Upon completion of this module, you should be able to:
• Explain the principal operations of the Image service
• Understand the range of back-end storage options
• Discuss steps involved in image creation
EMC CONFIDENTIAL—INTERNAL USE ONLY 2
BASIC CONCEPT: GLANCE
• Glance exists to provide Nova users with VM images to use to create instances
• Some debate on whether it should be separate from Nova, but it is right now
• Effort underway to extend Glance with fuller Artifact Repository for other OpenStack services
  – Heat templates
  – Murano application packages
  – Compare with apps.openstack.org
Image source: OpenStack is doomed and it is Your Fault
BASIC CONCEPTS: GLANCE IMAGES
• Image is a virtual disk with a bootable filesystem
• Glance specifies disk format and container format for each image, though container format is not used
  – Use ‘bare’ container format if unsure
• VM instances are created from copies of the image file, so later changes do not affect instances
• Glance provides unique URL for retrieval of each image, e.g.
  – http://192.168.0.42:9292/v1/images/b3ef8345-ea48-45a4-8afc-bda596317301

Disk format     Hypervisor support
raw             KVM, Xen
qcow2           QEMU/KVM
vmdk            ESXi
vhd/vhdx        Hyper-V, ESXi, Xen
ISO
AMI/ARI/AKI

BASIC CONCEPTS: IMAGE METADATA
• Image owners can assign arbitrary properties to images (KV pairs)
• Properties help users find and select images
• Properties can also influence Nova scheduling of instances (via ImagePropertiesFilter)
  – architecture
  – hypervisor_type
  – hypervisor_version_requires
  – vm_mode
BASIC CONCEPTS: ACCESS CONTROL
• Images can be public or private to a project
• Private images can be shared with other projects by the image owner or admin
  – $ glance member-create [--can-share] <image> <member-id>
• Permission to share the image can also be shared along with the image, via the --can-share flag
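The sharing rules above as a small model with an access review on top, showing how a member holding can_share widens who can read a private image without the owner acting. This is an added example, not Glance code or part of the original slides; the class, function names, project ids and image id are hypothetical, and letting a can_share member add further members follows the slide's wording.

```python
class ImageACL:
    """Toy model of the sharing rules on the slide (not Glance code)."""

    def __init__(self, image_id, owner, is_public=False):
        self.image_id, self.owner, self.is_public = image_id, owner, is_public
        self.members = {}  # member project id -> can_share flag

    def may_share(self, actor, is_admin=False):
        # Owner or admin may share; so may any member that was given can_share.
        return is_admin or actor == self.owner or self.members.get(actor, False)

    def member_create(self, actor, member, can_share=False, is_admin=False):
        if not self.may_share(actor, is_admin):
            raise PermissionError(f"{actor} may not share {self.image_id}")
        self.members[member] = can_share

    def can_read(self, project):
        return self.is_public or project == self.owner or project in self.members


def audit(acls, approved):
    """Flag members the owner never approved and members able to re-share."""
    findings = []
    for acl in acls:
        for member, can_share in sorted(acl.members.items()):
            if member not in approved.get(acl.image_id, set()):
                findings.append((acl.image_id, member, "not in approved member list"))
            if can_share:
                findings.append((acl.image_id, member, "can extend access (can_share)"))
    return findings


def demo():
    # Constructed scenario: project ids and image id are made up.
    acl = ImageACL("img-golden", owner="proj-build")
    acl.member_create("proj-build", "proj-partner", can_share=True)
    acl.member_create("proj-partner", "proj-unknown")    # re-share, owner not involved
    try:
        acl.member_create("proj-unknown", "proj-other")  # no can_share: refused
    except PermissionError:
        pass
    return acl, audit([acl], {"img-golden": {"proj-partner"}})


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```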
BASIC CONCEPTS: IMAGE CREATION
• Many Linux OS providers provide pre-packaged images ready for use with OpenStack: CentOS, Ubuntu, …
• Users can also create their own images, but it’s work
  – Download OS ISO
  – Manually create VM somewhere and boot from ISO
  – Install and configure OS
  – Install instance metadata package (e.g. cloud-init)
  – Install any other desired applications
  – Stop the VM and clean up the environment for packaging (e.g. virt-sysprep)
  – Convert the image format, if desired (e.g. qemu-img convert)
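A pre-upload check for the last step above and for the disk format table on the Glance images slide: it confirms that a converted file matches the disk format about to be declared, and reports a qcow2 header that names a backing file, which a host opening the image would try to resolve. This is an added example, not part of the original slides or of Glance; the signature tests are heuristics, the function names are hypothetical, and the sample bytes and the path /srv/base.raw are constructed.

```python
import os, struct, tempfile

def sniff_disk_format(path):
    """Guess a disk format from file signatures; returns (format, detail)."""
    with open(path, "rb") as f:
        head = f.read(32)
        if head[:4] == b"QFI\xfb" and len(head) >= 20:
            # qcow header: version, backing_file_offset, backing_file_size (big-endian)
            version, b_off, b_len = struct.unpack(">IQI", head[4:20])
            backing = None
            if b_off and b_len:
                f.seek(b_off)
                backing = f.read(min(b_len, 1023)).decode("utf-8", "replace")
            return ("qcow2" if version >= 2 else "qcow"), {"backing_file": backing}
        if head[:4] == b"KDMV":             # VMDK sparse extent header
            return "vmdk", {}
        if head[:8] == b"vhdxfile":         # VHDX file identifier
            return "vhdx", {}
        f.seek(0x8001)                      # ISO 9660 primary volume descriptor
        if f.read(5) == b"CD001":
            return "iso", {}
        size = f.seek(0, os.SEEK_END)
        f.seek(max(size - 512, 0))          # VHD footer occupies the last sector
        if f.read(8) == b"conectix":
            return "vhd", {}
    return "raw", {}                        # raw has no signature: fallback only

def check_upload(path, declared):
    """Return a list of reasons to hold the image back before upload."""
    actual, detail = sniff_disk_format(path)
    problems = []
    if actual != declared:
        problems.append(f"declared {declared!r}, content looks like {actual!r}")
    if detail.get("backing_file"):
        problems.append(f"qcow2 references backing file {detail['backing_file']!r}")
    return problems

def make_sample(data):                      # writes constructed bytes to a temp file
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

# Constructed sample, not a real image: qcow2 v3 header naming a backing file.
BACKING = b"/srv/base.raw"
QCOW_SAMPLE = (b"QFI\xfb" + struct.pack(">IQI", 3, 104, len(BACKING))).ljust(104, b"\0") + BACKING

if __name__ == "__main__":
    print(check_upload(make_sample(QCOW_SAMPLE), "raw"))
```

Because raw has no signature, a result of raw only means that none of the other signatures matched.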
KEY SERVICE OPERATIONS: IMAGES
• CRUD on images and image metadata (subject to policy)
  – Images created from local file or URL
• CRUD on access control lists (member lists) for images
• Image list call supports filtering and sorting results by metadata
  – name
  – disk-format
  – size
  – property-filter
  – owner
  – …

$ glance image-create …
$ glance image-delete …
$ glance image-download …
$ glance image-show …
$ glance member-create …
$ glance member-delete …
$ glance member-list …
$ glance image-list
$ glance image-list --property-filter <key=value>

GLANCE ARCHITECTURE
• Glance API consists of a stack of services to handle all functions, implemented via WSGI pipeline
  – Glance Domain Controller: Authentication, Notifier, Policy, Quota, Location, DB
  – Glance Store: image storage and retrieval
• Image metadata and location saved in Glance DB
• Image files saved in configured storage backend (default: filesystem)
  – /var/lib/glance/images
• Option: Glance API delegates DB access to separate glance-registry service via RPC over HTTP
• Glance notifier sends lifecycle notification messages instead of log entries (optional config)
[Diagram labels: Clients, Nova, Control Node, glance-api, store driver, glance-registry, Glance DB (SQL), AMQP queues; storage backends: Swift, Cinder, AWS S3, Filesystem, RBD (Ceph), Sheepdog, GridFS, VMware DS]

SERVICE LOGICAL ARCHITECTURE
• Auth via Keystone middleware
• Glance registry is an optional component to avoid direct DB access from the public API service
• Glance notifier function supports multiple drivers for lifecycle notifications, including log and oslo.messaging to send notification messages to an exchange
  – Default driver is noop: no notifications
• Glance store functionality depends on which backend (and hypervisor) is in use
• Most Glance development uses filesystem back end or Swift
Source: Glance Developer Documentation
OPTION: GLANCE IMAGE CACHE
• Glance API supports configuration of a local image cache, transparent to clients
• Cache is shared for all API instances on a given API server
• Images automatically cached on retrieval
• Utilities provided to help manage the cache, including
  – glance-cache-pruner: enforces cache max size
  – glance-cache-cleaner: removes invalid and stalled images
  – glance-cache-manage: queue, remove, and list images in the cache
  – glance-cache-prefetcher: prefetch queued images
[Diagram labels: Clients, Nova, Control Node, glance-api, store driver, glance-registry, Local filesystem, Swift, Glance DB (SQL), AMQP queues]