Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

6.3. Configure the Block Storage Service

6.3.1. Configure the Block Storage Service Database Connection

The database connection string used by the Block Storage services is defined in the /etc/cinder/cinder.conf file. It must be updated to point to a valid database server before starting the service.
Set the value of the sql_connection configuration key on each system hosting Block Storage services: 
# openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT sql_connection mysql://USER:PASS@IP/DB
Copy to Clipboard
Replace the following values:
  • Replace USER with the Block Storage service database user name, usually cinder.
  • Replace PASS with the password of the database user.
  • Replace IP with the IP address or host name of the server hosting the database service.
  • Replace DB with the name of the Block Storage service database, usually cinder.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Block Storage service database user was granted access when creating the Block Storage service database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the Block Storage service database, you must enter 'localhost'.

6.3.2. Create the Block Storage Service Identity Records

Create and configure Identity service records required by the Block Storage service. These entries provide authentication for the Block Storage services, and guide other OpenStack services attempting to locate and access the volume functionality provided by Block Storage.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 6.2. Creating Identity Records for the Block Storage Service

  1. Set up the shell to access Keystone as the administrative user: 
    # source ~/keystonerc_admin
    Copy to Clipboard
  2. Create the cinder user: 
    [(keystone_admin)]# keystone user-create --name cinder --pass PASSWORD
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | e1765f70da1b4432b54ced060139b46a |
|   name   |              cinder              |
| username |              cinder              |
+----------+----------------------------------+
    Copy to Clipboard
    Replace PASSWORD with a secure password that will be used by the Block Storage service when authenticating with the Identity service.
  3. Link the cinder user and the admin role together within the context of the services tenant: 
    [(keystone_admin)]# keystone user-role-add --user cinder --role admin --tenant services
    Copy to Clipboard
  4. Create the cinder and cinderv2 Block Storage service entries: 
    [(keystone_admin)]# keystone service-create --name cinder \
        --type volume \
        --description "Cinder Volume Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |      Cinder Volume Service       |
|   enabled   |               True               |
|      id     | dfde7878671e484c9e581a3eb9b63e66 |
|     name    |              cinder              |
|     type    |              volume              |
+-------------+----------------------------------+
    Copy to Clipboard 
    [(keystone_admin)]# keystone service-create --name cinderv2 \
        --type volumev2 \
        --description "Cinder Volume Service v2"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |     Cinder Volume Service v2     |
|   enabled   |               True               |
|      id     | 42318fdec1926f57643ca7b1e40b78df |
|     name    |             cinderv2             |
|     type    |             volumev2             |
+-------------+----------------------------------+
    Copy to Clipboard
  5. Create the cinder endpoint entry: 
    [(keystone_admin)]# keystone endpoint-create \
   --service cinder \
   --publicurl 'http://IP:8776/v1/%(tenant_id)s' \
   --adminurl 'http://IP:8776/v1/%(tenant_id)s' \
   --internalurl 'http://IP:8776/v1/%(tenant_id)s' \
   --region 'RegionOne'
    Copy to Clipboard 
    [(keystone_admin)]# keystone endpoint-create \
   --service cinderv2 \
   --publicurl 'http://IP:8776/v2/%(tenant_id)s' \
   --adminurl 'http://IP:8776/v2/%(tenant_id)s' \
   --internalurl 'http://IP:8776/v2/%(tenant_id)s'
   --region 'RegionOne'
    Copy to Clipboard
    Replace IP with the IP address or host name of the server hosting the Block Storage API service (openstack-cinder-api). To install and run multiple instances of the API service, repeat this step for the IP address or host name of each instance.

6.3.3. Configure Block Storage Service Authentication

Configure the Block Storage service to use the Identity service for authentication. All steps in this procedure must be performed on each server hosting Block Storage services, while logged in as the root user.

Procedure 6.3. Configuring the Block Storage Service to Authenticate Through the Identity Service

  1. Set the authentication strategy to keystone: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT auth_strategy keystone
    Copy to Clipboard
  2. Set the Identity service host that the Block Storage services must use: 
    # openstack-config --set /etc/cinder/cinder.conf \
   keystone_authtoken auth_host IP
    Copy to Clipboard
    Replace IP with the IP address or host name of the server hosting the Identity service.
  3. Set the Block Storage services to authenticate as the correct tenant: 
    # openstack-config --set /etc/cinder/cinder.conf \
   keystone_authtoken admin_tenant_name services
    Copy to Clipboard
    Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide use services.
  4. Set the Block Storage services to authenticate using the cinder administrative user account: 
    # openstack-config --set /etc/cinder/cinder.conf \
   keystone_authtoken admin_user cinder
    Copy to Clipboard
  5. Set the Block Storage services to use the correct cinder administrative user account password: 
    # openstack-config --set /etc/cinder/cinder.conf \
   keystone_authtoken admin_password PASSWORD
    Copy to Clipboard
    Replace PASSWORD with the password set when the cinder user was created.

6.3.4. Configure the Firewall to Allow Block Storage Service Traffic

Each component in the OpenStack environment uses the Identity service for authentication and must be able to access the service. The firewall on the system hosting the Block Storage service must be altered to allow network traffic on the required ports. All steps in this procedure must be run on each server hosting Block Storage services, while logged in as the root user.

Procedure 6.4. Configuring the Firewall to Allow Block Storage Service Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on ports 3260 and 8776 to the file. The new rule must appear before any INPUT rules that REJECT traffic: 
    -A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
    Copy to Clipboard
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service to ensure that the change takes effect: 
    # systemctl restart iptables.service
    Copy to Clipboard

6.3.5. Configure the Block Storage Service to Use SSL

Use the following options in the cinder.conf file to configure SSL.
Table 6.1. SSL options for Block Storage
Configuration Option Description
backlog
The number of backlog requests with which to configure the socket.
tcp_keepidle
Sets the value of TCP_KEEPIDLE in seconds for each server socket.
ssl_ca_file
The CA certificate file to use to verify connecting clients.
ssl_cert_file
The certificate file to use when starting the server securely.
ssl_key_file
The private key file to use when starting the server securely.

6.3.6. Configure RabbitMQ Message Broker Settings for the Block Storage Service

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the server hosting the Block Storage service, while logged in as the root user.

Procedure 6.5. Configuring the Block Storage Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rpc_backend cinder.openstack.common.rpc.impl_kombu
    Copy to Clipboard
  2. Set the name of the RabbitMQ host: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
    Copy to Clipboard
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rabbit_port 5672
    Copy to Clipboard
  4. Set the RabbitMQ username and password created for the Block Storage service when RabbitMQ was configured: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rabbit_userid cinder
    Copy to Clipboard 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rabbit_password CINDER_PASS
    Copy to Clipboard
    Replace cinder and CINDER_PASS with the RabbitMQ user name and password created for the Block Storage service.
  5. When RabbitMQ was launched, the cinder user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Block Storage service to connect to this virtual host: 
    # openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT rabbit_virtual_host /
    Copy to Clipboard

6.3.7. Enable SSL Communication Between the Block Storage Service and the Message Broker

If you enabled SSL on the message broker, you must configure the Block Storage service accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.
  1. Enable SSL communication with the message broker: 
    # openstack-config --set /etc/cinder/cinder.conf \
 DEFAULT rabbit_use_ssl True
# openstack-config --set /etc/cinder/cinder.conf \
 DEFAULT kombu_ssl_certfile /path/to/client.crt
# openstack-config --set /etc/cinder/cinder.conf \
 DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Copy to Clipboard
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command: 
    # openstack-config --set /etc/cinder/cinder.conf \
 DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Copy to Clipboard
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).

6.3.8. Populate the Block Storage Database

Populate the Block Storage database after you have successfully configured the Block Storage service database connection string.

Important

This procedure must be followed only once to initialize and populate the database. You do not need to perform these steps again when adding additional systems hosting Block Storage services.

Procedure 6.6. Populating the Block Storage Service Database

  1. Log in to the system hosting one of the Block Storage services.
  2. Switch to the cinder user: 
    # su cinder -s /bin/sh
    Copy to Clipboard
  3. Initialize and populate the database identified in /etc/cinder/cinder.conf: 
    $ cinder-manage db sync
    Copy to Clipboard

6.3.9. Increase the Throughput of the Block Storage API Service

By default, the Block Storage API service (openstack-cinder-api) runs in one process. This limits the number of API requests that the Block Storage service can process at any given time. In a production environment, you should increase the Block Storage API throughput by allowing openstack-cinder-api to run in as many processes as the machine capacity allows.
The Block Storage API service option, osapi_volume_workers, allows you to specify the number of API service workers (or OS processes) to launch for openstack-cinder-api.
To set this option, run the following command on the openstack-cinder-api host: 
# openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT osapi_volume_workers CORES
Copy to Clipboard
Replace CORES with the number of CPU cores/threads on a machine.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat