OpenStack Introduction for Ubuntu Part II

This is the second Post about Open Stack Introduction. The first part of this post series is about general concepts, basic configuration and Identity service installation, this second part continue with Image and Compute services. At this link a complete installation guide can be found.

Configure the Image Service

The OpenStack Image Service enables users to discover, register, and retrieve virtual machine images. Also known as the glance project, the Image Service offers a REST API that enables you to query virtual machine image metadata and retrieve an actual image.

Image Service overview

  • glance-api. Accepts Image API calls for image discovery, retrieval, and storage.
  • glance-registry. Stores, processes, and retrieves metadata about images. Metadata includes size, type, and so on.
  • Database. Stores image metadata.
  • Storage repository for image files, you can use the Object Storage Service as the image repository, but the Image Service supports normal file systems, RADOS block devices, Amazon S3, and HTTP.

Install the Image Service

The OpenStack Image Service acts as a registry for virtual disk images. Users can add new images or take a snapshot of an image from an existing server for immediate storage. Use snapshots for back up and as templates to launch new servers.

Install the Image Service on the controller node
   # apt-get install glance python-glanceclient 

Edit /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf and change the [DEFAULT] section to configure database connection:

    # SQLAlchemy connection string for the reference implementation
    # registry server. Any valid SQLAlchemy connection string is fine.
    # See:
    sql_connection = mysql://glance:GLANCE_DBPASS@controller/glance

Note: You should create a new database, an user with access to this database if this doesn't exists, after that you can create the database tables for the Image Service.

   # glance-manage db_sync 

Create a glance user that the Image Service can use to authenticate with the Identity Service. Choose a password and specify an email address for the glance user. Use the service tenant and give the user the admin role.

    # keystone user-create --name=glance --pass=GLANCE_PASS

    | Property |              Value               |
    |  email   |        |
    | enabled  |               True               |
    |    id    | 3c6813f8f5c84379adfc23132562efce |
    |   name   |              glance              |

   # keystone user-role-add --user=glance --tenant=service --role=admin 

Configure the Image Service to use the Identity Service for authentication. Edit the /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf files. Replace GLANCE_PASS with the password you chose for the glance user in the Identity Service. Add the following keys under the [keystone_authtoken] section:

    auth_uri = http://controller:5000
    auth_host = controller
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = glance
    admin_password = GLANCE_PASS

Add the following key under the [paste_deploy] section:

   flavor = keystone 

Add the credentials to the /etc/glance/glance-api-paste.ini and /etc/glance/glance-registry-paste.ini files. Edit each file to set the following options in the [filter:authtoken] section .


Register the service and create the endpoint:

   # keystone service-create --name=glance --type=image --description="Glance Image Service" 

    |   Property  |              Value               |
    | description |       Glance Image Service       |
    |      id     | d0c6e90350f1454596ed2200421a044b |
    |     name    |              glance              |
    |     type    |              image               |

Use the id property returned for the service to create the endpoint:

   # keystone endpoint-create --service-id=the_service_id_above \
     --publicurl=http://controller:9292 --internalurl=http://controller:9292 \

    |   Property  |              Value               |
    |   adminurl  |      http://controller:9292      |
    |      id     | 0a4e70031d4d4840a4c888053b221e1d |
    | internalurl |      http://controller:9292      |
    |  publicurl  |      http://controller:9292      |
    |    region   |            regionOne             |
    |  service_id | d0c6e90350f1454596ed2200421a044b |

Restart the glance service with its new settings.

   # service glance-registry restart
   # service glance-api restart 

Verify the Image Service installation

We need download at least one virtual machine image compatible with Open Stack. For this test we will use CirrOS which is a small test image that can be used to test Open Stack services. More information about build and download images at this link.

    $ mkdir images
    $ cd images/
    $ wget 

To upload the image to the Image Service you need pass the next parameters:

  • --name: The name of the image.
  • --disk-format: Specifies the format of the image file. Valid formats include qcow2, raw, vhd, vmdk, vdi, iso, aki, ari, and ami.
  • --container-format: Specifies the container format. Valid formats include: bare, ovf, aki, ari and ami.
  • --is-public: if is true all users can use the image, if is false only admnistrators
   # glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 \
  --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img 

    | Property         | Value                                |
    | checksum         | d972013792949d0d3ba628fbe8685bce     |
    | container_format | bare                                 |
    | created_at       | 2014-04-10T15:43:23.652215           |
    | deleted          | False                                |
    | deleted_at       | None                                 |
    | disk_format      | qcow2                                |
    | id               | 2c0955c1-3811-451a-927e-4681bf26eca0 |
    | is_public        | True                                 |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | CirrOS 0.3.1                         |
    | owner            | None                                 |
    | protected        | False                                |
    | size             | 13147648                             |
    | status           | active                               |
    | updated_at       | 2014-04-10T15:43:24.347303           |


# glance image-list
| ID                                   | Name         | Disk Format | Container Format | Size     | Status |
| 2c0955c1-3811-451a-927e-4681bf26eca0 | CirrOS 0.3.1 | qcow2       | bare             | 13147648 | active |

Configure Compute services

The Compute service is a cloud computing fabric controller, interacts with the Identity Service for authentication, Image Service for images, and the Dashboard for the user and administrative interface. Access to images is limited by project and by user; quotas are limited per project.

Compute services components

  • nova-api service: Accepts and responds to end user compute API calls.
  • nova-api-metadata service: Accepts metadata requests from instances.
Compute core
  • nova-compute process: worker daemon that creates and terminates virtual machine instances through hypervisor APIs.
  • nova-scheduler process: Takes a virtual machine instance request from the queue and determines on which compute server host it should run.
  • nova-conductor module: Mediates interactions between nova-compute and the database. Aims to eliminate direct accesses to the cloud database made by nova-compute.
Networking for VMs
  • nova-network worker daemon: Accepts networking tasks from the queue and performs tasks to manipulate the network, such as setting up bridging interfaces or changing iptables rules.
  • nova-dhcpbridge script: Tracks IP address leases and records them in the database by using the dnsmasq dhcp-script facility.
Console interface
  • nova-consoleauth daemon: Authorizes tokens for users that console proxies provide.
  • nova-novncproxy daemon: Provides a proxy for accessing running instances through a VNC connection. Supports browser-based novnc clients.
  • nova-xvpnvncproxy daemon: A proxy for accessing running instances through a VNC connection. Supports a Java client specifically designed for OpenStack.
  • nova-cert daemon: Manages x509 certificates.
Command-line clients and other interfaces
  • nova client: Enables users to submit commands as a tenant administrator or end user.
  • nova-manage client: Enables cloud administrators to submit commands.

Install Compute controller services

Install Compute packages:

   # apt-get install nova-novncproxy novnc nova-api \
     nova-ajax-console-proxy nova-cert nova-conductor \
     nova-consoleauth nova-doc nova-scheduler \

Edit the /etc/nova/nova.conf file and add these lines to the [database] and [keystone_authtoken] sections:

    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://nova:NOVA_DBPASS@controller/nova
    auth_host = controller
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = nova
    admin_password = NOVA_PASS

Configure the Compute Service to use the RabbitMQ message broker by setting these configuration keys in the [DEFAULT] configuration group of the /etc/nova/nova.conf file:

    rpc_backend = nova.rpc.impl_kombu
    rabbit_host = controller
    rabbit_password = RABBIT_PASS 

Create the Compute service tables:

   # nova-manage db sync 

Set the my_ip, vncserver_listen, and vncserver_proxyclient_address configuration options to the internal IP address of the controller node: Edit the /etc/nova/nova.conf file and add these lines to the [DEFAULT] section:


Create a nova user that Compute uses to authenticate with the Identity Service. Use the service tenant and give the user the admin role

   # keystone user-create --name=nova --pass=NOVA_PASS

    | Property |              Value               |
    |  email   |         |
    | enabled  |               True               |
    |    id    | 64e4c1ff707449a2b470d82d1269a91b |
    |   name   |               nova               |

   # keystone user-role-add --user=nova --tenant=service --role=admin 

Configure Compute to use these credentials with the Identity Service running on the controller. Replace NOVA_PASS with your Compute password. Edit the [DEFAULT] section in the /etc/nova/nova.conf file to add this key:


Add the credentials to the /etc/nova/api-paste.ini file. Add these options to the [filter:authtoken] section:

    paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
    auth_host = controller
    auth_port = 35357
    auth_protocol = http
    auth_uri = http://controller:5000/v2.0
    admin_tenant_name = service
    admin_user = nova
    admin_password = NOVA_PASS 
   Register Compute with the Identity Service so that other OpenStack services can locate it. 
   Register the service and specify the endpoint: 
   # keystone service-create --name=nova --type=compute \
  --description="Nova Compute service" 

    |   Property  |              Value               |
    | description |       Nova Compute service       |
    |      id     | 4835b37554764710b7fbc669ced638c7 |
    |     name    |               nova               |
    |     type    |             compute              |

Use the id property that is returned to create the endpoint.

   # keystone endpoint-create \
  --service-id=the_service_id_above \
  --publicurl=http://controller:8774/v2/%\(tenant_id\)s \
  --internalurl=http://controller:8774/v2/%\(tenant_id\)s \

    |   Property  |                  Value                  |
    |   adminurl  | http://controller:8774/v2/%(tenant_id)s |
    |      id     |     d347a210e04945b0b17c7c7ec1f95aca    |
    | internalurl | http://controller:8774/v2/%(tenant_id)s |
    |  publicurl  | http://controller:8774/v2/%(tenant_id)s |
    |    region   |                regionOne                |
    |  service_id |     4835b37554764710b7fbc669ced638c7    |

Restart Compute services:

    # service nova-api restart
    # service nova-cert restart
    # service nova-consoleauth restart
    # service nova-scheduler restart
    # service nova-conductor restart
    # service nova-novncproxy restart 

To verify your configuration, list available images:

  # nova image-list 
    | ID                                   | Name         | Status | Server |
    | 2c0955c1-3811-451a-927e-4681bf26eca0 | CirrOS 0.3.1 | ACTIVE |        |