[Cloud Computing Study Notes (18)] OpenStack service topology design, Keystone, Glance


This article is published by the official account [Developing Pigeon]. Welcome to follow!


One. OpenStack service topology design

OpenStack is a distributed system consisting of several nodes. The different OpenStack services can be deployed across these nodes, and the components of a single service can themselves be spread over different nodes.

(1) Control Node Controller

The services running on the Controller node include Keystone, Glance, Horizon, and management-related components in Nova and Neutron.

There are also services that support OpenStack, such as Mysql, RabbitMQ and network time service NTP.

(2) Network Node

The service running here is Neutron, which provides the L2 and L3 networks for OpenStack, including virtual machine networks, DHCP, routing, NAT, etc.

(3) Storage node Storage

Provides the block storage service Cinder or the object storage service Swift.

(4) Compute node

Runs the Hypervisor (KVM by default), which creates and manages virtual machines. It also runs the Neutron agent to provide network support for the virtual machines.

Two. Keystone service

(1) User

A User is any entity that uses OpenStack. It can be a real person or another system. When a User requests access to OpenStack, Keystone verifies its identity. Besides admin and demo, OpenStack also creates a service user for each of nova, cinder, glance and neutron, and admin can manage these users.

(2) Credentials

Credentials are the information a User presents to prove its identity, such as an account/password pair or a Token.

(3) Authentication

Authentication is the process by which Keystone verifies the user's identity.

(4) Token

A Token is a string of digits and letters that Keystone issues to the User after successful authentication. The Token then serves as the Credential for accessing services, and each service verifies the validity of the Token with Keystone. The default lifetime of a Token is 24H.

(5) Project

A Project is used to group and isolate OpenStack resources (compute, storage and networking). Depending on whom the OpenStack deployment serves, a Project can correspond to a customer (a tenant in a public cloud) or to a department.

Note that resources are owned by the Project, not by the User. Every User (including admin) must be linked to a Project before it can access that Project's resources, and a User can belong to multiple Projects.

(6) Endpoint

An Endpoint is a URL reachable over the network. Each Service exposes its API through its Endpoint, and Keystone is responsible for managing and maintaining the Endpoint of every Service.

(7) Role

Security consists of two parts: Authentication and Authorization.

Keystone implements authorization through Roles. Different Roles are defined in Keystone, each Role may carry different permissions, and a User can be assigned multiple Roles.

Each Service decides what each Role is allowed to do, and enforces that access control through its own policy.json file.
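To make the Role/policy.json relationship concrete, here is a small evaluator for the rule language those files use. It is an added illustration written for these notes, not oslo.policy itself, and the policy below is constructed in the style of Glance's policy.json rather than copied from a real deployment; it handles the subset of the syntax these notes rely on ("role:<name>", "rule:<name>" references, "<attr>:%(field)s" owner matches, and "or"/"and" without parentheses).

```python
"""Toy evaluator for the policy.json rule language OpenStack services use.
Added example for these notes, not the real oslo.policy implementation."""
import json
import re

# Constructed sample policy in the style of /etc/glance/policy.json.
SAMPLE_POLICY = json.loads("""{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(owner)s",
    "get_image": "",
    "delete_image": "rule:admin_or_owner",
    "publicize_image": "rule:context_is_admin"
}""")


def _check_atom(atom, creds, target, policy):
    """Evaluate one term such as 'role:admin' or 'project_id:%(owner)s'."""
    atom = atom.strip()
    if atom == "":            # an empty rule allows everyone
        return True
    kind, _, value = atom.partition(":")
    if kind == "role":        # does the caller's Keystone Role match?
        return value in creds.get("roles", [])
    if kind == "rule":        # reference to another named rule
        return evaluate(policy, value, creds, target)
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:                     # compare a caller attribute with a target field
        field = target.get(m.group(1))
        return field is not None and creds.get(kind) == field
    return creds.get(kind) == value


def evaluate(policy, action, creds, target):
    """True if creds may perform action on target. Unknown actions are denied,
    which is the safe default when a rule is missing and no default is set."""
    rule = policy.get(action)
    if rule is None:
        return False
    # "or" binds looser than "and": split into clauses, then into terms
    return any(
        all(_check_atom(term, creds, target, policy)
            for term in clause.split(" and "))
        for clause in rule.split(" or ")
    )
```

With this policy, a member of the owning Project may delete its own Image but may not publicize it, while admin may do both.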

Three. Glance service

(1) Functions of Glance Service

Provides a REST API that lets users query and retrieve Image metadata and the Image itself;

Supports multiple ways of storing an Image, including the ordinary file system, Swift and Amazon S3;

Takes a snapshot of a running instance to create a new Image.

(2) Glance service component architecture

The architecture of Glance is as follows:

[Figure: Glance architecture diagram]

You can see that Glance is composed of three parts:

1. glance-api

The service process running in the background that exposes the REST API and responds to Image query, retrieval and storage calls. It does not process the request itself:

If the operation concerns Image metadata, glance-api forwards the request to glance-registry, which then queries the database for the corresponding data;

If the operation concerns access to the Image itself, glance-api forwards the request to the image storage system, the store backend.

2. glance-registry

The service process running in the background that is responsible for handling and accessing Image metadata, such as the size and type of the Image. This metadata is stored in the database; the default is MySQL.

Glance supports multiple types of images. As follows:

[Figure: table of image types supported by Glance]

3. store backend

The Glance service does not store the Image itself; the Image lives in the backend. Glance supports multiple types of backend, such as the default local file system, Amazon S3, Cinder, Swift and VMware ESX.

Which backend to use is configured in /etc/glance/glance-api.conf.

(3) Operation of Glance

OpenStack provides two ways to interact with it: the Web UI (Horizon) and the command line CLI. The command line supports more functions and more parameters, runs faster, and can be placed in a script for batch processing, so for time-consuming tasks the CLI is the better choice.

1. Create Image

If the Image is set to public, other Projects can use it; if it is set to Protected, the Image cannot be deleted. Using the CLI is recommended, since it can also show the progress of the creation.

glance image-create --name cirros --file /tmp/xxxx.img --disk-format qcow2 --container-format bare --progress

The last parameter, --progress, displays the upload percentage of the Image file, which is more intuitive.

2. Delete Image

glance image-delete xxxx

The argument that follows the command is the ID of the Image.

(4) Glance log

OpenStack troubleshooting relies mainly on logs, and each Service has its own. Glance has two logs, glance-api.log and glance-registry.log. The glance-api log records the REST API calls, while the glance-registry log records how the Glance service processes requests and its database operations. If you need more detailed logs, turn on the debug option in /etc/glance/*.conf.
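As an added example of working with the glance-api log described above (not code from the original notes), the script below parses the REST call lines glance-api writes and pulls out what a troubleshooter looks at first: the status code distribution, authentication or authorization failures (401/403) per source address, and successful state-changing calls. The log lines are constructed in the eventlet.wsgi line format glance-api uses, not taken from a real deployment.

```python
"""Parse glance-api.log REST call lines and summarize them for troubleshooting.
Added example for these notes; the log sample below is constructed."""
import re
from collections import Counter

# Constructed sample lines in the eventlet.wsgi.server format used by glance-api.
SAMPLE_LOG = """\
2020-05-01 10:00:01.123 1234 INFO eventlet.wsgi.server [req-aaa demo demo] 10.0.0.5 - - [01/May/2020 10:00:01] "GET /v2/images HTTP/1.1" 200 2048 0.031
2020-05-01 10:00:02.456 1234 INFO eventlet.wsgi.server [req-bbb - -] 10.0.0.9 - - [01/May/2020 10:00:02] "GET /v2/images HTTP/1.1" 401 276 0.004
2020-05-01 10:00:03.789 1234 INFO eventlet.wsgi.server [req-ccc demo demo] 10.0.0.5 - - [01/May/2020 10:00:03] "DELETE /v2/images/0f1e HTTP/1.1" 403 232 0.010
2020-05-01 10:00:04.001 1234 DEBUG glance.api.v2.images [req-ddd admin admin] some unrelated debug line
2020-05-01 10:00:04.002 1234 INFO eventlet.wsgi.server [req-ddd admin admin] 10.0.0.7 - - [01/May/2020 10:00:04] "DELETE /v2/images/0f1e HTTP/1.1" 204 0 0.120
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \d+ (?P<level>\w+) eventlet\.wsgi\.server '
    r'\[(?P<req>req-\S+) (?P<user>\S+) (?P<project>\S+)\] (?P<ip>\S+) .*?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_api_log(text):
    """Return one dict per recognised REST call line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            calls.append(rec)
    return calls


def summarize(calls):
    """Status-code totals, 401/403 counts per source IP, and successful
    state-changing calls with the user that made them."""
    by_status = Counter(c["status"] for c in calls)
    auth_failures = Counter(c["ip"] for c in calls if c["status"] in (401, 403))
    mutations = [(c["user"], c["method"], c["path"]) for c in calls
                 if c["method"] in ("POST", "PUT", "PATCH", "DELETE")
                 and c["status"] < 300]
    return {"by_status": by_status,
            "auth_failures": auth_failures,
            "mutations": mutations}
```

Run it against a real glance-api.log with the debug option turned on and the unrelated DEBUG lines are skipped while the REST calls are still picked up.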

(5) OpenStack command line operation

1. Set the environment variables before executing commands

These variables include the username, project, password, etc. If they are not set, the corresponding command line parameters must be supplied every time a command is executed.

2. The commands of each service support create, delete, update, list and show operations

The format is:

CMD <obj>-create [param1][param2]…
CMD <obj>-delete [param1][param2]…
CMD <obj>-update [param1][param2]…
CMD <obj>-list [param1][param2]…
CMD <obj>-show [param1][param2]…

For images managed by glance, CMD is glance and obj is image;

Neutron manages networks and subnets, so CMD is neutron and obj is net or subnet;

For nova the obj can be omitted, as in the instance operations:

nova boot, nova delete, nova list, nova show;

3. Use help to view the usage of a command

The format is:

CMD help [sub-CMD]

For example, glance help image-update can query the usage of image-update.