to the image (like ACL, image deletion or if the project is deleted for unpaid invoices, etc.), the instances running from this image on Project B may not work anymore due to migration or rebuild issues.
It is therefore important to keep this in mind before engaging in this setup.
For more information, please consult the Official OpenStack documentation{.external}.
This guide will show you how to share images between one or more projects while preserving the configuration and state of the image.
Before following these steps, it is recommended that you first read this guide:
You will also need the following:
- a Public Cloud Instance in your OVHcloud account
- an OpenStack user
[!primary]
This guide references the use of the OpenStack command-line client{.external}.
First, run the following command to list your existing images:
$ openstack image list --private
| 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba | pfsense |Warning
In order to be shared, an image must first be set to "shared" visibility.
$ openstack image set --shared <Image_UUID>You can run the following command to list your images that can be shared with another project:
$ openstack image list --shared
9a0fbdc5-****-****-****-8d404a1313ba pfsenseThe next step is to add the UUID of a different project as a member of the image. In our example below, we add the UUID of "Project B" to the image.
$ openstack image add project 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba <UUID_Project_B>
+------------+--------------------------------------+
| Field | Value |
+------------+--------------------------------------+
| created_at | 2020-01-27T13:26:52Z |
| image_id | 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba |
| member_id | <UUID_Project_B> |
| schema | /v2/schemas/member |
| status | pending |
| updated_at | 2020-01-30T15:18:00Z |
+------------+--------------------------------------+Once this is done, check the request on project B:
$ openstack image member list <Image_UUID>
+--------------------------------------+----------------------------------+----------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+----------+
| 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba | <UUID_Project_B> | pending |
+--------------------------------------+----------------------------------+----------+If the sharing request is in pending status, you have to accept it:
$ openstack image set --accept 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba
+--------------------------------------+----------------------------------+----------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+----------+
| 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba | eff99684d8294dbe8c2d4dd7407073f1 | accepted |
+--------------------------------------+----------------------------------+----------+Once completed, check that you can see and access the image:
$ openstack image show 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| checksum | 1b19c9e5bdd36b9010de0164dd8b245e |
| container_format | bare |
| created_at | 2018-05-08T15:38:50Z |
| disk_format | raw |
| file | /v2/images/9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba/file |
| id | 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba |
| min_disk | 0 |
| min_ram | 0 |
| name | pfsense |
| owner | 35c9ee22e5c84c1097a5652b0abcbab3 |
| properties | direct_url='swift+config://ref1/glance/9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba', locations='[{'url': 'swift+config://ref1/glance/9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba', 'metadata': {}}]' |
| protected | False |
| schema | /v2/schemas/image |
| size | 10737418240 |
| status | active |
| tags | |
| updated_at | 2018-05-08T15:53:57Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+To see all the projects which have access to the image, from the source project (in this case project A), you can run this command:
$ openstack image member list 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba
+--------------------------------------+----------------------------------+----------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+----------+
| 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba | <project C> | pending |
| 9a0fbdc5-1f4a-4a1c-ad46-8d404a1313ba | <project B> | accepted |
+--------------------------------------+----------------------------------+----------+In the source project (project A), you can delete a member of the share:
$ openstack image remove project <image> <UUID_Project_To_Delete>Transfer an instance backup from one datacentre to another.
Join our community of users.