Fix Glance rootwrap dependencies

This commit adds the oslo.rootwrap package to the Glance Docker image.
This package is required for Glance to elevate user permissions when using os-brick.

Additionally, the packages nfs-common, udev, and lsscsi were added to ensure compatibility with NetApp backends.

TEST PLAN:

PASS - build-pkgs -a -l openstack
PASS - build stx-openstack tarball
PASS - application upload, apply and remove
PASS – Build docker images using updated stable_docker_image;
       verified successful image build and absence of missing runtime dependencies.
PASS - Ceph applied as the highest priority backend: bootstrapped;
       configured as default; other backends applied if available.
PASS - Cinder applied as the highest priority backend: bootstrapped;
       configured as default; other backends applied if available.
PASS - Glance images created successfully on the configured Cinder backend;
       verified image availability and proper association with storage.
       Cinder backends: netapp-fc | netapp-iscsi | netapp-nfs
PASS - Create Glance image (netapp-iscsi | netapp-nfs)
       `openstack image create --disk-format qcow2 \
        --shared --file images/my-image.img my-image`
PASS - Create Cinder volume from Glance image (netapp-iscsi)
       `openstack volume create --size 1 --image my-image my-vol-iscsi`
PASS - Create Cinder volume from Glance image (netapp-nfs)
       `openstack volume create --size 1 --image my-image my-vol-nfs`
PASS - Launch VM from bootable volume (netapp-iscsi)
       `openstack server create \
        --flavor my-flavor \
        --network "my-network" \
        --block-device uuid=$VOLUME_UUID,source_type=volume,destination_type=volume,boot_index=0\
            --wait vm-netapp-iscsi`
PASS - Launch VM from bootable volume (netapp-nfs)
       `openstack server create \
        --flavor my-flavor \
        --network "my-network" \
        --block-device uuid=$VOLUME_UUID,source_type=volume,destination_type=volume,boot_index=0\
            --wait vm-netapp-nfs`

Closes-Bug: #2137271
Change-Id: I99d3fa6a95a360e9dfd90af70346e61077f25bee
Signed-off-by: Thiago Miranda <tmarques@windriver.com>
(cherry picked from commit 1393ce0828)

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py

@@ -232,10 +232,7 @@ class GlanceHelm(openstack.OpenstackBaseHelm):
                         path="v3"
                     ),
                     'cinder_store_user_name': self._get_admin_user_name(),
-                    'cinder_store_password': self._get_identity_password(
-                        app_constants.HELM_CHART_KEYSTONE,
-                        self._get_admin_user_name()
-                    ),
+                    'cinder_store_password': self._get_admin_password(),
                     'cinder_store_project_name': self._get_admin_project_name(),
                     'cinder_store_user_domain_name': self._get_admin_user_domain(),
                     'cinder_store_project_domain_name': self._get_admin_project_domain(),

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py

@@ -124,6 +124,10 @@ class OpenstackBaseHelm(FluxCDBaseHelm):
         keystone_operator = self._get_chart_operator(app_constants.HELM_CHART_KEYSTONE)
         return keystone_operator.get_admin_user_domain()
 
+    def _get_admin_password(self):
+        keystone_operator = self._get_chart_operator(app_constants.HELM_CHART_KEYSTONE)
+        return keystone_operator.get_admin_password()
+
     def _get_identity_password(self, service, user):
         passwords = self.context.setdefault('_service_passwords', {})
         if service not in passwords:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/glance/glance-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2023-2025 Wind River Systems, Inc.
+# Copyright (c) 2023-2026 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -204,6 +204,7 @@ conf:
     Defaults !requiretty
     Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
     glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
+    keystone ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
   rootwrap: |
     # Configuration for glance-rootwrap
     # This file should be owned by (and only-writable by) the root user

upstream/openstack/python-glance/debian/stx-glance.stable_docker_image

@@ -8,10 +8,15 @@ UPDATE_SYSTEM_ACCOUNT="yes"
 NON_UNIQUE_SYSTEM_ACCOUNT="yes"
 PIP_PACKAGES="\
   os-brick \
+  oslo.rootwrap \
   pycryptodomex \
   python-cinderclient \
   python-swiftclient \
   psutil
 "
-DIST_PACKAGES="libpq5"
+DIST_PACKAGES="libpq5 \
+               nfs-common \
+               udev \
+               lsscsi
+"
 PROFILES="fluent glance ceph"