I'm Venu

Technology leader with 20 years of excellence in the digital transformation of rapidly growing businesses. Expert at leveraging the technologies that dictate the future, designing highly efficient processes, and building competent teams. From leading the development and management of mission-critical applications for different industries to migrating legacy systems to the cloud, I've been fortunate to imbibe the nuances of various domains.

Core Competence
Technology To Business Alignment

Strategic Alliances n Partnership

Agile n Hybrid


Project Management

Team Building

Managing Director

Calcium Health

Executive Director - Head of Technology

Hinfoways HealthCare Pvt. Ltd.

Chief Architect




Software Engineer

Société Générale

SOBIS Mannheim




My Skills
Build An AWS like Cloud


Total Years Of Experience


Happy Customers


Projects Done


In Tech Since

How May I Help You?


Project Management, Build Competent Teams, Automate Processes and Stive For Excellence

Winning Strategies

Strategy Planning, , Performance Optimisation, Service Deliver and Operations, BCP and Risk Management


Technology To Business Alignment, Implementation, Integration, Migration,

Clean Code

Test Driven Development (TDD), Big-O, Integration and Migration, Security and Compliance


Visionary Stratergies, Strategic Alliances n Partnership, Sales and Marketing, Regulatory Expertise, Governance

Team Building

Building, hiring, and growing large teams of graphically-dispersed members inculcating the culture of commitment, accountability, and shared success.


OpenStack's Image Service-Glance--A Deep Dive

Objective: Further to the previous post this is to install and configure the OpenStack's Image Service along with several concepts around it.

What is Glance?

The OpenStack's Image Service is known as Glance and provides the following services for Virtual Machine (VM) Images:-

- Discover
- Register
- Retrieve

This service provides REST API that enables us to query VM images metadata and retrieve an actual image.

This component is as highlighted in the screenshot below

from the above diagram we see that one of the services is glance-api which accepts calls for image discovery, retrieval and storage. The second one is glance-registry which stores, process and retrieves the  metadata like size, type and etc about the image. The third one is Database which stores image metadata, this could be any, but we would be choosing MySQL here.

Note: The storage repository for the Image service is the Object Storage Service, it could be as simple as the local filesystem to RADOS block devices or Amazon S3...

Using Glance you can even take snapshots of an image from an existing server for immediate storage. Use snapshots for backup and as templates to launch new servers.

Installing Glance

As mentioned, this a sequel to the previous post.

To install the Image service on the Controller node:

  1. yum install openstack-glance  

Now since we will be saving the metadata into the MySQL DB, set the variables the files /etc/glance/glance-api.conf and etc/glance/glance-registry.conf
sql_connection = mysql://glance:glance_password@controller/glance
We will now use the helper command openstack-db to create the image service database and tables in the mysql server along with creating a user called "glance" who will be using them.

  1. openstack-db --init --service glance --password glance_password  

Following this we will now let KeyStone let the identitiy management system know that there is a service called Glance and create a user with that name "glance", and assign it the role of an admin and add it to the "service" tenant.
  1. keystone user-create --name=glance --pass=glance_password --email=glance@example.com  
  2. keystone user-role-add --user=glance --tenant=service --role=admin  

Now we will edit these two files and set the variables as

  1. /etc/glance/glance-api.conf  
  2. /etc/glance/glance-registry.conf  

In /etc/glance/glance-api.conf under the section [keystone_authtoken]

auth_host = controller
admin_tenant_name = service
admin_user = glance
admin_password = glance_password

Under section paste_deploy
flavor = keystone

In the file /etc/glance/glance-registry.conf under the section [keystone_authtoken]
auth_host = controller
admin_tenant_name = service
admin_user = glance
admin_password = glance_password

Under section paste_deploy

flavor = keystone

Now adding the credentials to the /etc/glance/glance-api-paste.ini and /etc/glance/glance-registry-paste.ini, in Centos we copied the files to the correct location as well

  1. cp /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api- paste.ini  
  2. cp /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance- registry-paste.ini  

and edit both the file to set the following options to the section [filter:authtoken]

Now registering the Image service with the Identity service so that other openstack services can locate it.

To register the service and create the endpoint

  1. keystone service-create --name=glance --type=image --description="Glance Image service"  

Now using the ID property returned from the service to create the endpoint:

  1. keystone endpoint-create --service-id=e6.....seviceid --publicurl=http://controller:9292 --internalurl=http://controller:9292 --adminurl=http://controller:9292  

Now for the moment of truth starting the Glance service.

  1. service openstack-glance-api start  
  2. service openstack-glance-registry start  

And now ensuring that the service will start automatically when the system boots

  1. chkconfig openstack-glance-api on  
  2. chkconfig openstack-glance-registry on  

Taking the new glance for a spin

We can download an image, the lowest footprint one is the Cirros one.

  1. wget http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64- disk.img  

and now uploading this image to the Image service so that it can be used to create VMs with this OS installed.

  1. glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 \ --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img   

We are all set with Glance now. 

OpenStack's Identity Management--KeyStone--A Deep Dive

What is KeyStone?

Keystone is an OpenStack project that provides the following services to other projects in the OpenStack family:

Some interesting definitions providing more depth to what seems to be already known 

A digital representation of a person, system, or service that uses OpenStack cloud services. OpenStack Identity authentication services validate that an incoming request is being made by the user who claims to be making the call.
Users have a login and may be assigned tokens to access resources. Users may be directly assigned to a particular tenant and behave as if they are contained in that tenant.
Data that belongs to, is owned by, and generally only known by a user that the user can present to prove their identity.
Examples include:
  • A matching username and password
  • A matching username and API key
  • A token that was issued to you
In the context OpenStack Identity, the act of confirming the identity of a user or the truth of a claim. OpenStack Identity confirms that an incoming request is being made by the user who claims to be making the call by validating a set of claims that the user is making.
These claims are initially in the form of a set of credentials. After initial confirmation, OpenStack Identity issues the user a token, which the user can then provide to demonstrate that their identity has been authenticated when making subsequent requests.
An arbitrary bit of text that is used to access resources. Each token has a scope that describes which resources are accessible with it. A token may be revoked at anytime and is valid for a finite duration.
While OpenStack Identity supports token-based authentication in this release, the intention is for it to support additional protocols in the future. The intent is for it to be an integration service foremost, and not aspire to be a full-fledged identity store and management solution.
A container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant can map to a customer, account, organization, or project.
An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image Service (Glance). A service provides one or more endpoints through which users can access resources and perform operations.
A network-accessible address, usually described by a URL, where a service may be accessed. If using an extension for templates, you can create an endpoint template, which represents the templates of all the consumable services that are available across the regions.
A personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges. A user assuming that role inherits those rights and privileges.
In OpenStack Identity, a token that is issued to a user includes the list of roles that user can assume. Services that are being called by that user determine how they interpret the set of roles a user has and to which operations or resources each role grants access.
It is up to individual services such as the Compute service and Image service to assign meaning to these roles. As far as the Identity service is concerned, a role is an arbitrary name assigned by the user.

Request/Response Types

The OpenStack Identity API supports both the JSON and XML data serialization formats. The request format is specified using the Content-Type header and is required for operations that have a request body. The response format can be specified in requests using either the Accept header or adding an .xml or .jsonextension to the request URI. Note that it is possible for a response to be serialized using a format different from the request (see example below). If no response format is specified, JSON is the default. If conflicting formats are specified using both an Accept header and a query extension, the query extension takes precedence.
FormatAccept HeaderQuery ExtensionDefault

Authentication and Authorization flow in Keystone

Below is a flow depicting the Authentication and Authorization flow using Keystone.

Keystone Up and running!

As discussed in the previous post we are mainly focused on getting the user's perspective on the component.
To be as close to a production environment as possible, we have chosen to have this running on CentOS.

Getting the Controller Node ready:-

Install CentOS
Setup Network service to start, set hostname, etc.
Sync time using with the ntp service
MySQL installed and running
OpenStack dependencies installed,
Messaging Server Qpid installed and configured

Bring the Server up and running

yum install openstack-keystone python-keystoneclient

The above will have openstack and it's dependency installed, and now hooking it up to the MySQL Database, do the following

          vi /etc/keystone/keystone.conf

          uncomment "connection" variable in the SQL section and set it to

                 connection = mysql://keystone:keystone_password@localhost/keystone


     Using the openstack-db command we will go ahead and create the database and tables we created in our previous session.

     openstack-db --init --service keystone --password KEYSTONE_DBPASS

We hit upon an error that is "ungoogleable", please see the end of this doc for some information on that.

Now we will go ahead and create a secret token that would be shared between the Identity service and other OpenStack services. Which is done by editing the keystone.conf
and setting

admin_token = somerandom_password(no quotes)

Keystone uses PKI tokens, and we are going to now create the signing keys and certs:
          The identity service generates tokens which are cryptographically signed documents users and other services use for authentication.
          The tokens are signed using a private key while the public key is made available in an X509 certificate.
          The certificates and relevant configuration keys are automatically generated by the keystone-manage pki_setup command.
          The configuration keys relevant to PKI setup appear in the [signing] section of the /etc/keystone/keystone.conf configuration file that are relevant to the PKI setup are:

    keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

post this we ensure the ownership using the below command

chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/

Post his we can enable the service to start when the system reboots or boots
     chkconfig openstack-keystone on

to start the service we can use

     service openstack-keystone start

Define Users, Tenants and Roles

These are used to allow access to services and endpoints.

We authenticate with the service using the Admin token we had defined earlier and the service end point is http://controller:35357/v2.0

We will now create a tenant for an administrative user and a tenant for other OpenStack Services to use, by using the command keystone tenant-create

  1. keystone tenant-create --name=admin --description="Admin Tenant"
  2. keystone tenant-create --name=service --description="Service Tenant"

  3. Creating an admin user
  4. keystone user-create --name=admin --pass=password --email=admin@example.com

Now we will go ahead and create a role for the user. Since its for admin, we will go ahead and create an administrative tasks role called "admin".
Any roles we create should be mapped to roles specified in the policy.json files of various OpenStack services. Which is in /etc/keystone/policy.json

keystone user-create --name=admin
Now we will go ahead and add the user "admin to the role "admin" and tenant "admin"

keystone user-role-add --user=admin --tenant=admin --role=admin

Define services and API endpoints

The identity service can track which OpenStack services are installed and where they are located on the network.
We will have to register each service in OpenStack installation, using commands like keystone service-create, keystone endpoint-create

1. Creating a service entry for the identity service

      keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

2. Specifying an API endpoint for the Identity service by using the returned service ID from above.
     Endpoints are nothing but usually URLs and hence we will provide URLs for
    • Public API
    • Internal API
    • Admin API

     keystone endpoint-create \
     --service-id=the_service_id_above \
     --publicurl=http://controller:5000/v2.0 \
     --internalurl=http://controller:5000/v2.0 \


Testing Keystone now!

Create a file called openrc.sh to have all the --os-* environment variables
export OS_USERNAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

we can now source the file using the command source openrc.sh

And run commands such as

     keystone token-get
     keystone user-list

Start Work With Me

Contact Us
Venu Murthy
+91 9886782890

CC. Powered by Blogger.


Punch Line

“Excellence is never an accident. It is always the result of high intention, sincere effort, and intelligent execution.... ― Aristotle

Join My Professional Network

Feature Post

Featured Post

We wasted 3 months on Area 51 - Stackexchange

In the light of wanting a discussion forum to nurture the science of PLRT, we placed a proposal on StackExchange.  But very soon reali...


Search This Blog

Providing Solutions For Life

Stack Overflow

Stack Overflow


Author Details

Hey there, We are Blossom Themes! We are trying to provide you the new way to look and use the blogger templates. Our designers are working hard and pushing the boundaries of possibilities to widen the horizon of the regular templates and provide high quality blogger templates to all hardworking bloggers!

Popular Posts