Understanding OpenStack Core Services: Keystone, Glance, Nova, Neutron & More

This article explains the essential OpenStack components—Keystone for identity, Glance for image services, Nova for compute, Neutron for networking, Placement, and related services—detailing their roles, interactions, and workflow, helping readers grasp how each piece fits into a functional cloud environment.

MaGe Linux Operations

OpenStack Core Components Workflow

Core services are essential; without them OpenStack cannot operate.

Nova manages compute resources.

Neutron manages network resources.

Glance provides the VM image service and is one of the storage components.

Cinder provides block storage; it can be omitted for testing when persistent disks are not needed.

Keystone is the authentication service; without it OpenStack cannot function.

Horizon provides the dashboard interface.

1. Keystone

Keystone, the foundational OpenStack service, performs three main functions:

Manage users and their permissions.

Maintain endpoints for OpenStack services.

Handle authentication and authorization.

Understanding Keystone requires familiarity with the following concepts:

User

Credentials

Authentication

Token

Project

Service

Endpoint

Role

1.1 User

A user is any entity that uses OpenStack.

A user can be a person or a program; OpenStack also creates a service user for each of its own components, and Keystone verifies the user's identity whenever it accesses the system.

1.2 Credentials

Credentials are the information a user provides to prove its identity.

Credentials may be:

Username/password

Token

API key

Other advanced methods

1.3 Authentication

Authentication is the process by which Keystone verifies a user's identity.

A user submits credentials (e.g., username and password) to Keystone; upon successful verification, Keystone issues a token that serves as credentials for subsequent requests.

1.4 Token

A token is a string of letters and numbers that Keystone issues to a user after successful authentication.

The token serves as the user's credential for subsequent requests to services.

Each service checks the validity of a presented token with Keystone.

By default, a token expires after 24 hours.

1.5 Project

A project groups and isolates OpenStack resources (compute, storage, network).

A project can represent a customer, department, or project team. Important notes:

Resources belong to a project, not to a user.

Users must be associated with a project to access its resources; a user may belong to multiple projects.

The admin user is equivalent to a root user and holds the highest privileges.

1.6 Service

OpenStack services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), and Networking (Neutron). Each service provides one or more endpoints that users access.

1.7 Endpoint

An endpoint is a network-accessible address, typically a URL, through which a service exposes its API.

Keystone maintains the endpoints for each service.

1.8 Role

Security has two parts: authentication (who you are) and authorization (what you may do).

Authentication answers "who are you," while authorization answers "what can you do." Keystone implements authorization by assigning roles to users; a user gains the permissions defined for each role it holds.

1.9 Keystone Summary

The Keystone workflow is:

User submits credentials (e.g., username/password) to Keystone.

Keystone validates and returns a token.

User presents the token to a service endpoint.

The service forwards the token to Keystone for validation; if valid, the request proceeds.
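The four-step workflow above, modelled in Python as an added example (this is not Keystone's code or API; the class names, the plaintext sample credentials and the fixed clock are assumptions made to keep the model self-contained):

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)                    # default lifetime stated in the text
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo

@dataclass(frozen=True)
class Token:
    user: str
    project: str        # project the token is scoped to
    roles: frozenset    # roles the user holds in that project
    expires_at: datetime

class Keystone:
    def __init__(self, users, assignments):
        # Constructed sample data; real Keystone stores password hashes, not plaintext.
        self._users = users              # {username: password}
        self._assignments = assignments  # {(username, project): {role, ...}}
        self._tokens = {}                # token id -> Token

    def authenticate(self, username, password, project, now=SAMPLE_NOW):
        """Steps 1-2: check the credentials, then issue a token scoped to a project."""
        stored = self._users.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        roles = self._assignments.get((username, project))
        if not roles:                    # user is not a member of that project
            return None
        token_id = secrets.token_hex(16)  # unpredictable random token string
        self._tokens[token_id] = Token(username, project, frozenset(roles), now + TOKEN_LIFETIME)
        return token_id

    def validate(self, token_id, now=SAMPLE_NOW):
        """Step 4: a service asks Keystone whether a presented token is still valid."""
        tok = self._tokens.get(token_id)
        if tok is None or now >= tok.expires_at:
            return None
        return tok

def service_request(keystone, token_id, project, required_role, now=SAMPLE_NOW):
    """Step 3: an endpoint receives a token, validates it, then enforces scope and role."""
    tok = keystone.validate(token_id, now)
    if tok is None:
        return "401 invalid or expired token"
    if tok.project != project:
        return "403 token scoped to another project"
    if required_role not in tok.roles:
        return "403 missing role"
    return "200 ok"
```

The model shows why a service must re-check with Keystone on every request: an expired token, a token scoped to a different project, or a token whose user lacks the required role is refused even though it was once valid.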

2. Glance

Glance provides image services for virtual machines and consists of three parts: the glance-api and glance-registry services and a storage backend.

2.1 glance-api

glance-api runs as a background service that exposes a REST API for querying, retrieving, and storing images. It forwards metadata-related requests to glance-registry and image-data requests to the appropriate backend.

2.2 glance-registry

glance-registry handles image metadata such as size and type.

2.3 backend

Images are stored in the backend; by default this is the local filesystem.

2.4 Glance Summary

When a user request reaches glance-api, it forwards the request to the appropriate component: metadata queries go to glance-registry, while image storage operations go to the backend. glance-api itself does not store images.

3. Placement

Placement, formerly part of Nova, now operates as an independent component that tracks hardware utilization and supplies this data to Nova for scheduling decisions.

4. Nova

Nova is the core compute service of OpenStack, managing the lifecycle of virtual machines.

Nova consists of several sub-components:

nova-api

nova-scheduler

nova-compute

nova-conductor

nova-console

4.1 nova-api

Like glance-api, nova-api receives requests and publishes them to the message queue without processing them directly.

4.2 nova-scheduler

nova-scheduler selects the most suitable compute node for a VM using data from Placement and various scoring algorithms, then publishes the decision via the message queue.

4.3 nova-compute

Running on each compute node, nova-compute creates and manages VMs, updates their state, and communicates with the database through nova-conductor.

4.4 nova-conductor

nova-conductor mediates database access for nova-compute. Keeping compute nodes from touching the database directly improves security, because a compute node needs no database credentials and a compromised node cannot query or alter the database, and it improves scalability, because database connections are concentrated in the conductor rather than opened by every node.

4.5 nova-console

nova-console provides console access to VMs through three methods: nova-novncproxy (Web VNC), nova-spicehtml5proxy (HTML5 SPICE), and nova-xvpnvncproxy (Java VNC).

4.6 Nova Summary

When a VM creation request arrives at nova-api, it is placed on the message queue; nova-scheduler selects a host and publishes the choice; nova-compute creates the VM and reports its state; nova-conductor updates the database accordingly.
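The scheduling step of the workflow in sections 3 and 4, as an added Python example (not Nova or Placement code): a constructed per-host inventory stands in for the data Placement supplies, a capacity filter and a free-RAM weigher stand in for the scheduler's scoring, and a claim stands in for the allocation nova-compute and nova-conductor record. The host names, flavor fields and the "no valid host" outcome are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class HostInventory:
    """One compute node's totals and current usage, as Placement reports them."""
    name: str
    vcpus: int
    memory_mb: int
    disk_gb: int
    used_vcpus: int = 0
    used_memory_mb: int = 0
    used_disk_gb: int = 0

    def free(self):
        return (self.vcpus - self.used_vcpus,
                self.memory_mb - self.used_memory_mb,
                self.disk_gb - self.used_disk_gb)

def fits(host, flavor):
    """Filter step: every resource the flavor asks for must be free on the host."""
    free_vcpus, free_mem, free_disk = host.free()
    return (free_vcpus >= flavor["vcpus"] and free_mem >= flavor["ram_mb"]
            and free_disk >= flavor["disk_gb"])

def select_host(hosts, flavor):
    """Scheduler: filter by capacity, then weigh by free RAM (most free wins)."""
    candidates = [h for h in hosts if fits(h, flavor)]
    if not candidates:
        return None
    return max(candidates, key=lambda h: h.free()[1]).name

def claim(host, flavor):
    """Record the allocation so later scheduling decisions see the updated usage."""
    host.used_vcpus += flavor["vcpus"]
    host.used_memory_mb += flavor["ram_mb"]
    host.used_disk_gb += flavor["disk_gb"]

def boot_vm(hosts, flavor):
    """The workflow from the text: schedule, then claim and report the VM state."""
    chosen = select_host(hosts, flavor)
    if chosen is None:
        return {"status": "ERROR", "host": None}   # no host can satisfy the flavor
    host = next(h for h in hosts if h.name == chosen)
    claim(host, flavor)
    return {"status": "ACTIVE", "host": chosen}

def sample_cloud():
    """Constructed two-node inventory for the demo."""
    return [HostInventory("compute1", vcpus=8, memory_mb=16384, disk_gb=200, used_vcpus=6, used_memory_mb=12288),
            HostInventory("compute2", vcpus=16, memory_mb=32768, disk_gb=500, used_vcpus=4, used_memory_mb=8192)]
```

Because each boot claims resources, a second request that no longer fits anywhere ends in ERROR instead of landing on an oversubscribed node.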

5. Neutron

Neutron supplies networking for the OpenStack environment, offering L2 switching, L3 routing, load balancing, firewall, and VPN capabilities.

Neutron implements networking by creating a software router on each node; VMs on that node connect to the router for intra-node communication, while inter-node traffic leaves through a physical NIC assigned to Neutron.

Neutron supports several network types:

5.1 local

Isolated to a single node; VMs cannot communicate across hosts.

5.2 flat

Untagged network that allows inter‑node communication but offers no isolation.

5.3 vlan

Uses VLAN tags to isolate traffic; up to 4094 VLANs are supported.

5.4 vxlan

Overlay network with up to 16 million IDs, providing greater isolation at the cost of additional encapsulation overhead.

5.5 gre

Overlay network similar to VXLAN but encapsulates packets using IP instead of UDP.
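The VXLAN and GRE encapsulations behind sections 5.4 and 5.5, as an added Python example (not Neutron code): it packs and parses the 8-byte VXLAN header with its 24-bit VNI, builds the minimal GRE header, and works out the per-packet overhead and the resulting tenant MTU. It assumes IPv4 outer headers without options, no outer VLAN tag, and a GRE header without the key or checksum options.

```python
import struct

VXLAN_UDP_PORT = 4789    # IANA-assigned UDP port for VXLAN
GRE_IP_PROTOCOL = 47     # GRE is carried directly in IP, not in UDP
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: the inner frame's type in GRE
ETH_HDR, IPV4_HDR, UDP_HDR = 14, 20, 8   # outer header sizes assumed by this example

def vxlan_header(vni):
    """8-byte VXLAN header: flags (I bit set), 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3x", 0x08) + vni.to_bytes(3, "big") + b"\x00"

def parse_vxlan(hdr):
    """Return the VNI, rejecting headers that lack the VNI-valid (I) flag."""
    if len(hdr) != 8 or not hdr[0] & 0x08:
        raise ValueError("not a valid VXLAN header")
    return int.from_bytes(hdr[4:7], "big")

def gre_header():
    """Minimal 4-byte GRE header: no checksum/key/sequence, version 0, TEB payload."""
    return struct.pack("!HH", 0x0000, ETHERTYPE_TEB)

def overlay_overhead(kind):
    """Bytes added to every inner frame: outer Ethernet + IPv4 (+ UDP) + tunnel header."""
    if kind == "vxlan":
        return ETH_HDR + IPV4_HDR + UDP_HDR + len(vxlan_header(0))
    if kind == "gre":
        return ETH_HDR + IPV4_HDR + len(gre_header())
    raise ValueError(f"unknown overlay type: {kind}")

def tenant_mtu(kind, physical_mtu=1500):
    """Largest inner MTU that still fits the physical MTU once encapsulated."""
    return physical_mtu - overlay_overhead(kind)

def segment_id_space(kind):
    """Distinct segment IDs available: 4094 usable VLAN tags vs a 24-bit VNI."""
    return {"vlan": 4094, "vxlan": 2 ** 24}[kind]
```

The overhead figures are the practical reason overlay tenants see a smaller MTU than the physical network: with a 1500-byte physical MTU, VXLAN leaves 1450 bytes for the inner frame and minimal GRE 1462.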
