
Step-by-Step Guide to Building OpenStack Keystone and Glance Services

This tutorial walks through the complete installation and configuration of OpenStack's identity (Keystone) and image (Glance) services, covering database setup, service and endpoint creation, Apache integration, token management, client environment scripts, and verification steps, with detailed command examples and configuration snippets.

Ops Development Stories

OpenStack Keystone Service Setup

OpenStack Identity (Keystone) provides single sign-on for OpenStack: it handles authentication and authorization and maintains the service catalog. It is the first service users interact with; other services verify tokens via Keystone, and Keystone can integrate with external directories such as LDAP.

Keystone manages a service catalog where each service has one or more endpoints (admin, internal, public). Endpoints can be placed on separate networks for security. Regions (e.g., RegionOne) group services and endpoints.

Keystone components

Server – RESTful API for authentication and authorization.

Driver – Backend integration to external identity stores (SQL, LDAP).

Module – Middleware that intercepts requests and forwards credentials to the server.

Installation and configuration steps

1. Create the keystone database and grant privileges

mysql -uroot -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

2. Install and configure the keystone service

yum install openstack-keystone httpd mod_wsgi

Edit /etc/keystone/keystone.conf:

[database]
connection = mysql+pymysql://keystone:keystone@<IP>/keystone

[token]
provider = fernet

3. Initialize the keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

4. Initialize Fernet key repository

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Create API endpoints

keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne

6. Configure Apache

echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
systemctl enable httpd && systemctl start httpd

7. Set environment variables for the admin user

export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

8. Create projects, user and role in the default domain

openstack project create --domain default --description "ServiceProject" service
openstack project create --domain default --description "DemoProject" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user

9. Verify keystone

unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue

10. Create client environment scripts (admin-openrc, demo-openrc)

These scripts export the same variables shown above for each project, allowing the OpenStack client to operate under the selected project and user.
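A sketch of generating such a script, as an added example that is not part of the original article: `write_openrc` is a hypothetical helper that writes the variables from step 7 into a 0600 file. It rejects values that would be read as shell syntax when the file is sourced, and makes the script prompt for the password rather than store it (a choice of this example; the article's scripts export it).

```shell
# Added example (not from the original article): generate a client
# environment script without storing the password in it.

# write_openrc FILE USER PROJECT AUTH_URL -> 0 on success, 1 on bad input
write_openrc() {
    file=$1 user=$2 project=$3 url=$4
    # The file is sourced by a shell, so refuse anything that could be
    # interpreted as shell syntax (quotes, spaces, ';', '$', backticks).
    for v in "$user" "$project" "$url"; do
        case $v in
            ''|*[!A-Za-z0-9._:/-]*) echo "rejected value: $v" >&2; return 1 ;;
        esac
    done
    rm -f "$file"
    (
        umask 077                      # new file is created as 0600
        cat > "$file" <<EOF
export OS_USERNAME='$user'
export OS_PROJECT_NAME='$project'
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL='$url'
export OS_IDENTITY_API_VERSION=3
# Prompt for the password when sourced instead of keeping it on disk.
printf 'Password for %s: ' "\$OS_USERNAME" >&2
stty -echo 2>/dev/null || true
read -r OS_PASSWORD
stty echo 2>/dev/null || true
echo >&2
export OS_PASSWORD
EOF
    )
}

# Constructed demo: write admin-openrc into a scratch directory.
dir=$(mktemp -d)
write_openrc "$dir/admin-openrc" admin admin http://controller:35357/v3 &&
    ls -l "$dir/admin-openrc"
rm -rf "$dir"
```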

OpenStack Glance (Image) Service Setup

Glance provides a REST API for discovering, registering and retrieving virtual machine images. It stores image metadata in a database and the image files in configurable back‑ends such as filesystem, object storage or RBD.

Glance components

glance‑api – Handles image API calls.

glance‑registry – Stores image metadata.

Database – Stores metadata (MySQL or SQLite).

Image store – Filesystem, object storage, RBD, etc.

Metadata definition service – Allows custom image properties.

Installation and configuration steps

1. Create the glance database and grant privileges

mysql -uroot -p
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';

2. Create glance user and service

. admin-openrc
openstack user create --domain default --password-prompt glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image

3. Create image service endpoints

openstack endpoint create --region RegionOne image public http://controller:9292
openstack endpoint create --region RegionOne image internal http://controller:9292
openstack endpoint create --region RegionOne image admin http://controller:9292

4. Install glance packages and configure

yum install openstack-glance

Edit /etc/glance/glance-api.conf:

[database]
connection = mysql+pymysql://glance:glance@<IP>/glance

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance

[paste_deploy]
flavor = keystone

[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/

Edit /etc/glance/glance-registry.conf similarly, updating the [database] and [keystone_authtoken] sections.
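The files above use each service's name as its password and plain HTTP for the Keystone URLs. As an added example (not from the original article or any OpenStack tool), the function below flags exactly those settings in a service config file; `audit_service_conf` and its finding labels are assumptions of this example.

```shell
# Added example, not part of any OpenStack tool: flag tutorial-grade
# credentials in a service config. Finding labels are this example's own.
# audit_service_conf FILE -> one finding per line; no output when clean
audit_service_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                      # skip comments
    /^[ \t]*\[/ {                               # track current [section]
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        next
    }
    {
        eq = index($0, "=")                     # split on the first "="
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        opt[section "." key] = val
    }
    END {
        # SQLAlchemy URL: scheme://user:password@host/db
        conn = opt["database.connection"]
        if (match(conn, "://[^:@/]+:[^@]*@")) {
            cred = substr(conn, RSTART + 3, RLENGTH - 4)
            c = index(cred, ":")
            if (substr(cred, 1, c - 1) == substr(cred, c + 1))
                print "DB_PASSWORD_EQUALS_USER database.connection"
        }
        if (opt["keystone_authtoken.password"] != "" &&
            opt["keystone_authtoken.password"] == opt["keystone_authtoken.username"])
            print "SERVICE_PASSWORD_EQUALS_USER keystone_authtoken.password"
        n = split("auth_uri auth_url", keys, " ")
        for (i = 1; i <= n; i++)
            if (opt["keystone_authtoken." keys[i]] ~ "^http://")
                print "PLAINTEXT_HTTP keystone_authtoken." keys[i]
    }' "$1"
}

# Constructed sample: glance-api.conf values taken from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[database]
connection = mysql+pymysql://glance:glance@<IP>/glance
[keystone_authtoken]
auth_url = http://controller:35357
username = glance
password = glance
EOF
audit_service_conf "$sample"; rm -f "$sample"
```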

5. Initialize the glance database

su -s /bin/sh -c "glance-manage db_sync" glance

6. Enable and start glance services

systemctl enable openstack-glance-api openstack-glance-registry
systemctl start openstack-glance-api openstack-glance-registry

7. Verify glance

. admin-openrc
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
openstack image list

After these steps, both Keystone and Glance services are operational.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
