=====
Usage
=====

The Glance project provides services for discovering, registering, and
retrieving virtual machine images. Glance has a RESTful API that allows
querying of VM image metadata as well as retrieval of the actual image.

Sample pillars
==============

.. code-block:: yaml

    glance:
      server:
        enabled: true
        version: juno
        workers: 8
        glance_uid: 302
        glance_gid: 302
        policy:
          publicize_image:
            - "role:admin"
            - "role:image_manager"
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: glance
          user: glance
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          tenant: service
          user: glance
          password: pwd
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        storage:
          engine: file
        images:
        - name: "CirrOS 0.3.1"
          format: qcow2
          file: cirros-0.3.1-x86_64-disk.img
          source: http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
          public: true
        audit:
          enabled: false
        api_limit_max: 100
        limit_param_default: 50
        barbican:
          enabled: true

The pagination is controlled by the ``api_limit_max`` and ``limit_param_default``
parameters as shown above:

* ``api_limit_max``
    Defines the maximum number of records that the server will return.

* ``limit_param_default``
    The default ``limit`` parameter that applies if the request didn't define
    it explicitly.

Configuration of the ``policy.json`` file:

.. code-block:: yaml

    glance:
      server:
        ....
        policy:
          publicize_image: "role:admin"
          # Add key without value to remove line from policy.json
          add_member:

Keystone and cinder region

.. code-block:: yaml

    glance:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          engine: keystone
          host: 127.0.0.1
          region: RegionTwo
        ...

Ceph integration glance

.. code-block:: yaml

    glance:
      server:
        enabled: true
        version: juno
        storage:
          engine: rbd,http
          user: glance
          pool: images
          chunk_size: 8
          client_glance_key: AQDOavlU6BsSJhAAnpFR906mvdgdfRqLHwu0Uw==

VMWare integration:

.. code-block:: yaml

    glance:
      server:
        storage:
          engine: vmware
          default_store: vsphere
          vmware:
            enabled: true
            server_host: 1.2.3.4
            server_username: vmware_username
            server_password: vmware_password
            datastores:
              data1:
                name: datastore_name1
                enabled: true
                path: datacenter_name
                weight: 10
              data2:
                name: datastore_name2
                enabled: true
                path: datacenter_name

RabbitMQ HA setup

.. code-block:: yaml

    glance:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Quota Options

.. code-block:: yaml

    glance:
      server:
        ....
        quota:
          image_member: -1
          image_property: 256
          image_tag: 256
          image_location: 15
          user_storage: 0
        ....

Configuring TLS communications
------------------------------

.. note:: By default, system-wide installed CA certs are used, so the
   ``cacert_file`` parameter is optional, as is ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      glance:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
              cacert: (certificate body, used if cacert_file does not exist)  # optional
              cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
              version: TLSv1_2  # optional

- **MySQL TLS**

  .. code-block:: yaml

      glance:
        server:
          database:
            ssl:
              enabled: True
              cacert: (certificate body, used if cacert_file does not exist)  # optional
              cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **OpenStack HTTPS API**

  Set ``https`` as the protocol in the ``glance:server`` sections:

  .. code-block:: yaml

      glance:
        server:
          identity:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          registry:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          storage:
            engine: cinder, swift
            cinder:
              protocol: https
              cacert_file: /etc/openstack/proxy.pem  # optional
            swift:
              store:
                cafile: /etc/openstack/proxy.pem  # optional

Enable Glance Image Cache:

.. code-block:: yaml

    glance:
      server:
        image_cache:
          enabled: true
          enable_management: true
          directory: /var/lib/glance/image-cache/
          max_size: 21474836480
        ....

Enable auditing filter (CADF):

.. code-block:: yaml

    glance:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/glance_api_audit_map.conf'
        ....

Swift integration glance

.. code-block:: yaml

    glance:
      server:
        enabled: true
        version: mitaka
        storage:
          engine: swift,http
          swift:
            store:
              auth:
                address: http://keystone.example.com:5000/v2.0
                version: 2
              endpoint_type: publicURL
              container: glance
              create_container_on_put: true
              retry_get_count: 5
              user: 2ec7966596504f59acc3a76b3b9d9291:glance-user
              key: someRandomPassword

Another way, which also supports multiple swift backends, can be
configured like this:

.. code-block:: yaml

    glance:
      server:
        enabled: true
        version: mitaka
        storage:
          engine: swift,http
          swift:
            store:
              endpoint_type: publicURL
              container: glance
              create_container_on_put: true
              retry_get_count: 5
              references:
                my_objectstore_reference_1:
                  auth:
                    address: http://keystone.example.com:5000/v2.0
                    version: 2
                  user: 2ec7966596504f59acc3a76b3b9d9291:glance-user
                  key: someRandomPassword

Enable CORS parameters:

.. code-block:: yaml

    glance:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Enable Viewing Multiple Locations
---------------------------------

If you want to expose all locations available (for example when you have
multiple backends configured), then you can configure this like so:

.. code-block:: yaml

    glance:
      server:
        show_multiple_locations: True
        location_strategy: store_type
        store_type_preference: rbd,swift,file

.. note:: The ``show_multiple_locations`` option is deprecated since
   Newton and is planned to be handled by policy files *only*
   starting with the Pike release.

This feature is convenient in a scenario when you have swift and rbd
configured and want to benefit from rbd enhancements.

Barbican integration glance
---------------------------

.. code-block:: yaml

    glance:
      server:
        barbican:
          enabled: true

Adding cron-job
---------------

.. code-block:: yaml

    glance:
      server:
        cron:
          cache_pruner:
            special_period: '@daily'
          cache_cleaner:
            hour: '5'
            minute: '30'
            daymonth: '*/2'

Image cache settings
--------------------

.. code-block:: yaml

    glance:
      server:
        image_cache:
          max_size: 10737418240
          stall_time: 86400
          directory: '/var/lib/glance/image-cache/'

Client role
-----------

Glance images

.. code-block:: yaml

    glance:
      client:
        enabled: true
        server:
          profile_admin:
            image:
              cirros-test:
                visibility: public
                protected: false
                location: http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-i386-disk.img

Enhanced logging with logging.conf
----------------------------------

By default, ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with the new variables:

* ``openstack_log_appender``
    Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
    Set to true to enable FluentHandler for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
    Set to true to enable OSSysLogHandler for all OpenStack services

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

Also, it is possible to configure this with pillar:

.. code-block:: yaml

    glance:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Enable x509 and ssl communication between Glance and Galera cluster
-------------------------------------------------------------------

By default, communication between Glance and Galera is unsecured.

.. code-block:: yaml

    glance:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    glance:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

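The transport settings from the "Configuring TLS communications" section and from the x509 section above can be checked before a pillar is applied. The following Python check is an added example, not part of the formula: ``audit_glance_tls``, ``PROTOCOL_PATHS`` and ``WEAK_PILLAR`` are hypothetical names, the sample pillar is constructed, and a section without a ``protocol`` key is assumed to be served over plain http.

```python
# Added example: audit a parsed Glance pillar for plaintext transports.
# Assumption: a section without a "protocol" key is treated as http.
PROTOCOL_PATHS = (("identity",), ("registry",), ("storage", "cinder"))


def _get(tree, path, default=None):
    """Walk nested dicts; return default when any level is missing."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return default
        tree = tree[key]
    return tree


def audit_glance_tls(pillar):
    """Return sorted findings for transports the pillar leaves unencrypted."""
    server = _get(pillar, ("glance", "server"), {})
    findings = []

    mq = server.get("message_queue")
    if mq is not None:
        if _get(mq, ("ssl", "enabled")) is not True:
            findings.append("message_queue: ssl.enabled is not true")
        elif mq.get("port") == 5672:
            # 5672 is plain AMQP; the TLS sample on this page uses 5671.
            findings.append("message_queue: ssl enabled but port is 5672")

    db = server.get("database")
    if db is not None:
        enabled = [_get(db, (k, "enabled")) is True for k in ("ssl", "x509")]
        if not any(enabled):
            findings.append("database: neither ssl nor x509 is enabled")

    for path in PROTOCOL_PATHS:
        section = _get(server, path)
        if section is not None and section.get("protocol", "http") != "https":
            findings.append(".".join(path) + ": protocol is not https")

    # Swift auth endpoints are full URLs, one per store or per reference.
    store = _get(server, ("storage", "swift", "store"), {})
    refs = store.get("references") or {}
    for auth in [store.get("auth")] + [r.get("auth") for r in refs.values()]:
        if auth and str(auth.get("address", "")).startswith("http://"):
            findings.append("storage.swift: auth address uses http://")
    return sorted(findings)


# Constructed sample (a pillar already parsed from YAML), modelled on this page.
WEAK_PILLAR = {"glance": {"server": {
    "database": {"engine": "mysql", "host": "127.0.0.1"},
    "identity": {"engine": "keystone", "host": "127.0.0.1"},
    "message_queue": {"port": 5672, "ssl": {"enabled": True}},
    "storage": {"engine": "swift,http", "swift": {"store": {
        "auth": {"address": "http://keystone.example.com:5000/v2.0"}}}},
}}}

if __name__ == "__main__":
    for finding in audit_glance_tls(WEAK_PILLAR):
        print(finding)
```

The function takes the pillar as a nested dict, so it can be fed the output of any YAML loader before the state is applied.
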
Glance services on controller node with memcached caching and security strategy:

.. code-block:: yaml

    glance:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
          - host: 127.0.0.1
            port: 11211
          - host: 127.0.0.1
            port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Show all image locations when returning an image. This configuration option indicates
whether to show all the image locations when returning image details to the user.

.. code-block:: yaml

    glance:
      server:
        enabled: true
        ...
        show_multiple_locations: True

Change default resource quotas using configmap template settings
================================================================

.. code-block:: yaml

    glance:
      server:
        configmap:
          glace_api:
            DEFAULT:
              image_member_quota = 128
              image_property_quota = 128
              image_tag_quota = 128
              image_location_quota = 10
              user_storage_quota = 0
          glace_registry:
            DEFAULT:
              image_member_quota = 128
              image_property_quota = 128
              image_tag_quota = 128
              image_location_quota = 10
              user_storage_quota = 0

Usage
=====

#. Import new public image:

   .. code-block:: bash

      glance image-create --name 'Windows 7 x86_64' --is-public true --container-format bare --disk-format qcow2 < ./win7.qcow2

#. Change new image's disk properties:

   .. code-block:: bash

      glance image-update "Windows 7 x86_64" --property hw_disk_bus=ide

#. Change new image's NIC properties:

   .. code-block:: bash

      glance image-update "Windows 7 x86_64" --property hw_vif_model=rtl8139

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest     | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in openstack services is really old. The data plane  |
|                               | packages should be upgraded separately by `apt-get   |
|                               | upgrade` or `apt-get dist-upgrade`                   |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered to actual version.  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non destructive actions will be applied during  |
|                               | this phase. Perform service built in service check   |
|                               | like (keystone-manage doctor and nova-status upgrade)|
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | current node if it is allowed. Services for upgraded |
|                               | application will be set to admin disabled state to   |
|                               | make sure node will not participate in resources     |
|                               | scheduling. For example on gtw nodes this will set   |
|                               | all agents to admin disable state and will move all  |
|                               | routers to other agents.                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade application on     |
|                               | particular target. Stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed. Cleanup temporary files,     |
|                               | perform other post upgrade tasks.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify do not have dead network          |
|                               | agents/compute services)                             |
+-------------------------------+------------------------------------------------------+

Read more
=========

* http://ceph.com/docs/master/rbd/rbd-openstack/