OPENSTACK FOR VSPECIALISTS

MODULE 6: OPENSTACK IMAGE SERVICE (GLANCE)

EMC CONFIDENTIAL—INTERNAL USE ONLY 1

MODULE 6: OPENSTACK IMAGE (GLANCE)

Upon completion of this module, you should be able

to:
• Explain the principal operations of the Image service
• Understand the range of back-end storage options
• Discuss steps involved in image creation

EMC CONFIDENTIAL—INTERNAL USE ONLY 2

BASIC CONCEPT: GLANCE
• Glance exists to provide Nova users
with VM images to use to create
instances
• Some debate on whether it should be
separate from Nova, but it is right
now
• Effort underway to extend Glance
with fuller Artifact Repository for
other OpenStack services
– Heat templates
– Murano application packages
– Compare with apps.openstack.org
Image source: OpenStack is doomed and it is Your Fault

EMC CONFIDENTIAL—INTERNAL USE ONLY 3

BASIC CONCEPTS: GLANCE IMAGES
• Image is a virtual disk with a bootable
filesystem Disk format Hypervisor support

• Glance specifies disk format and raw KVM, Xen

container format for each image,
qcow2 QEMU/KVM
though container format is not used
– Use ‘bare’ container format if unsure vmdk ESXi

• VM instances are created from copies vhd/vhdx Hyper-V, ESXi, Xen

of the image file, so later changes do ISO

not affect instances AMI/ARI/AKI
• Glance provides unique URL for
retrieval of each image, e.g.
– http://192.168.0.42:9292/v1/images/b3ef8
345-ea48-45a4-8afc-bda596317301
EMC CONFIDENTIAL—INTERNAL USE ONLY 4
BASIC CONCEPTS: IMAGE METADATA
• Image owners can assign
arbitrary properties to images
(KV pairs)
• Properties help users find and
select images
• Properties can also influence
Nova scheduling of instances
(via ImagePropertiesFilter)
– architecture
– hypervisor_type
– hypervisor_version_requires
– vm_mode

EMC CONFIDENTIAL—INTERNAL USE ONLY 5

BASIC CONCEPTS: ACCESS CONTROL
• Images can be public or private to a project
• Private images can be shared with other projects by the image
owner or admin
– $ glance member-create [--can-share] <image> <member-id>

• Permission to share the image can also be shared along with

the image, via the –can-share flag

EMC CONFIDENTIAL—INTERNAL USE ONLY 6

BASIC CONCEPTS: IMAGE CREATION
• Many Linux OS providers provide pre-packaged images ready
for use with OpenStack: CentOS, Ubuntu, …
• Users can also create their own images, but it’s work
– Download OS ISO
– Manually create VM somewhere and boot from ISO
– Install and configure OS
– Install instance metadata package (e.g. cloud-init)
– Install any other desired applications
– Stop the VM and clean up the environment for packaging (e.g.
virt-sysprep)
– Convert the image format, if desired (e.g. qemu-image convert)

EMC CONFIDENTIAL—INTERNAL USE ONLY 7

KEY SERVICE OPERATIONS: IMAGES
• CRUD on images and image $ glance image-create …
metadata (subject to policy) $ glance image-delete …
– Images created from local file or URL $ glance image-download …
$ glance image-show …
• CRUD on access control lists
(member lists) for images $ glance member-create …
• Image list call supports filtering $ glance member-delete …
and sorting results by metadata $ glance member-list …
– name
$ glance image-list
– disk-format
$ glance image-list –
– size
property-filter <key=value>
– property-filter
– owner
– …
EMC CONFIDENTIAL—INTERNAL USE ONLY 8
 GLANCE ARCHITECTURE
• Glance API consists of stack of
Nova
Client Swift services to handle all functions,
s
implemented via WSGI pipeline
HTTP – Glance Domain Controller: Authentication,
Cinder Notifier, Policy, Quota, Location, DB
Control Node – Glance Store: image storage and retrieval

glance-api HTTP AWS

• Image metadata and location saved
S3
RPC / Store in Glance DB
HTTP driver
HTTP • Image files saved in configured
glance- storage backend (default: filesystem)
registry Filesystem – /var/lib/glance/images

RBD (Ceph) • Option: Glance API delegates DB

access to separate glance-registry
Sheepdog service via RPC over HTTP
Glance
DB
SQL GridFS • Glance notifier sends lifecycle
AMQP notification messages instead of log
HTTP VMware DS entries (optional config)
Queues
EMC CONFIDENTIAL—INTERNAL USE ONLY
Storage backends 9
SERVICE LOGICAL ARCHITECTURE
• Auth via Keystone middleware

• Glance registry is optional component

to avoid direct DB access from public
API service

• Glance notifier function supports

multiple drivers for lifecycle
notifications, including log and
oslo.messaging to send notification
messages to an exchange
– Default driver is noop – no notifictions

• Glance store functionality depends on

which backend (and hypervisor) is in
use

• Most Glance development uses

filesystem back end or Swift
Source: Glance Developer Documentation

EMC CONFIDENTIAL—INTERNAL USE ONLY 10

 OPTION: GLANCE IMAGE CACHE
• Glance API supports configuration of
Client
Nova a local image cache, transparent to
s
clients
HTTP
• Cache is shared for all API instances
Control Node on a given API server
Swift
glance-api HTTP
• Images automatically cached on
RPC / Store retrieval
HTTP driver
• Utilities provided to help manage the
glance- cache, including
registry – glance-cache-pruner : enforces cache max
size
– glance-cache-cleaner: removes invalid
Local
and stalled images
filesystem – glance-cache-manage: queue, remove, and
Glance list images in the cache
DB
SQL – glance-cache-prefetcher: prefetch queued
images
AMQP
HTTP
Queues
EMC CONFIDENTIAL—INTERNAL USE ONLY 11