Configuring OpenStack Image Service to use OpenStack Identity Service is required to allow our OpenStack Compute to operate correctly.
To begin with, ensure you're logged in to our OpenStack Controller host or the host that is running OpenStack Image Service. If the OpenStack Identity Service is not installed, carry out the steps in the Installing the OpenStack Identity Service recipe of Chapter 1, Keystone – OpenStack Identity Service. We also require that the Glance service user and endpoints have been set up. See the Defining Service Endpoints and Creating the service tenant and service users recipes of Chapter 1, Keystone – OpenStack Identity Service.
To log in to our OpenStack Controller host that was created using Vagrant, issue the following command:
vagrant ssh controller
To configure OpenStack Image Service to use OpenStack Identity Service, carry out the following steps:
/etc/glance/glance-api.conf
file to tell OpenStack Image Service to utilize OpenStack Identity Service by adding a [keystone_authtoken]
section. Note that we are using insecure = True
in the configuration because we are using self-signed certificates
. In production, it is expected that issued certificates are used and they don't require this parameter. The code is as follows:[keystone_authtoken] auth_uri = https://192.168.100.200:35357/v2.0/ identity_uri = https://192.168.100.200:5000 admin_tenant_name = service admin_user = glance admin_password = glance insecure = True
/etc/glance/glance-registry.conf
file, configuring the glance
service user in the [keystone_authtoken]
section. We are using insecure = True
here because our example used self-signed certificates. The code is as follows:[keystone_authtoken] auth_uri = https://192.168.100.200:35357/v2.0/ identity_uri = https://192.168.100.200:5000 admin_tenant_name = service admin_user = glance admin_password = glance insecure = True
sudo restart glance-api sudo restart glance-registry
OpenStack Image Service runs two services: glance-api
, which is the service that our clients and services talk to, and the glance-registry
service that manages the objects on the disk and database registry. Both of these services need to have matching credentials that were defined previously in OpenStack Identity Service in their configuration files in order to allow a user to authenticate with the service successfully.