Step-by-Step Guide to Building OpenStack Keystone and Glance Services
This tutorial walks through the complete installation and configuration of OpenStack's identity (Keystone) and image (Glance) services, covering database setup, service and endpoint creation, Apache integration, token management, client environment scripts, and verification steps, with detailed command examples and configuration snippets.
OpenStack Keystone Service Setup
OpenStack Identity (Keystone) provides single‑sign‑on for authentication, authorization and service catalog. It is the first service users interact with; other services verify tokens via Keystone and can integrate with external directories such as LDAP.
Keystone manages a service catalog where each service has one or more endpoints (admin, internal, public). Endpoints can be placed on separate networks for security. Regions (e.g., RegionOne) group services and endpoints.
Keystone components
Server – RESTful API for authentication and authorization.
Driver – Backend integration to external identity stores (SQL, LDAP).
Module – Middleware that intercepts requests and forwards credentials to the server.
Installation and configuration steps
1. Create the keystone database and grant privileges
<code>mysql -uroot -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
</code>
2. Install and configure the keystone service
<code>yum install openstack-keystone httpd mod_wsgi</code>
Edit /etc/keystone/keystone.conf:
<code>[database]
connection = mysql+pymysql://keystone:keystone@<IP>/keystone
[token]
provider = fernet
</code>
3. Initialize the keystone database
<code>su -s /bin/sh -c "keystone-manage db_sync" keystone</code>
4. Initialize Fernet key repository
<code>keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone</code>
5. Create API endpoints
<code>keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne</code>
6. Configure Apache
<code>echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
systemctl enable httpd && systemctl start httpd</code>
7. Set environment variables for the admin user
<code>export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3</code>
8. Create domain, project, user and role
<code>openstack project create --domain default --description "ServiceProject" service
openstack project create --domain default --description "DemoProject" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user</code>
9. Verify keystone
<code>unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue</code>
10. Create client environment scripts (admin-openrc, demo-openrc)
These scripts export the same variables shown above for each project, allowing the OpenStack client to operate under the selected project and user.
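One way to generate the two scripts from step 10, given here as an added example that is not part of the original guide. The helper name write_openrc is hypothetical, and prompting for the password instead of storing OS_PASSWORD in the file is a choice made for this example; the variable names, users, projects and URLs are the ones used in steps 7 and 9.

```sh
# write_openrc FILE USER PROJECT AUTH_URL   (hypothetical helper, added example)
# Creates a client environment script readable only by its owner. The script
# asks for the password when it is sourced, so no secret is stored on disk.
write_openrc() {
    file=$1 user=$2 project=$3 auth_url=$4
    (
        umask 077                     # a newly created file gets mode 0600
        cat > "$file" <<EOF
export OS_USERNAME=$user
export OS_PROJECT_NAME=$project
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=$auth_url
export OS_IDENTITY_API_VERSION=3
# Prompt for the password; terminal echo is off while it is typed.
printf 'Password for %s: ' "\$OS_USERNAME" >&2
[ -t 0 ] && stty -echo
read -r OS_PASSWORD
[ -t 0 ] && stty echo && echo >&2
export OS_PASSWORD
EOF
        chmod 600 "$file"             # also tightens a pre-existing file
    )
}

# File names from step 10; users, projects and URLs from steps 7 and 9.
write_openrc admin-openrc admin admin http://controller:35357/v3
write_openrc demo-openrc  demo  demo  http://controller:5000/v3
```

Load a script with `. admin-openrc` as in the Glance steps; the password prompt appears once per shell session.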
OpenStack Glance (Image) Service Setup
Glance provides a REST API for discovering, registering and retrieving virtual machine images. It stores image metadata in a database and the image files in configurable back‑ends such as filesystem, object storage or RBD.
Glance components
glance‑api – Handles image API calls.
glance‑registry – Stores image metadata.
Database – Stores metadata (MySQL or SQLite).
Image store – Filesystem, object storage, RBD, etc.
Metadata definition service – Allows custom image properties.
Installation and configuration steps
1. Create the glance database and grant privileges
<code>mysql -uroot -p
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
</code>
2. Create glance user and service
<code>. admin-openrc
openstack user create --domain default --password-prompt glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image</code>
3. Create image service endpoints
<code>openstack endpoint create --region RegionOne image public http://controller:9292
openstack endpoint create --region RegionOne image internal http://controller:9292
openstack endpoint create --region RegionOne image admin http://controller:9292</code>
4. Install glance packages and configure
<code>yum install openstack-glance</code>
Edit /etc/glance/glance-api.conf:
<code>[database]
connection = mysql+pymysql://glance:glance@<IP>/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/</code>
Edit /etc/glance/glance-registry.conf similarly, updating the [database] and [keystone_authtoken] sections.
5. Initialize the glance database
<code>su -s /bin/sh -c "glance-manage db_sync" glance</code>
6. Enable and start glance services
<code>systemctl enable openstack-glance-api openstack-glance-registry
systemctl start openstack-glance-api openstack-glance-registry</code>
7. Verify glance
<code>. admin-openrc
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
openstack image list</code>
After these steps, both Keystone and Glance services are operational.
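The configuration files above use lab values: each service password is identical to its user name and Keystone is reached over http://. The following check, an added example that is not part of the original guide, flags those two patterns in keystone.conf, glance-api.conf or glance-registry.conf before the same files are reused outside a lab. The function name audit_conf and the wording of the findings are hypothetical.

```sh
# audit_conf FILE: print one finding per line; exit status is 1 if any finding.
audit_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(s, k, msg) { printf "%s %s: %s\n", s, k, msg; n++ }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    /^\[/          { sec = $0; next }       # remember the current [section]
    {
        i = index($0, "="); if (!i) next
        key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
        # connection = mysql+pymysql://user:pass@host/db
        if (key == "connection" && match(val, "://[^@/]+@")) {
            cred = substr(val, RSTART + 3, RLENGTH - 4)
            c = index(cred, ":")
            if (c && substr(cred, 1, c - 1) == substr(cred, c + 1))
                report(sec, key, "database password equals the user name")
        }
        if ((key == "auth_uri" || key == "auth_url") && val ~ /^http:/)
            report(sec, key, "Keystone reached over plain HTTP")
        if (key == "username") user[sec] = val
        if (key == "password") pass[sec] = val
    }
    END {
        for (s in user) if (user[s] == pass[s])
            report(s, "password", "service password equals the user name")
        exit (n > 0)
    }' "$1"
}

# Sample input: the glance-api.conf values from step 4 of this guide, written
# to a temporary file for the demo (<IP> is the guide's own placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[database]
connection = mysql+pymysql://glance:glance@<IP>/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
username = glance
password = glance
EOF
audit_conf "$sample" || echo "(findings listed above)"
rm -f "$sample"
```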
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.