Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

5.4. Configure the Image Service

To configure the Image service, the following tasks must be completed:
  • Configure the Identity service for Image service authentication (create database entries, set connection strings, and update configuration files).
  • Configure the disk-image storage back end (this guide uses the Object Storage service).
  • Configure the firewall for Image service access.
  • Configure TLS/SSL.
  • Populate the Image service database.

5.4.1. Configure the Image Service Database Connection
Copiar o link

The database connection string used by the Image service is defined in the /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf files. It must be updated to point to a valid database server before starting the service.
All steps in this procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.2. Configuring the Image Service SQL Database Connection

  1. Set the value of the sql_connection configuration key in the glance-api.conf file: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace USER with the Image service database user name, usually glance.
    • Replace PASS with the password of the database user.
    • Replace IP with the IP address or host name of the server hosting the database service.
    • Replace DB with the name of the Image service database, usually glance.
  2. Set the value of the sql_connection configuration key in the glance-registry.conf file: 
    # openstack-config --set /etc/glance/glance-registry.conf \
   DEFAULT sql_connection mysql://USER:PASS@IP/DB
    Copy to Clipboard Toggle word wrap
    Replace USER, PASS, IP, and DB with the same values used in the previous step.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Image service database user was granted access when creating the Image service database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the Image service database, you must enter 'localhost'.

5.4.2. Create the Image Service Identity Records
Copiar o link

Create and configure Identity service records required by the Image service. These entries assist other OpenStack services attempting to locate and access the volume functionality provided by the Image service.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 5.3. Creating Identity Records for the Image Service

  1. Set up the shell to access Keystone as the admin user: 
    # source ~/keystonerc_admin
    Copy to Clipboard Toggle word wrap
  2. Create the glance user: 
    [(keystone_admin)]# openstack user create --password PASSWORD glance
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | b1f665b15a7943ccb4668c9e78e98a7c |
| name     | glance                           |
| username | glance                           |
+----------+----------------------------------+
    Copy to Clipboard Toggle word wrap
    Replace PASSWORD with a secure password that will be used by the Image Service when authenticating with the Identity service.
  3. Link the glance user and the admin role together within the context of the services tenant: 
    [(keystone_admin)]# openstack role add --project services --user glance admin
    Copy to Clipboard Toggle word wrap
  4. Create the glance Image service entry: 
    [(keystone_admin)]# openstack service create --name glance \
        --description "Glance Image Service" \
        image
    Copy to Clipboard Toggle word wrap
  5. Create the glance endpoint entry: 
    [(keystone_admin)]#openstack endpoint create \
        --publicurl 'http://IP:9292' \ 
        --adminurl 'http://IP:9292' \  
        --internalurl 'http://IP:9292' \
        --region RegionOne \
        glance
    Copy to Clipboard Toggle word wrap
    Replace IP with the IP address or host name of the server hosting the Image service.

5.4.3. Configure Image Service Authentication
Copiar o link

Configure the Image service to use the Identity service for authentication. All steps in this procedure must be performed on each node hosting the Image service, while logged in as the root user.

Procedure 5.4. Configuring the Image Service to Authenticate through the Identity Service

  1. Configure the glance-api service: 
    # openstack-config --set /etc/glance/glance-api.conf \
   paste_deploy flavor keystone
# openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken auth_host IP
# openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken auth_port 35357
# openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken auth_protocol http
# openstack-config --set /etc/glance/glance-api.conf \      
   keystone_authtoken admin_tenant_name services
# openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken admin_user glance
# openstack-config --set /etc/glance/glance-api.conf \
   keystone_authtoken admin_password PASSWORD
    Copy to Clipboard Toggle word wrap
  2. Configure the glance-registry service: 
    # openstack-config --set /etc/glance/glance-registry.conf \
   paste_deploy flavor keystone
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken auth_host IP
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken auth_port 35357   
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken auth_protocol http
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken admin_tenant_name services
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken admin_user glance
# openstack-config --set /etc/glance/glance-registry.conf \
   keystone_authtoken admin_password PASSWORD
    Copy to Clipboard Toggle word wrap
Replace the following values:
  • Replace IP with the IP address or host name of the Identity server.
  • Replace services with the name of the tenant that was created for the use of the Image service (previous examples set this to services).
  • Replace glance with the name of the service user that was created for the Image service (previous examples set this to glance).
  • Replace PASSWORD with the password associated with the service user.

5.4.4. Use the Object Storage Service for Image Storage
Copiar o link

By default, the Image service uses the local file system (file) for its storage back end; however, either of the following storage back ends can be used to store uploaded disk images:
  • file - Local file system of the Image server (/var/lib/glance/images/ directory)
  • swift - OpenStack Object Storage service

Note

The configuration procedure below uses the openstack-config command; however, you can also manually update the /etc/glance/glance-api.conf file. If manually updating the file, ensure that the default_store parameter is set to the correct back end (for example, 'default_store=rbd'), and update the parameters in that back end's section (for example, under 'RBD Store Options').

Procedure 5.5. Configuring the Image Service to use the Object Storage Service

  1. Set the default_store configuration key to swift: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT default_store swift
    Copy to Clipboard Toggle word wrap
  2. Set the swift_store_auth_address configuration key to the public endpoint for the Identity service: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT swift_store_auth_address http://IP:5000/v2.0/
    Copy to Clipboard Toggle word wrap
  3. Add the container for storing images in the Object Storage service: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT swift_store_create_container_on_put True
    Copy to Clipboard Toggle word wrap
  4. Set the swift_store_user configuration key, in the format TENANT:USER, to contain the tenant and user to use for authentication: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT swift_store_user services:swift
    Copy to Clipboard Toggle word wrap
    • If you followed the instructions in this guide to deploy Object Storage, replace these values with the services tenant and the swift user respectively (as shown in the command example above).
    • If you did not follow the instructions in this guide to deploy Object Storage, replace these values with the appropriate Object Storage tenant and user for your environment.
  5. Set the swift_store_key configuration key to the password that was set for the swift user when deploying the Object Storage service: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT swift_store_key PASSWORD
    Copy to Clipboard Toggle word wrap

5.4.5. Configure the Firewall to Allow Image Service Traffic
Copiar o link

The Image service must be accessible over the network through port 9292. All steps in this procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.6. Configuring the Firewall to Allow Image Service Traffic

  1. Open the /etc/glance/glance-api.conf file in a text editor, and remove any comment characters preceding the following parameters: 
    bind_host = 0.0.0.0
bind_port = 9292
    Copy to Clipboard Toggle word wrap
  2. Open the /etc/sysconfig/iptables file in a text editor.
  3. Add an INPUT rule allowing TCP traffic on port 9292. The new rule must appear before any INPUT rules that REJECT traffic: 
    -A INPUT -p tcp -m multiport --dports 9292 -j ACCEPT
    Copy to Clipboard Toggle word wrap
  4. Save the changes to the /etc/sysconfig/iptables file.
  5. Restart the iptables service to ensure that the change takes effect: 
    # systemctl restart iptables.service
    Copy to Clipboard Toggle word wrap

5.4.6. Configure RabbitMQ Message Broker Settings for the Image Service
Copiar o link

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the server hosting the Image service, while logged in as the root user.

Procedure 5.7. Configuring the Image Service (glance) to Use the RabbitMQ Message Broker

  1. Set RabbitMQ as the notifier: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT notification_driver messaging
    Copy to Clipboard Toggle word wrap
  2. Set the name of the RabbitMQ host: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
    Copy to Clipboard Toggle word wrap
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT rabbit_port 5672
    Copy to Clipboard Toggle word wrap
  4. Set the RabbitMQ user name and password created for the Image service when RabbitMQ was configured: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT rabbit_userid glance
# openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT rabbit_password GLANCE_PASS
    Copy to Clipboard Toggle word wrap
    Replace glance and GLANCE_PASS with the RabbitMQ user name and password created for the Image service.
  5. When RabbitMQ was launched, the glance user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Image service to connect to this virtual host: 
    # openstack-config --set /etc/glance/glance-api.conf \
   DEFAULT rabbit_virtual_host /
    Copy to Clipboard Toggle word wrap

5.4.7. Configure the Image Service to Use SSL
Copiar o link

Use the following options in the glance-api.conf file to configure SSL.
Expand
Table 5.1. SSL Options for the Image Service
Configuration Option Description
cert_file
The path to the certificate file to use when starting the API server securely.
key_file
The path to the private key file to use when starting the API server securely.
ca_file
The path to the CA certificate file to use to verify connecting clients.

5.4.8. Populate the Image Service Database
Copiar o link

Populate the Image service database after you have successfully configured the Image service database connection string.

Procedure 5.8. Populating the Image Service Database

  1. Log in to the system hosting the Image service.
  2. Switch to the glance user: 
    # su glance -s /bin/sh
    Copy to Clipboard Toggle word wrap
  3. Initialize and populate the database identified in /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf: 
    $ glance-manage db_sync
    Copy to Clipboard Toggle word wrap

5.4.9. Enable Image Loading Through the Local File System
Copiar o link

By default, the Image service provides images to instances using the HTTP protocol. Specifically, image data is transmitted from the image store to the local disk of the Compute node using HTTP. This process is typical for most deployments where the Image and Compute services are installed on different hosts.

Note

You can use direct image access if the Image service and the Compute service are not installed on the same host, but are sharing a shared file system. In this case, the file system must be mounted in the same location.
In deployments where both services are installed on the same host (and, consequently, share the same file system), it is more efficient to skip the HTTP steps altogether. Instead, you must configure both the Image service and the Compute service to send and receive images using the local file system.
The Image file system metadata generated for this procedure will only apply to new images. Any existing images will not use this metadata.

Procedure 5.9. Configuring Image and Compute Services to Send and Receive Images through the Local File System

  1. Create a JSON document that exposes the Image file system metadata required by openstack-nova-compute.
  2. Configure the Image service to use the JSON document.
  3. Configure openstack-nova-compute to use the file system metadata provided by the Image service.

5.4.9.1. Configure the Image Service to Provide Images Through the Local File System
Copiar o link

To enable image loading through the local file system (as opposed to HTTP), the Image service must first expose its local file-system metadata to the openstack-nova-compute service.

Procedure 5.10. Configuring the Image Service to Expose Local File System Metadata to the Compute Service

  1. Determine the mount point of the file system used by the Image service: 
    # df
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda3       51475068 10905752  37947876  23% /
devtmpfs         2005504        0   2005504   0% /dev
tmpfs            2013248      668   2012580   1% /dev/shm
    Copy to Clipboard Toggle word wrap
    For example, if the Image service uses the /dev/sda3 file system, its corresponding mount point is /.
  2. Create a unique ID for the mount point: 
    # uuidgen
ad5517ae-533b-409f-b472-d82f91f41773
    Copy to Clipboard Toggle word wrap
    Note the output of the uuidgen, as this will be used in the next step.
  3. Create a file with the .json extension.
  4. Open the file in a text editor, and add the following information: 
    {
"id": "UID",
"mountpoint": "MOUNTPT"
}
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace UID with the unique ID created in the previous step.
    • Replace MOUNTPT with the mount point of the Image service's file system, as determined in the first step.
  5. Configure the Image service to use this JSON file: 
    # openstack-config --set /etc/glance/glance-api.conf \
	DEFAULT show_multiple_locations True
# openstack-config --set /etc/glance/glance-api.conf \
	DEFAULT filesystem_store_metadata_file JSON_PATH
    Copy to Clipboard Toggle word wrap
    Replace JSON_PATH with the full path to the JSON file.

    Important

    If configured without the proper policy settings, a non-admin user of the Image Service can replace active image data (that is, switch out a current image without other users knowing). See the OSSN announcement (recommended actions) for configuration information: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
  6. Restart the Image service (if it is already running): 
    # systemctl restart openstack-glance-registry.service
# systemctl restart openstack-glance-api.service
    Copy to Clipboard Toggle word wrap
The Image file-system metadata generated for this procedure only applies to new images. Any existing images will not use this metadata.

5.4.9.2. Configure the Compute Service to Use Local File System Metadata
Copiar o link

After configuring the Image service to expose local file-system metadata, configure the Compute service to use this metadata. This allows openstack-nova-compute to load images from the local file system.

Procedure 5.11. Configuring the Compute Service to use File System Metadata Provided by the Image Service

  1. Configure openstack-nova-compute to enable the use of direct URLs that have the file:// scheme: 
    # openstack-config --set /etc/nova/nova.conf \
	DEFAULT allowed_direct_url_schemes file
    Copy to Clipboard Toggle word wrap
  2. Create an entry for the Image service's file system: 
    # openstack-config --set /etc/nova/nova.conf \
	image_file_url filesystems FSENTRY
    Copy to Clipboard Toggle word wrap
    Replace FSENTRY with a name to assign to the Image service's file system.
  3. Open the .json file used by the Image service to expose its local file-system metadata. The information in this file will be used in the next step.
  4. Associate the entry for Image service's file system to the file system metadata exposed by the Image service: 
    # openstack-config --set /etc/nova/nova.conf \
	image_file_url:FSENTRY id UID
# openstack-config --set /etc/nova/nova.conf \
	image_file_url:FSENTRY mountpoint MOUNTPT
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace UID with the unique ID used by the Image service. In the .json file used by the Image service, the UID is the "id" value.
    • Replace MOUNTPT with the mount point used by the Image service's file system. In the .json file used by the Image service, the MOUNTPT is the "mountpoint" value.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat