5.5. Configuring the Image Service

5.5.1. Configuration Overview

To configure the Image service, the following must be completed:
  • Configure TLS/SSL.
  • Configure the Identity service for Image service authentication (create database entries, set connection strings, and update configuration files).
  • Configure the disk-image storage backend (this guide uses the Object Storage service).
  • Configure the firewall for Image service access.
  • Populate the Image service database.

5.5.2. Create the Image Identity Records

This section outlines the steps for creating and configuring Identity service records required by the Image service.
  1. Create the glance user, who has the admin role in the services tenant.
  2. Create the glance service entry and assign it an endpoint.
These entries assist other OpenStack services attempting to locate and access the volume functionality provided by the Image service.
In order to proceed, you should have already performed the following (through the Identity service):
  1. Created an Administrator role named admin (refer to Section 3.8, “Create an Administrator Account” for instructions)
  2. Created the services tenant (refer to Section 3.10, “Create the Services Tenant” for instructions)

Note

The Deploying OpenStack: Learning Environments guide uses one tenant for all service users. For more information, refer to Section 3.10, “Create the Services Tenant”.
You can perform this procedure from your Identity service host or on any machine where you've copied the keystonerc_admin file (which contains administrator credentials) and the keystone command-line utility is installed.

Procedure 5.2. Configuring the Image Service to authenticate through the Identity Service

  1. Authenticate as the administrator of the Identity service by running the source command on the keystonerc_admin file:
    # source ~/keystonerc_admin
  2. Create a user named glance for the Image Service to use:
    # keystone user-create --name glance --pass PASSWORD
    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    |  email   |                                  |
    | enabled  |               True               |
    |    id    | 8091eaf121b641bf84ce73c49269d2d1 |
    |   name   |              glance              |
    | tenantId |                                  |
    +----------+----------------------------------+
    
    Replace PASSWORD with a secure password that will be used by the Image Service when authenticating with the Identity service.
  3. Use the keystone user-role-add command to link the glance user and the admin role together within the context of the services tenant:
    # keystone user-role-add --user glance --role admin --tenant services
  4. Create the glance service entry:
    # keystone service-create --name glance \
            --type image \
            --description "Glance Image Service"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |       Glance Image Service       |
    |      id     | 7461b83f96bd497d852fb1b85d7037be |
    |     name    |              glance              |
    |     type    |               image              |
    +-------------+----------------------------------+
  5. Create the glance endpoint entry:
    # keystone endpoint-create \
            --service glance \
            --publicurl "http://IP:9292" \
            --adminurl "http://IP:9292" \
            --internalurl "http://IP:9292"
    Replace IP with the IP address or host name of the system hosting the Image Service.
All supporting Identity service entries required by the Image Service have been created.

5.5.3. Configure the Image Service Database Connection

The database connection string used by the Image service is defined in the /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf files. It must be updated to point to a valid database server before starting the service.
All commands in this procedure must be run while logged in as the root user on the server hosting the Image service.

Procedure 5.3. Configuring the Image Service SQL database connection

  1. Use the openstack-config command to set the value of the sql_connection configuration key in the /etc/glance/glance-api.conf file.
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Replace:
    • USER with the database user name the Image service is to use, usually glance.
    • PASS with the password of the chosen database user.
    • IP with the IP address or host name of the database server.
    • DB with the name of the database that has been created for use by the Image service, usually glance.
  2. Use the openstack-config command to set the value of the sql_connection configuration key in the /etc/glance/glance-registry.conf file.
    # openstack-config --set /etc/glance/glance-registry.conf \
       DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Replace the placeholder values USER, PASS, IP, and DB with the same values used in the previous step.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the glance database user was granted access when creating the glance database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the glance database, you must enter 'localhost'.
The database connection string has been set and will be used by the Image service.

5.5.4. Configure Image Service Authentication

To update the Image configuration files for Identity usage, execute the following commands as the root user on each node hosting the Image service:

Procedure 5.4. Configuring the Image Service to authenticate through the Identity Service

  1. Configure the glance-api service:
    # openstack-config --set /etc/glance/glance-api.conf \
       paste_deploy flavor keystone
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_host IP
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_port 35357
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_protocol http
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_tenant_name services
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_user glance
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_password PASSWORD
  2. Configure the glance-registry service:
    # openstack-config --set /etc/glance/glance-registry.conf \
       paste_deploy flavor keystone
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_host IP
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_port 35357
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_protocol http
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_tenant_name services
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_user glance
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_password PASSWORD
where:
  • IP - The IP address or host name of the Identity server.
  • services - The name of the tenant that was created for the use of the Image service (previous examples set this to services).
  • glance - The name of the service user that was created for the Image service (previous examples set this to glance).
  • PASSWORD - The password associated with the service user.

5.5.5. Using the Object Storage Service for Image Storage

By default, the Image service uses the local file system (file) for its storage backend. However, either of the following storage backends can be used to store uploaded disk images:
  • file - Local file system of the Image server (/var/lib/glance/images/ directory)
  • swift - OpenStack Object Storage service

Note

The configuration procedure below uses the openstack-config command. However, the /etc/glance/glance-api.conf file can also be manually updated. If manually updating the file:
  1. Ensure that the default_store parameter is set to the correct backend (for example, 'default_store=rbd').
  2. Update the parameters in that backend's section (for example, under 'RBD Store Options').
To change the configuration to use the Object Storage service, execute the following steps as the root user:
  1. Set the default_store configuration key to swift:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT default_store swift
  2. Set the swift_store_auth_address configuration key to the public endpoint for the Identity service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_auth_address http://IP:5000/v2.0/
  3. Add the container for storing images in the Object Storage Service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_create_container_on_put True
  4. Set the swift_store_user configuration key to contain the tenant and user to use for authentication in the format TENANT:USER:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_user services:swift
    • If you followed the instructions in this guide to deploy Object Storage, these values must be replaced with the services tenant and the swift user respectively (as shown in the command example above).
    • If you did not follow the instructions in this guide to deploy Object Storage, these values must be replaced with the appropriate Object Storage tenant and user for your environment.
  5. Set the swift_store_key configuration key to the password of the user to be used for authentication (that is, the password that was set for the swift user when deploying the Object Storage service):
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_key PASSWORD

5.5.6. Configure the Firewall to Allow Image Service Traffic

The Image Service should be accessible over the network through port 9292.
To allow this, the Image service should be configured to recognize the 9292 port, and the firewall on the system hosting the image storage service should also allow network traffic on the port. All steps in this procedure must be run while logged in to the server hosting the image storage service as the root user.

Procedure 5.5. Configuring the firewall to allow Image Service traffic (for Red Hat Enterprise Linux 6-based systems)

  1. Open the /etc/glance/glance-api.conf file in a text editor, and remove any comment characters preceding the following parameters:
    bind_host = 0.0.0.0
    bind_port = 9292
  2. Open the /etc/sysconfig/iptables file in a text editor.
  3. Add an INPUT rule allowing TCP traffic on port 9292 to the file. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT
  4. Save the changes to the /etc/sysconfig/iptables file.
  5. Restart the iptables service to ensure that the change takes effect.
    # service iptables restart
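The ordering requirement in step 3 can be checked mechanically. The following Python sketch is an added example, not part of the original guide; the sample rules file is constructed, and treating DROP rules like REJECT rules is an assumption that goes beyond the guide's wording.

```python
import re

# Constructed sample of /etc/sysconfig/iptables (not taken from a real host).
# The 9292 rule was appended after the REJECT rule, so it is never reached.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT
COMMIT
"""


def _covers(spec, port):
    """True if a --dport/--dports value such as '22,9000:9300' includes port."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        if not low.isdigit():
            continue  # service names and negations are not evaluated here
        if int(low) <= port <= int(high if high.isdigit() else low):
            return True
    return False


def accept_is_reachable(rules_text, port=9292):
    """Return (ok, reason): is an INPUT ACCEPT rule for tcp/port evaluated
    before the first INPUT rule that REJECTs (or DROPs) traffic?"""
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if line.split()[:2] != ["-A", "INPUT"]:
            continue
        target = re.search(r"\s-j\s+(\S+)", line)
        if not target:
            continue
        if target.group(1) in ("REJECT", "DROP"):
            return False, "line %d blocks traffic before any ACCEPT for tcp/%d" % (lineno, port)
        ports = re.search(r"--dports?\s+(\S+)", line)
        if (target.group(1) == "ACCEPT" and re.search(r"\s-p\s+tcp\b", line)
                and ports and _covers(ports.group(1), port)):
            return True, "line %d accepts tcp/%d" % (lineno, port)
    return False, "no ACCEPT rule for tcp/%d found" % port


if __name__ == "__main__":
    print(accept_is_reachable(SAMPLE_RULES))
```

Run it against the saved rules file before restarting the iptables service; a False result means the new rule sits below a rule that already rejects the traffic.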

Procedure 5.6. Configuring the firewall to allow Image Service traffic (for Red Hat Enterprise Linux 7-based systems)

  1. Open the /etc/glance/glance-api.conf file in a text editor, and remove any comment characters preceding the following parameters:
    bind_host = 0.0.0.0
    bind_port = 9292
  2. Add a permanent rule allowing TCP traffic on port 9292:
    # firewall-cmd --permanent --add-port=9292/tcp
  3. For the change to take immediate effect, add the rule to the runtime mode:
    # firewall-cmd --add-port=9292/tcp
The firewall is now configured to allow incoming connections to the Image Service on port 9292.

5.5.7. Configure the Image Service to Use SSL

Use the following options in the glance-api.conf file to configure SSL.

Table 5.2. SSL options for Image Service

Configuration Option    Description
cert_file               Path to certificate file to use when starting API server securely.
key_file                Path to private key file to use when starting API server securely.
ca_file                 Path to CA certificate file to use to verify connecting clients.
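The earlier procedures leave auth_protocol and swift_store_auth_address on plain HTTP and store three credentials in glance-api.conf, so it is worth auditing the file once the SSL options are in place. The following Python sketch is an added example, not part of the original guide; the sample file, its addresses, the certificate paths used when testing, and the finding names are constructed, and placing cert_file and key_file in the DEFAULT section is an assumption.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample: glance-api.conf after Procedures 5.3 to 5.5, with
# placeholder secrets and documentation addresses. Not from a real host.
SAMPLE_CONF = """\
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9292
sql_connection = mysql://glance:PASS@192.0.2.10/glance
default_store = swift
swift_store_auth_address = http://192.0.2.11:5000/v2.0/
swift_store_key = PASSWORD

[paste_deploy]
flavor = keystone

[keystone_authtoken]
auth_host = 192.0.2.11
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = glance
admin_password = PASSWORD
"""


def audit_glance_api(conf_text, file_mode=0o640):
    """Return a list of finding names for the settings this section covers."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)

    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    findings = []
    # Table 5.2: cert_file and key_file are both needed to serve the API over SSL.
    if not (get("DEFAULT", "cert_file") and get("DEFAULT", "key_file")):
        findings.append("api-served-without-ssl")
    # Token validation and the admin_password travel to the Identity service.
    if get("keystone_authtoken", "auth_protocol").lower() == "http":
        findings.append("identity-auth-over-http")
    # swift_store_key is sent to this address when authenticating.
    if get("DEFAULT", "swift_store_auth_address").lower().startswith("http://"):
        findings.append("swift-auth-over-http")
    # Credentials stored in the file must not be readable by other users.
    secrets = [key for section, key in (("keystone_authtoken", "admin_password"),
                                        ("DEFAULT", "swift_store_key"))
               if get(section, key)]
    if urlsplit(get("DEFAULT", "sql_connection")).password:
        secrets.append("sql_connection")
    if secrets and file_mode & stat.S_IROTH:
        findings.append("secrets-world-readable:" + ",".join(sorted(secrets)))
    return findings


def audit_file(path="/etc/glance/glance-api.conf"):
    """Audit a file on disk, using its real permission bits."""
    with open(path) as fh:
        return audit_glance_api(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    print(audit_glance_api(SAMPLE_CONF, 0o644))
```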

5.5.8. Populate the Image Service Database

You can populate the Image Service database after you have successfully configured the Image Service database connection string (refer to Section 5.5.3, “Configure the Image Service Database Connection”).

Procedure 5.7. Populating the Image Service database

  1. Log in to the system hosting the Image service.
  2. Use the su command to switch to the glance user.
    # su glance -s /bin/sh
  3. Run the glance-manage db_sync command to initialize and populate the database identified in /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf.
    # glance-manage db_sync
The Image service database has been initialized and populated.

5.5.9. Enable Image Loading Through the Local File System

By default, the Image service provides images to instances using the HTTP protocol. That is, image data is transmitted from the image store to the local disk of the Compute node using HTTP.
This process is typical for most deployments where the Image and Compute services are installed on different hosts.

Note

You can use direct image access even if the Image and Compute services are not installed on the same host, provided they share a file system. The only requirement in this case is that the file system be mounted in the same location.
In deployments where both services are installed on the same host (and, consequently, share the same file system), it is more efficient to skip the HTTP steps altogether. Instead, you will need to configure both Image and Compute services to send and receive images using the local file system.
To do this:

Procedure 5.8. Configuring Image and Compute services to send/receive images through the local file system

Important

The Image file system metadata to be generated for this procedure will only apply to new images. Any existing images will not use this metadata.
  1. Create a JSON document that exposes the Image file system metadata required by openstack-nova-compute.
  2. Configure the Image service to use the JSON document.
  3. Configure openstack-nova-compute to use the file system metadata provided by the Image service.

Note

If both Image and Compute services are hosted on different nodes, you can emulate local file system sharing through Gluster.
The following sections describe this in more detail.

5.5.9.1. Configure File System Sharing Across Different Image and Compute Nodes

If both the Image and Compute services are hosted on different nodes, you can still enable them to share images locally. To do so, you will have to use Gluster (Red Hat Storage shares).
With this configuration, both Image and Compute services will have to share the same Gluster volume. For this, the same volume must be mounted on their respective nodes. Doing so will allow both services to access the same volume locally, thereby allowing image loading through local file system.
This configuration requires that you:
  1. Install and configure the packages required for Gluster on the nodes hosting Image and Compute services.
  2. Create the GlusterFS volume to be shared by both Image and Compute services.
  3. Mount the GlusterFS volume on the Image and Compute service nodes.

Note

For instructions on this procedure, refer to the latest version of the Configuring Red Hat OpenStack with Red Hat Storage guide available from:
Once you have configured the GlusterFS volume and mounted it on the Image service node, you will also have to configure the Compute service node to use the mounted Gluster volume. To do so:

Procedure 5.9. Configuring the Compute service node to use a mounted Gluster volume

  1. Log in to the Compute service node.
  2. From there, install the packages required for Gluster:
    # yum install -y glusterfs glusterfs-fuse
  3. Ensure that the drivers required to load the Gluster volume are enabled. To do so:
    1. Open the /etc/nova/nova.conf configuration file.
    2. Search for the Libvirt handlers for remote volumes (specifically, volume_drivers). The value for this parameter should be a comma-delimited list of drivers for different types of volumes.
    3. Depending on your Compute service deployment, the volume_drivers may already be enabled (as in, uncommented). If so, ensure that the Gluster volume driver (namely glusterfs=nova.virt.libvirt.volume.LibvirtGlusterfsVolumeDriver) is also listed.
      If the volume_drivers parameter is disabled or is not listed, edit the file accordingly.
  4. Configure the Compute service to use the mounted Gluster volume:
    # openstack-config --set /etc/nova/nova.conf \
    	DEFAULT glusterfs_mount_point_base GLUSTER_MOUNT
    Replace GLUSTER_MOUNT with the directory where the Gluster volume is mounted.
  5. Restart the Compute service.
    # service openstack-nova-compute restart
After completing these procedures, both Image and Compute services can now emulate accessing the same file system as if it were a local file system. You can then enable image loading through the local file system as normal.

5.5.9.2. Configure the Image Service to Provide Images Through the Local File System

In order to enable image loading through the local file system (as opposed to HTTP), the Image service needs to first expose its local file-system metadata to the openstack-nova-compute service. To do so:

Procedure 5.10. Configuring the Image service to expose local file system metadata to the Compute service

  1. Determine the mount point of the file system used by the Image service:
    # df
    Filesystem     1K-blocks     Used Available Use% Mounted on
    /dev/sda3       51475068 10905752  37947876  23% /
    devtmpfs         2005504        0   2005504   0% /dev
    tmpfs            2013248      668   2012580   1% /dev/shm
    For example, if the Image service uses the /dev/sda3 file system, then its corresponding mount point is /.
  2. Create a unique ID for the mount point using:
    # uuidgen
    ad5517ae-533b-409f-b472-d82f91f41773
    Note the output of the uuidgen command, as it will be used in the next step.
  3. Create a file with the .json extension.
  4. Open the file and add the following information:
    {
    "id": "UID",
    "mountpoint": "MOUNTPT"
    }
    Where:
    • UID is the unique ID created in the previous step.
    • MOUNTPT is the mount point of the Image service's file system (as determined in the first step).
  5. Configure the Image service to use this JSON file:
    # openstack-config --set /etc/glance/glance-api.conf \
    	DEFAULT show_multiple_locations True
    # openstack-config --set /etc/glance/glance-api.conf \
    	DEFAULT filesystem_store_metadata_file JSON_PATH
    Replace JSON_PATH with the full path to the JSON file.
  6. Restart the Image service (if already running).
    # service openstack-glance-registry restart
    # service openstack-glance-api restart

Important

The Image file-system metadata generated for this procedure only applies to new images. Any image that exists (that is, prior to this procedure) will not use this metadata.

5.5.9.3. Configure the Compute Service to Use Local File System Metadata

After configuring the Image Service to expose local file system metadata (as part of Section 5.5.9.2, “Configure the Image Service to Provide Images Through the Local File System”), you can then configure the Compute service to use this metadata. Doing so allows openstack-nova-compute to load images from the local file system.
To do so:

Procedure 5.11. Configuring the Compute service to use file system metadata provided by the Image Service

  1. Configure openstack-nova-compute to enable the use of direct URLs that have the file:// scheme:
    # openstack-config --set /etc/nova/nova.conf \
    	DEFAULT allowed_direct_url_schemes file
  2. Create an entry for the Image service's file system:
    # openstack-config --set /etc/nova/nova.conf \
    	image_file_url filesystems FSENTRY
    Replace FSENTRY with the name you wish to assign to the Image service's file system.
  3. Open the .json file used by the Image service to expose its local file system metadata. The information in this file will be used in the next step.
  4. Associate the entry created in the previous step to the file system metadata exposed by the Image service:
    # openstack-config --set /etc/nova/nova.conf \
    	image_file_url:FSENTRY id UID
    # openstack-config --set /etc/nova/nova.conf \
    	image_file_url:FSENTRY mountpoint MOUNTPT
    Where:
    • UID is the unique ID used by the Image service. In the .json file used by the Image service, the UID is the "id": value.
    • MOUNTPT is the mount point used by the Image service's file system. In the .json file used by the Image service, the MOUNTPT is the "mountpoint": value.
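Because the id and mountpoint values are copied by hand from the Image service's .json file into nova.conf, a mismatch is easy to introduce. The following Python sketch is an added example, not part of the original guide, that cross-checks the two files; the samples are constructed (the UUID is the uuidgen output shown in Procedure 5.10, and glancefs is a hypothetical FSENTRY name), and reading filesystems and allowed_direct_url_schemes as comma-separated lists is an assumption.

```python
import configparser
import json

# Constructed samples of the metadata file and the resulting nova.conf.
SAMPLE_JSON = '{"id": "ad5517ae-533b-409f-b472-d82f91f41773", "mountpoint": "/"}'
SAMPLE_NOVA = """\
[DEFAULT]
allowed_direct_url_schemes = file

[image_file_url]
filesystems = glancefs

[image_file_url:glancefs]
id = ad5517ae-533b-409f-b472-d82f91f41773
mountpoint = /
"""


def _csv(value):
    """Split a comma-separated option value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_direct_file_access(metadata_json, nova_conf):
    """Return a list of inconsistencies; an empty list means the Image service
    metadata file and nova.conf describe the same file system."""
    try:
        meta = json.loads(metadata_json)
    except ValueError as exc:
        return ["metadata file is not valid JSON: %s" % exc]
    if not isinstance(meta, dict):
        return ["metadata file must contain a single JSON object"]
    problems = ["metadata file lacks a non-empty %r" % key
                for key in ("id", "mountpoint")
                if not isinstance(meta.get(key), str) or not meta[key]]
    if problems:
        return problems
    if not meta["mountpoint"].startswith("/"):
        problems.append("metadata mountpoint is not an absolute path")

    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(nova_conf)
    if "file" not in _csv(cp.get("DEFAULT", "allowed_direct_url_schemes", fallback="")):
        problems.append("allowed_direct_url_schemes does not include file")
    entries = _csv(cp.get("image_file_url", "filesystems", fallback=""))
    matched = False
    for name in entries:
        section = "image_file_url:" + name
        if not cp.has_section(section):
            problems.append("filesystems lists %s but [%s] is missing" % (name, section))
        elif cp.get(section, "id", fallback="") == meta["id"]:
            matched = True
            mountpoint = cp.get(section, "mountpoint", fallback="")
            if mountpoint != meta["mountpoint"]:
                problems.append("[%s] mountpoint %r differs from metadata %r"
                                % (section, mountpoint, meta["mountpoint"]))
    if not matched:
        problems.append("no filesystems entry carries id %s" % meta["id"])
    return problems


if __name__ == "__main__":
    print(check_direct_file_access(SAMPLE_JSON, SAMPLE_NOVA))
```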