5.4. Configure the Image Service

To configure the Image service, the following tasks must be completed:
  • Configure the Identity service for Image service authentication (create database entries, set connection strings, and update configuration files).
  • Configure the disk-image storage back end (this guide uses the Object Storage service).
  • Configure the firewall for Image service access.
  • Configure TLS/SSL.
  • Populate the Image service database.

5.4.1. Configure the Image Service Database Connection

The database connection string used by the Image service is defined in the /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf files. It must be updated to point to a valid database server before starting the service.
All steps in this procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.2. Configuring the Image Service SQL Database Connection

  1. Set the value of the sql_connection configuration key in the glance-api.conf file:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Replace the following values:
    • Replace USER with the Image service database user name, usually glance.
    • Replace PASS with the password of the database user.
    • Replace IP with the IP address or host name of the server hosting the database service.
    • Replace DB with the name of the Image service database, usually glance.
  2. Set the value of the sql_connection configuration key in the glance-registry.conf file:
    # openstack-config --set /etc/glance/glance-registry.conf \
       DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Replace USER, PASS, IP, and DB with the same values used in the previous step.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Image service database user was granted access when creating the Image service database. For example, if the database is hosted locally and you granted permissions to 'localhost' when creating the Image service database, you must also enter 'localhost' here.
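The mismatch described in the note above is easy to introduce when the two files are edited separately. The following script is an added example (not part of the Red Hat guide or of Glance itself) that reads the sql_connection value from both files, checks that they name the same database, that the URL host equals the host the MySQL grant was made for, and that the PASS placeholder was actually replaced. The two configuration texts are constructed stand-ins for /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf.

```python
import configparser
from urllib.parse import urlsplit

# Constructed stand-ins for /etc/glance/glance-api.conf and
# /etc/glance/glance-registry.conf after Procedure 5.2 has been run.
# The registry file was (deliberately) pointed at localhost while the
# grant was made for 192.0.2.10: exactly the mismatch the note warns about.
API_CONF = """[DEFAULT]
sql_connection = mysql://glance:s3cret@192.0.2.10/glance
"""
REGISTRY_CONF = """[DEFAULT]
sql_connection = mysql://glance:s3cret@localhost/glance
"""

PLACEHOLDER_PASSWORDS = {"", "PASS", "PASSWORD", "password"}


def sql_connection(conf_text):
    """Return the DEFAULT/sql_connection value of one config file's text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp["DEFAULT"]["sql_connection"]


def check_db_connection(api_text, registry_text, granted_host):
    """Return a list of findings; an empty list means both files name the
    same database, the URL host equals the host the MySQL grant was made
    for, and the password is not an unreplaced placeholder."""
    findings = []
    api = urlsplit(sql_connection(api_text))
    reg = urlsplit(sql_connection(registry_text))
    if (api.hostname, api.path) != (reg.hostname, reg.path):
        findings.append("glance-api.conf and glance-registry.conf point at "
                        "different databases")
    for name, url in (("glance-api.conf", api), ("glance-registry.conf", reg)):
        if url.scheme != "mysql":
            findings.append(f"{name}: unexpected scheme {url.scheme!r}")
        if url.hostname != granted_host.lower():
            findings.append(f"{name}: host {url.hostname!r} differs from the "
                            f"grant host {granted_host!r}")
        if (url.password or "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: database password missing or still a "
                            "placeholder")
    return findings


if __name__ == "__main__":
    for finding in check_db_connection(API_CONF, REGISTRY_CONF, "192.0.2.10"):
        print("FINDING:", finding)
```

Run it against the real files by reading their contents into the two text arguments; the grant host is the value you used in the GRANT statement when the database was created. Passwords containing characters such as '@' or '/' must be percent-encoded in the URL, otherwise urlsplit (and the service) will split the string at the wrong place.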

5.4.2. Create the Image Service Identity Records

Create and configure the Identity service records required by the Image service. These entries allow other OpenStack services to locate and access the image functionality provided by the Image service.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 5.3. Creating Identity Records for the Image Service

  1. Set up the shell to access Keystone as the admin user:
    # source ~/keystonerc_admin
  2. Create the glance user:
    [(keystone_admin)]# openstack user create --password PASSWORD glance
    +----------+----------------------------------+
    | Field    | Value                            |
    +----------+----------------------------------+
    | email    | None                             |
    | enabled  | True                             |
    | id       | b1f665b15a7943ccb4668c9e78e98a7c |
    | name     | glance                           |
    | username | glance                           |
    +----------+----------------------------------+
    Replace PASSWORD with a secure password that will be used by the Image Service when authenticating with the Identity service.
  3. Link the glance user and the admin role together within the context of the services tenant:
    [(keystone_admin)]# openstack role add --project services --user glance admin
  4. Create the glance Image service entry:
    [(keystone_admin)]# openstack service create --name glance \
            --description "Glance Image Service" \
            image
  5. Create the glance endpoint entry:
    [(keystone_admin)]# openstack endpoint create \
            --publicurl 'http://IP:9292' \
            --adminurl 'http://IP:9292' \
            --internalurl 'http://IP:9292' \
            --region RegionOne \
            glance
    Replace IP with the IP address or host name of the server hosting the Image service.

5.4.3. Configure Image Service Authentication

Configure the Image service to use the Identity service for authentication. All steps in this procedure must be performed on each node hosting the Image service, while logged in as the root user.

Procedure 5.4. Configuring the Image Service to Authenticate through the Identity Service

  1. Configure the glance-api service:
    # openstack-config --set /etc/glance/glance-api.conf \
       paste_deploy flavor keystone
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_host IP
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_port 35357
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken auth_protocol http
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_tenant_name services
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_user glance
    # openstack-config --set /etc/glance/glance-api.conf \
       keystone_authtoken admin_password PASSWORD
  2. Configure the glance-registry service:
    # openstack-config --set /etc/glance/glance-registry.conf \
       paste_deploy flavor keystone
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_host IP
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_port 35357
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken auth_protocol http
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_tenant_name services
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_user glance
    # openstack-config --set /etc/glance/glance-registry.conf \
       keystone_authtoken admin_password PASSWORD
Replace the following values:
  • Replace IP with the IP address or host name of the Identity server.
  • Replace services with the name of the tenant that was created for the use of the Image service (previous examples set this to services).
  • Replace glance with the name of the service user that was created for the Image service (previous examples set this to glance).
  • Replace PASSWORD with the password associated with the service user.

5.4.4. Use the Object Storage Service for Image Storage

By default, the Image service uses the local file system (file) for its storage back end; however, either of the following storage back ends can be used to store uploaded disk images:
  • file - Local file system of the Image server (/var/lib/glance/images/ directory)
  • swift - OpenStack Object Storage service

Note

The configuration procedure below uses the openstack-config command; however, you can also manually update the /etc/glance/glance-api.conf file. If manually updating the file, ensure that the default_store parameter is set to the correct back end (for example, 'default_store=rbd'), and update the parameters in that back end's section (for example, under 'RBD Store Options').

Procedure 5.5. Configuring the Image Service to use the Object Storage Service

  1. Set the default_store configuration key to swift:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT default_store swift
  2. Set the swift_store_auth_address configuration key to the public endpoint for the Identity service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_auth_address http://IP:5000/v2.0/
  3. Add the container for storing images in the Object Storage service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_create_container_on_put True
  4. Set the swift_store_user configuration key, in the format TENANT:USER, to contain the tenant and user to use for authentication:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_user services:swift
    • If you followed the instructions in this guide to deploy Object Storage, replace these values with the services tenant and the swift user respectively (as shown in the command example above).
    • If you did not follow the instructions in this guide to deploy Object Storage, replace these values with the appropriate Object Storage tenant and user for your environment.
  5. Set the swift_store_key configuration key to the password that was set for the swift user when deploying the Object Storage service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT swift_store_key PASSWORD
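The settings written by Procedure 5.4 (Identity service authentication) and Procedure 5.5 (Object Storage back end) are the ones that decide whether the API is actually protected and where image data and credentials go. The following audit is an added example, not Red Hat's or Glance's own tooling: it parses a glance-api.conf text and reports a paste_deploy flavor other than keystone (which leaves the API unauthenticated), unreplaced IP/PASSWORD placeholders, a malformed swift_store_user, and plain-text http to the Identity service (the procedures above set http; flagging it reflects the hardening a deployer would want once TLS is in place, as in Section 5.4.7). The configuration text is constructed.

```python
import configparser

# Constructed glance-api.conf excerpt as left by Procedures 5.4 and 5.5,
# with the swift_store_key placeholder still unreplaced.
SAMPLE_API_CONF = """[DEFAULT]
default_store = swift
swift_store_auth_address = http://192.0.2.20:5000/v2.0/
swift_store_create_container_on_put = True
swift_store_user = services:swift
swift_store_key = PASSWORD

[paste_deploy]
flavor = keystone

[keystone_authtoken]
auth_host = 192.0.2.20
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = glance
admin_password = s3cret
"""

# The same file after the placeholder was replaced and both Identity
# service URLs were switched to https.
HARDENED_API_CONF = (
    SAMPLE_API_CONF
    .replace("auth_protocol = http", "auth_protocol = https")
    .replace("http://192.0.2.20:5000", "https://192.0.2.20:5000")
    .replace("swift_store_key = PASSWORD", "swift_store_key = sw1ft-s3cret")
)

PLACEHOLDERS = {"", "PASSWORD", "PASS", "IP"}


def audit_glance_api(conf_text):
    """Return a list of findings for one glance-api.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []

    # Without flavor = keystone the keystone_authtoken section is never
    # consulted, so every request is accepted as anonymous.
    if cp.get("paste_deploy", "flavor", fallback="") != "keystone":
        findings.append("paste_deploy/flavor is not 'keystone': the API "
                        "would accept unauthenticated requests")

    kat = cp["keystone_authtoken"] if cp.has_section("keystone_authtoken") else {}
    for key in ("auth_host", "admin_tenant_name", "admin_user", "admin_password"):
        if kat.get(key, "") in PLACEHOLDERS:
            findings.append(f"keystone_authtoken/{key} is unset or still a placeholder")
    if kat.get("auth_protocol", "http") != "https":
        findings.append("keystone_authtoken/auth_protocol is http: the service "
                        "password travels in clear text")

    d = cp["DEFAULT"]
    if d.get("default_store") == "swift":
        user = d.get("swift_store_user", "")
        if user.count(":") != 1 or not all(user.split(":")):
            findings.append("swift_store_user must have the form TENANT:USER")
        if d.get("swift_store_key", "") in PLACEHOLDERS:
            findings.append("swift_store_key is unset or still a placeholder")
        if not d.get("swift_store_auth_address", "").startswith("https://"):
            findings.append("swift_store_auth_address is not https")
    return findings


if __name__ == "__main__":
    for finding in audit_glance_api(SAMPLE_API_CONF):
        print("FINDING:", finding)
```

Because glance-api.conf and glance-registry.conf carry the same keystone_authtoken and paste_deploy keys, the same function can be run over the registry file; only the swift checks are specific to glance-api.conf.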

5.4.5. Configure the Firewall to Allow Image Service Traffic

The Image service must be accessible over the network through port 9292. All steps in this procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.6. Configuring the Firewall to Allow Image Service Traffic

  1. Open the /etc/glance/glance-api.conf file in a text editor, and remove any comment characters preceding the following parameters:
    bind_host = 0.0.0.0
    bind_port = 9292
  2. Open the /etc/sysconfig/iptables file in a text editor.
  3. Add an INPUT rule allowing TCP traffic on port 9292. The new rule must appear before any INPUT rules that REJECT traffic:
    -A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT
  4. Save the changes to the /etc/sysconfig/iptables file.
  5. Restart the iptables service to ensure that the change takes effect:
    # systemctl restart iptables.service
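Step 3 above depends on rule order: an ACCEPT appended after the chain's catch-all REJECT is never reached, and the Image service silently stays unreachable. The following script is an added example, not part of the guide, that walks the INPUT chain of an /etc/sysconfig/iptables text in order, reports whether TCP 9292 is accepted, shadowed by an earlier REJECT/DROP, or missing, and inserts the rule in the correct position. The rules text is a constructed excerpt.

```python
import re

# Constructed excerpt of /etc/sysconfig/iptables in which the Image service
# rule was appended AFTER the catch-all REJECT, so it can never match.
WRONG_ORDER = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT
COMMIT
"""

GLANCE_RULE = "-A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT"
INPUT_RULE_RE = re.compile(r"^-A\s+INPUT\b(?P<body>.*)$")


def check_port_rule(rules_text, port=9292):
    """Walk the INPUT chain in order and return 'ok' (an ACCEPT for TCP
    `port` comes first), 'shadowed' (a REJECT/DROP that would match the
    port comes first) or 'missing' (no ACCEPT rule for the port at all)."""
    for line in rules_text.splitlines():
        m = INPUT_RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        target = re.search(r"-j\s+(\S+)", body)
        if not target:
            continue
        ports = re.search(r"--dports?\s+(\S+)", body)
        port_hit = ports is not None and str(port) in ports.group(1).split(",")
        if target.group(1) == "ACCEPT" and port_hit and "-p tcp" in body:
            return "ok"
        # A REJECT/DROP with no port match, or one naming our port, blocks it.
        if target.group(1) in ("REJECT", "DROP") and (ports is None or port_hit):
            return "shadowed"
    return "missing"


def insert_accept_rule(rules_text, rule=GLANCE_RULE):
    """Return the rules text with `rule` placed immediately before the first
    INPUT REJECT/DROP rule (before COMMIT if there is none).  Any existing
    copy of the rule is dropped first so the result contains exactly one."""
    out, inserted = [], False
    for line in rules_text.splitlines():
        s = line.strip()
        if s == rule:
            continue
        blocks = INPUT_RULE_RE.match(s) and re.search(r"-j\s+(REJECT|DROP)\b", s)
        if not inserted and (blocks or s == "COMMIT"):
            out.append(rule)
            inserted = True
        out.append(line)
    if not inserted:
        out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_port_rule(WRONG_ORDER))
    print("after: ", check_port_rule(insert_accept_rule(WRONG_ORDER)))
```

The checker only understands single ports and comma lists given with --dport/--dports; port ranges (9000:9300) are not expanded, so a range-based REJECT ahead of the rule must be reviewed by hand. After writing the corrected file, the restart in step 5 is still required for the running firewall to pick it up.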

5.4.6. Configure RabbitMQ Message Broker Settings for the Image Service

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.7. Configuring the Image Service (glance) to Use the RabbitMQ Message Broker

  1. Set RabbitMQ as the notifier:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT notification_driver messaging
  2. Set the name of the RabbitMQ host:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_port 5672
  4. Set the RabbitMQ user name and password created for the Image service when RabbitMQ was configured:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_userid glance
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_password GLANCE_PASS
    Replace glance and GLANCE_PASS with the RabbitMQ user name and password created for the Image service.
  5. When RabbitMQ was set up, the glance user was granted read and write permissions on all resources of the / virtual host. Configure the Image service to connect to this virtual host:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_virtual_host /

5.4.7. Configure the Image Service to Use SSL

Use the following options in the glance-api.conf file to configure SSL.

Table 5.1. SSL Options for the Image Service

Configuration Option   Description
cert_file              The path to the certificate file to use when starting the API server securely.
key_file               The path to the private key file to use when starting the API server securely.
ca_file                The path to the CA certificate file to use to verify connecting clients.

5.4.8. Populate the Image Service Database

Populate the Image service database after you have successfully configured the Image service database connection string.

Procedure 5.8. Populating the Image Service Database

  1. Log in to the system hosting the Image service.
  2. Switch to the glance user:
    # su glance -s /bin/sh
  3. Initialize and populate the database identified in /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf:
    $ glance-manage db_sync

5.4.9. Enable Image Loading Through the Local File System

By default, the Image service provides images to instances using the HTTP protocol. Specifically, image data is transmitted from the image store to the local disk of the Compute node using HTTP. This process is typical for most deployments where the Image and Compute services are installed on different hosts.

Note

You can use direct image access if the Image service and the Compute service are not installed on the same host but share a file system. In this case, the file system must be mounted at the same location on both hosts.
In deployments where both services are installed on the same host (and, consequently, share the same file system), it is more efficient to skip the HTTP steps altogether. Instead, you must configure both the Image service and the Compute service to send and receive images using the local file system.
The Image file system metadata generated for this procedure will only apply to new images. Any existing images will not use this metadata.

Procedure 5.9. Configuring Image and Compute Services to Send and Receive Images through the Local File System

  1. Create a JSON document that exposes the Image file system metadata required by openstack-nova-compute.
  2. Configure the Image service to use the JSON document.
  3. Configure openstack-nova-compute to use the file system metadata provided by the Image service.

5.4.9.1. Configure the Image Service to Provide Images Through the Local File System

To enable image loading through the local file system (as opposed to HTTP), the Image service must first expose its local file-system metadata to the openstack-nova-compute service.

Procedure 5.10. Configuring the Image Service to Expose Local File System Metadata to the Compute Service

  1. Determine the mount point of the file system used by the Image service:
    # df
    Filesystem     1K-blocks     Used Available Use% Mounted on
    /dev/sda3       51475068 10905752  37947876  23% /
    devtmpfs         2005504        0   2005504   0% /dev
    tmpfs            2013248      668   2012580   1% /dev/shm
    For example, if the Image service uses the /dev/sda3 file system, its corresponding mount point is /.
  2. Create a unique ID for the mount point:
    # uuidgen
    ad5517ae-533b-409f-b472-d82f91f41773
    Note the output of uuidgen, as it will be used in the next step.
  3. Create a file with the .json extension.
  4. Open the file in a text editor, and add the following information:
    {
    "id": "UID",
    "mountpoint": "MOUNTPT"
    }
    Replace the following values:
    • Replace UID with the unique ID created in the previous step.
    • Replace MOUNTPT with the mount point of the Image service's file system, as determined in the first step.
  5. Configure the Image service to use this JSON file:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT show_multiple_locations True
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT filesystem_store_metadata_file JSON_PATH
    Replace JSON_PATH with the full path to the JSON file.

    Important

    If configured without the proper policy settings, a non-admin user of the Image Service can replace active image data (that is, switch out a current image without other users knowing). See the OSSN announcement (recommended actions) for configuration information: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
  6. Restart the Image service (if it is already running):
    # systemctl restart openstack-glance-registry.service
    # systemctl restart openstack-glance-api.service
The Image file-system metadata generated for this procedure only applies to new images. Any existing images will not use this metadata.

5.4.9.2. Configure the Compute Service to Use Local File System Metadata

After configuring the Image service to expose local file-system metadata, configure the Compute service to use this metadata. This allows openstack-nova-compute to load images from the local file system.

Procedure 5.11. Configuring the Compute Service to use File System Metadata Provided by the Image Service

  1. Configure openstack-nova-compute to enable the use of direct URLs that have the file:// scheme:
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT allowed_direct_url_schemes file
  2. Create an entry for the Image service's file system:
    # openstack-config --set /etc/nova/nova.conf \
       image_file_url filesystems FSENTRY
    Replace FSENTRY with a name to assign to the Image service's file system.
  3. Open the .json file used by the Image service to expose its local file-system metadata. The information in this file will be used in the next step.
  4. Associate the entry for the Image service's file system with the file system metadata exposed by the Image service:
    # openstack-config --set /etc/nova/nova.conf \
       image_file_url:FSENTRY id UID
    # openstack-config --set /etc/nova/nova.conf \
       image_file_url:FSENTRY mountpoint MOUNTPT
    Replace the following values:
    • Replace UID with the unique ID used by the Image service. In the .json file used by the Image service, the UID is the "id" value.
    • Replace MOUNTPT with the mount point used by the Image service's file system. In the .json file used by the Image service, the MOUNTPT is the "mountpoint" value.
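The values in Procedure 5.10's JSON file and Procedure 5.11's nova.conf must agree exactly; if they do not, openstack-nova-compute simply falls back to HTTP and nothing reports the mismatch. The following script is an added example, not part of the guide or of Nova, that validates the JSON (a real UUID, an absolute path that is an existing mount point) and cross-checks it against the image_file_url sections of a nova.conf text. Both texts are constructed; "glancefs" stands in for FSENTRY and the UUID is the one shown in the uuidgen output above.

```python
import configparser
import json
import os
import uuid

# Constructed copy of the .json file written in Procedure 5.10.
GLANCE_METADATA_JSON = """{
  "id": "ad5517ae-533b-409f-b472-d82f91f41773",
  "mountpoint": "/"
}"""

# Constructed nova.conf excerpt as written by Procedure 5.11 with
# FSENTRY = glancefs.
NOVA_CONF = """[DEFAULT]
allowed_direct_url_schemes = file

[image_file_url]
filesystems = glancefs

[image_file_url:glancefs]
id = ad5517ae-533b-409f-b472-d82f91f41773
mountpoint = /
"""


def check_filesystem_metadata(json_text, nova_text):
    """Return a list of findings; empty means the JSON is well formed and
    every image_file_url:<name> section in nova.conf matches it."""
    findings = []
    meta = json.loads(json_text)
    try:
        uuid.UUID(meta.get("id", ""))
    except ValueError:
        findings.append("glance metadata 'id' is not a valid UUID")
    mountpoint = meta.get("mountpoint", "")
    if not (os.path.isabs(mountpoint) and os.path.ismount(mountpoint)):
        findings.append(f"glance metadata mountpoint {mountpoint!r} is not an "
                        "existing mount point on this host")

    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nova_text)
    schemes = cp.get("DEFAULT", "allowed_direct_url_schemes", fallback="")
    if "file" not in [s.strip() for s in schemes.split(",")]:
        findings.append("nova.conf does not allow the file:// direct URL scheme")

    names = [n.strip() for n in
             cp.get("image_file_url", "filesystems", fallback="").split(",")
             if n.strip()]
    if not names:
        findings.append("nova.conf has no image_file_url/filesystems entry")
    for name in names:
        sect = f"image_file_url:{name}"
        if not cp.has_section(sect):
            findings.append(f"nova.conf is missing the [{sect}] section")
            continue
        if cp.get(sect, "id", fallback="") != meta.get("id"):
            findings.append(f"[{sect}] id does not match the glance metadata")
        if cp.get(sect, "mountpoint", fallback="") != mountpoint:
            findings.append(f"[{sect}] mountpoint does not match the glance metadata")
    return findings


if __name__ == "__main__":
    for finding in check_filesystem_metadata(GLANCE_METADATA_JSON, NOVA_CONF):
        print("FINDING:", finding)
```

Run it on the Compute node with the contents of the JSON file copied from the Image service host and the local nova.conf; the mount-point test is deliberately evaluated on the host where the script runs, because that is where openstack-nova-compute will try to open the image.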