Understanding OpenStack Core Services: Keystone, Glance, Nova, Neutron & More
This article explains the workflow of OpenStack's core components—including Keystone, Glance, Placement, Nova, and Neutron—detailing their roles, interactions, and key concepts such as users, tokens, projects, services, endpoints, and networking types, providing a comprehensive overview for cloud engineers.
OpenStack Core Components Workflow
Core services are essential for OpenStack to run.
Nova manages compute resources.
Neutron manages network resources.
Glance provides OS images (storage).
Cinder provides block storage; optional for testing.
Keystone provides the identity (authentication and authorization) service.
Horizon provides the dashboard.
1. Keystone
Keystone is the foundation service handling three main tasks:
Manage users and their permissions.
Maintain service endpoints.
Authentication and authorization.
Key concepts:
User
Credentials
Authentication
Token
Project
Service
Endpoint
Role
1.1 User
A user represents any entity that uses OpenStack, whether a real person or a program.
Each OpenStack component also has a corresponding service user; Keystone validates the identity of every user, human or service.
1.2 Credentials
Credentials are information a user provides to prove identity.
Examples include username/password, token, API key, or other advanced methods.
1.3 Authentication
Authentication is the process by which Keystone verifies a user’s identity.
After successful authentication, Keystone issues a token for subsequent requests.
1.4 Token
A token is an alphanumeric string assigned by Keystone after authentication.
The token then serves as the credential for accessing services.
Services validate the token with Keystone before acting on a request.
Token default validity is 24 hours.
1.5 Project
Project groups OpenStack resources (compute, storage, network) for isolation.
Projects can represent a customer, a department, or a project team.
Ownership of resources belongs to the project, not the user.
Users must be associated with a project to access its resources, and a user may belong to multiple projects.
The admin user is a root-like account with the highest privileges.
1.6 Service
OpenStack services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron), etc.
Each service provides one or more endpoints; users access resources via these endpoints.
1.7 Endpoint
An endpoint is a network‑accessible address (URL) through which a service exposes its API.
Keystone maintains endpoints for each service.
1.8 Role
Security comprises authentication (who you are) and authorization (what you can do).
Authorization is implemented via roles; assigning permissions to a role and binding the role to a user grants those permissions.
1.9 Keystone Summary
Keystone workflow:
User submits credentials to Keystone.
Keystone validates and returns a token.
User presents token to service endpoints.
Service forwards token to Keystone for validation before proceeding.
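The four-step workflow above, written out as the requests and responses the Keystone v3 API actually exchanges. This is an added example, not code from the original article or from Keystone itself: it builds the password-auth body, reads the token id out of the X-Subject-Token header, looks up a service endpoint in the catalog that comes back with the token, and shows how a service then asks Keystone to validate that token. The sample response, hostnames, user, project and role names are constructed.

```python
"""Keystone v3 authentication workflow, modelled as request/response building.

Added example, not code from the original article. It builds the JSON body and
headers the Keystone v3 API uses, then runs against a constructed sample token
response so it works offline. All hostnames, user, project and role values
below are invented sample data.
"""

KEYSTONE_URL = "https://keystone.example.test:5000"  # assumed sample address


def build_password_auth(username, password, user_domain, project, project_domain):
    """Step 1: body of POST /v3/auth/tokens, password credentials scoped to a project."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"name": username,
                                      "domain": {"name": user_domain},
                                      "password": password}},
            },
            "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
        }
    }


def parse_token_response(headers, body):
    """Step 2: the token id arrives in the X-Subject-Token header; expiry,
    project, roles and the service catalog arrive in the JSON body."""
    token = body["token"]
    return {
        "token_id": headers["X-Subject-Token"],
        "expires_at": token["expires_at"],
        "project": token["project"]["name"],
        "roles": {r["name"] for r in token.get("roles", [])},
        "catalog": token.get("catalog", []),
    }


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Step 3: pick the endpoint URL for a service type from the catalog."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    return None


def has_role(token_info, role):
    """Authorization: is this role bound to the user on the scoped project?"""
    return role in token_info["roles"]


def build_validation_request(service_token, user_token):
    """Step 4: how a service asks Keystone to validate a token it received.
    The service authenticates itself with X-Auth-Token and names the token
    under inspection in X-Subject-Token (GET /v3/auth/tokens)."""
    return {
        "method": "GET",
        "path": f"{KEYSTONE_URL}/v3/auth/tokens",
        "headers": {"X-Auth-Token": service_token, "X-Subject-Token": user_token},
    }


# Constructed sample of a successful POST /v3/auth/tokens response.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token-id"}
SAMPLE_BODY = {
    "token": {
        "expires_at": "2024-01-02T00:00:00.000000Z",
        "project": {"id": "p1", "name": "demo"},
        "user": {"id": "u1", "name": "alice"},
        "roles": [{"id": "r1", "name": "member"}],
        "catalog": [
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://nova.example.test:8774/v2.1"},
                {"interface": "internal", "region": "RegionOne",
                 "url": "http://10.0.0.5:8774/v2.1"}]},
            {"type": "image", "name": "glance", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://glance.example.test:9292"}]},
        ],
    }
}
```

Note that the validation request carries two tokens: the service's own (X-Auth-Token) proves the caller is a registered service user, and the subject token is the one being checked. The catalog is chosen by interface; a service should talk to other services over the internal interface and hand only public URLs to end users.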
2. Glance
Glance provides image services for virtual machines and consists of three parts:
glance-api
glance-registry
backend
2.1 glance-api
glance-api runs as a background service exposing a REST API for image metadata queries, retrieval, and storage. It forwards metadata requests to glance-registry and image data requests to the backend store.
2.2 glance-registry
glance-registry handles image metadata storage, such as size and type.
2.3 backend
Actual image data is stored in a backend (default local filesystem).
2.4 Glance Summary
When a request reaches glance-api, it forwards it to the appropriate component: metadata queries go to glance-registry, while image storage/retrieval goes to the backend.
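The split described above, metadata record versus image bytes, as an added example that is not part of the original article or of Glance's own code. It shows the two requests a client sends to glance-api (one creates the metadata record, the other uploads the data to the backend store), the integrity metadata Glance records after the upload, and the check a consumer should run after downloading an image. The endpoint hostname and the image bytes are constructed.

```python
"""Glance v2 image workflow: create the metadata record, upload the bytes to the
backend, and verify integrity on download.

Added example, not code from the original article. The request builders
return what a client would send to glance-api; the image bytes are a
constructed placeholder (just the qcow2 magic plus padding), and the
endpoint hostname is an invented sample value.
"""
import hashlib

GLANCE_URL = "https://glance.example.test:9292"  # assumed sample endpoint


def create_image_request(name, disk_format="qcow2", container_format="bare",
                         visibility="private"):
    """POST /v2/images: creates only the metadata record (status 'queued')."""
    return {
        "method": "POST",
        "path": f"{GLANCE_URL}/v2/images",
        "headers": {"Content-Type": "application/json"},
        "body": {"name": name, "disk_format": disk_format,
                 "container_format": container_format, "visibility": visibility},
    }


def upload_data_request(image_id, data):
    """PUT /v2/images/{id}/file: the raw bytes go to the backend store."""
    return {
        "method": "PUT",
        "path": f"{GLANCE_URL}/v2/images/{image_id}/file",
        "headers": {"Content-Type": "application/octet-stream"},
        "body": data,
    }


def image_hashes(data, algo="sha512"):
    """Integrity metadata Glance records once the upload finishes:
    legacy md5 'checksum' plus the multihash pair os_hash_algo/os_hash_value."""
    return {
        "size": len(data),
        "checksum": hashlib.md5(data).hexdigest(),
        "os_hash_algo": algo,
        "os_hash_value": hashlib.new(algo, data).hexdigest(),
    }


def verify_download(data, metadata):
    """Check downloaded bytes against the image's metadata. Prefer the
    multihash; fall back to md5 only when no multihash is recorded;
    refuse images that carry no integrity information at all."""
    if "size" in metadata and len(data) != metadata["size"]:
        return False
    if metadata.get("os_hash_algo") and metadata.get("os_hash_value"):
        return hashlib.new(metadata["os_hash_algo"], data).hexdigest() == metadata["os_hash_value"]
    if metadata.get("checksum"):
        return hashlib.md5(data).hexdigest() == metadata["checksum"]
    return False


# Constructed stand-in for a disk image: qcow2 magic bytes followed by padding.
SAMPLE_IMAGE = b"QFI\xfb" + b"\x00" * 60
```

The md5 `checksum` field is kept only for compatibility with older images; a consumer that has the sha512 multihash should use it, and one that has neither should treat the image as unverified.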
3. Placement
Placement, formerly part of Nova, now tracks hardware utilization and provides data for Nova scheduling.
4. Nova
Nova is the core compute service that manages the VM lifecycle. Its main processes are:
nova-api
nova-scheduler
nova-compute
nova-conductor
nova-console
4.1 nova-api
Accepts requests and publishes them to the message queue.
4.2 nova-scheduler
Uses placement data and scheduling algorithms to select a compute node, then publishes the decision via the message queue.
4.3 nova-compute
Runs on each compute node, creates VMs based on messages from the queue, and updates VM state in the database through nova-conductor.
4.4 nova-conductor
Acts as an intermediary for database operations, so compute nodes never need direct database access; this improves both security and scalability.
4.5 nova-console
Provides console access to VMs via novncproxy (Web VNC), spicehtml5proxy (HTML5 SPICE), or xvpvncproxy (Java VNC).
4.6 Nova Summary
When a VM creation request arrives at nova-api, it is queued; nova-scheduler selects a host; nova-compute creates the VM and reports status; nova-conductor updates the database.
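The scheduling step in the sequence above (Placement reporting capacity, nova-scheduler filtering and weighing hosts), as an added example that is neither Nova's nor Placement's own code. It re-implements Placement's per-inventory capacity rule over constructed resource providers, filters out hosts that cannot satisfy the flavor's VCPU, MEMORY_MB and DISK_GB request, weighs the survivors by free RAM, and claims the allocation on the winner so that the next request sees the reduced capacity.

```python
"""Placement-style capacity accounting and a minimal filter-and-weigh scheduler.

Added example, not Nova's or Placement's own code. It re-implements the rule
Placement applies to each inventory record (capacity = (total - reserved) *
allocation_ratio, a request must respect min_unit/max_unit/step_size, and
used + requested <= capacity) over constructed resource providers, then picks
the host with the most free RAM as a stand-in for nova-scheduler's weighers.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Inventory:
    total: int
    used: int = 0
    reserved: int = 0
    allocation_ratio: float = 1.0
    min_unit: int = 1
    max_unit: Optional[int] = None  # None: one allocation may take up to 'total'
    step_size: int = 1


@dataclass
class ResourceProvider:
    name: str
    inventories: Dict[str, Inventory]  # resource class (VCPU, MEMORY_MB, DISK_GB) -> inventory


def free_capacity(inv):
    """Overcommitted capacity minus what is already allocated."""
    return (inv.total - inv.reserved) * inv.allocation_ratio - inv.used


def can_fit(inv, amount):
    """Placement's per-inventory check for one requested amount."""
    max_unit = inv.total if inv.max_unit is None else inv.max_unit
    if amount < inv.min_unit or amount > max_unit or amount % inv.step_size:
        return False
    return amount <= free_capacity(inv)


def allocation_candidates(providers, request):
    """Filter: providers able to satisfy every resource class in the request."""
    return [
        rp for rp in providers
        if all(rc in rp.inventories and can_fit(rp.inventories[rc], amt)
               for rc, amt in request.items())
    ]


def select_host(providers, request):
    """Weigh candidates by free RAM (spreading) and claim the allocation on
    the winner, which is what Placement records when nova-scheduler posts it."""
    candidates = allocation_candidates(providers, request)
    if not candidates:
        return None
    best = max(candidates, key=lambda rp: free_capacity(rp.inventories["MEMORY_MB"])
               if "MEMORY_MB" in rp.inventories else 0)
    for rc, amt in request.items():
        best.inventories[rc].used += amt
    return best.name


def sample_providers():
    """Constructed inventory for two compute nodes (not real deployment data)."""
    return [
        ResourceProvider("compute-1", {
            "VCPU": Inventory(total=8, used=20, allocation_ratio=4.0),
            "MEMORY_MB": Inventory(total=32768, reserved=2048, used=24576),
            "DISK_GB": Inventory(total=500, used=100),
        }),
        ResourceProvider("compute-2", {
            "VCPU": Inventory(total=16, used=10, allocation_ratio=4.0),
            "MEMORY_MB": Inventory(total=65536, reserved=4096, used=16384),
            "DISK_GB": Inventory(total=1000, used=900),
        }),
    ]
```

With the sample data, a 2-vCPU/4 GiB/40 GB flavor lands on compute-2 (far more free RAM), a 200 GB flavor is then forced onto compute-1 because compute-2 has only 60 GB of disk left, and a 64-vCPU request fails outright since no provider's max_unit allows it, regardless of the 4.0 CPU overcommit ratio.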
5. Neutron
Neutron supplies networking for OpenStack, offering L2 switching, L3 routing, load balancing, firewall, and VPN.
Neutron implements networking with virtual (software) switches and routers on each node, using the physical NICs for inter-node traffic. Supported network types include:
local – isolated to a single node.
flat – no VLAN tags, connects across nodes without isolation.
vlan – uses VLAN IDs for isolation (up to 4094 isolated segments).
vxlan – overlay network with roughly 16 million IDs, at the cost of encapsulation overhead.
gre – overlay that encapsulates tenant traffic directly in IP (GRE).
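The network-type list above, turned into code as an added example that is not Neutron's own: it checks whether a segmentation ID is legal for each type (the 4094 VLAN and roughly 16 million VXLAN limits), parses the range entries used in the ML2 configuration, and computes how much of the physical MTU each overlay type leaves for tenant traffic, which is the "higher overhead" the article mentions. The overhead constants are an assumption stated in the code.

```python
"""Segmentation-ID validation and tenant MTU per Neutron ML2 network type.

Added example, not Neutron's own code. The ID ranges follow the article
(4094 VLAN IDs, about 16 million VXLAN IDs; GRE keys are 32-bit). The
encapsulation overhead constants are an assumption modelled on the ML2 type
drivers: VXLAN costs 30 bytes (outer Ethernet + UDP + VXLAN header) plus the
outer IP header, GRE costs 22 bytes plus the IP header, and VLAN/flat/local
subtract nothing from the physical network MTU.
"""

SEGMENT_RANGES = {
    "local": None,            # no segmentation id at all
    "flat": None,
    "vlan": (1, 4094),
    "vxlan": (1, 2**24 - 1),  # 24-bit VNI, about 16 million
    "gre": (1, 2**32 - 1),
}
IP_HEADER_LENGTH = {4: 20, 6: 40}
ENCAP_OVERHEAD = {"vxlan": 30, "gre": 22}  # assumed constants, see docstring


def validate_segment(network_type, segmentation_id):
    """True if the id is legal for the type (None is required for local/flat)."""
    if network_type not in SEGMENT_RANGES:
        raise ValueError(f"unknown network_type {network_type!r}")
    bounds = SEGMENT_RANGES[network_type]
    if bounds is None:
        return segmentation_id is None
    if not isinstance(segmentation_id, int):
        return False
    low, high = bounds
    return low <= segmentation_id <= high


def parse_range(spec):
    """Parse an ML2 range entry: 'physnet1:100:199' (network_vlan_ranges) or
    '1:1000' (vni_ranges / tunnel_id_ranges). Returns (physnet, low, high)."""
    parts = spec.split(":")
    if len(parts) == 3:
        physnet, low, high = parts[0], int(parts[1]), int(parts[2])
    elif len(parts) == 2:
        physnet, low, high = None, int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad range spec {spec!r}")
    if low > high:
        raise ValueError(f"inverted range {spec!r}")
    return physnet, low, high


def tenant_mtu(network_type, physnet_mtu=1500, ip_version=4):
    """Largest MTU a tenant network of this type can carry over the physnet."""
    overhead = ENCAP_OVERHEAD.get(network_type, 0)
    if overhead:
        overhead += IP_HEADER_LENGTH[ip_version]
    return physnet_mtu - overhead
```

On a 1500-byte physical network, VXLAN over IPv4 leaves 1450 bytes for the tenant (1430 over IPv6) and GRE leaves 1458, while VLAN and flat networks keep the full 1500. Mismatched MTUs between the overlay and the physical network are a common cause of silently dropped large packets, so the number is worth checking against the physical NIC configuration.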
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.