
Virtual Machine Image Guide

OpenStack contributors

Apr 15, 2019


CONTENTS

Abstract 1
Contents 2
  Conventions 2
  Introduction 2
  Get images 7
  Image requirements 9
  Modify images 15
  Create images manually 21
  Tool support for image creation 47
  Converting between image formats 51
  Image sharing 52
  Appendix 53
Index 92
ABSTRACT

This guide describes how to obtain, create, and modify virtual machine images that are compatible with
OpenStack.

CONTENTS

Conventions

The OpenStack documentation uses several typesetting conventions.

Notices

Notices take these forms:

Note: A comment with additional information that explains a part of the text.

Important: Something you must be aware of before proceeding.

Tip: An extra but helpful piece of practical advice.

Caution: Helpful information that prevents the user from making mistakes.

Warning: Critical information about the risk of data loss or security issues.

Command prompts

$ command

Any user, including the root user, can run commands that are prefixed with the $ prompt.

# command

The root user must run commands that are prefixed with the # prompt. You can also prefix these commands
with the sudo command, if available, to run them.

Introduction

Disk and container formats for images

When you add an image to the Image service, you can specify its disk and container formats.


Disk formats

The disk format of a virtual machine image is the format of the underlying disk image. Virtual appliance
vendors have different formats for laying out the information contained in a virtual machine disk image.
Set the disk format for your image to one of the following values:
aki An Amazon kernel image.
ami An Amazon machine image.
ari An Amazon ramdisk image.
iso An archive format for the data contents of an optical disc, such as CD-ROM.
qcow2 Supported by the QEMU emulator that can expand dynamically and supports Copy on Write.
raw An unstructured disk image format; if you have a file without an extension it is possibly a raw format.
vdi Supported by VirtualBox virtual machine monitor and the QEMU emulator.
vhd The VHD disk format, a common disk format used by virtual machine monitors from VMware, Xen,
Microsoft, VirtualBox, and others.
vhdx The VHDX disk format, an enhanced version of the VHD format, which supports larger disk sizes
among other features.
vmdk Common disk format supported by many common virtual machine monitors.
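The disk format is recorded exactly as you declare it when you upload, so it is worth confirming that the file's header really is that format first. The following POSIX shell script is an added example and not part of the guide: it identifies a disk image from the published header signatures of the formats listed above, reports anything unrecognised as raw, and compares the result with the value you intend to pass as the disk format. The demo file names are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: identify a disk image's real format from
# its header bytes so that the disk_format declared to the Image service matches
# the file. Magic values are the published signatures of each format; a file that
# matches none of them is reported as raw (the guide's "unstructured" format).

# Print COUNT bytes of FILE starting at OFFSET as one lowercase hex string.
hex_at() {  # hex_at FILE OFFSET COUNT
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the format name for FILE: qcow2, qcow, vmdk, vhdx, vhd, vdi, iso or raw.
detect_disk_format() {
  f=$1
  case $(hex_at "$f" 0 8) in
    514649fb0000000[23]) echo qcow2; return 0 ;;  # "QFI\xfb" + version 2 or 3
    514649fb*)           echo qcow;  return 0 ;;  # qcow version 1: not a listed value
    4b444d56*)           echo vmdk;  return 0 ;;  # "KDMV": VMDK sparse extent header
    23204469736b*)       echo vmdk;  return 0 ;;  # "# Disk DescriptorFile": text VMDK
    7668647866696c65)    echo vhdx;  return 0 ;;  # "vhdxfile"
    636f6e6563746978)    echo vhd;   return 0 ;;  # "conectix": dynamic VHD header copy
  esac
  # VirtualBox VDI: signature 0xBEDA107F (little-endian) at byte offset 64.
  [ "$(hex_at "$f" 64 4)" = 7f10dabe ] && { echo vdi; return 0; }
  # Fixed-size VHD: its only "conectix" footer sits in the last 512 bytes.
  size=$(wc -c < "$f" | tr -d ' ')
  if [ "$size" -ge 512 ] && [ "$(hex_at "$f" $((size - 512)) 8)" = 636f6e6563746978 ]; then
    echo vhd; return 0
  fi
  # ISO 9660: "CD001" at offset 0x8001 (byte 1 of the primary volume descriptor).
  [ "$(hex_at "$f" 32769 5)" = 4344303031 ] && { echo iso; return 0; }
  echo raw
}

# Compare the value you intend to declare as the disk format with the header.
# Returns 0 when they agree and 1 (with a message on stderr) when they do not.
check_declared_format() {  # check_declared_format DECLARED FILE
  actual=$(detect_disk_format "$2")
  if [ "$1" = "$actual" ]; then
    echo "$2: header agrees with disk_format=$1"
    return 0
  fi
  echo "$2: declared disk_format=$1 but the header looks like $actual" >&2
  return 1
}

# Demo on constructed files (hypothetical names, not real images).
demo_dir=$(mktemp -d)
printf 'QFI\373\000\000\000\003' > "$demo_dir/demo.qcow2"
printf 'plain bytes, no header' > "$demo_dir/demo.img"
check_declared_format qcow2 "$demo_dir/demo.qcow2"
check_declared_format qcow2 "$demo_dir/demo.img" || echo "refusing to upload with the wrong disk_format"
rm -rf "$demo_dir"
```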

Container formats

The container format indicates whether the virtual machine image is in a file format that also contains
metadata about the actual virtual machine.

Note: The Image service and other OpenStack projects do not currently support the container format. It
is safe to specify bare as the container format if you are unsure.

You can set the container format for your image to one of the following values:
aki An Amazon kernel image.
ami An Amazon machine image.
ari An Amazon ramdisk image.
bare The image does not have a container or metadata envelope.
docker A docker container format.
ova An OVF package in a tarfile.
ovf The OVF container format.

Image metadata

Image metadata can help end users determine the nature of an image, and is used by associated OpenStack
components and drivers which interface with the Image service.


Metadata can also determine the scheduling of hosts. If the property option is set on an image, and
Compute is configured so that the ImagePropertiesFilter scheduler filter is enabled (default), then the
scheduler only considers compute hosts that satisfy that property.

Note: Compute's ImagePropertiesFilter value is specified in the enabled_filters value in the
[filter_scheduler] section of the /etc/nova/nova.conf file.

You can add metadata to Image service images by using the --property key=value parameter with
the openstack image create or openstack image set command. More than one property can be
specified. For example:

$ openstack image set --property architecture=arm \
    --property hypervisor_type=qemu image_name_or_id

Common image properties are also specified in the /etc/glance/schema-image.json file. For a
complete list of valid property keys and values, refer to Useful image properties.
All associated properties for an image can be displayed using the openstack image show command. For
example:

$ openstack image show cirros


+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2016-04-15T13:57:38Z |
| disk_format | qcow2 |
| file | /v2/images/55f0907f-70a5-4376-a346-432e4ec509ed/file |
| id | 55f0907f-70a5-4376-a346-432e4ec509ed |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | f9574e69042645d6b5539035cb8c00bf |
| properties | architecture='arm', hypervisor_type='qemu' |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2016-04-15T13:57:57Z |
| virtual_size | None |
| visibility | public |
+------------------+------------------------------------------------------+

Note: Volume-from-Image properties

When creating Block Storage volumes from images, also consider your configured image properties. If
you alter the core image properties, you should also update your Block Storage configuration. Amend
glance_core_properties in the /etc/cinder/cinder.conf file on all controller nodes to match the
core properties you have set in the Image service.


Metadata definition service

With this service you can define:

Namespace
• Contains metadata definitions.
• Specifies the access controls for everything defined in the namespace. These access controls
determine who can define and use the definitions in the namespace.
• Associates the definitions with different types of resources.
Property A single property and its primitive constraints. Each property can only be a primitive type. For
example, string, integer, number, boolean, or array.
Object Describes a group of one to many properties and their primitive constraints. Each property in the
group can only be a primitive type. For example, string, integer, number, boolean, or array.
The object may optionally define required properties under the semantic understanding that if you
use the object, you should provide all required properties.
Resource type association Specifies the relationship between resource types and the namespaces that are
applicable to them. This information can be used to drive UI and CLI views. For example, the same
namespace of objects, properties, and tags may be used for images, snapshots, volumes, and flavors.
Or a namespace may only apply to images.
The Image service has predefined namespaces for the metadata definitions catalog. To load files from this
directory into the database:

$ glance-manage db_load_metadefs

To unload the files from the database:

$ glance-manage db_unload_metadefs

To export the definitions in JSON format:

$ glance-manage db_export_metadefs

Note: By default, files are loaded from and exported to the Image service’s /etc/glance/metadefs
directory.

An OpenStack Compute cloud is not very useful unless you have virtual machine images (which some
people call “virtual appliances”). This guide describes how to obtain, create, and modify virtual machine
images that are compatible with OpenStack.
To keep things brief, we will sometimes use the term image instead of virtual machine image.
What is a virtual machine image?
A virtual machine image is a single file which contains a virtual disk that has a bootable operating system
installed on it.
Virtual machine images come in different formats, some of which are described below.
AKI/AMI/ARI The AKI/AMI/ARI format was the initial image format supported by Amazon EC2. The
image consists of three files:

AKI (Amazon Kernel Image) A kernel file that the hypervisor will load initially to boot the image.
For a Linux machine, this would be a vmlinuz file.
AMI (Amazon Machine Image) This is a virtual machine image in raw format, as described above.
ARI (Amazon Ramdisk Image) An optional ramdisk file mounted at boot time. For a Linux machine,
this would be an initrd file.
ISO The ISO format is a disk image formatted with the read-only ISO 9660 (also known as ECMA-119)
filesystem commonly used for CDs and DVDs. While we do not normally think of ISO as a virtual
machine image format, since ISOs contain bootable filesystems with an installed operating system,
you can treat them the same as you treat other virtual machine image files.
OVF OVF (Open Virtualization Format) is a packaging format for virtual machines, defined by the
Distributed Management Task Force (DMTF) standards group. An OVF package contains one or more
image files, a .ovf XML metadata file that contains information about the virtual machine, and
possibly other files as well.
An OVF package can be distributed in different ways. For example, it could be distributed as a set
of discrete files, or as a tar archive file with an .ova (open virtual appliance/application) extension.
OpenStack Compute does not currently have support for OVF packages, so you will need to extract
the image file(s) from an OVF package if you wish to use it with OpenStack.
QCOW2 The QCOW2 (QEMU copy-on-write version 2) format is commonly used with the KVM
hypervisor. It has some additional features over the raw format, such as:
• Using sparse representation, so the image size is smaller.
• Support for snapshots.
Because qcow2 is sparse, qcow2 images are typically smaller than raw images. Smaller images
mean faster uploads, so it is often faster to convert a raw image to qcow2 for uploading instead of
uploading the raw file directly.

Note: Because raw images do not support snapshots, OpenStack Compute will automatically
convert raw image files to qcow2 as needed.

Raw The raw image format is the simplest one, and is natively supported by both KVM and Xen
hypervisors. You can think of a raw image as being the bit-equivalent of a block device file, created as
if somebody had copied, say, /dev/sda to a file using the dd command.

Note: We do not recommend creating raw images by dd’ing block device files, we discuss how to
create raw images later.

UEC tarball A UEC (Ubuntu Enterprise Cloud) tarball is a gzipped tarfile that contains an AMI file, AKI
file, and ARI file.

Note: Ubuntu Enterprise Cloud refers to a discontinued Eucalyptus-based Ubuntu cloud solution
that has been replaced by the OpenStack-based Ubuntu Cloud Infrastructure.

VDI VirtualBox uses the VDI (Virtual Disk Image) format for image files. None of the OpenStack
Compute hypervisors support VDI directly, so you will need to convert these files to a different format
to use them with OpenStack.
VHD Microsoft Hyper-V uses the VHD (Virtual Hard Disk) format for images.
VHDX The version of Hyper-V that ships with Microsoft Server 2012 uses the newer VHDX format,
which has some additional features over VHD such as support for larger disk sizes and protection
against data corruption during power failures.
VMDK VMware ESXi hypervisor uses the VMDK (Virtual Machine Disk) format for images.

Get images

The simplest way to obtain a virtual machine image that works with OpenStack is to download one that
someone else has already created. Most of the images contain the cloud-init package to support the
SSH key pair and user data injection. Because many of the images disable SSH password authentication
by default, boot the image with an injected key pair. You can SSH into the instance with the private key
and default login account. See Configure access and security for instances for more information on how
to create and inject key pairs with OpenStack.

CentOS

The CentOS project maintains official images for direct download.


• CentOS 6 images
• CentOS 7 images

Note: In a CentOS cloud image, the login account is centos.

CirrOS (test)

CirrOS is a minimal Linux distribution that was designed for use as a test image on clouds such as
OpenStack Compute. You can download a CirrOS image in various formats from the CirrOS download page.
If your deployment uses QEMU or KVM, we recommend using the images in qcow2 format. The most
recent 64-bit qcow2 image as of this writing is cirros-0.4.0-x86_64-disk.img.

Note: In a CirrOS image, the login account is cirros. The password is gocubsgo.

Debian

Debian provides images for direct download. They are made at the same time as the CD and DVD images
of Debian. Therefore, images are available on each point release of Debian. Also, weekly images of the
testing distribution are available.

Note: In a Debian image, the login account is debian.


Fedora

The Fedora project maintains a list of official cloud images at Fedora download page.

Note: In a Fedora cloud image, the login account is fedora.

Microsoft Windows

Cloudbase Solutions hosts Windows Cloud Images that run on Hyper-V, KVM, and XenServer/XCP.

Ubuntu

Canonical maintains an official set of Ubuntu-based images.


Images are arranged by Ubuntu release, and by image release date, with current being the most recent.
For example, the page that contains the most recently built image for Ubuntu 16.04 Xenial Xerus is Ubuntu
16.04 LTS (Xenial Xerus) Daily Build. Scroll to the bottom of the page for links to the images that can be
downloaded directly.
If your deployment uses QEMU or KVM, we recommend using the images in qcow2 format. The most
recent version of the 64-bit QCOW2 image for Ubuntu 16.04 is xenial-server-cloudimg-amd64-disk1.img.

Note: In an Ubuntu cloud image, the login account is ubuntu.

openSUSE and SUSE Linux Enterprise Server

The openSUSE community provides images for openSUSE.


SUSE maintains official SUSE Linux Enterprise Server cloud images. Go to download.suse.com and
search for SUSE Linux Enterprise Server 15 JeOS.

Note: In an openSUSE cloud image, the login account is opensuse.

Red Hat Enterprise Linux

Red Hat maintains official Red Hat Enterprise Linux cloud images. A valid Red Hat Enterprise Linux
subscription is required to download these images.
• Red Hat Enterprise Linux 7 KVM Guest Image
• Red Hat Enterprise Linux 6 KVM Guest Image

Note: In a RHEL cloud image, the login account is cloud-user.


Image requirements

Linux

For a Linux-based image to have full functionality in an OpenStack Compute cloud, there are a few
requirements. For some of these, you can fulfill the requirements by installing the cloud-init package. Read
this section before you create your own image to be sure that the image supports the OpenStack features
that you plan to use.
• Disk partitions and resize root partition on boot (cloud-init)
• No hard-coded MAC address information
• SSH server running
• Disable firewall
• Access instance using ssh public key (cloud-init)
• Process user data and other metadata (cloud-init)
• Paravirtualized Xen support in Linux kernel (Xen hypervisor only with Linux kernel version < 3.0)

Disk partitions and resize root partition on boot (cloud-init)

When you create a Linux image, you must decide how to partition the disks. The choice of partition method
can affect the resizing functionality, as described in the following sections.
The size of the disk in a virtual machine image is determined when you initially create the image. However,
OpenStack lets you launch instances with different size drives by specifying different flavors. For example,
if your image was created with a 5 GB disk and you launch an instance with the m1.small flavor, the
resulting virtual machine instance has, by default, a primary disk size of 20 GB. When the disk for an
instance is resized up, zeros are just added to the end.
Your image must be able to resize its partitions on boot to match the size requested by the user. Otherwise,
after the instance boots, you must manually resize the partitions to access the additional storage that
becomes available when the disk size associated with the flavor exceeds the disk size with which your
image was created.

Xen: one ext3/ext4 partition (no LVM)

If you use the OpenStack XenAPI driver, the Compute service automatically adjusts the partition and file
system for your instance on boot. Automatic resize occurs if the following conditions are all true:
• auto_disk_config=True is set as a property on the image in the image registry.
• The disk on the image has only one partition.
• The file system on the one partition is ext3 or ext4.
Therefore, if you use Xen, we recommend that when you create your images, you create a single ext3 or
ext4 partition (not managed by LVM). Otherwise, read on.


Non-Xen with cloud-init/cloud-tools: one ext3/ext4 partition (no LVM)

You must configure these items for your image:


• The partition table for the image describes the original size of the image.
• The file system for the image fills the original size of the image.
Then, during the boot process, you must:
• Modify the partition table to make it aware of the additional space:
– If you do not use LVM, you must modify the table to extend the existing root partition to
encompass this additional space.
– If you use LVM, you can add a new LVM entry to the partition table, create a new LVM physical
volume, add it to the volume group, and extend the logical partition with the root volume.
• Resize the root volume file system.
Depending on your distribution, the simplest way to support this is to install in your image:
• the cloud-init package,
• the cloud-utils package, which, on Ubuntu and Debian, also contains the growpart tool for
extending partitions,
• if you use Fedora, CentOS 7, or RHEL 7, the cloud-utils-growpart package, which contains
the growpart tool for extending partitions,
• if you use Ubuntu or Debian, the cloud-initramfs-growroot package, which supports resizing the
root partition on the first boot.
With these packages installed, the image performs the root partition resize on boot, for example from
the /etc/rc.local file.

If you cannot install cloud-initramfs-tools, Robert Plestenjak has a GitHub project called
linux-rootfs-resize that contains scripts that update a ramdisk by using growpart so that the image
resizes properly on boot.
If you can install the cloud-init and cloud-utils packages, we recommend that when you create your
images, you create a single ext3 or ext4 partition (not managed by LVM).

Non-Xen without cloud-init/cloud-tools: LVM

If you cannot install cloud-init and cloud-tools inside of your guest, and you want to support resize,
you must write a script that your image runs on boot to modify the partition table. In this case, we
recommend using LVM to manage your partitions. Due to a limitation in the Linux kernel (as of this
writing), you cannot modify a partition table of a raw disk that has partitions currently mounted, but you
can do this for LVM.
Your script must do something like the following:
1. Detect if any additional space is available on the disk. For example, parse the output of
   parted /dev/sda --script "print free".
2. Create a new LVM partition with the additional space. For example, parted /dev/sda --script
   "mkpart lvm ...".
3. Create a new physical volume. For example, pvcreate /dev/sda6.
4. Extend the volume group with this physical partition. For example, vgextend vg00 /dev/sda6.
5. Extend the logical volume containing the root partition by the amount of space. For example,
   lvextend /dev/mapper/node-root /dev/sda6.
6. Resize the root file system. For example, resize2fs /dev/mapper/node-root.


You do not need a /boot partition unless your image is an older Linux distribution that requires that /boot
is not managed by LVM.
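The six steps above, assembled into one boot-time script. This is an added example, not code from the guide: it parses the output of parted "print free", picks the trailing free region, checks that it is large enough to be worth claiming, and prints the parted, pvcreate, vgextend, lvextend and resize2fs commands it would run (set APPLY=1 to execute them). The device, volume group and root logical volume names are the guide's example values, the 100 MiB threshold and the msdos partition label are assumptions, and the sample parted output is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: a boot-time "grow root over the free space"
# script for an LVM image without cloud-init, following the guide's six steps.
# Dry run (prints the commands) unless APPLY=1 is set in the environment.
# Device, VG and LV names are the guide's example values; the msdos label
# ("mkpart primary") and the size threshold below are assumptions.

MIN_GROW_BYTES=${MIN_GROW_BYTES:-104857600}   # ignore free regions under 100 MiB

# Convert a parted SI size such as "16.1GB" into bytes (parted prints SI units).
size_to_bytes() {
  awk -v s="$1" 'BEGIN {
    n = s + 0; u = s; sub(/^[0-9.]+/, "", u)
    m["B"] = 1; m["kB"] = 1e3; m["MB"] = 1e6; m["GB"] = 1e9; m["TB"] = 1e12
    if (!(u in m)) exit 1
    printf "%.0f\n", n * m[u] }'
}

# Stdin: parted "print free" output. Prints "START END SIZE" of the last
# Free Space region, or fails when the disk has no free region at all (step 1).
last_free_region() {
  awk '/Free Space/ { s = $1; e = $2; z = $3 }
       END { if (s == "") exit 1; print s, e, z }'
}

# Stdin: parted "print free" output. Prints the next unused partition number.
next_partition_number() {
  awk 'BEGIN { n = 0 } $1 ~ /^[0-9]+$/ && $1 + 0 > n { n = $1 + 0 } END { print n + 1 }'
}

# Run a command, or only print it when not applying.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "would run: $*"; fi
}

# plan_lvm_grow DEVICE VG ROOT_LV   (parted "print free" output on stdin)
plan_lvm_grow() {
  dev=$1; vg=$2; root_lv=$3
  parted_out=$(cat)
  region=$(printf '%s\n' "$parted_out" | last_free_region) || {
    echo "$dev: no free space, nothing to do"; return 1; }
  set -- $region
  start=$1; end=$2; size=$3
  bytes=$(size_to_bytes "$size") || { echo "cannot parse size $size" >&2; return 1; }
  if [ "$bytes" -lt "$MIN_GROW_BYTES" ]; then
    echo "$dev: free region $size is below the threshold, nothing to do"; return 1
  fi
  num=$(printf '%s\n' "$parted_out" | next_partition_number)
  part="${dev}${num}"
  # Step 2: a new partition over the free region, flagged for LVM.
  run parted "$dev" --script "mkpart primary $start $end" "set $num lvm on"
  # Steps 3 to 6: physical volume, extend VG, extend root LV, grow the file system.
  run pvcreate "$part"
  run vgextend "$vg" "$part"
  run lvextend "$root_lv" "$part"
  run resize2fs "$root_lv"
}

# Constructed sample of parted /dev/sda --script "print free" for a disk that the
# flavor grew to 20 GB while the image's single LVM partition still spans 5 GB.
SAMPLE_PARTED='Model: Virtio Block Device (virtblk)
Disk /dev/sda: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
        32.3kB  1049kB  1016kB           Free Space
 1      1049kB  5369MB  5368MB  primary               lvm
        5369MB  21.5GB  16.1GB           Free Space'

# Dry-run demo; on a real image: parted /dev/sda --script "print free" | plan_lvm_grow ...
printf '%s\n' "$SAMPLE_PARTED" | plan_lvm_grow /dev/sda vg00 /dev/mapper/node-root
```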

No hard-coded MAC address information

You must remove the network persistence rules in the image because they cause the network interface in
the instance to come up as an interface other than eth0. This is because your image has a record of the
MAC address of the network interface card when it was first installed, and this MAC address is different
each time the instance boots. You should alter the following files:
• Replace /etc/udev/rules.d/70-persistent-net.rules with an empty file (contains network
persistence rules, including MAC address).
• Replace /lib/udev/rules.d/75-persistent-net-generator.rules with an empty file (this
generates the file above).
• Remove the HWADDR line from /etc/sysconfig/network-scripts/ifcfg-eth0 on Fedora-
based images.

Note: If you delete the network persistent rules files, you may get a udev kernel warning at boot time,
which is why we recommend replacing them with empty files instead.

Ensure ssh server runs

You must install an ssh server into the image and ensure that it starts up on boot, or you cannot
connect to your instance by using ssh when it boots inside of OpenStack. This package is typically called
openssh-server.

Disable firewall

In general, we recommend that you disable any firewalls inside of your image and use OpenStack security
groups to restrict access to instances. The reason is that having a firewall installed on your instance can
make it more difficult to troubleshoot networking issues if you cannot connect to your instance.

Access instance by using ssh public key (cloud-init)

The typical way that users access virtual machines running on OpenStack is to ssh using public key
authentication. For this to work, your virtual machine image must be configured to download the ssh public
key from the OpenStack metadata service or config drive, at boot time.
If both the XenAPI agent and cloud-init are present in an image, cloud-init handles ssh-key injection.
The system assumes cloud-init is present when the image has the cloud_init_installed property.


Use cloud-init to fetch the public key

The cloud-init package automatically fetches the public key from the metadata server and places the
key in an account. The account varies by distribution. On Ubuntu-based virtual machines, the account
is called ubuntu, on Fedora-based virtual machines, the account is called fedora, and on CentOS-based
virtual machines, the account is called centos.
You can change the name of the account used by cloud-init by editing the /etc/cloud/cloud.cfg
file and adding a line with a different user. For example, to configure cloud-init to put the key in an
account named admin, use the following syntax in the configuration file:

users:
- name: admin
(...)

Write a custom script to fetch the public key

If you are unable or unwilling to install cloud-init inside the guest, you can write a custom script to
fetch the public key and add it to a user account.
To fetch the ssh public key and add it to the root account, edit the /etc/rc.local file and add the following
lines before the line touch /var/lock/subsys/local. This code fragment is taken from the rackerjoe
oz-image-build CentOS 6 template.

if [ ! -d /root/.ssh ]; then
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
fi

# Fetch public key using HTTP
ATTEMPTS=30
FAILED=0
while [ ! -f /root/.ssh/authorized_keys ]; do
    curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/metadata-key 2>/dev/null
    if [ $? -eq 0 ]; then
        cat /tmp/metadata-key >> /root/.ssh/authorized_keys
        chmod 0600 /root/.ssh/authorized_keys
        restorecon /root/.ssh/authorized_keys
        rm -f /tmp/metadata-key
        echo "Successfully retrieved public key from instance metadata"
        echo "*****************"
        echo "AUTHORIZED KEYS"
        echo "*****************"
        cat /root/.ssh/authorized_keys
        echo "*****************"
    else
        FAILED=`expr $FAILED + 1`
        if [ $FAILED -ge $ATTEMPTS ]; then
            echo "Failed to retrieve public key from instance metadata after $FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve public key from instance metadata (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."
        sleep 5
    fi
done

Note: Some VNC clients replace : (colon) with ; (semicolon) and _ (underscore) with - (hyphen). If
editing a file over a VNC session, make sure it is http: not http; and authorized_keys not authorized-keys.

Process user data and other metadata (cloud-init)

In addition to the ssh public key, an image might need additional information from OpenStack, such as
user data that the user submitted when requesting the image, which must be provided to the instance. For
example, you might want to set the host name of the instance when it is booted. Or, you might wish to
configure your image so that it executes user data content as a script on boot.
You can access this information through the metadata service or by referring to Store metadata on the
configuration drive. As the OpenStack metadata service is compatible with version 2009-04-04 of the
Amazon EC2 metadata service, consult the Amazon EC2 documentation on Using Instance Metadata for
details on how to retrieve the user data.
The easiest way to support this type of functionality is to install the cloud-init package into your image,
which is configured by default to treat user data as an executable script, and sets the host name.

Ensure image writes boot log to console

You must configure the image so that the kernel writes the boot log to the ttyS0 device. In particular, the
console=tty0 console=ttyS0,115200n8 arguments must be passed to the kernel on boot.

If your image uses grub2 as the boot loader, there should be a line in the grub configuration file. For
example, /boot/grub/grub.cfg, which looks something like this:

linux /boot/vmlinuz-3.2.0-49-virtual root=UUID=6d2231e4-0975-4f35-a94f-56738c1a8150 ro console=tty0 console=ttyS0,115200n8

If console=tty0 console=ttyS0,115200n8 does not appear, you must modify your grub
configuration. In general, you should not update the grub.cfg directly, since it is automatically
generated. Instead, you should edit the /etc/default/grub file and modify the value of the
GRUB_CMDLINE_LINUX_DEFAULT variable:

GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"

Next, update the grub configuration. On Debian-based operating systems such as Ubuntu, run this
command:

# update-grub

On Fedora-based systems, such as RHEL and CentOS, and on openSUSE, run this command:

# grub2-mkconfig -o /boot/grub2/grub.cfg


Paravirtualized Xen support in the kernel (Xen hypervisor only)

Prior to Linux kernel version 3.0, the mainline branch of the Linux kernel did not have support for
paravirtualized Xen virtual machine instances (what Xen calls DomU guests). If you are running the Xen
hypervisor with paravirtualization, and you want to create an image for an older Linux distribution that has
a pre 3.0 kernel, you must ensure that the image boots a kernel that has been compiled with Xen support.

Manage the image cache

Use options in the nova.conf file to control whether, and for how long, unused base images are stored
in the /var/lib/nova/instances/_base/. If you have configured live migration of instances, all your
compute nodes share one common /var/lib/nova/instances/ directory.
For information about the libvirt images in OpenStack, see The life of an OpenStack libvirt image from
Pádraig Brady.

Table 1: Image cache management configuration options

Configuration option=Default value (Type) Description

preallocate_images=none (StrOpt) VM image preallocation mode:
    none: No storage provisioning occurs up front.
    space: Storage is fully allocated at instance start. The $instance_dir/ images are fallocated to
    immediately determine if enough space is available, and to possibly improve VM I/O performance
    due to ongoing allocation avoidance, and better locality of block allocations.

remove_unused_base_images=True (BoolOpt) Should unused base images be removed? When set to True,
    the interval at which base images are removed is set with the following two settings. If set to
    False, base images are never removed by Compute.

remove_unused_original_minimum_age_seconds=86400 (IntOpt) Unused unresized base images younger
    than this are not removed. Default is 86400 seconds, or 24 hours.

remove_unused_resized_minimum_age_seconds=3600 (IntOpt) Unused resized base images younger than
    this are not removed. Default is 3600 seconds, or one hour.

To see how the settings affect the deletion of a running instance, check the directory where the images are
stored:

# ls -lash /var/lib/nova/instances/_base/

In the /var/log/compute/compute.log file, look for the identifier:

2012-02-18 04:24:17 41389 WARNING nova.virt.libvirt.imagecache [-] Unknown base file: /var/lib/nova/instances/_base/06a057b9c7b0b27e3b496f53d1e88810a0d1d5d3_20
2012-02-18 04:24:17 41389 INFO nova.virt.libvirt.imagecache [-] Removable base files: /var/lib/nova/instances/_base/06a057b9c7b0b27e3b496f53d1e88810a0d1d5d3 /var/lib/nova/instances/_base/06a057b9c7b0b27e3b496f53d1e88810a0d1d5d3_20
2012-02-18 04:24:17 41389 INFO nova.virt.libvirt.imagecache [-] Removing base file: /var/lib/nova/instances/_base/06a057b9c7b0b27e3b496f53d1e88810a0d1d5d3

Because 86400 seconds (24 hours) is the default time for remove_unused_original_minimum_age_seconds,
you can either wait for that time interval to see the base image removed, or set the value to a shorter time
period in the nova.conf file. Restart all nova services after changing a setting in the nova.conf file.

Modify images

Once you have obtained a virtual machine image, you may want to make some changes to it before up-
loading it to the Image service. Here we describe several tools available that allow you to modify images.

Warning: Do not attempt to use these tools to modify an image that is attached to a running virtual
machine. These tools are designed only to modify the images that are not currently running.

guestfish

The guestfish program is a tool from the libguestfs project that allows you to modify the files inside of
a virtual machine image.

Note: guestfish does not mount the image directly into the local file system. Instead, it provides you
with a shell interface that enables you to view, edit, and delete files. Many of guestfish commands, such
as touch, chmod, and rm, resemble traditional bash commands.

Example guestfish session

Sometimes you must modify a virtual machine image to remove any traces of the MAC address that was
assigned to the virtual network interface card when the image was first created. This is because the MAC
address is different each time the virtual machine image boots. This example shows how to use guestfish
to remove references to the old MAC address by deleting the /etc/udev/rules.d/70-persistent-net.rules
file and removing the HWADDR line from the /etc/sysconfig/network-scripts/ifcfg-eth0 file.
Assume that you have a CentOS qcow2 image called centos63_desktop.img. Open the image in read-write
mode as root, as follows:

# guestfish --rw -a centos63_desktop.img

Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.

Type: 'help' for help on commands
'man' to read the manual
'quit' to quit the shell

><fs>

This starts a guestfish session.

Note: the guestfish prompt looks like a fish: ><fs>.

We must first use the run command at the guestfish prompt before we can do anything else. This will
launch a virtual machine, which will be used to perform all of the file manipulations.

><fs> run

1. We can now view the file systems in the image using the list-filesystems command:

><fs> list-filesystems
/dev/vda1: ext4
/dev/vg_centosbase/lv_root: ext4
/dev/vg_centosbase/lv_swap: swap

2. We need to mount the logical volume that contains the root partition:

><fs> mount /dev/vg_centosbase/lv_root /

3. Next, we want to delete a file. We can use the rm guestfish command, which works the same way it
does in a traditional shell.

><fs> rm /etc/udev/rules.d/70-persistent-net.rules

4. We want to edit the ifcfg-eth0 file to remove the HWADDR line. The edit command will copy the
file to the host, invoke your editor, and then copy the file back.

><fs> edit /etc/sysconfig/network-scripts/ifcfg-eth0

5. If you want to modify this image to load the 8021q kernel module at boot time, you must create an
executable script in the /etc/sysconfig/modules/ directory. You can use the touch guestfish command
to create an empty file, the edit command to edit it, and the chmod command to make it executable.

><fs> touch /etc/sysconfig/modules/8021q.modules


><fs> edit /etc/sysconfig/modules/8021q.modules

6. We add the following line to the file and save it:

modprobe 8021q

7. Then we set to executable:

><fs> chmod 0755 /etc/sysconfig/modules/8021q.modules

8. We are done, so we can exit using the exit command:


><fs> exit

Go further with guestfish

There is an enormous amount of functionality in guestfish and a full treatment is beyond the scope of this
document. Instead, we recommend that you read the guestfs-recipes documentation page for a sense of
what is possible with these tools.

guestmount

For some types of changes, you may find it easier to mount the image's file system directly on the host,
through FUSE, and work on it with ordinary tools. The guestmount program, also from the libguestfs
project, allows you to do so.
1. For example, to mount the root partition from our centos63_desktop.qcow2 image to /mnt, we
can do:

# guestmount -a centos63_desktop.qcow2 -m /dev/vg_centosbase/lv_root --rw /mnt

2. If we did not know in advance what the mount point is in the guest, we could use the -i (inspect)
flag to tell guestmount to automatically determine what mount point to use:

# guestmount -a centos63_desktop.qcow2 -i --rw /mnt

3. Once mounted, we could do things like list the installed packages using rpm:

# rpm -qa --dbpath /mnt/var/lib/rpm

4. Once done, we unmount:

# umount /mnt
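As an added example (not from the guide or from the libguestfs project), here is the cleanup that the guestfish session above performs by hand, written as a shell function that runs against a guest root tree mounted on the host with guestmount. The mount-point argument, the ifcfg-eth* glob, the removal of UUID= lines and of SSH host keys are this example's own choices, not steps the guide prescribes; the function refuses to run against / so that a stray invocation cannot sanitize the host itself. The sample tree it builds is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: strip hardware-specific
# network identity (and per-machine SSH host keys) from a guest root tree
# that has been mounted on the host, e.g. with "guestmount ... --rw /mnt".
# Argument: the mount point. "/" and "" are refused on purpose.
#
# Mirrors the manual guestfish steps in the guide, plus two assumptions of
# this example: UUID= lines are dropped as well (they pin an ifcfg profile
# to the original NIC just like HWADDR=), and SSH host keys are removed so
# every instance booted from the image generates its own.

sanitize_guest_root() {
    root=$1
    case "$root" in
        ""|/) echo "refusing to sanitize '$root'" >&2; return 1 ;;
    esac
    [ -d "$root/etc" ] || { echo "$root does not look like a root tree" >&2; return 1; }

    # Cached MAC -> ethX mapping written by udev on first boot.
    rm -f "$root/etc/udev/rules.d/70-persistent-net.rules"

    # Drop only the identity lines; BOOTPROTO, ONBOOT, ... are kept.
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-eth*; do
        [ -f "$cfg" ] || continue
        sed -i -e '/^HWADDR=/d' -e '/^UUID=/d' "$cfg"
    done

    # Host keys are regenerated by sshd/cloud-init on the next boot.
    rm -f "$root"/etc/ssh/ssh_host_*
    return 0
}

# Helper used to verify the result: number of identity lines left in FILE.
count_identity_lines() {
    grep -c -E '^(HWADDR|UUID)=' "$1" 2>/dev/null || true
}

# Constructed sample tree standing in for the guestmount mount point.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/udev/rules.d" "$root/etc/sysconfig/network-scripts" "$root/etc/ssh"
    printf 'SUBSYSTEM=="net", ATTR{address}=="52:54:00:12:34:56", NAME="eth0"\n' \
        > "$root/etc/udev/rules.d/70-persistent-net.rules"
    printf 'DEVICE=eth0\nHWADDR=52:54:00:12:34:56\nUUID=0f9a1d2e-constructed\nBOOTPROTO=dhcp\nONBOOT=yes\n' \
        > "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    : > "$root/etc/ssh/ssh_host_rsa_key"
    echo "$root"
}

# "sh sanitize.sh --demo" shows the effect on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    sanitize_guest_root "$r"
    cat "$r/etc/sysconfig/network-scripts/ifcfg-eth0"
    rm -rf "$r"
fi
```

To use it on a real image, source the file after guestmount and call sanitize_guest_root /mnt, then umount /mnt so the changes are flushed back into the image file before you upload it.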

virt-* tools

The libguestfs project has a number of other useful tools, including:


• virt-edit for editing a file inside of an image.
• virt-df for displaying free space inside of an image.
• virt-resize for resizing an image.
• virt-sysprep for preparing an image for distribution (for example, delete SSH host keys, remove
MAC address info, or remove user accounts).
• virt-sparsify for making an image sparse.
• virt-p2v for converting a physical machine to an image that runs on KVM.
• virt-v2v for converting Xen and VMware images to KVM images.


Modify a single file inside of an image

This example shows how to use virt-edit to modify a file. The command can take either a filename
as an argument with the -a flag, or a domain name as an argument with the -d flag. The following
example shows how to use it to modify the /etc/shadow file in the instance with libvirt domain name
instance-000000e1. Because that instance is currently running, and these tools must never touch a
running guest, it is shut down first and started again afterwards:

# virsh shutdown instance-000000e1


# virt-edit -d instance-000000e1 /etc/shadow
# virsh start instance-000000e1

Resize an image

Here is an example of how to use virt-resize to resize an image. Assume we have a 16 GB Windows
image in qcow2 format that we want to resize to 50 GB.
1. First, we use virt-filesystems to identify the partitions:

# virt-filesystems --long --parts --blkdevs -h -a /data/images/win2012.qcow2


Name Type MBR Size Parent
/dev/sda1 partition 07 350M /dev/sda
/dev/sda2 partition 07 16G /dev/sda
/dev/sda device - 16G -

2. In this case, it is the /dev/sda2 partition that we want to resize. We create a new qcow2 image and
use the virt-resize command to write a resized copy of the original into the new image:

# qemu-img create -f qcow2 /data/images/win2012-50gb.qcow2 50G


# virt-resize --expand /dev/sda2 /data/images/win2012.qcow2 \
/data/images/win2012-50gb.qcow2
Examining /data/images/win2012.qcow2 ...
**********

Summary of changes:

/dev/sda1: This partition will be left alone.

/dev/sda2: This partition will be resized from 15.7G to 49.7G. The


filesystem ntfs on /dev/sda2 will be expanded using the
'ntfsresize' method.

**********
Setting up initial partition table on /data/images/win2012-50gb.qcow2 ...
Copying /dev/sda1 ...
100% [ ] 00:00
Copying /dev/sda2 ...
100% [ ] 00:00
Expanding /dev/sda2 using the 'ntfsresize' method ...

Resize operation completed with no errors. Before deleting the old


disk, carefully check that the resized disk boots and works correctly.


Loop devices, kpartx, network block devices

If you do not have access to libguestfs, you can mount image file systems directly on the host using
loop devices, kpartx, and network block devices.

Warning: Mounting untrusted guest images using the tools described in this section is a security
risk, always use libguestfs tools such as guestfish and guestmount if you have access to them. See A
reminder why you should never mount guest disk images on the host OS by Daniel Berrangé for more
details.

Mount a raw image (without LVM)

If you have a raw virtual machine image that is not using LVM to manage its partitions, use the losetup
command to find an unused loop device.

# losetup -f
/dev/loop0

In this example, /dev/loop0 is free. Associate a loop device with the raw image:

# losetup /dev/loop0 fedora17.img

If the image only has a single partition, you can mount the loop device directly:

# mount /dev/loop0 /mnt

If the image has multiple partitions, use kpartx to expose the partitions as separate devices (for example,
/dev/mapper/loop0p1), then mount the partition that corresponds to the root file system:

# kpartx -av /dev/loop0

If the image has, say three partitions (/boot, /, swap), there should be one new device created per partition:

$ ls -l /dev/mapper/loop0p*
brw-rw---- 1 root disk 43, 49 2012-03-05 15:32 /dev/mapper/loop0p1
brw-rw---- 1 root disk 43, 50 2012-03-05 15:32 /dev/mapper/loop0p2
brw-rw---- 1 root disk 43, 51 2012-03-05 15:32 /dev/mapper/loop0p3

To mount the second partition, as root:

# mkdir /mnt/image
# mount /dev/mapper/loop0p2 /mnt/image

Once you are done, to clean up:

# umount /mnt/image
# rmdir /mnt/image
# kpartx -d /dev/loop0
# losetup -d /dev/loop0


Mount a raw image (with LVM)

If your partitions are managed with LVM, use losetup and kpartx commands as in the previous example
to expose the partitions to the host.

# losetup -f
/dev/loop0
# losetup /dev/loop0 rhel62.img
# kpartx -av /dev/loop0

Next, you need to use the vgscan command to identify the LVM volume groups and then the vgchange
command to expose the volumes as devices:

# vgscan
Reading all physical volumes. This may take a while...
Found volume group "vg_rhel62x8664" using metadata type lvm2
# vgchange -ay
2 logical volume(s) in volume group "vg_rhel62x8664" now active
# mount /dev/vg_rhel62x8664/lv_root /mnt

Clean up when you are done:

# umount /mnt
# vgchange -an vg_rhel62x8664
# kpartx -d /dev/loop0
# losetup -d /dev/loop0

Mount a qcow2 image (without LVM)

You need the nbd (network block device) kernel module loaded to mount qcow2 images. The max_part=16
parameter lets the kernel expose up to 16 partitions per nbd device; the module itself creates 16
/dev/nbdN devices by default, which is fine for our purposes. As root:

# modprobe nbd max_part=16

Assuming the first block device (/dev/nbd0) is not currently in use, we can expose the disk partitions
using the qemu-nbd and partprobe commands. As root:

# qemu-nbd -c /dev/nbd0 image.qcow2


# partprobe /dev/nbd0

If the image has, say three partitions (/boot, /, swap), there should be one new device created for each
partition:

$ ls -l /dev/nbd0*
brw-rw---- 1 root disk 43, 48 2012-03-05 15:32 /dev/nbd0
brw-rw---- 1 root disk 43, 49 2012-03-05 15:32 /dev/nbd0p1
brw-rw---- 1 root disk 43, 50 2012-03-05 15:32 /dev/nbd0p2
brw-rw---- 1 root disk 43, 51 2012-03-05 15:32 /dev/nbd0p3

Note: If the network block device you selected was already in use, the initial qemu-nbd command will
fail silently, and the /dev/nbd0p{1,2,3} device files will not be created. Before connecting, check that
/sys/block/nbd0/pid does not exist: the kernel creates that file only while a qemu-nbd process is
attached to the device.

If the image partitions are not managed with LVM, they can be mounted directly:

# mkdir /mnt/image
# mount /dev/nbd0p2 /mnt/image

When you are done, clean up:

# umount /mnt/image
# rmdir /mnt/image
# qemu-nbd -d /dev/nbd0

Mount a qcow2 image (with LVM)

If the image partitions are managed with LVM, after you use qemu-nbd and partprobe, you must use
vgscan and vgchange -ay in order to expose the LVM partitions as devices that can be mounted:

# modprobe nbd max_part=16


# qemu-nbd -c /dev/nbd0 image.qcow2
# partprobe /dev/nbd0
# vgscan
Reading all physical volumes. This may take a while...
Found volume group "vg_rhel62x8664" using metadata type lvm2
# vgchange -ay
2 logical volume(s) in volume group "vg_rhel62x8664" now active
# mount /dev/vg_rhel62x8664/lv_root /mnt

When you are done, clean up:

# umount /mnt
# vgchange -an vg_rhel62x8664
# qemu-nbd -d /dev/nbd0
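The two qcow2 procedures above share the same failure modes: qemu-nbd gives no error when the nbd device is already connected, a forgotten vgchange -an leaves the volume group pinned so the device cannot be disconnected, and an untrusted image is attached read-write by default. The following wrapper, an added example that is not part of the OpenStack guide or of QEMU, folds both procedures (with and without LVM) into one function that checks /sys/block/nbdN/pid before connecting, exports the image read-only unless asked otherwise, and unwinds in reverse order from an EXIT trap. The root logical volume name lv_root and the SYSFS override used for offline testing are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenStack guide: safe qemu-nbd mount helper.
# The mount itself needs root, the nbd module and the qemu/LVM tools; the
# inspection helpers (nbd_in_use, nbd_find_free, part_dev) are pure and
# only read sysfs, so they can be exercised without any of that.

SYSFS=${SYSFS:-/sys}   # overridable so the helpers can run against a fake tree

# Connected nbd devices expose their server pid at /sys/block/nbdN/pid.
nbd_in_use() {
    [ -e "$SYSFS/block/$(basename "$1")/pid" ]
}

# Print the first nbd device that exists and is not connected; status 1 if none.
nbd_find_free() {
    for n in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
        if [ -e "$SYSFS/block/nbd$n" ] && ! nbd_in_use "/dev/nbd$n"; then
            echo "/dev/nbd$n"
            return 0
        fi
    done
    return 1
}

# Partition device for a whole-disk device: nbd partitions appear as nbdNpM,
# loop partitions exposed through kpartx as /dev/mapper/loopNpM.
part_dev() {
    case "$1" in
        /dev/nbd*)  echo "$1p$2" ;;
        /dev/loop*) echo "/dev/mapper/$(basename "$1")p$2" ;;
        *) return 1 ;;
    esac
}

# mount_qcow2 IMAGE PARTNUM MOUNTPOINT [VG] [ro|rw]
# With VG set, the LVM root (assumed to be VG/lv_root) is mounted instead of
# the raw partition. Mode defaults to ro: do not write to an image you do
# not trust, and do not trust an image just because you downloaded it.
mount_qcow2() {
    image=$1; partnum=$2; mnt=$3; vg=${4:-}; mode=${5:-ro}
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    modprobe nbd max_part=16
    dev=$(nbd_find_free) || { echo "no free nbd device" >&2; return 1; }

    cleanup() {
        umount "$mnt" 2>/dev/null
        [ -n "$vg" ] && vgchange -an "$vg" >/dev/null 2>&1
        qemu-nbd -d "$dev" >/dev/null 2>&1
    }
    trap cleanup EXIT INT TERM

    if [ "$mode" = ro ]; then
        qemu-nbd -r -c "$dev" "$image"      # -r exports the image read-only
    else
        qemu-nbd -c "$dev" "$image"
    fi
    # qemu-nbd returns before the kernel finishes attaching; wait, then verify
    # instead of trusting its exit status.
    i=0
    until nbd_in_use "$dev" || [ "$i" -ge 10 ]; do sleep 0.5; i=$((i + 1)); done
    nbd_in_use "$dev" || { echo "qemu-nbd did not connect $dev" >&2; return 1; }
    partprobe "$dev"

    if [ -n "$vg" ]; then
        vgscan >/dev/null
        vgchange -ay "$vg" >/dev/null
        target=/dev/$vg/lv_root
    else
        target=$(part_dev "$dev" "$partnum") || return 1
    fi
    mount -o "$mode" "$target" "$mnt"
    echo "mounted $target on $mnt via $dev ($mode); press Enter to unmount"
    read -r _
}

if [ $# -ge 3 ]; then mount_qcow2 "$@"; fi
```

Typical use is mount_qcow2 image.qcow2 2 /mnt for the no-LVM case and mount_qcow2 rhel62.qcow2 0 /mnt vg_rhel62x8664 for the LVM case; pass rw as the fifth argument only for an image you built yourself.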

Create images manually

Verify the libvirt default network is running

Before starting a virtual machine with libvirt, verify that the libvirt default network has started. This
network must be active for your virtual machine to be able to connect out to the network. Starting this
network will create a Linux bridge (usually called virbr0), iptables rules, and a dnsmasq process that will
serve as a DHCP server.
To verify that the libvirt default network is enabled, use the virsh net-list command and verify that
the default network is active:

# virsh net-list
Name State Autostart
-----------------------------------------
default active yes

If the network is not active, start it by doing:

# virsh net-start default


Use the virt-manager X11 GUI

If you plan to create a virtual machine image on a machine that can run X11 applications, the simplest
way to do so is to use the virt-manager GUI, which is installable as the virt-manager package on both
Fedora-based and Debian-based systems. This GUI has an embedded VNC client that will let you view
and interact with the guest’s graphical console.
If you are building the image on a headless server, and you have an X server on your local machine, you can
launch virt-manager using ssh X11 forwarding to access the GUI. Since virt-manager interacts directly
with libvirt, you typically need to be root to access it. If you can ssh directly in as root (or with a user that
has permissions to interact with libvirt), do:

$ ssh -X root@server virt-manager

If the account you use to ssh into your server does not have permissions to run libvirt, but has sudo privi-
leges, do:

$ ssh -X user@server
$ sudo virt-manager

Note: The -X flag passed to ssh will enable X11 forwarding over ssh. If this does not work, try replacing
it with the -Y flag.

Click the Create a new virtual machine button at the top-left, or go to File → New Virtual Machine. Then,
follow the instructions.

You will be shown a series of dialog boxes that will allow you to specify information about the virtual
machine.

Note: When using qcow2 format images, you should check the option Customize configuration
before install, go to disk properties and explicitly select the qcow2 format. This ensures the virtual
machine disk size will be correct.

Use virt-install and connect by using a local VNC client

If you do not wish to use virt-manager (for example, you do not want to install the dependencies on your
server, you do not have an X server running locally, the X11 forwarding over SSH is not working), you
can use the virt-install tool to boot the virtual machine through libvirt and connect to the graphical
console from a VNC client installed on your local machine.


Because VNC is a standard protocol, there are multiple clients available that implement the VNC spec,
including TigerVNC (multiple platforms), TightVNC (multiple platforms), RealVNC (multiple platforms),
Chicken (Mac OS X), KRDC (KDE), Vinagre (GNOME).
The following example shows how to use the qemu-img command to create an empty image file, and
virt-install command to start up a virtual machine using that image file. As root:

# qemu-img create -f qcow2 /tmp/centos.qcow2 10G


# virt-install --virt-type kvm --name centos --ram 1024 \
--disk /tmp/centos.qcow2,format=qcow2 \
--network network=default \
--graphics vnc,listen=0.0.0.0 --noautoconsole \
--os-type=linux --os-variant=centos7.0 \
--location=/data/isos/CentOS-7-x86_64-NetInstall-1611.iso

Starting install...
Creating domain... | 0 B 00:00
Domain installation still in progress. You can reconnect to
the console to complete the installation process.

The KVM hypervisor starts the virtual machine with the libvirt name centos and 1024 MB of RAM. The
virtual machine also has a virtual CD-ROM drive associated with the /data/isos/
CentOS-7-x86_64-NetInstall-1611.iso file and a local 10 GB hard disk in qcow2 format that is stored
on the host at /tmp/centos.qcow2. It configures networking to use the libvirt default network. There
is a VNC server listening on all interfaces, and libvirt will not attempt to launch a VNC client
automatically nor try to display the text console (--noautoconsole). Finally, libvirt will attempt to
optimize the configuration for a Linux guest running a CentOS 7 distribution.

Be aware that listen=0.0.0.0 exposes an unauthenticated graphical console, including the installer's
root password prompt, to every network the build host is attached to. Unless the host is isolated, use
listen=127.0.0.1 and reach the console through an SSH tunnel, and set a console password with the
password= sub-option of --graphics if the console must be reachable from elsewhere.

Note: When using the libvirt default network, libvirt will connect the virtual machine’s interface to a
bridge called virbr0. There is a dnsmasq process managed by libvirt that will hand out an IP address on
the 192.168.122.0/24 subnet, and libvirt has iptables rules for doing NAT for IP addresses on this subnet.

Run the osinfo-query os command to see a range of allowed --os-variant options.


Use the virsh vncdisplay vm-name command to get the VNC port number.

# virsh vncdisplay centos


:1

In the example above, the guest centos uses VNC display :1, which corresponds to TCP port 5901. You
should be able to connect a VNC client running on your local machine to display :1 on the remote machine
and step through the installation process.
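The safer arrangement is to keep the VNC server bound to 127.0.0.1 on the build host and forward the port over SSH. The helper below, an added example rather than anything from the guide or from libvirt, converts the display string that virsh vncdisplay prints into the TCP port and builds the matching ssh -L command; the host name build.example.com and the local port used in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: turn a "virsh vncdisplay"
# value (":1", "127.0.0.1:1") into a TCP port and an SSH forwarding command,
# so the console can stay bound to the build host's loopback address.

# vnc_port DISPLAY -> 5900 + display number; status 1 on malformed input.
vnc_port() {
    disp=${1##*:}                   # text after the last colon
    case "$disp" in
        ''|*[!0-9]*) echo "bad VNC display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + disp))
}

# tunnel_cmd HOST DISPLAY [LOCALPORT] -> ssh command that forwards LOCALPORT
# on this machine to the console port on HOST's loopback. -N runs no remote
# command; the VNC client then connects to localhost:LOCALPORT.
tunnel_cmd() {
    port=$(vnc_port "$2") || return 1
    local_port=${3:-$port}
    echo "ssh -N -L $local_port:127.0.0.1:$port $1"
}

# Interactive use on a libvirt host: "sh vnc-tunnel.sh HOST DOMAIN" asks
# virsh for the display and prints the command to run from your workstation.
if [ $# -ge 2 ]; then
    disp=$(virsh vncdisplay "$2") || exit 1
    tunnel_cmd "$1" "$disp"
fi
```

For the centos guest on display :1 the printed command is ssh -N -L 5901:127.0.0.1:5901 build.example.com; with it running, point the VNC client at localhost:5901 (display :1).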

Example: CentOS image

This example shows you how to install a CentOS image and focuses mainly on CentOS 7. Because the
CentOS installation process might differ across versions, the installation steps might differ if you use a
different version of CentOS.

Download a CentOS install ISO

1. Navigate to the CentOS mirrors page.


2. Click one of the HTTP links in the right-hand column next to one of the mirrors.
3. Click the folder link of the CentOS version that you want to use. For example, 7/.
4. Click the isos/ folder link.
5. Click the x86_64/ folder link for 64-bit images.
6. Click the netinstall ISO image that you want to download. For example,
CentOS-7-x86_64-NetInstall-1611.iso is a good choice because it is a smaller image
that downloads missing packages from the Internet during installation.

Start the installation process

Start the installation process using either the virt-manager or the virt-install command as described
previously. If you use the virt-install command, do not forget to connect your VNC client to the virtual
machine.
Assume that:
• The name of your virtual machine image is centos; you need this name when you use virsh com-
mands to manipulate the state of the image.
• You saved the netinstall ISO image to the /data/isos directory.
If you use the virt-install command, the commands should look something like this:

# qemu-img create -f qcow2 /tmp/centos.qcow2 10G


# virt-install --virt-type kvm --name centos --ram 1024 \
--disk /tmp/centos.qcow2,format=qcow2 \
--network network=default \
--graphics vnc,listen=0.0.0.0 --noautoconsole \
--os-type=linux --os-variant=centos7.0 \
--location=/data/isos/CentOS-7-x86_64-NetInstall-1611.iso

Step through the installation

At the initial Installer boot menu, choose the Install CentOS 7 option. After the installation program starts,
choose your preferred language and click Continue to get to the installation summary. Accept the defaults.


Change the Ethernet status

The default Ethernet setting is OFF. Change the Ethernet setting from OFF to ON. In particular, ensure
that the IPv4 Settings' Method is Automatic (DHCP), which is the default.


Hostname

The installer allows you to choose a host name. The default (localhost.localdomain) is fine. You
install the cloud-init package later, which sets the host name on boot when a new instance is provisioned
using this image.

Point the installer to a CentOS web server

Depending on the version of CentOS, the net installer requires the user to specify either a URL or the web
site and a CentOS directory that corresponds to one of the CentOS mirrors. If the installer asks for a single
URL, a valid URL might be http://mirror.umd.edu/centos/7/os/x86_64.

Note: Consider using other mirrors as an alternative to mirror.umd.edu.


If the installer asks for web site name and CentOS directory separately, you might enter:
• Web site name: mirror.umd.edu
• CentOS directory: centos/7/os/x86_64
See CentOS mirror page to get a full list of mirrors, click on the HTTP link of a mirror to retrieve the web
site name of a mirror.

Storage devices

If prompted about which type of devices your installation uses, choose Virtio Block Device.

Partition the disks

There are different options for partitioning the disks. The default installation uses LVM partitions, and
creates three partitions (/boot, /, swap), which works fine. Alternatively, you might want to create a
single ext4 partition that is mounted to /, which also works fine.
If unsure, use the default partition scheme for the installer. While no scheme is inherently better than
another, having the partition that you want to dynamically grow at the end of the list will allow it to grow
without crossing another partition’s boundary.


Select installation option

Step through the installation, using the default options. The simplest thing to do is to choose the Minimal
Install option, which installs an SSH server.

Set the root password

During the installation, remember to set the root password when prompted.

Detach the CD-ROM and reboot

Wait until the installation is complete.

To eject a disk by using the virsh command, libvirt requires that you attach an empty disk at the same
target that the CD-ROM was previously attached, which may be hda. You can confirm the appropriate
target using the virsh dumpxml vm-image command.

# virsh dumpxml centos

<domain type='kvm' id='19'>
  <name>centos</name>
  ...
  <disk type='block' device='cdrom'>
    <driver name='qemu' type='raw'/>
    <target dev='hda' bus='ide'/>
    <readonly/>
    <address type='drive' controller='0' bus='1' target='0' unit='0'/>
  </disk>
  ...
</domain>

Run the following commands from the host to eject the disk and reboot using virsh, as root. If you are
using virt-manager, the commands below will work, but you can also use the GUI to detach and reboot
it by manually stopping and starting.

# virsh attach-disk --type cdrom --mode readonly centos "" hda


# virsh reboot centos

Install the ACPI service

To enable the hypervisor to reboot or shutdown an instance, you must install and run the acpid service on
the guest system.
Log in as root to the CentOS guest and run the following commands to install the ACPI service and con-
figure it to start when the system boots:

# yum install acpid


# systemctl enable acpid

Configure to fetch metadata

An instance must interact with the metadata service to perform several tasks on start up. For example, the
instance must get the ssh public key and run the user data script. To ensure that the instance performs these
tasks, use one of these methods:
• Install a cloud-init RPM, which is a port of the Ubuntu cloud-init package. This is the recom-
mended approach.
• Modify the /etc/rc.local file to fetch desired information from the metadata service, as described
in the next section.

Use cloud-init to fetch the public key

The cloud-init package automatically fetches the public key from the metadata server and places the
key in an account. Install cloud-init inside the CentOS guest by running:

# yum install cloud-init

The account varies by distribution. On CentOS-based virtual machines, the account is called centos.
You can change the name of the account used by cloud-init by editing the /etc/cloud/cloud.cfg
file and adding a line with a different user. For example, to configure cloud-init to put the key in an
account named admin, use the following syntax in the configuration file:


users:
- name: admin
(...)
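A fuller users: stanza, as an added example that is not part of the guide or of the cloud-init project: the account name admin, the group list and the sudo rule are illustrative assumptions. lock_passwd keeps the account key-only, disable_root stops cloud-init from installing the key for root as well, and ssh_pwauth keeps sshd's password authentication off so the key from the metadata service is the only way in.

```yaml
# Added example for /etc/cloud/cloud.cfg (not from the OpenStack guide).
# Account name, groups and sudo rule are assumptions for illustration.
disable_root: true          # do not also install the key for root
ssh_pwauth: false           # cloud-init keeps PasswordAuthentication off in sshd
users:
  - name: admin
    gecos: Cloud administrator
    groups: [wheel, adm]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
    lock_passwd: true       # no password at all; SSH key only
```

On CentOS the wheel group is the one granted sudo by default, so listing it is redundant with the explicit sudo: rule but harmless; drop the NOPASSWD rule if the image's operators should be prompted for a password before privileged commands.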

Install cloud-utils-growpart to allow partitions to resize

In order for the root partition to properly resize, install the cloud-utils-growpart package, which con-
tains the proper tools to allow the disk to resize using cloud-init.

# yum install cloud-utils-growpart

Write a script to fetch the public key (if no cloud-init)

If you are not able to install the cloud-init package in your image, to fetch the ssh public key and add it
to the root account, edit the /etc/rc.d/rc.local file and add the following lines before the line touch
/var/lock/subsys/local:

if [ ! -d /root/.ssh ]; then
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
fi

# Fetch public key using HTTP; give up after ATTEMPTS tries so an absent
# metadata service cannot stall the boot forever
ATTEMPTS=30
FAILED=0
while [ ! -f /root/.ssh/authorized_keys ]; do
    curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key \
        > /tmp/metadata-key 2>/dev/null
    if [ $? -eq 0 ]; then
        cat /tmp/metadata-key >> /root/.ssh/authorized_keys
        chmod 0600 /root/.ssh/authorized_keys
        restorecon /root/.ssh/authorized_keys
        rm -f /tmp/metadata-key
        echo "Successfully retrieved public key from instance metadata"
        echo "*****************"
        echo "AUTHORIZED KEYS"
        echo "*****************"
        cat /root/.ssh/authorized_keys
        echo "*****************"
    else
        FAILED=$((FAILED + 1))
        if [ $FAILED -ge $ATTEMPTS ]; then
            echo "Failed to retrieve public key from instance metadata after $FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve public key from instance metadata (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."
        sleep 5
    fi
done

Note: Some VNC clients replace the colon (:) with a semicolon (;) and the underscore (_) with a
hyphen (-). Make sure to specify http: and not http;. Make sure to specify authorized_keys and not
authorized-keys.

Note: The previous script only gets the ssh public key from the metadata server. It does not get user data,
which is optional data that can be passed by the user when requesting a new instance. User data is often
used to run a custom script when an instance boots.


As the OpenStack metadata service is compatible with version 2009-04-04 of the Amazon EC2 metadata
service, consult the Amazon EC2 documentation on Using Instance Metadata for details on how to get user
data.

Disable the zeroconf route

For the instance to access the metadata service, you must disable the default zeroconf route:

# echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Configure console

For the nova console-log command to work properly on CentOS 7, you might need to do the following
steps:
1. Edit the /etc/default/grub file and configure the GRUB_CMDLINE_LINUX option. Delete the
rhgb quiet and add console=tty0 console=ttyS0,115200n8 to the option.

For example:

...
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap console=tty0 console=ttyS0,115200n8"

2. Run the following command to save the changes:

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-229.14.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.14.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.4.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-229.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-605f01abef434fb98dd1309e774b72ba
Found initrd image: /boot/initramfs-0-rescue-605f01abef434fb98dd1309e774b72ba.img
done
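Both steps above can be scripted so that an image-build pipeline applies them the same way every time. The following is an added example, not from the guide: it rewrites the GRUB_CMDLINE_LINUX value of a given /etc/default/grub file in place, dropping rhgb, quiet and any existing console= parameters before appending the two console parameters once, so running it twice yields the same file. The grub2-mkconfig step runs only with --regen because it needs the target system's /boot; the sample file in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: idempotent editor for the
# GRUB_CMDLINE_LINUX line. Every other parameter on the line, and every
# other line in the file, is left exactly as it was.

CONSOLE_ARGS="console=tty0 console=ttyS0,115200n8"

# Filter: read a grub defaults file on stdin, write the edited file to stdout.
rewrite_cmdline() {
    while IFS= read -r line; do
        case "$line" in
            GRUB_CMDLINE_LINUX=\"*\")
                val=${line#*=}              # strip the variable name
                val=${val#\"}; val=${val%\"}  # strip the surrounding quotes
                new=""
                for tok in $val; do
                    case "$tok" in
                        rhgb|quiet|console=*) ;;            # dropped
                        *) new="$new${new:+ }$tok" ;;       # kept in order
                    esac
                done
                new="$new${new:+ }$CONSOLE_ARGS"
                printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# configure_console FILE [--regen]
configure_console() {
    f=$1
    tmp=$(mktemp)
    # Write back through cat so the file keeps its inode, owner and mode.
    rewrite_cmdline < "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
    if [ "${2:-}" = "--regen" ]; then
        grub2-mkconfig -o /boot/grub2/grub.cfg
    fi
}

if [ $# -ge 1 ]; then configure_console "$@"; fi
```

Inside the guest run sh grub-console.sh /etc/default/grub --regen; against a tree mounted on the host with guestmount, run it without --regen on /mnt/etc/default/grub and regenerate grub.cfg on the next boot of the guest instead.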

Shut down the instance

From inside the instance, run as root:

# poweroff

Clean up (remove MAC address details)

The operating system records the MAC address of the virtual Ethernet card in locations such as /etc/
sysconfig/network-scripts/ifcfg-eth0 during the installation process. However, each time the image
boots up, the virtual Ethernet card will have a different MAC address, so this information must be deleted
from the configuration file.


There is a utility called virt-sysprep, that performs various cleanup tasks such as removing the MAC
address references. It will clean up a virtual machine image in place:

# virt-sysprep -d centos

Undefine the libvirt domain

Now that you can upload the image to the Image service, you no longer need to have this virtual machine
image managed by libvirt. Use the virsh undefine vm-image command to inform libvirt:

# virsh undefine centos

Image is complete

The underlying image file that you created with the qemu-img create command is ready to be uploaded.
For example, you can upload the /tmp/centos.qcow2 image to the Image service by using the openstack
image create command. For more information, see the python-openstackclient command list.

Example: Ubuntu image

This example installs an Ubuntu 14.04 (Trusty Tahr) image. To create an image for a different version of
Ubuntu, follow these steps with the noted differences.

Download an Ubuntu installation ISO

Because the goal is to make the smallest possible base image, this example uses the network installation
ISO. The Ubuntu 64-bit 14.04 network installation ISO is at the Ubuntu download page.

Start the installation process

Start the installation process by using either virt-manager or virt-install as described in the previous
section. If you use virt-install, do not forget to connect your VNC client to the virtual machine.
Assume that the name of your virtual machine is trusty, which you need to know when you use virsh
commands to manipulate the state of the image.
If you are using virt-install, the commands should look something like this:

# qemu-img create -f qcow2 /tmp/trusty.qcow2 10G


# virt-install --virt-type kvm --name trusty --ram 1024 \
--cdrom=/data/isos/trusty-64-mini.iso \
--disk /tmp/trusty.qcow2,format=qcow2 \
--network network=default \
--graphics vnc,listen=0.0.0.0 --noautoconsole \
--os-type=linux --os-variant=ubuntutrusty


Step through the installation

At the initial Installer boot menu, choose the Install option. Step through the installation prompts, the
defaults should be fine.

Hostname

The installer may ask you to choose a host name. The default (ubuntu) is fine. We will install the cloud-init
package later, which will set the host name on boot when a new instance is provisioned using this image.

Select a mirror

The default mirror proposed by the installer should be fine.

Step through the install

Step through the install, using the default options. When prompted for a user name, the default (ubuntu)
is fine.

Partition the disks

There are different options for partitioning the disks. The default installation will use LVM partitions, and
will create three partitions (/boot, /, swap), and this will work fine. Alternatively, you may wish to create
a single ext4 partition, mounted to /, which should also work fine.

If unsure, we recommend you use the installer's default partition scheme, since there is no clear advantage
to one scheme or another.

Automatic updates

The Ubuntu installer will ask how you want to manage upgrades on your system. This option depends on
your specific use case. If your virtual machine instances will be connected to the Internet, we recommend
“Install security updates automatically”.

Software selection: OpenSSH server

Choose OpenSSH server so that you will be able to SSH into the virtual machine when it launches inside
of an OpenStack cloud.

Install GRUB boot loader

Select Yes when asked about installing the GRUB boot loader to the master boot record.


For more information on configuring Grub, see the section called “Ensure image writes boot log to con-
sole”.

Detach the CD-ROM and reboot

Select the defaults for all of the remaining options. When the installation is complete, you will be prompted
to remove the CD-ROM.


Note: There is a known bug in Ubuntu 14.04; when you select Continue, the virtual machine will shut
down, even though it says it will reboot.

To eject a disk using virsh, libvirt requires that you attach an empty disk at the same target that the
CDROM was previously attached, which should be hdc. You can confirm the appropriate target using the
virsh dumpxml vm-image command.

# virsh dumpxml trusty


<domain type='kvm'>
<name>trusty</name>
...
<disk type='block' device='cdrom'>
<driver name='qemu' type='raw'/>
<target dev='hdc' bus='ide'/>
<readonly/>
<address type='drive' controller='0' bus='1' target='0' unit='0'/>
</disk>
...
</domain>

Run the following commands on the host as root to start the machine again in the paused state, eject the
disk, and resume it. If you are using virt-manager, you may use the GUI instead.

# virsh start trusty --paused
# virsh attach-disk --type cdrom --mode readonly trusty "" hdc
# virsh resume trusty

Note: In the previous example, you paused the instance, ejected the disk, and unpaused the instance. In
theory, you could have ejected the disk at the Installation complete screen. However, our testing indicates
that the Ubuntu installer locks the drive so that it cannot be ejected at that point.

Log in to newly created image

When you boot for the first time after the install, the system may ask you about authentication tools; you
can just choose Exit. Then, log in as root using the root password you specified.

Install cloud-init

The cloud-init script starts on instance boot and will search for a metadata provider to fetch a public
key from. The public key will be placed in the default user account for the image.
Install the cloud-init package:

# apt-get install cloud-init

When building Ubuntu images, cloud-init must be explicitly configured for the metadata source in use.
The OpenStack metadata server emulates the EC2 metadata service used by images in Amazon EC2.
To set the metadata source to be used by the image, run the dpkg-reconfigure command against the
cloud-init package. When prompted, select the EC2 data source:

# dpkg-reconfigure cloud-init

The account varies by distribution. On Ubuntu-based virtual machines, the account is called ubuntu. On
Fedora-based virtual machines, the account is called fedora.
You can change the name of the account used by cloud-init by editing the /etc/cloud/cloud.cfg
file and adding a line with a different user. For example, to configure cloud-init to put the key in an
account named admin, use the following syntax in the configuration file:

users:
- name: admin
(...)

Shut down the instance

From inside the instance, as root:

# /sbin/shutdown -h now

Clean up (remove MAC address details)

The operating system records the MAC address of the virtual Ethernet card in locations such as
/etc/udev/rules.d/70-persistent-net.rules during the installation process. However, each time the
image boots up, the virtual Ethernet card will have a different MAC address, so this information must be
deleted from the configuration file.
There is a utility called virt-sysprep, that performs various cleanup tasks such as removing the MAC
address references. It will clean up a virtual machine image in place:

# virt-sysprep -d trusty

Undefine the libvirt domain

Now that the image is ready to be uploaded to the Image service, you no longer need to have this virtual
machine image managed by libvirt. Use the virsh undefine vm-image command to inform libvirt:

# virsh undefine trusty

Image is complete

The underlying image file that you created with the qemu-img create command, such as /tmp/trusty.
qcow2, is now ready for uploading to the Image service by using the openstack image create com-
mand. For more information, see the Glance User Guide.

Example: Fedora image

This example shows you how to install a Fedora image and focuses mainly on Fedora 25. Because the
Fedora installation process might differ across versions, the installation steps might differ if you use a
different version of Fedora.

Download a Fedora install ISO

1. Visit the Fedora download site.
2. Navigate to the Download Fedora Server page for a Fedora Server ISO image.
3. Choose the ISO image you want to download.
For example, the Netinstall Image is a good choice because it is a smaller image that downloads
missing packages from the Internet during installation.

Start the installation process

Start the installation process using either the virt-manager or the virt-install command as described
previously. If you use the virt-install command, do not forget to connect your VNC client to the virtual
machine.
Assume that:

• The name of your virtual machine image is fedora; you need this name when you use virsh commands
to manipulate the state of the image.
• You saved the netinstall ISO image to the /tmp directory.
If you use the virt-install command, the commands should look something like this:

# qemu-img create -f qcow2 /tmp/fedora.qcow2 10G
# virt-install --virt-type kvm --name fedora --ram 1024 \
--disk /tmp/fedora.qcow2,format=qcow2 \
--network network=default \
--graphics vnc,listen=0.0.0.0 --noautoconsole \
--os-type=linux --os-variant=fedora23 \
--location=/tmp/Fedora-Server-netinst-x86_64-25-1.3.iso

Step through the installation

After the installation program starts, choose your preferred language and click Continue to get to the
installation summary. Accept the defaults.

Review the Ethernet status

Ensure that the Ethernet setting is ON. Additionally, make sure that IPv4 Settings' Method is
Automatic (DHCP), which is the default.

Hostname

The installer allows you to choose a host name. The default (localhost.localdomain) is fine. You
install the cloud-init package later, which sets the host name on boot when a new instance is provisioned
using this image.

Partition the disks

There are different options for partitioning the disks. The default installation uses LVM partitions, and
creates three partitions (/boot, /, swap), which works fine. Alternatively, you might want to create a
single ext4 partition that is mounted to /, which also works fine.
If unsure, use the default partition scheme for the installer. While no scheme is inherently better than
another, having the partition that you want to dynamically grow at the end of the list will allow it to grow
without crossing another partition’s boundary.

Select software to install

Step through the installation, using the default options. The simplest thing to do is to choose the Minimal
Install option, which installs an SSH server.

Set the root password

During the installation, remember to set the root password when prompted.

Detach the CD-ROM and reboot

Wait until the installation is complete.

To eject a disk by using the virsh command, libvirt requires that you attach an empty disk at the same
target that the CD-ROM was previously attached, which may be hda. You can confirm the appropriate
target using the virsh dumpxml vm-image command.

# virsh dumpxml fedora


<domain type='kvm' id='30'>
<name>fedora</name>
...
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/tmp/Fedora-Server-netinst-x86_64-25-1.3.iso'/>
<backingStore/>
<target dev='hda' bus='ide'/>
<readonly/>
<alias name='ide0-0-0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
...
</domain>

Run the following commands on the host as root to eject the disk and reboot using virsh. If you are
using virt-manager, these commands also work, but you can instead use the GUI to detach the disk and
reboot by manually stopping and starting the machine.

# virsh attach-disk --type cdrom --mode readonly fedora "" hda
# virsh reboot fedora
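
Both the Ubuntu and Fedora eject steps above read the CD-ROM target (hdc or hda) out of virsh dumpxml
by eye. The following shell script is an added example, not part of the OpenStack guide or of libvirt; it
extracts that target from the domain XML with awk so the eject can be scripted without hard-coding the
device, and stops when the domain has no CD-ROM at all. The trimmed domain definitions embedded in
it are constructed samples modelled on the dumpxml output shown above, the domain names are the
ones used in the examples, and only eject_cdrom actually needs virsh on the host.

```sh
#!/bin/sh
# Added example: find the CD-ROM target of a libvirt domain instead of assuming hdc or hda.
# Not from the OpenStack guide; domain names follow the guide's examples.

# Read domain XML on stdin and print the <target dev=...> of the first device='cdrom' disk.
# Prints nothing and returns 1 when the domain has no CD-ROM device.
cdrom_target() {
    awk '
        /<disk / && /device=.cdrom./ { in_cd = 1 }
        in_cd && /<target / {
            if (match($0, /dev=.[A-Za-z0-9]+./)) {
                # drop the leading dev= and the quote on either side
                print substr($0, RSTART + 5, RLENGTH - 6)
                found = 1
                exit
            }
        }
        /<\/disk>/ { in_cd = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Print (without running) the virsh command that swaps the ISO for an empty drive.
# $1 = domain name, $2 = target dev as returned by cdrom_target
eject_cmd() {
    printf 'virsh attach-disk --type cdrom --mode readonly %s "" %s\n' "$1" "$2"
}

# Eject the installer ISO from the named domain. Needs virsh on the host; run as root.
eject_cdrom() {
    dom=$1
    dev=$(virsh dumpxml "$dom" | cdrom_target) || {
        echo "eject_cdrom: no cdrom device in domain $dom" >&2
        return 1
    }
    virsh attach-disk --type cdrom --mode readonly "$dom" "" "$dev"
}

# Constructed samples, trimmed from what virsh dumpxml prints: a block-backed CD-ROM on
# hdc (as in the Ubuntu example), a file-backed one on hda (as in the Fedora example), and
# a domain with no CD-ROM at all.
SAMPLE_TRUSTY='<domain type="kvm">
  <name>trusty</name>
  <devices>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <disk type="block" device="cdrom">
      <driver name="qemu" type="raw"/>
      <target dev="hdc" bus="ide"/>
      <readonly/>
    </disk>
  </devices>
</domain>'

SAMPLE_FEDORA='<domain type="kvm" id="30">
  <name>fedora</name>
  <devices>
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source file="/tmp/Fedora-Server-netinst-x86_64-25-1.3.iso"/>
      <target dev="hda" bus="ide"/>
      <readonly/>
    </disk>
  </devices>
</domain>'

SAMPLE_NOCD='<domain type="kvm">
  <name>nocd</name>
  <devices>
    <disk type="file" device="disk">
      <target dev="vda" bus="virtio"/>
    </disk>
  </devices>
</domain>'
```

On the host, `eject_cdrom fedora` issues the same attach-disk call as the Fedora step above, and
`eject_cdrom trusty` the same as the Ubuntu one, whichever target the domain actually uses; pipe
`virsh dumpxml NAME` into cdrom_target to see the target on its own first.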

Install the ACPI service

To enable the hypervisor to reboot or shutdown an instance, you must install and run the acpid service on
the guest system.
Log in as root to the Fedora guest and run the following commands to install the ACPI service and configure
it to start when the system boots:

# dnf install acpid
# systemctl enable acpid

Configure cloud-init to fetch metadata

An instance must interact with the metadata service to perform several tasks on start up. For example, the
instance must get the ssh public key and run the user data script. To ensure that the instance performs these
tasks, use the cloud-init package.

The cloud-init package automatically fetches the public key from the metadata server and places the
key in an account. Install cloud-init inside the Fedora guest by running:

# dnf install cloud-init

The account varies by distribution. On Fedora-based virtual machines, the account is called fedora.
You can change the name of the account used by cloud-init by editing the /etc/cloud/cloud.cfg
file and adding a line with a different user. For example, to configure cloud-init to put the key in an
account named admin, use the following syntax in the configuration file:

users:
- name: admin
(...)

Install cloud-utils-growpart to allow partitions to resize

In order for the root partition to properly resize, install the cloud-utils-growpart package, which
contains the proper tools to allow the disk to resize using cloud-init.

# dnf install cloud-utils-growpart

Disable the zeroconf route

For the instance to access the metadata service, you must disable the default zeroconf route:

# echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Configure console

For the nova console-log command to work properly on Fedora, you might need to do the following
steps:
1. Edit the /etc/default/grub file and configure the GRUB_CMDLINE_LINUX option. Delete the
rhgb quiet and add console=tty0 console=ttyS0,115200n8 to the option. For example:

...
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap console=tty0 console=ttyS0,115200n8"

2. Run the following command to save the changes:

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.10.10-200.fc25.x86_64
Found initrd image: /boot/initramfs-4.10.10-200.fc25.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-c613978614c7426ea3e550527f63710c
Found initrd image: /boot/initramfs-0-rescue-c613978614c7426ea3e550527f63710c.img
done

Shut down the instance

From inside the instance, run as root:

# poweroff

Clean up (remove MAC address details)

The operating system records the MAC address of the virtual Ethernet card in locations such as
/etc/sysconfig/network-scripts/ifcfg-eth0 during the installation process. However, each time the image
boots up, the virtual Ethernet card will have a different MAC address, so this information must be deleted
from the configuration file.
There is a utility called virt-sysprep, that performs various cleanup tasks such as removing the MAC
address references. It will clean up a virtual machine image in place:

# virt-sysprep -d fedora
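
virt-sysprep removes more than MAC address references: by default it also deletes SSH host keys, shell
history, the machine ID and similar per-install identity (virt-sysprep --list-operations shows the full
set). Anything that survives is shared by every instance booted from the image; shared SSH host keys in
particular let anyone who extracts them from one instance impersonate all the others. The following
shell script is an added example, not part of the OpenStack guide or of libguestfs; it checks a mounted
copy of the image's root filesystem for the leftovers that matter in both the Ubuntu and Fedora clean-up
steps above and can scrub them. The paths are the conventional Linux locations named in the text plus
cloud-init's /var/lib/cloud state (which matters if the image was ever booted with cloud-init); the
scratch tree built by make_dirty_tree is constructed for demonstration only.

```sh
#!/bin/sh
# Added example: check a mounted image root for per-install identity that should not be
# uploaded, and scrub it. Not from the OpenStack guide or libguestfs; it covers the items the
# guide names (MAC address references) plus SSH host keys, shell history, machine-id and
# cloud-init instance state. Prefer virt-sysprep on the image itself; use this to verify.

# $1 = directory where the image's root filesystem is mounted.
# Prints one "leftover:" line per finding; returns 1 if anything was found, 0 if clean.
verify_clean_tree() {
    root=$1
    bad=0

    # Files that should not exist at all in a reusable base image.
    for f in etc/udev/rules.d/70-persistent-net.rules \
             root/.bash_history \
             root/.ssh/authorized_keys \
             var/lib/cloud/instance \
             var/lib/cloud/instances; do
        if [ -e "$root/$f" ]; then
            echo "leftover: /$f"
            bad=1
        fi
    done

    # SSH host keys: every instance booted from the image would share them, so anyone who
    # extracts them from one instance can impersonate all the others.
    for k in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$k" ] || continue
        echo "leftover: ${k#"$root"}"
        bad=1
    done

    # machine-id must be absent or empty so each instance generates its own on first boot.
    if [ -s "$root/etc/machine-id" ]; then
        echo "leftover: /etc/machine-id is populated"
        bad=1
    fi

    # MAC addresses pinned in Red Hat style ifcfg files.
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -e "$cfg" ] || continue
        if grep -q '^HWADDR=' "$cfg"; then
            echo "leftover: ${cfg#"$root"} pins HWADDR"
            bad=1
        fi
    done

    return $bad
}

# Remove everything verify_clean_tree looks for. Only a subset of what virt-sysprep does.
scrub_tree() {
    root=$1
    rm -f "$root"/etc/udev/rules.d/70-persistent-net.rules \
          "$root"/root/.bash_history \
          "$root"/root/.ssh/authorized_keys \
          "$root"/etc/ssh/ssh_host_*_key \
          "$root"/etc/ssh/ssh_host_*_key.pub
    rm -rf "$root"/var/lib/cloud/instance "$root"/var/lib/cloud/instances
    if [ -e "$root/etc/machine-id" ]; then
        : > "$root/etc/machine-id"
    fi
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -e "$cfg" ] || continue
        grep -v '^HWADDR=' "$cfg" > "$cfg.tmp" || :
        mv "$cfg.tmp" "$cfg"
    done
    return 0
}

# Build a scratch tree with constructed leftovers so the checks can be exercised offline.
make_dirty_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/udev/rules.d" "$t/etc/ssh" "$t/root" \
             "$t/etc/sysconfig/network-scripts" "$t/var/lib/cloud/instances/i-0001"
    echo 'SUBSYSTEM=="net", ATTR{address}=="52:54:00:aa:bb:cc", NAME="eth0"' \
        > "$t/etc/udev/rules.d/70-persistent-net.rules"
    echo 'constructed private key material' > "$t/etc/ssh/ssh_host_rsa_key"
    echo 'mysql -u root -pExamplePassw0rd' > "$t/root/.bash_history"
    echo '0123456789abcdef0123456789abcdef' > "$t/etc/machine-id"
    printf 'DEVICE=eth0\nHWADDR=52:54:00:aa:bb:cc\nBOOTPROTO=dhcp\n' \
        > "$t/etc/sysconfig/network-scripts/ifcfg-eth0"
    echo "$t"
}
```

To use it against a real image, mount the image read-only on the host (for example with
`guestmount -a /tmp/fedora.qcow2 -i --ro /mnt/img`) and run `verify_clean_tree /mnt/img`; a
non-zero exit after virt-sysprep means something it does not cover by default is still in the image.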

Undefine the libvirt domain

Now that the image is ready to be uploaded to the Image service, you no longer need to have this virtual
machine image managed by libvirt. Use the virsh undefine vm-image command to inform libvirt:

# virsh undefine fedora

Image is complete

The underlying image file that you created with the qemu-img create command is ready to be uploaded.
For example, you can upload the /tmp/fedora.qcow2 image to the Image service by using the openstack
image create command. For more information, see the python-openstackclient command list.

Example: Microsoft Windows image

This example creates a Windows Server 2012 qcow2 image, using the virt-install command and the
KVM hypervisor.
1. Follow these steps to prepare the installation:
1. Download a Windows Server 2012 installation ISO. Evaluation images are available on the
Microsoft website (registration required).
2. Download the signed VirtIO drivers ISO from the Fedora website.
3. Create a 15 GB qcow2 image:

$ qemu-img create -f qcow2 ws2012.qcow2 15G

2. Start the Windows Server 2012 installation with the virt-install command:

# virt-install --connect qemu:///system \
--name ws2012 --ram 2048 --vcpus 2 \
--network network=default,model=virtio \
--disk path=ws2012.qcow2,format=qcow2,device=disk,bus=virtio \
--cdrom /path/to/en_windows_server_2012_x64_dvd.iso \
--disk path=/path/to/virtio-win-0.1-XX.iso,device=cdrom \
--vnc --os-type windows --os-variant win2k12 \
--os-distro windows --os-version 2012

Use virt-manager or virt-viewer to connect to the VM and start the Windows installation.
3. Enable the VirtIO drivers.
The disk is not detected by default by the Windows installer. When requested to choose an
installation target, click Load driver and browse the file system to select the
E:\virtio-win-0.1XX\viostor\2k12\amd64 folder. The Windows installer displays a list of drivers to
install. Select the VirtIO SCSI and network drivers and continue the installation.
Once the installation is completed, the VM restarts. Define a password for the administrator when
prompted.
4. Log in as administrator and start a command window.
5. Complete the VirtIO drivers installation by running the following command:

C:\> pnputil -i -a E:\virtio-win-0.1XX\viostor\2k12\amd64\*.INF

6. To allow Cloudbase-Init to run scripts during an instance boot, set the PowerShell execution
policy to Unrestricted. Be aware that this lets any script, including the user-data scripts that
instances receive at boot, run unsigned; that is what Cloudbase-Init needs here, so do not expect
the execution policy to act as a control on what user data can do:

C:\> powershell
PS C:\> Set-ExecutionPolicy Unrestricted

7. Download and install Cloudbase-Init. The installer is fetched over HTTPS but nothing below
verifies it further; check the MSI's Authenticode signature before running it:

PS C:\> Invoke-WebRequest -UseBasicParsing https://cloudbase.it/downloads/CloudbaseInitSetup_Stable_x64.msi -OutFile cloudbaseinit.msi
PS C:\> .\cloudbaseinit.msi

In the configuration options window, change the following settings:
• Username: Administrator
• Network adapter to configure: Red Hat VirtIO Ethernet Adapter
• Serial port for logging: COM1
When the installation is done, in the Complete the Cloudbase-Init Setup Wizard window, select the
Run Sysprep and Shutdown check boxes and click Finish.
Wait for the machine shutdown.
Your image is ready to upload to the Image service:

$ openstack image create --disk-format qcow2 --file ws2012.qcow2 WS2012

Example: FreeBSD image

This example creates a minimal FreeBSD image that is compatible with OpenStack and bsd-cloudinit.
The bsd-cloudinit program is independently maintained and in active development. The best source of
information on the current state of the project is at bsd-cloudinit.
KVM with virtio drivers is used as the virtualization platform because that is the most widely used among
OpenStack operators. If you use a different platform for your cloud virtualization, use that same platform
in the image creation step.
This example shows how to create a FreeBSD 10 image. To create a FreeBSD 9.2 image, follow these
steps with the noted differences.
To create a FreeBSD image
1. Make a virtual drive:

$ qemu-img create -f qcow2 freebsd.qcow2 1G

The minimum supported disk size for FreeBSD is 1 GB. Because the goal is to make the smallest
possible base image, the example uses that minimum size. This size is sufficient to include the
optional doc, games, and lib32 collections. To include the ports collection, add another 1 GB. To
include src, add 512 MB.
2. Get the installer ISO:

$ curl ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/10.1/FreeBSD-10.1-RELEASE-amd64-bootonly.iso \
> FreeBSD-10.1-RELEASE-amd64-bootonly.iso

The download is plain FTP, so compare the file against the CHECKSUM.SHA256 file published in the
same directory before you boot from it.

3. Launch a VM on your local workstation. Use the same hypervisor, virtual disk, and virtual network
drivers as you use in your production environment.
The following command uses the minimum amount of RAM, which is 256 MB:

$ kvm -smp 1 -m 256 -cdrom FreeBSD-10.1-RELEASE-amd64-bootonly.iso \
-drive if=virtio,file=freebsd.qcow2 \
-net nic,model=virtio -net user

You can specify up to 1 GB additional RAM to make the installation process run faster.
This VM must also have Internet access to download packages.

Note: By using the same hypervisor, you can ensure that you emulate the same devices that exist
in production. However, if you use full hardware virtualization instead of paravirtualization, you do
not need to use the same hypervisor; you must use the same type of virtualized hardware because
FreeBSD device names are related to their drivers. If the name of your root block device or primary
network interface in production differs from the name used during image creation, errors can occur.

You now have a VM that boots from the downloaded install ISO and is connected to the blank virtual
disk that you created previously.
4. To install the operating system, complete the following steps inside the VM:
1. When prompted, choose to run the ISO in Install mode.
2. Accept the default keymap or select an appropriate mapping for your needs.

3. Provide a host name for your image. If you use bsd-cloudinit, it overrides this value with
the name provided by OpenStack when an instance boots from this image.
4. When prompted about the optional doc, games, lib32, ports, and src system components,
select only those that you need. A fully functional installation is possible without selecting
any additional components. As noted previously, a minimal system with a 1 GB
virtual disk supports doc, games, and lib32 inclusive. The ports collection requires at least
1 GB additional space and possibly more if you plan to install many ports. The src collection
requires an additional 512 MB.
5. Configure the primary network interface to use DHCP. In this example, which uses a virtio
network device, this interface is named vtnet0.
6. Accept the default network mirror.
7. Set up disk partitioning.
Disk partitioning is a critical element of the image creation process and the auto-generated
default partitioning scheme does not work with bsd-cloudinit at this time.
Because the default does not work, you must select manual partitioning. The partition editor
should list only one block device. If you use virtio for the disk device driver, it is named vtbd0.
Select this device and run the create command three times:
1. Select Create to create a partition table. This action is the default when no partition table
exists. Then, select GPT GUID Partition Table from the list. This choice is the default.
2. Create two partitions:
• First partition: A 64 kB freebsd-boot partition with no mount point.
• Second partition: A freebsd-ufs partition with a mount point of / with all remain-
ing free space.
The following figure shows a completed partition table with a 1 GB virtual disk:

Select Finish and then Commit to commit your changes.

Note: If you modify this example, the root partition, which is mounted on /, must be the last
partition on the drive so that it can expand at run time to the disk size that your instance type
provides. Also note that bsd-cloudinit currently has a hard-coded assumption that this is
the second partition.

5. Select a root password.
6. Select the CMOS time zone.
The virtualized CMOS almost always stores its time in UTC, so unless you know otherwise, select
UTC.
7. Select the time zone appropriate to your environment.
8. From the list of services to start on boot, you must select ssh. Optionally, select other services.
9. Optionally, add users.
You do not need to add users at this time. The bsd-cloudinit program adds a freebsd user
account if one does not exist. The ssh keys for this user are associated with OpenStack. To customize
this user account, you can create it now. For example, you might want to customize the shell for the
user.
10. Final config
This menu enables you to update previous settings. Check that the settings are correct, and click
exit.
11. After you exit, you can open a shell to complete manual configuration steps. Select Yes to make a
few OpenStack-specific changes:
1. Set up the console:

# echo 'console="comconsole,vidconsole"' >> /boot/loader.conf

This sets console output to go to the serial console, which is displayed by nova console-log,
and the video console for sites with VNC or Spice configured.
2. Minimize boot delay:

# echo 'autoboot_delay="1"' >> /boot/loader.conf

3. Download the latest bsd-cloudinit-installer. The download commands differ between
FreeBSD 10.1 and 9.2 because of differences in how the fetch command handles HTTPS
URLs.
In FreeBSD 10.1 the fetch command verifies SSL peers by default, so you need to install the
ca_root_nss package that contains certificate authority root certificates and tell fetch where
to find them. For FreeBSD 10.1 run these commands:

# pkg install ca_root_nss
# fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt \
https://raw.github.com/pellaeon/bsd-cloudinit-installer/master/installer.sh

FreeBSD 9.2 fetch does not support peer-verification for https, so nothing protects this download
from a man-in-the-middle substitution of the script. For FreeBSD 9.2, run this command, and read
installer.sh before you run it as root in the next step:

# fetch https://raw.github.com/pellaeon/bsd-cloudinit-installer/master/installer.sh

4. Run the installer:

# sh ./installer.sh

Issue this command to download and install the latest bsd-cloudinit package, and install
the necessary prerequisites.
5. Install sudo and configure the freebsd user to have passwordless access:

# pkg install sudo
# echo 'freebsd ALL=(ALL) NOPASSWD: ALL' > /usr/local/etc/sudoers.d/10-cloudinit

12. Power off the system:

# shutdown -h now

Creating a new image is a step done outside of your OpenStack installation. You create the new image
manually on your own system and then upload the image to your cloud.
To create a new image, you will need the installation CD or DVD ISO file for the guest operating system.
You will also need access to a virtualization tool. You can use KVM for this. Or, if you have a GUI desktop
virtualization tool (such as VMware Fusion or VirtualBox), you can use that instead. Convert the file to
raw once you are done.
When you create a new virtual machine image, you will need to connect to the graphical console of the
hypervisor, which acts as the virtual machine’s display and allows you to interact with the guest operating
system’s installer using your keyboard and mouse. KVM can expose the graphical console using the VNC
(Virtual Network Computing) protocol or the newer SPICE protocol. We will use the VNC protocol here,
since you are more likely to find a VNC client that works on your local desktop.
To create an image for the Database service, see Building Guest Images for OpenStack Trove.

Tool support for image creation

There are several tools that are designed to automate image creation.

Diskimage-builder

Diskimage-builder is an automated disk image creation tool that supports a variety of distributions and
architectures. Diskimage-builder (DIB) can build images for Fedora, Red Hat Enterprise Linux, Ubuntu,
Debian, CentOS, and openSUSE. DIB is organized in a series of elements that build on top of each other
to create specific images.
To build an image, call the following script:

# disk-image-create ubuntu vm

This example creates a generic, bootable Ubuntu image of the latest release.

Further customization could be accomplished by setting environment variables or adding elements to the
command-line:

# disk-image-create -a armhf ubuntu vm

This example creates the image as before, but for the armhf (32-bit ARM) architecture. More elements are
available in the git source directory and documented in the diskimage-builder elements documentation.

Oz

Oz is a command-line tool that automates the process of creating a virtual machine image file. Oz is a
Python app that interacts with KVM to step through the process of installing a virtual machine.
It uses a predefined set of kickstart (Red Hat-based systems) and preseed files (Debian-based systems) for
operating systems that it supports, and it can also be used to create Microsoft Windows images.
A full treatment of Oz is beyond the scope of this document, but we will provide an example. You can
find additional examples of Oz template files on GitHub at rcbops/oz-image-build/tree/master/templates.
Here’s how you would create a CentOS 6.4 image with Oz.
Create a template file called centos64.tdl with the following contents. The only entry you will need to
change is the <rootpw> contents.

<template>
<name>centos64</name>
<os>
<name>CentOS-6</name>
<version>4</version>
<arch>x86_64</arch>
<install type='iso'>
<iso>http://mirror.rackspace.com/CentOS/6/isos/x86_64/CentOS-6.4-x86_64-bin-DVD1.
,→iso</iso>
</install>
<rootpw>CHANGE THIS TO YOUR ROOT PASSWORD</rootpw>
</os>
<description>CentOS 6.4 x86_64</description>
<repositories>
<repository name='epel-6'>
<url>http://download.fedoraproject.org/pub/epel/6/$basearch</url>
<signed>no</signed>
</repository>
</repositories>
<packages>
<package name='epel-release'/>
<package name='cloud-utils'/>
<package name='cloud-init'/>
</packages>
<commands>
<command name='update'>
yum -y update
yum clean all
sed -i '/^HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0
echo -n > /etc/udev/rules.d/70-persistent-net.rules
echo -n > /lib/udev/rules.d/75-persistent-net-generator.rules
</command>
</commands>
</template>

This Oz template specifies where to download the CentOS 6.4 install ISO. Oz will use the version
information to identify which kickstart file to use. In this case, it will be RHEL6.auto. It adds EPEL as a
repository and installs the epel-release, cloud-utils, and cloud-init packages, as specified in the packages
section of the file.
After Oz completes the initial OS install using the kickstart file, it customizes the image with an update.
It also removes any reference to the eth0 device that libvirt creates while Oz does the customizing, as
specified in the commands section of the XML file.
To run this:

# oz-install -d3 -u centos64.tdl -x centos64-libvirt.xml

• The -d3 flag tells Oz to show status information as it runs.
• The -u tells Oz to do the customization (install extra packages, run the commands) once it does the
initial install.
• The -x flag tells Oz what filename to use to write out a libvirt XML file (otherwise it will default to
something like centos64Apr_03_2013-12:39:42).
If you leave out the -u flag, or you want to edit the file to do additional customizations, you can use the
oz-customize command, using the libvirt XML file that oz-install creates. For example:

# oz-customize -d3 centos64.tdl centos64-libvirt.xml

Oz will invoke libvirt to boot the image inside of KVM, then Oz will ssh into the instance and perform the
customizations.

VeeWee

VeeWee is often used to build Vagrant boxes, but it can also be used to build KVM images.

Packer

Packer is a tool for creating machine images for multiple platforms from a single source configuration.

image-bootstrap

image-bootstrap is a command line tool that generates bootable virtual machine images with support of
Arch, Debian, Gentoo, Ubuntu, and is prepared for use with OpenStack.

imagefactory

imagefactory is a newer tool designed to automate the building, converting, and uploading images to dif-
ferent cloud providers. It uses Oz as its back-end and includes support for OpenStack-based clouds.

KIWI

The KIWI OS image builder provides an operating system image builder for various Linux supported
hardware platforms as well as for virtualization and cloud systems. It allows building of images based
on openSUSE, SUSE Linux Enterprise, and Red Hat Enterprise Linux. The openSUSE Documentation
explains how to use KIWI.

virt-builder

Virt-builder is a tool for quickly building new virtual machines. You can build a variety of VMs for local
or cloud use, usually within a few minutes or less. Virt-builder also has many ways to customize these
VMs. Everything is run from the command line and nothing requires root privileges, so automation and
scripting are simple.
To build an image, call the following script:

# virt-builder fedora-23 -o image.qcow2 --format qcow2 \
--update --selinux-relabel --size 20G

To list the operating systems available to install:

$ virt-builder --list

To import it into libvirt with virsh:

# virt-install --name fedora --ram 2048 \
--disk path=image.qcow2,format=qcow2 --import

openstack-debian-images

openstack-debian-images is the tool Debian uses to create its official OpenStack image. It is made of a
single very simple shell script that is easy to understand and modify. It supports Grub and Syslinux, BIOS
or EFI, amd64 and arm64 arch.
openstack-debian-images can also be used to create a bootable image directly on a hard disk, instead of
using the Debian installer.
To build an image, type this:

# build-openstack-debian-image --release stretch

More parameters can be added to further customize the image:

# build-openstack-debian-image --release stretch \


--hook-script /root/my-hook-script.sh \
--debootstrap-url http://ftp.fr.debian.org \
--sources.list-mirror http://ftp.fr.debian.org \
--login myusername \
--extra-packages vim,emacs

The file /root/my-hook-script.sh will receive two environment variables: BODI_CHROOT_PATH, the path
where the image is mounted, and BODI_RELEASE, the name of the Debian release that is being
bootstrapped. Here’s an example for customizing the motd:

#!/bin/sh
set -e
echo "My message" >${BODI_CHROOT_PATH}/etc/motd

This hook script will conveniently be called at the correct moment of the build process, when everything
is installed, but before unmounting the partition.

Converting between image formats

Converting images from one format to another is generally straightforward.

qemu-img convert: raw, qcow2, qed, vdi, vmdk, vhd

The qemu-img convert command can do conversion between multiple formats, including qcow2, qed,
raw, vdi, vhd, and vmdk.

Table 2: qemu-img format strings

Image format         Argument to qemu-img
QCOW2 (KVM, Xen)     qcow2
QED (KVM)            qed
raw                  raw
VDI (VirtualBox)     vdi
VHD (Hyper-V)        vpc
VMDK (VMware)        vmdk

This example will convert a raw image file named image.img to a qcow2 image file.

$ qemu-img convert -f raw -O qcow2 image.img image.qcow2

Run the following command to convert a vmdk image file to a raw image file.

$ qemu-img convert -f vmdk -O raw image.vmdk image.img

Run the following command to convert a vmdk image file to a qcow2 image file.

$ qemu-img convert -f vmdk -O qcow2 image.vmdk image.qcow2

Note: The -f format flag is optional. If omitted, qemu-img will try to infer the image format. Always pass
it for images that come from a source you do not control: format probing means a file you believe to be
raw but that begins with a qcow2 header is treated as qcow2, and the backing-file path in that header
can point qemu at an arbitrary file on the host.
When converting an image file with Windows, ensure the virtio driver is installed. Otherwise, you will get
a blue screen when launching the image due to lack of the virtio driver. Another option is to set the image
properties as below when you update the image in the Image service to avoid this issue, but it will reduce
virtual machine performance significantly.

$ openstack image set --property hw_disk_bus='ide' image_name_or_id
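
To make the -f caveat concrete, the following shell script is an added example, not part of the OpenStack
guide or of QEMU. It reads the first four bytes of an image, maps the well-known magic values to the
qemu-img format strings from Table 2 (qcow2 "QFI\xfb", QED "QED\0", sparse VMDK "KDMV"; anything
else is treated as raw, so descriptor-style VMDK, VDI and VHD are outside what this check recognises),
refuses to convert a file that is declared raw but carries a container header, and always emits the -f flag.
The two sample files it creates are constructed and are not valid disks; they exist only to exercise the
checks.

```sh
#!/bin/sh
# Added example: pin the input format for qemu-img convert instead of letting it probe.
# Not from the OpenStack guide. Magic values: qcow2 "QFI\xfb", QED "QED\0", sparse VMDK "KDMV";
# other container formats are not recognised here and fall through to "raw".

# Print the first four bytes of a file as lowercase hex, e.g. 514649fb for a qcow2 header.
image_magic() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Map the magic to a qemu-img format string; "raw" when no known header is present.
image_format() {
    case "$(image_magic "$1")" in
        514649fb) echo qcow2 ;;
        51454400) echo qed ;;
        4b444d56) echo vmdk ;;
        *)        echo raw ;;
    esac
}

# Compare the format you intend to declare with what the header says. Returns 1 when a file
# declared raw actually carries a container header: if qemu-img were allowed to probe such a
# file it would honour that header, including any backing-file path it names on the host.
check_declared_format() {
    file=$1
    declared=$2
    actual=$(image_format "$file")
    if [ "$declared" = raw ] && [ "$actual" != raw ]; then
        echo "refusing: $file is declared raw but starts with a $actual header" >&2
        return 1
    fi
    return 0
}

# Print the qemu-img invocation with an explicit -f so no probing happens.
# $1 = input file, $2 = output file, $3 = input format, $4 = output format
convert_cmd() {
    printf 'qemu-img convert -f %s -O %s %s %s\n' "$3" "$4" "$1" "$2"
}

# Convert only after the declared input format has been checked against the header.
# Needs qemu-img on the host; argument order is the same as convert_cmd.
safe_convert() {
    check_declared_format "$1" "$3" || return 1
    qemu-img convert -f "$3" -O "$4" "$1" "$2"
}

# Constructed samples (not valid disk images): 2 KiB of zeros that really is raw, and a file
# whose first four bytes are the qcow2 magic, which is how a malicious "raw" upload looks.
make_samples() {
    d=$(mktemp -d)
    dd if=/dev/zero of="$d/plain.img" bs=512 count=4 2>/dev/null
    printf '\121\106\111\373' > "$d/sneaky.img"      # Q F I 0xfb, written in octal
    dd if=/dev/zero bs=512 count=4 2>/dev/null >> "$d/sneaky.img"
    echo "$d"
}
```

`safe_convert image.img image.qcow2 raw qcow2` performs the first conversion shown above, but
refuses if image.img turns out to start with a qcow2 header; `convert_cmd` is the same invocation
printed without running it, which is useful when the command is being assembled by a script.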

VBoxManage: VDI (VirtualBox) to raw

If you’ve created a VDI image using VirtualBox, you can convert it to raw format using the VBoxManage
command-line tool that ships with VirtualBox. On Mac OS X and Linux, VirtualBox stores images by
default in the ~/VirtualBox VMs/ directory. The following example creates a raw image in the current
directory from a VirtualBox VDI image.

$ VBoxManage clonehd ~/VirtualBox\ VMs/image.vdi image.img --format raw

Image sharing

Image producers and consumers are both OpenStack users, or projects. Image producers create and share
images with image consumers, allowing the consumers to use the shared image when booting a server.
The producer shares an image with the consumer by making the consumer a member of that image. The
consumer then accepts or rejects the image by changing the image member status. After it is accepted,
the image appears in the consumer’s image list. As long as the consumer is a member of the image, the
consumer can use the image, regardless of the image member status, if the consumer knows the image ID.

Note: In the OpenStack Image API, the image member status serves three purposes:
• The member status controls whether the image appears in the consumer’s image list. If the image
member status is accepted, the image appears in the consumer’s image list. Otherwise, the image does
not appear in the image list. The image may still be used as long as the consumer knows the image
ID.
• The member status can be used to filter the consumer’s image list.
• The member status lets the producer know whether the consumer has seen and acted on the shared
image. If the status is accepted or rejected, the consumer has definitely seen the shared image.
If the status is pending, the consumer may not be aware that an image was shared.

Image producers and consumers have different abilities and responsibilities regarding image sharing, which
the following list shows.
• Image producers add members to images, or remove members from images, but they may not modify
the member status of an image member.
• Image producers and consumers view the status of image members. When listing image members,
the producers see all the image members, and the consumers see only themselves.
• Image consumers change their own member status, but they may not add or remove themselves as
an image member.
• Image consumers can boot from any image shared by the image producer, regardless of the member
status, as long as the consumer knows the image ID.

Sharing an image

The following procedure is a workflow for image sharing after image creation.

Communications between the image producer and the consumer, such as those described in this
example, must be arranged independently of the OpenStack Image API. The consumer and producer can send
notifications by using email, phone, Twitter, or other channels.
1. The producer posts the availability of specific images for consumers to review.
2. A potential consumer provides the producer with the consumer’s project ID. Optionally, the producer
might request the consumer’s email address for notification purposes, but this is outside the scope
of the API.
3. The producer shares the image with the consumer, by using the Create image member API
operation.
4. Optionally, the producer notifies the consumer that the image has been shared and provides the
image’s ID (UUID).
5. If the consumer wants the image to appear in the image list, the consumer uses the OpenStack Image
API to change the image member status to accepted, by using the Update image member API
operation.
6. If the consumer subsequently wants to hide the image, the consumer uses the OpenStack Image API
to change the image member status to rejected. If the consumer wants to hide the image, but is
open to the possibility of being reminded by the producer that the image is available, the consumer
uses the OpenStack Image API to change the image member status back to pending, by using the
Update image member API operation.
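
The following in-memory model is an added example, not code from the guide or from the Image service. It encodes the member rules stated above (producers add and remove members but never set a status, consumers set only their own status, the image list shows only accepted shares unless filtered, and any member can boot the image by ID whatever its status) so that the consequence of the last rule can be checked directly: a consumer rejecting a share hides it but does not revoke it; only the producer removing the member does. Class and method names are invented; the member_status filter is named after the Image API v2 image-list query parameter.

```python
"""Reference model of the Image API image-member sharing rules.

Added example; not part of the guide or of Glance. Names are invented for
illustration. The model is deliberately small so that the access
consequences of each member status can be checked directly.
"""
from dataclasses import dataclass, field

VALID_STATUSES = ("pending", "accepted", "rejected")


class SharingError(PermissionError):
    """An operation the caller's role (producer or consumer) does not allow."""


@dataclass
class Image:
    image_id: str
    owner: str                                   # producer project ID
    members: dict = field(default_factory=dict)  # consumer project ID -> status


class ImageService:
    def __init__(self):
        self.images = {}

    def create_image(self, image_id, owner):
        self.images[image_id] = Image(image_id, owner)
        return self.images[image_id]

    # --- producer side: "Create image member" and member deletion ---
    def add_member(self, caller, image_id, member):
        img = self.images[image_id]
        if caller != img.owner:
            raise SharingError("only the producer may add members")
        img.members.setdefault(member, "pending")  # a new share starts pending
        return img.members[member]

    def remove_member(self, caller, image_id, member):
        img = self.images[image_id]
        if caller != img.owner:
            raise SharingError("only the producer may remove members")
        img.members.pop(member, None)              # the only way to revoke access

    # --- consumer side: "Update image member" ---
    def set_member_status(self, caller, image_id, status):
        if status not in VALID_STATUSES:
            raise ValueError(f"status must be one of {VALID_STATUSES}")
        img = self.images[image_id]
        if caller not in img.members:
            # Covers the producer too: it is never a member of its own image.
            raise SharingError("only the consumer may change its own status")
        img.members[caller] = status
        return status

    # --- read side ---
    def list_members(self, caller, image_id):
        """Producers see every member; a consumer sees only itself."""
        img = self.images[image_id]
        if caller == img.owner:
            return dict(img.members)
        if caller in img.members:
            return {caller: img.members[caller]}
        raise SharingError("caller has no access to this image's members")

    def list_images(self, caller, member_status=None):
        """Image IDs in the caller's list: own images plus shares.

        Without a filter only accepted shares appear; member_status
        (named after the Image API v2 query parameter) selects shares
        in another status, e.g. "pending" or "rejected".
        """
        wanted = member_status or "accepted"
        visible = []
        for img in self.images.values():
            if img.owner == caller or img.members.get(caller) == wanted:
                visible.append(img.image_id)
        return visible

    def can_boot(self, caller, image_id):
        """Booting by image ID requires membership only, not acceptance."""
        img = self.images.get(image_id)
        return img is not None and (caller == img.owner or caller in img.members)
```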

Appendix

Community support

The following resources are available to help you run and use OpenStack. The OpenStack community
constantly improves and adds to the main features of OpenStack, but if you have any questions, do not
hesitate to ask. Use the following resources to get OpenStack support and troubleshoot your installations.

Documentation

For the available OpenStack documentation, see docs.openstack.org.


The following guides explain how to install a Proof-of-Concept OpenStack cloud and its associated
components:
• Rocky Installation Guides
The following books explain how to configure and run an OpenStack cloud:
• Architecture Design Guide
• Rocky Administrator Guides
• Rocky Configuration Guides
• Rocky Networking Guide
• High Availability Guide
• Security Guide
• Virtual Machine Image Guide


The following book explains how to use the command-line clients:
• Rocky API Bindings
The following documentation provides reference and guidance information for the OpenStack APIs:
• API Documentation
The following guide provides information on how to contribute to OpenStack documentation:
• Documentation Contributor Guide

ask.openstack.org

During the setup or testing of OpenStack, you might have questions about how a specific task is completed
or be in a situation where a feature does not work correctly. Use the ask.openstack.org site to ask questions
and get answers. When you visit the Ask OpenStack site, scan the recently asked questions to see whether
your question has already been answered. If not, ask a new question. Be sure to give a clear, concise
summary in the title and provide as much detail as possible in the description. Paste in your command
output or stack traces, links to screen shots, and any other information which might be useful.

The OpenStack wiki

The OpenStack wiki contains a broad range of topics but some of the information can be difficult to find
or is a few pages deep. Fortunately, the wiki search feature enables you to search by title or content. If
you search for specific information, such as about networking or OpenStack Compute, you can find a large
amount of relevant material. More is being added all the time, so be sure to check back often. You can
find the search box in the upper-right corner of any OpenStack wiki page.

The Launchpad bugs area

The OpenStack community values your setup and testing efforts and wants your feedback. To log a bug,
you must sign up for a Launchpad account. You can view existing bugs and report bugs in the Launchpad
Bugs area. Use the search feature to determine whether the bug has already been reported or already been
fixed. If it still seems like your bug is unreported, fill out a bug report.
Some tips:
• Give a clear, concise summary.
• Provide as much detail as possible in the description. Paste in your command output or stack traces,
links to screen shots, and any other information which might be useful.
• Be sure to include the software and package versions that you are using, especially if you are using
a development branch, such as "Kilo release" vs. git commit bc79c3ecc55929bac585d04a03475b72e06a3208.
• Any deployment-specific information is helpful, such as whether you are using Ubuntu 14.04 or are
performing a multi-node installation.
The following Launchpad Bugs areas are available:
• Bugs: OpenStack Block Storage (cinder)
• Bugs: OpenStack Compute (nova)
• Bugs: OpenStack Dashboard (horizon)
• Bugs: OpenStack Identity (keystone)
• Bugs: OpenStack Image service (glance)
• Bugs: OpenStack Networking (neutron)
• Bugs: OpenStack Object Storage (swift)
• Bugs: Application catalog (murano)
• Bugs: Bare metal service (ironic)
• Bugs: Clustering service (senlin)
• Bugs: Container Infrastructure Management service (magnum)
• Bugs: Data processing service (sahara)
• Bugs: Database service (trove)
• Bugs: DNS service (designate)
• Bugs: Key Manager Service (barbican)
• Bugs: Monitoring (monasca)
• Bugs: Orchestration (heat)
• Bugs: Rating (cloudkitty)
• Bugs: Shared file systems (manila)
• Bugs: Telemetry (ceilometer)
• Bugs: Telemetry v3 (gnocchi)
• Bugs: Workflow service (mistral)
• Bugs: Messaging service (zaqar)
• Bugs: Container service (zun)
• Bugs: OpenStack API Documentation (developer.openstack.org)
• Bugs: OpenStack Documentation (docs.openstack.org)

Documentation feedback

To provide feedback on documentation, join our IRC channel #openstack-doc on the Freenode IRC
network, or report a bug in Launchpad and choose the particular project that the documentation is a part
of.

The OpenStack IRC channel

The OpenStack community lives in the #openstack IRC channel on the Freenode network. You can hang
out, ask questions, or get immediate feedback for urgent and pressing issues. To install an IRC client or
use a browser-based client, go to https://webchat.freenode.net/. You can also use Colloquy (Mac OS X),
mIRC (Windows), or XChat (Linux). When you are in the IRC channel and want to share code or command
output, the generally accepted method is to use a Paste Bin. The OpenStack project has one at Paste. Just
paste your longer amounts of text or logs in the web form and you get a URL that you can paste into the
channel. The OpenStack IRC channel is #openstack on irc.freenode.net. You can find a list of all
OpenStack IRC channels on the IRC page on the wiki.

OpenStack mailing lists

A great way to get answers and insights is to post your question or problematic scenario to the OpenStack
mailing list. You can learn from and help others who might have similar issues. To subscribe or view
the archives, go to the general OpenStack mailing list. If you are interested in the other mailing lists for
specific projects or development, refer to Mailing Lists.

OpenStack distribution packages

The following Linux distributions provide community-supported packages for OpenStack:


• CentOS, Fedora, and Red Hat Enterprise Linux: https://www.rdoproject.org/
• openSUSE and SUSE Linux Enterprise Server: https://en.opensuse.org/Portal:OpenStack
• Ubuntu: https://wiki.ubuntu.com/OpenStack/CloudArchive

Glossary

This glossary offers a list of terms and definitions to define a vocabulary for OpenStack-related concepts.
To add to OpenStack glossary, clone the openstack/openstack-manuals repository and update the source
file doc/common/glossary.rst through the OpenStack contribution process.

0-9

6to4 A mechanism that allows IPv6 packets to be transmitted over an IPv4 network, providing a strategy
for migrating to IPv6.

A

absolute limit Impassable limits for guest VMs. Settings include total RAM size, maximum number of
vCPUs, and maximum disk size.
access control list (ACL) A list of permissions attached to an object. An ACL specifies which users
or system processes have access to objects. It also defines which operations can be performed on
specified objects. Each entry in a typical ACL specifies a subject and an operation. For instance,
the ACL entry (Alice, delete) for a file gives Alice permission to delete the file.
access key Alternative term for an Amazon EC2 access key. See EC2 access key.
account The Object Storage context of an account. Do not confuse with a user account from an
authentication service, such as Active Directory, /etc/passwd, OpenLDAP, OpenStack Identity, and so on.
account auditor Checks for missing replicas and incorrect or corrupted objects in a specified Object
Storage account by running queries against the back-end SQLite database.
account database A SQLite database that contains Object Storage accounts and related metadata and that
the accounts server accesses.
account reaper An Object Storage worker that scans for and deletes account databases that the
account server has marked for deletion.
account server Lists containers in Object Storage and stores container information in the account
database.
account service An Object Storage component that provides account services such as list, create, modify,
and audit. Do not confuse with OpenStack Identity service, OpenLDAP, or similar user-account
services.
accounting The Compute service provides accounting information through the event notification and
system usage data facilities.
Active Directory Authentication and identity service by Microsoft, based on LDAP. Supported in
OpenStack.
active/active configuration In a high-availability setup with an active/active configuration, several
systems share the load together and if one fails, the load is distributed to the remaining systems.
active/passive configuration In a high-availability setup with an active/passive configuration, systems
are set up to bring additional resources online to replace those that have failed.
address pool A group of fixed and/or floating IP addresses that are assigned to a project and can be used
by or assigned to the VM instances in a project.
Address Resolution Protocol (ARP) The protocol by which layer-3 IP addresses are resolved into layer-2
link local addresses.
admin API A subset of API calls that are accessible to authorized administrators and are generally not
accessible to end users or the public Internet. They can exist as a separate service (keystone) or can
be a subset of another API (nova).
admin server In the context of the Identity service, the worker process that provides access to the admin
API.
administrator The person responsible for installing, configuring, and managing an OpenStack cloud.
Advanced Message Queuing Protocol (AMQP) The open standard messaging protocol used by
OpenStack components for intra-service communications, provided by RabbitMQ, Qpid, or ZeroMQ.
Advanced RISC Machine (ARM) Lower power consumption CPU often found in mobile and embedded
devices. Supported by OpenStack.
alert The Compute service can send alerts through its notification system, which includes a facility to
create custom notification drivers. Alerts can be sent to and displayed on the dashboard.
allocate The process of taking a floating IP address from the address pool so it can be associated with a
fixed IP on a guest VM instance.
Amazon Kernel Image (AKI) Both a VM container format and disk format. Supported by Image service.
Amazon Machine Image (AMI) Both a VM container format and disk format. Supported by Image
service.
Amazon Ramdisk Image (ARI) Both a VM container format and disk format. Supported by Image
service.
Anvil A project that ports the shell script-based project named DevStack to Python.
aodh Part of the OpenStack Telemetry service; provides alarming functionality.
Apache The Apache Software Foundation supports the Apache community of open-source software
projects. These projects provide software products for the public good.
Apache License 2.0 All OpenStack core projects are provided under the terms of the Apache License 2.0
license.
Apache Web Server The most common web server software currently used on the Internet.
API endpoint The daemon, worker, or service that a client communicates with to access an API. API
endpoints can provide any number of services, such as authentication, sales data, performance meters,
Compute VM commands, census data, and so on.
API extension Custom modules that extend some OpenStack core APIs.
API extension plug-in Alternative term for a Networking plug-in or Networking API extension.
API key Alternative term for an API token.
API server Any node running a daemon or worker that provides an API endpoint.
API token Passed to API requests and used by OpenStack to verify that the client is authorized to run the
requested operation.
API version In OpenStack, the API version for a project is part of the URL. For example,
example.com/nova/v1/foobar.
applet A Java program that can be embedded into a web page.
Application Catalog service (murano) The project that provides an application catalog service so that
users can compose and deploy composite environments on an application abstraction level while
managing the application lifecycle.
Application Programming Interface (API) A collection of specifications used to access a service,
application, or program. Includes service calls, required parameters for each call, and the expected
return values.
application server A piece of software that makes available another piece of software over a network.
Application Service Provider (ASP) Companies that rent specialized applications that help businesses
and organizations provide additional services with lower cost.
arptables Tool used for maintaining Address Resolution Protocol packet filter rules in the Linux kernel
firewall modules. Used along with iptables, ebtables, and ip6tables in Compute to provide firewall
services for VMs.
associate The process associating a Compute floating IP address with a fixed IP address.
Asynchronous JavaScript and XML (AJAX) A group of interrelated web development techniques used
on the client-side to create asynchronous web applications. Used extensively in horizon.
ATA over Ethernet (AoE) A disk storage protocol tunneled within Ethernet.
attach The process of connecting a VIF or vNIC to a L2 network in Networking. In the context of
Compute, this process connects a storage volume to an instance.
attachment (network) Association of an interface ID to a logical port. Plugs an interface into a port.
auditing Provided in Compute through the system usage data facility.
auditor A worker process that verifies the integrity of Object Storage objects, containers, and accounts.
Auditors is the collective term for the Object Storage account auditor, container auditor, and object
auditor.
Austin The code name for the initial release of OpenStack. The first design summit took place in Austin,
Texas, US.
auth node Alternative term for an Object Storage authorization node.
authentication The process that confirms that the user, process, or client is really who they say they are
through private key, secret token, password, fingerprint, or similar method.
authentication token A string of text provided to the client after authentication. Must be provided by the
user or process in subsequent requests to the API endpoint.
AuthN The Identity service component that provides authentication services.
authorization The act of verifying that a user, process, or client is authorized to perform an action.
authorization node An Object Storage node that provides authorization services.
AuthZ The Identity component that provides high-level authorization services.
Auto ACK Configuration setting within RabbitMQ that enables or disables message acknowledgment.
Enabled by default.
auto declare A Compute RabbitMQ setting that determines whether a message exchange is automatically
created when the program starts.
availability zone An Amazon EC2 concept of an isolated area that is used for fault tolerance. Do not
confuse with an OpenStack Compute zone or cell.
AWS CloudFormation template AWS CloudFormation allows Amazon Web Services (AWS) users
to create and manage a collection of related resources. The Orchestration service supports a
CloudFormation-compatible format (CFN).

B

back end Interactions and processes that are obfuscated from the user, such as Compute volume mount,
data transmission to an iSCSI target by a daemon, or Object Storage object integrity checks.
back-end catalog The storage method used by the Identity service catalog service to store and retrieve
information about API endpoints that are available to the client. Examples include an SQL database,
LDAP database, or KVS back end.
back-end store The persistent data store used to save and retrieve information for a service, such as lists of
Object Storage objects, current state of guest VMs, lists of user names, and so on. Also, the method
that the Image service uses to get and store VM images. Options include Object Storage, locally
mounted file system, RADOS block devices, VMware datastore, and HTTP.
Backup, Restore, and Disaster Recovery service (freezer) The project that provides integrated tooling
for backing up, restoring, and recovering file systems, instances, or database backups.
bandwidth The amount of available data used by communication resources, such as the Internet.
Represents the amount of data that is used to download things or the amount of data available to download.
barbican Code name of the Key Manager service.
bare An Image service container format that indicates that no container exists for the VM image.
Bare Metal service (ironic) The OpenStack service that provides a service and associated libraries
capable of managing and provisioning physical machines in a security-aware and fault-tolerant manner.
base image An OpenStack-provided image.
Bell-LaPadula model A security model that focuses on data confidentiality and controlled access to
classified information. This model divides the entities into subjects and objects. The clearance of a
subject is compared to the classification of the object to determine if the subject is authorized for the
specific access mode. The clearance or classification scheme is expressed in terms of a lattice.
Benchmark service (rally) OpenStack project that provides a framework for performance analysis and
benchmarking of individual OpenStack components as well as full production OpenStack cloud
deployments.
Bexar A grouped release of projects related to OpenStack that came out in February of 2011. It included
only Compute (nova) and Object Storage (swift). Bexar is the code name for the second release of
OpenStack. The design summit took place in San Antonio, Texas, US, which is the county seat for
Bexar county.
binary Information that consists solely of ones and zeroes, which is the language of computers.
bit A bit is a single-digit number in base 2 (either a zero or a one). Bandwidth usage is measured
in bits per second.
bits per second (BPS) The universal measurement of how quickly data is transferred from place to place.
block device A device that moves data in the form of blocks. These device nodes interface the devices,
such as hard disks, CD-ROM drives, flash drives, and other addressable regions of memory.
block migration A method of VM live migration used by KVM to evacuate instances from one host to
another with very little downtime during a user-initiated switchover. Does not require shared storage.
Supported by Compute.
Block Storage API An API on a separate endpoint for attaching, detaching, and creating block storage
for compute VMs.
Block Storage service (cinder) The OpenStack service that implements services and libraries to provide
on-demand, self-service access to Block Storage resources via abstraction and automation on top of
other block storage devices.
BMC (Baseboard Management Controller) The intelligence in the IPMI architecture, which is a
specialized micro-controller that is embedded on the motherboard of a computer and acts as a server.
Manages the interface between system management software and platform hardware.
bootable disk image A type of VM image that exists as a single, bootable file.
Bootstrap Protocol (BOOTP) A network protocol used by a network client to obtain an IP address from
a configuration server. Provided in Compute through the dnsmasq daemon when using either the
FlatDHCP manager or VLAN manager network manager.
Border Gateway Protocol (BGP) The Border Gateway Protocol is a dynamic routing protocol that
connects autonomous systems. Considered the backbone of the Internet, this protocol connects disparate
networks to form a larger network.
browser Any client software that enables a computer or device to access the Internet.
builder file Contains configuration information that Object Storage uses to reconfigure a ring or to
re-create it from scratch after a serious failure.
bursting The practice of utilizing a secondary environment to elastically build instances on-demand when
the primary environment is resource constrained.
button class A group of related button types within horizon. Buttons to start, stop, and suspend VMs are
in one class. Buttons to associate and disassociate floating IP addresses are in another class, and so
on.
byte Set of bits that make up a single character; there are usually 8 bits to a byte.

C

cache pruner A program that keeps the Image service VM image cache at or below its configured
maximum size.
Cactus An OpenStack grouped release of projects that came out in the spring of 2011. It included Compute
(nova), Object Storage (swift), and the Image service (glance). Cactus is a city in Texas, US and
is the code name for the third release of OpenStack. When OpenStack releases went from three to
six months long, the code name of the release changed to match a geography nearest the previous
summit.
CALL One of the RPC primitives used by the OpenStack message queue software. Sends a message and
waits for a response.
capability Defines resources for a cell, including CPU, storage, and networking. Can apply to the specific
services within a cell or a whole cell.
capacity cache A Compute back-end database table that contains the current workload, amount of free
RAM, and number of VMs running on each host. Used to determine on which host a VM starts.
capacity updater A notification driver that monitors VM instances and updates the capacity cache as
needed.
CAST One of the RPC primitives used by the OpenStack message queue software. Sends a message and
does not wait for a response.
catalog A list of API endpoints that are available to a user after authentication with the Identity service.
catalog service An Identity service that lists API endpoints that are available to a user after authentication
with the Identity service.
ceilometer Part of the OpenStack Telemetry service; gathers and stores metrics from other OpenStack
services.
cell Provides logical partitioning of Compute resources in a child and parent relationship. Requests are
passed from parent cells to child cells if the parent cannot provide the requested resource.
cell forwarding A Compute option that enables parent cells to pass resource requests to child cells if the
parent cannot provide the requested resource.
cell manager The Compute component that contains a list of the current capabilities of each host within
the cell and routes requests as appropriate.
CentOS A Linux distribution that is compatible with OpenStack.
Ceph Massively scalable distributed storage system that consists of an object store, block store, and
POSIX-compatible distributed file system. Compatible with OpenStack.
CephFS The POSIX-compliant file system provided by Ceph.
certificate authority (CA) In cryptography, an entity that issues digital certificates. The digital certificate
certifies the ownership of a public key by the named subject of the certificate. This enables others
(relying parties) to rely upon signatures or assertions made by the private key that corresponds to
the certified public key. In this model of trust relationships, a CA is a trusted third party for both the
subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic
of many public key infrastructure (PKI) schemes. In OpenStack, a simple certificate authority is
provided by Compute for cloudpipe VPNs and VM image decryption.
Challenge-Handshake Authentication Protocol (CHAP) An iSCSI authentication method supported
by Compute.
chance scheduler A scheduling method used by Compute that randomly chooses an available host from
the pool.
changes since A Compute API parameter that downloads changes to the requested item since your last
request, instead of downloading a new, fresh set of data and comparing it against the old data.
Chef An operating system configuration management tool supporting OpenStack deployments.
child cell If a requested resource such as CPU time, disk storage, or memory is not available in the parent
cell, the request is forwarded to its associated child cells. If the child cell can fulfill the request, it
does. Otherwise, it attempts to pass the request to any of its children.
cinder Codename for Block Storage service.
CirrOS A minimal Linux distribution designed for use as a test image on clouds such as OpenStack.
Cisco neutron plug-in A Networking plug-in for Cisco devices and technologies, including UCS and
Nexus.
cloud architect A person who plans, designs, and oversees the creation of clouds.
Cloud Auditing Data Federation (CADF) Cloud Auditing Data Federation (CADF) is a specification
for audit event data. CADF is supported by OpenStack Identity.
cloud computing A model that enables access to a shared pool of configurable computing resources, such
as networks, servers, storage, applications, and services, that can be rapidly provisioned and released
with minimal management effort or service provider interaction.
cloud controller Collection of Compute components that represent the global state of the cloud; talks to
services, such as Identity authentication, Object Storage, and node/storage workers through a queue.
cloud controller node A node that runs network, volume, API, scheduler, and image services. Each
service may be broken out into separate nodes for scalability or availability.
Cloud Data Management Interface (CDMI) SINA standard that defines a RESTful API for managing
objects in the cloud, currently unsupported in OpenStack.
Cloud Infrastructure Management Interface (CIMI) An in-progress specification for cloud
management. Currently unsupported in OpenStack.
cloud-init A package commonly installed in VM images that performs initialization of an instance after
boot using information that it retrieves from the metadata service, such as the SSH public key and
user data.
cloudadmin One of the default roles in the Compute RBAC system. Grants complete system access.
Cloudbase-Init A Windows project providing guest initialization features, similar to cloud-init.
cloudpipe A compute service that creates VPNs on a per-project basis.
cloudpipe image A pre-made VM image that serves as a cloudpipe server. Essentially, OpenVPN running
on Linux.
Clustering service (senlin) The project that implements clustering services and libraries for the
management of groups of homogeneous objects exposed by other OpenStack services.
command filter Lists allowed commands within the Compute rootwrap facility.
Common Internet File System (CIFS) A file sharing protocol. It is a public or open variation of the
original Server Message Block (SMB) protocol developed and used by Microsoft. Like the SMB
protocol, CIFS runs at a higher level and uses the TCP/IP protocol.
Common Libraries (oslo) The project that produces a set of python libraries containing code shared by
OpenStack projects. The APIs provided by these libraries should be high quality, stable, consistent,
documented and generally applicable.
community project A project that is not officially endorsed by the OpenStack Foundation. If the project
is successful enough, it might be elevated to an incubated project and then to a core project, or it
might be merged with the main code trunk.
compression Reducing the size of files by special encoding; the file can be decompressed again to its
original content. OpenStack supports compression at the Linux file system level but does not support
compression for things such as Object Storage objects or Image service VM images.
Compute API (Nova API) The nova-api daemon provides access to nova services. Can communicate
with other APIs, such as the Amazon EC2 API.
compute controller The Compute component that chooses suitable hosts on which to start VM instances.
compute host Physical host dedicated to running compute nodes.
compute node A node that runs the nova-compute daemon that manages VM instances that provide a
wide range of services, such as web applications and analytics.
Compute service (nova) The OpenStack core project that implements services and associated libraries
to provide massively-scalable, on-demand, self-service access to compute resources, including bare
metal, virtual machines, and containers.
compute worker The Compute component that runs on each compute node and manages the VM instance
lifecycle, including run, reboot, terminate, attach/detach volumes, and so on. Provided by the
nova-compute daemon.
concatenated object A set of segment objects that Object Storage combines and sends to the client.
conductor In Compute, conductor is the process that proxies database requests from the compute process.
Using conductor improves security because compute nodes do not need direct access to the database.
congress Code name for the Governance service.
consistency window The amount of time it takes for a new Object Storage object to become accessible to
all clients.
console log Contains the output from a Linux VM console in Compute.
container Organizes and stores objects in Object Storage. Similar to the concept of a Linux directory but
cannot be nested. Alternative term for an Image service container format.
container auditor Checks for missing replicas or incorrect objects in specified Object Storage containers
through queries to the SQLite back-end database.
container database A SQLite database that stores Object Storage containers and container metadata. The
container server accesses this database.
container format A wrapper used by the Image service that contains a VM image and its associated
metadata, such as machine state, OS disk size, and so on.
Container Infrastructure Management service (magnum) The project which provides a set of services
for provisioning, scaling, and managing container orchestration engines.
container server An Object Storage server that manages containers.
container service The Object Storage component that provides container services, such as create, delete,
list, and so on.
content delivery network (CDN) A content delivery network is a specialized network that is used to
distribute content to clients, typically located close to the client for increased performance.
controller node Alternative term for a cloud controller node.
core API Depending on context, the core API is either the OpenStack API or the main API of a specific
core project, such as Compute, Networking, Image service, and so on.
core service An official OpenStack service defined as core by the DefCore Committee. Currently, it consists of
Block Storage service (cinder), Compute service (nova), Identity service (keystone), Image service
(glance), Networking service (neutron), and Object Storage service (swift).
cost Under the Compute distributed scheduler, this is calculated by looking at the capabilities of each host
relative to the flavor of the VM instance being requested.
credentials Data that is only known to or accessible by a user and used to verify that the user is who
he says he is. Credentials are presented to the server during authentication. Examples include a
password, secret key, digital certificate, and fingerprint.
CRL A Certificate Revocation List (CRL) in a PKI model is a list of certificates that have been revoked.
End entities presenting these certificates should not be trusted.
Cross-Origin Resource Sharing (CORS) A mechanism that allows many resources (for example, fonts,
JavaScript) on a web page to be requested from another domain outside the domain from which the
resource originated. In particular, JavaScript’s AJAX calls can use the XMLHttpRequest mechanism.
Crowbar An open source community project by SUSE that aims to provide all necessary services to
quickly deploy and manage clouds.
current workload An element of the Compute capacity cache that is calculated based on the number of
build, snapshot, migrate, and resize operations currently in progress on a given host.
customer Alternative term for project.
customization module A user-created Python module that is loaded by horizon to change the look and
feel of the dashboard.

daemon A process that runs in the background and waits for requests. May or may not listen on a TCP or
UDP port. Do not confuse with a worker.
Dashboard (horizon) OpenStack project which provides an extensible, unified, web-based user interface
for all OpenStack services.
data encryption Both Image service and Compute support encrypted virtual machine (VM) images (but
not instances). In-transit data encryption is supported in OpenStack using technologies such as
HTTPS, SSL, TLS, and SSH. Object Storage does not support object encryption at the application
level but may support storage that uses disk encryption.
Data loss prevention (DLP) software Software programs used to protect sensitive information and prevent
it from leaking outside a network boundary by detecting and blocking the transport of that data.
Data Processing service (sahara) OpenStack project that provides a scalable data-processing stack and
associated management interfaces.
data store A database engine supported by the Database service.
database ID A unique ID given to each replica of an Object Storage database.
database replicator An Object Storage component that copies changes in the account, container, and
object databases to other nodes.
Database service (trove) An integrated project that provides scalable and reliable Cloud Database-as-a-
Service functionality for both relational and non-relational database engines.
deallocate The process of removing the association between a floating IP address and a fixed IP address.
Once this association is removed, the floating IP returns to the address pool.
Debian A Linux distribution that is compatible with OpenStack.
deduplication The process of finding duplicate data at the disk block, file, and/or object level to minimize
storage use—currently unsupported within OpenStack.
default panel The default panel that is displayed when a user accesses the dashboard.
default project New users are assigned to this project if no project is specified when a user is created.
default token An Identity service token that is not associated with a specific project and is exchanged for
a scoped token.
delayed delete An option within Image service so that an image is deleted after a predefined number of
seconds instead of immediately.
delivery mode Setting for the Compute RabbitMQ message delivery mode; can be set to either transient
or persistent.
denial of service (DoS) Denial of service (DoS) is a short form for denial-of-service attack. This is a
malicious attempt to prevent legitimate users from using a service.
deprecated auth An option within Compute that enables administrators to create and manage users
through the nova-manage command as opposed to using the Identity service.
designate Code name for the DNS service.
Desktop-as-a-Service A platform that provides a suite of desktop environments that users access to receive
a desktop experience from any location. This may provide general use, development, or even
homogeneous testing environments.
developer One of the default roles in the Compute RBAC system and the default role assigned to a new
user.
device ID Maps Object Storage partitions to physical storage devices.
device weight Distributes partitions proportionately across Object Storage devices based on the storage
capacity of each device.
DevStack Community project that uses shell scripts to quickly build complete OpenStack development
environments.
DHCP agent OpenStack Networking agent that provides DHCP services for virtual networks.
Diablo A grouped release of projects related to OpenStack that came out in the fall of 2011, the fourth
release of OpenStack. It included Compute (nova 2011.3), Object Storage (swift 1.4.3), and the
Image service (glance). Diablo is the code name for the fourth release of OpenStack. The design
summit took place in the Bay Area near Santa Clara, California, US and Diablo is a nearby city.
direct consumer An element of the Compute RabbitMQ that comes to life when an RPC call is executed. It
connects to a direct exchange through a unique exclusive queue, sends the message, and terminates.
direct exchange A routing table that is created within the Compute RabbitMQ during RPC calls; one is
created for each RPC call that is invoked.
direct publisher Element of RabbitMQ that provides a response to an incoming MQ message.
disassociate The process of removing the association between a floating IP address and fixed IP and thus
returning the floating IP address to the address pool.
Discretionary Access Control (DAC) Governs the ability of subjects to access objects, while enabling
users to make policy decisions and assign security attributes. The traditional UNIX system of users,
groups, and read-write-execute permissions is an example of DAC.
disk encryption The ability to encrypt data at the file system, disk partition, or whole-disk level. Sup-
ported within Compute VMs.
disk format The underlying format that a disk image for a VM is stored as within the Image service
back-end store. For example, AMI, ISO, QCOW2, VMDK, and so on.
dispersion In Object Storage, tools to test and ensure dispersion of objects and containers to ensure fault
tolerance.
distributed virtual router (DVR) Mechanism for highly available multi-host routing when using OpenStack
Networking (neutron).
Django A web framework used extensively in horizon.
DNS record A record that specifies information about a particular domain and belongs to the domain.
DNS service (designate) OpenStack project that provides scalable, on demand, self service access to authoritative
DNS services, in a technology-agnostic manner.
dnsmasq Daemon that provides DNS, DHCP, BOOTP, and TFTP services for virtual networks.
domain An Identity API v3 entity. Represents a collection of projects, groups and users that defines
administrative boundaries for managing OpenStack Identity entities. On the Internet, separates a
website from other sites. Often, the domain name has two or more parts that are separated by dots.
For example, yahoo.com, usa.gov, harvard.edu, or mail.yahoo.com. Also, a domain is an entity or
container of all DNS-related information containing one or more records.
Domain Name System (DNS) A system by which Internet domain name-to-address and address-to-name
resolutions are determined. DNS helps navigate the Internet by translating the IP address into an
address that is easier to remember. For example, translating 111.111.111.1 into www.yahoo.com.
All domains and their components, such as mail servers, utilize DNS to resolve to the appropriate
locations. DNS servers are usually set up in a master-slave relationship such that failure of the
master invokes the slave. DNS servers might also be clustered or replicated such that changes made
to one DNS server are automatically propagated to other active servers. In Compute, DNS support
enables associating DNS entries with floating IP addresses, nodes, or cells so that hostnames
are consistent across reboots.
download The transfer of data, usually in the form of files, from one computer to another.
durable exchange The Compute RabbitMQ message exchange that remains active when the server
restarts.
durable queue A Compute RabbitMQ message queue that remains active when the server restarts.
Dynamic Host Configuration Protocol (DHCP) A network protocol that configures devices that are
connected to a network so that they can communicate on that network by using the Internet Protocol
(IP). The protocol is implemented in a client-server model where DHCP clients request configuration
data, such as an IP address, a default route, and one or more DNS server addresses from a DHCP
server. A method to automatically configure networking for a host at boot time. Provided by both
Networking and Compute.
Dynamic HyperText Markup Language (DHTML) Pages that use HTML, JavaScript, and Cascading
Style Sheets to enable users to interact with a web page or show simple animation.

east-west traffic Network traffic between servers in the same cloud or data center. See also north-south
traffic.
EBS boot volume An Amazon EBS storage volume that contains a bootable VM image, currently unsupported
in OpenStack.
ebtables Filtering tool for a Linux bridging firewall, enabling filtering of network traffic passing through
a Linux bridge. Used in Compute along with arptables, iptables, and ip6tables to ensure isolation of
network communications.
EC2 The Amazon commercial compute product, similar to Compute.
EC2 access key Used along with an EC2 secret key to access the Compute EC2 API.
EC2 API OpenStack supports accessing the Amazon EC2 API through Compute.
EC2 Compatibility API A Compute component that enables OpenStack to communicate with Amazon
EC2.
EC2 secret key Used along with an EC2 access key when communicating with the Compute EC2 API;
used to digitally sign each request.
Elastic Block Storage (EBS) The Amazon commercial block storage product.
encapsulation The practice of placing one packet type within another for the purposes of abstracting or
securing data. Examples include GRE, MPLS, or IPsec.
encryption OpenStack supports encryption technologies such as HTTPS, SSH, SSL, TLS, digital certificates,
and data encryption.
endpoint See API endpoint.
endpoint registry Alternative term for an Identity service catalog.
endpoint template A list of URL and port number endpoints that indicate where a service, such as Object
Storage, Compute, Identity, and so on, can be accessed.
entity Any piece of hardware or software that wants to connect to the network services provided by Networking,
the network connectivity service. An entity can make use of Networking by implementing
a VIF.
ephemeral image A VM image that does not save changes made to its volumes and reverts them to their
original state after the instance is terminated.
ephemeral volume Volume that does not save the changes made to it and reverts to its original state when
the current user relinquishes control.
Essex A grouped release of projects related to OpenStack that came out in April 2012, the fifth release of
OpenStack. It included Compute (nova 2012.1), Object Storage (swift 1.4.8), Image (glance), Identity
(keystone), and Dashboard (horizon). Essex is the code name for the fifth release of OpenStack.
The design summit took place in Boston, Massachusetts, US and Essex is a nearby city.
ESXi An OpenStack-supported hypervisor.
ETag MD5 hash of an object within Object Storage, used to ensure data integrity.
euca2ools A collection of command-line tools for administering VMs; most are compatible with OpenStack.
Eucalyptus Kernel Image (EKI) Used along with an ERI to create an EMI.
Eucalyptus Machine Image (EMI) VM image container format supported by Image service.
Eucalyptus Ramdisk Image (ERI) Used along with an EKI to create an EMI.
evacuate The process of migrating one or all virtual machine (VM) instances from one host to another,
compatible with both shared storage live migration and block migration.
exchange Alternative term for a RabbitMQ message exchange.
exchange type A routing algorithm in the Compute RabbitMQ.
exclusive queue Connected to by a direct consumer in RabbitMQ—Compute, the message can be consumed
only by the current connection.
extended attributes (xattr) File system option that enables storage of additional information beyond
owner, group, permissions, modification time, and so on. The underlying Object Storage file system
must support extended attributes.
extension Alternative term for an API extension or plug-in. In the context of Identity service, this is a call
that is specific to the implementation, such as adding support for OpenID.
external network A network segment typically used for instance Internet access.
extra specs Specifies additional requirements when Compute determines where to start a new instance.
Examples include a minimum amount of network bandwidth or a GPU.

FakeLDAP An easy method to create a local LDAP directory for testing Identity and Compute. Requires
Redis.
fan-out exchange Within RabbitMQ and Compute, it is the messaging interface that is used by the scheduler
service to receive capability messages from the compute, volume, and network nodes.
federated identity A method to establish trusts between identity providers and the OpenStack cloud.
Fedora A Linux distribution compatible with OpenStack.
Fibre Channel Storage protocol similar in concept to TCP/IP; encapsulates SCSI commands and data.
Fibre Channel over Ethernet (FCoE) The fibre channel protocol tunneled within Ethernet.
fill-first scheduler The Compute scheduling method that attempts to fill a host with VMs rather than
starting new VMs on a variety of hosts.
filter The step in the Compute scheduling process when hosts that cannot run VMs are eliminated and not
chosen.
firewall Used to restrict communications between hosts and/or nodes, implemented in Compute using
iptables, arptables, ip6tables, and ebtables.
FireWall-as-a-Service (FWaaS) A Networking extension that provides perimeter firewall functionality.
fixed IP address An IP address that is associated with the same instance each time that instance boots,
is generally not accessible to end users or the public Internet, and is used for management of the
instance.
Flat Manager The Compute component that gives IP addresses to authorized nodes and assumes DHCP,
DNS, and routing configuration and services are provided by something else.
flat mode injection A Compute networking method where the OS network configuration information is
injected into the VM image before the instance starts.
flat network Virtual network type that uses neither VLANs nor tunnels to segregate project traffic. Each
flat network typically requires a separate underlying physical interface defined by bridge mappings.
However, a flat network can contain multiple subnets.
FlatDHCP Manager The Compute component that provides dnsmasq (DHCP, DNS, BOOTP, TFTP) and
radvd (routing) services.
flavor Alternative term for a VM instance type.
flavor ID UUID for each Compute or Image service VM flavor or instance type.
floating IP address An IP address that a project can associate with a VM so that the instance has the same
public IP address each time that it boots. You create a pool of floating IP addresses and assign them to
instances as they are launched so that each instance keeps a consistent IP address for DNS assignment.
Folsom A grouped release of projects related to OpenStack that came out in the fall of 2012, the sixth
release of OpenStack. It includes Compute (nova), Object Storage (swift), Identity (keystone), Networking
(neutron), Image service (glance), and Volumes or Block Storage (cinder). Folsom is the
code name for the sixth release of OpenStack. The design summit took place in San Francisco,
California, US and Folsom is a nearby city.
FormPost Object Storage middleware that uploads (posts) an image through a form on a web page.
freezer Code name for the Backup, Restore, and Disaster Recovery service.
front end The point where a user interacts with a service; can be an API endpoint, the dashboard, or a
command-line tool.

gateway An IP address, typically assigned to a router, that passes network traffic between different networks.
generic receive offload (GRO) Feature of certain network interface drivers that combines many smaller
received packets into a large packet before delivery to the kernel IP stack.
generic routing encapsulation (GRE) Protocol that encapsulates a wide variety of network layer protocols
inside virtual point-to-point links.
glance Codename for the Image service.
glance API server Alternative name for the Image API.
glance registry Alternative term for the Image service image registry.
global endpoint template The Identity service endpoint template that contains services available to all
projects.
GlusterFS A file system designed to aggregate NAS hosts, compatible with OpenStack.
gnocchi Part of the OpenStack Telemetry service; provides an indexer and time-series database.
golden image A method of operating system installation where a finalized disk image is created and then
used by all nodes without modification.
Governance service (congress) The project that provides Governance-as-a-Service across any collection
of cloud services in order to monitor, enforce, and audit policy over dynamic infrastructure.
Graphic Interchange Format (GIF) A type of image file that is commonly used for animated images on
web pages.
Graphics Processing Unit (GPU) Choosing a host based on the existence of a GPU is currently unsupported
in OpenStack.
Green Threads The cooperative threading model used by Python; reduces race conditions and only context
switches when specific library calls are made. Each OpenStack service is its own thread.
Grizzly The code name for the seventh release of OpenStack. The design summit took place in San Diego,
California, US and Grizzly is an element of the state flag of California.
Group An Identity v3 API entity. Represents a collection of users that is owned by a specific domain.
guest OS An operating system instance running under the control of a hypervisor.

Hadoop Apache Hadoop is an open source software framework that supports data-intensive distributed
applications.
Hadoop Distributed File System (HDFS) A distributed, highly fault-tolerant file system designed to run
on low-cost commodity hardware.
handover An object state in Object Storage where a new replica of the object is automatically created due
to a drive failure.
HAProxy Provides a load balancer for TCP and HTTP-based applications that spreads requests across
multiple servers.
hard reboot A type of reboot where a physical or virtual power button is pressed as opposed to a graceful,
proper shutdown of the operating system.
Havana The code name for the eighth release of OpenStack. The design summit took place in Portland,
Oregon, US and Havana is an unincorporated community in Oregon.
health monitor Determines whether back-end members of a VIP pool can process a request. A pool can
have several health monitors associated with it. When a pool has several monitors associated with
it, all monitors check each member of the pool. All monitors must declare a member to be healthy
for it to stay active.
heat Codename for the Orchestration service.
Heat Orchestration Template (HOT) Heat input in the format native to OpenStack.
high availability (HA) A high availability system design approach and associated service implementation
ensures that a prearranged level of operational performance will be met during a contractual
measurement period. High availability systems seek to minimize system downtime and data loss.
horizon Codename for the Dashboard.
horizon plug-in A plug-in for the OpenStack Dashboard (horizon).
host A physical computer, not a VM instance (node).
host aggregate A method to further subdivide availability zones into hypervisor pools, a collection of
common hosts.
Host Bus Adapter (HBA) Device plugged into a PCI slot, such as a fibre channel or network card.
hybrid cloud A hybrid cloud is a composition of two or more clouds (private, community or public) that
remain distinct entities but are bound together, offering the benefits of multiple deployment models.
Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services
with cloud resources.
Hyper-V One of the hypervisors supported by OpenStack.
hyperlink Any kind of text that contains a link to some other site, commonly found in documents where
clicking on a word or words opens up a different website.
Hypertext Transfer Protocol (HTTP) An application protocol for distributed, collaborative, hypermedia
information systems. It is the foundation of data communication for the World Wide Web. Hypertext
is structured text that uses logical links (hyperlinks) between nodes containing text. HTTP is the
protocol to exchange or transfer hypertext.
Hypertext Transfer Protocol Secure (HTTPS) An encrypted communications protocol for secure communication
over a computer network, with especially wide deployment on the Internet. Technically,
it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer
Protocol (HTTP) on top of the TLS or SSL protocol, thus adding the security capabilities of TLS or
SSL to standard HTTP communications. Most OpenStack API endpoints and many inter-component
communications support HTTPS communication.
hypervisor Software that arbitrates and controls VM access to the actual underlying hardware.
hypervisor pool A collection of hypervisors grouped together through host aggregates.

Icehouse The code name for the ninth release of OpenStack. The design summit took place in Hong Kong
and Ice House is a street in that city.
ID number Unique numeric ID associated with each user in Identity, conceptually similar to a Linux or
LDAP UID.
Identity API Alternative term for the Identity service API.
Identity back end The source used by Identity service to retrieve user information; an OpenLDAP server,
for example.
identity provider A directory service that allows users to log in with a user name and password. It is a
typical source of authentication tokens.
Identity service (keystone) The project that facilitates API client authentication, service discovery, distributed
multi-project authorization, and auditing. It provides a central directory of users mapped to
the OpenStack services they can access. It also registers endpoints for OpenStack services and acts
as a common authentication system.
Identity service API The API used to access the OpenStack Identity service provided through keystone.
IETF Internet Engineering Task Force (IETF) is an open standards organization that develops Internet
standards, particularly the standards pertaining to TCP/IP.
image A collection of files for a specific operating system (OS) that you use to create or rebuild a server.
OpenStack provides pre-built images. You can also create custom images, or snapshots, from servers
that you have launched. Custom images can be used for data backups or as “gold” images for additional
servers.
Image API The Image service API endpoint for management of VM images. Processes client requests
for VMs, updates Image service metadata on the registry server, and communicates with the store
adapter to upload VM images from the back-end store.
image cache Used by Image service to obtain images on the local host rather than re-downloading them
from the image server each time one is requested.
image ID Combination of a URI and UUID used to access Image service VM images through the image
API.
image membership A list of projects that can access a given VM image within Image service.
image owner The project who owns an Image service virtual machine image.
image registry A list of VM images that are available through Image service.
Image service (glance) The OpenStack service that provides services and associated libraries to store,
browse, share, distribute and manage bootable disk images, other data closely associated with initializing
compute resources, and metadata definitions.
image status The current status of a VM image in Image service, not to be confused with the status of a
running instance.
image store The back-end store used by Image service to store VM images; options include Object Storage,
locally mounted file system, RADOS block devices, VMware datastore, or HTTP.
image UUID UUID used by Image service to uniquely identify each VM image.
incubated project A community project may be elevated to this status and is then promoted to a core
project.
Infrastructure Optimization service (watcher) OpenStack project that aims to provide a flexible and
scalable resource optimization service for multi-project OpenStack-based clouds.
Infrastructure-as-a-Service (IaaS) IaaS is a provisioning model in which an organization outsources
physical components of a data center, such as storage, hardware, servers, and networking components.
A service provider owns the equipment and is responsible for housing, operating and maintaining
it. The client typically pays on a per-use basis. IaaS is a model for providing cloud services.
ingress filtering The process of filtering incoming network traffic. Supported by Compute.
INI format The OpenStack configuration files use an INI format to describe options and their values. It
consists of sections and key value pairs.
injection The process of putting a file into a virtual machine image before the instance is started.
Input/Output Operations Per Second (IOPS) IOPS are a common performance measurement used to
benchmark computer storage devices like hard disk drives, solid state drives, and storage area networks.
instance A running VM, or a VM in a known state such as suspended, that can be used like a hardware
server.
instance ID Alternative term for instance UUID.
instance state The current state of a guest VM image.
instance tunnels network A network segment used for instance traffic tunnels between compute nodes
and the network node.
instance type Describes the parameters of the various virtual machine images that are available to users;
includes parameters such as CPU, storage, and memory. Alternative term for flavor.
instance type ID Alternative term for a flavor ID.
instance UUID Unique ID assigned to each guest VM instance.
Intelligent Platform Management Interface (IPMI) IPMI is a standardized computer system interface
used by system administrators for out-of-band management of computer systems and monitoring
of their operation. In layman’s terms, it is a way to manage a computer using a direct network
connection, whether it is turned on or not; connecting to the hardware rather than an operating system
or login shell.
interface A physical or virtual device that provides connectivity to another device or medium.
interface ID Unique ID for a Networking VIF or vNIC in the form of a UUID.
Internet Control Message Protocol (ICMP) A network protocol used by network devices for control
messages. For example, ping uses ICMP to test connectivity.
Internet protocol (IP) Principal communications protocol in the internet protocol suite for relaying datagrams
across network boundaries.
Internet Service Provider (ISP) Any business that provides Internet access to individuals or businesses.
Internet Small Computer System Interface (iSCSI) Storage protocol that encapsulates SCSI frames for
transport over IP networks. Supported by Compute, Object Storage, and Image service.
IP address Number that is unique to every computer system on the Internet. Two versions of the Internet
Protocol (IP) are in use for addresses: IPv4 and IPv6.
IP Address Management (IPAM) The process of automating IP address allocation, deallocation, and
management. Currently provided by Compute, melange, and Networking.
ip6tables Tool used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux
kernel. In OpenStack Compute, ip6tables is used along with arptables, ebtables, and iptables to
create firewalls for both nodes and VMs.
ipset Extension to iptables that allows creation of firewall rules that match entire “sets” of IP addresses
simultaneously. These sets reside in indexed data structures to increase efficiency, particularly on
systems with a large quantity of rules.
iptables Used along with arptables and ebtables, iptables creates firewalls in Compute. iptables are the
tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the
chains and rules it stores. Different kernel modules and programs are currently used for different
protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet
frames. Requires root privilege to manipulate.
ironic Codename for the Bare Metal service.
iSCSI Qualified Name (IQN) IQN is the format most commonly used for iSCSI names, which uniquely
identify nodes in an iSCSI network. All IQNs follow the pattern iqn.yyyy-mm.domain:identifier,
where ‘yyyy-mm’ is the year and month in which the domain was registered, ‘domain’ is the reversed
domain name of the issuing organization, and ‘identifier’ is an optional string which makes each IQN
under the same domain unique. For example, ‘iqn.2015-10.org.openstack.408ae959bce1’.
ISO9660 One of the VM image disk formats supported by Image service.
itsec A default role in the Compute RBAC system that can quarantine an instance in any project.

Java A programming language that is used to create systems that involve more than one computer by way
of a network.
JavaScript A scripting language that is used to build web pages.
JavaScript Object Notation (JSON) One of the supported response formats in OpenStack.
jumbo frame Feature in modern Ethernet networks that supports frames up to approximately 9000 bytes.
Juno The code name for the tenth release of OpenStack. The design summit took place in Atlanta, Georgia,
US and Juno is an unincorporated community in Georgia.

Kerberos A network authentication protocol which works on the basis of tickets. Kerberos allows nodes to communicate over a non-secure network, and allows nodes to prove their identity to one another in a secure manner.
kernel-based VM (KVM) An OpenStack-supported hypervisor. KVM is a full virtualization solution
for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V), ARM, IBM
Power, and IBM zSeries. It consists of a loadable kernel module, that provides the core virtualization
infrastructure and a processor specific module.
Key Manager service (barbican) The project that produces a secret storage and generation system capable of providing key management for services wishing to enable encryption features.
keystone Codename of the Identity service.
Kickstart A tool to automate system configuration and installation on Red Hat, Fedora, and CentOS-based
Linux distributions.
Kilo The code name for the eleventh release of OpenStack. The design summit took place in Paris, France.
Due to delays in the name selection, the release was known only as K. Because k is the unit symbol
for kilo and the kilogram reference artifact is stored near Paris in the Pavillon de Breteuil in Sèvres,
the community chose Kilo as the release name.

large object An object within Object Storage that is larger than 5 GB.


Launchpad The collaboration site for OpenStack.


Layer-2 (L2) agent OpenStack Networking agent that provides layer-2 connectivity for virtual networks.
Layer-2 network Term used in the OSI network architecture for the data link layer. The data link layer is
responsible for media access control, flow control and detecting and possibly correcting errors that
may occur in the physical layer.
Layer-3 (L3) agent OpenStack Networking agent that provides layer-3 (routing) services for virtual networks.
Layer-3 network Term used in the OSI network architecture for the network layer. The network layer is
responsible for packet forwarding including routing from one node to another.
Liberty The code name for the twelfth release of OpenStack. The design summit took place in Vancouver,
Canada and Liberty is the name of a village in the Canadian province of Saskatchewan.
libvirt Virtualization API library used by OpenStack to interact with many of its supported hypervisors.
Lightweight Directory Access Protocol (LDAP) An application protocol for accessing and maintaining
distributed directory information services over an IP network.
Linux Unix-like computer operating system assembled under the model of free and open-source software
development and distribution.
Linux bridge Software that enables multiple VMs to share a single physical NIC within Compute.
Linux Bridge neutron plug-in Enables a Linux bridge to understand a Networking port, interface attachment, and other abstractions.
Linux containers (LXC) An OpenStack-supported hypervisor.
live migration The ability within Compute to move running virtual machine instances from one host to
another with only a small service interruption during switchover.
load balancer A load balancer is a logical device that belongs to a cloud account. It is used to distribute
workloads between multiple back-end systems or services, based on the criteria defined as part of
its configuration.
load balancing The process of spreading client requests between two or more nodes to improve performance and availability.
Load-Balancer-as-a-Service (LBaaS) Enables Networking to distribute incoming requests evenly between designated instances.
Load-balancing service (octavia) The project that aims to provide scalable, on demand, self service access to load-balancer services, in a technology-agnostic manner.
Logical Volume Manager (LVM) Provides a method of allocating space on mass-storage devices that is
more flexible than conventional partitioning schemes.

magnum Code name for the Containers Infrastructure Management service.


management API Alternative term for an admin API.
management network A network segment used for administration, not accessible to the public Internet.
manager Logical groupings of related code, such as the Block Storage volume manager or network manager.


manifest Used to track segments of a large object within Object Storage.


manifest object A special Object Storage object that contains the manifest for a large object.
manila Codename for OpenStack Shared File Systems service.
manila-share Responsible for managing Shared File System Service devices, specifically the back-end
devices.
maximum transmission unit (MTU) Maximum frame or packet size for a particular network medium.
Typically 1500 bytes for Ethernet networks.
mechanism driver A driver for the Modular Layer 2 (ML2) neutron plug-in that provides layer-2 connectivity for virtual instances. A single OpenStack installation can use multiple mechanism drivers.
melange Project name for OpenStack Network Information Service. To be merged with Networking.
membership The association between an Image service VM image and a project. Enables images to be
shared with specified projects.
membership list A list of projects that can access a given VM image within Image service.
memcached A distributed memory object caching system that is used by Object Storage for caching.
memory overcommit The ability to start new VM instances based on the actual memory usage of a host, as
opposed to basing the decision on the amount of RAM each running instance thinks it has available.
Also known as RAM overcommit.
message broker The software package used to provide AMQP messaging capabilities within Compute.
Default package is RabbitMQ.
message bus The main virtual communication line used by all AMQP messages for inter-cloud communications within Compute.
message queue Passes requests from clients to the appropriate workers and returns the output to the client
after the job completes.
Message service (zaqar) The project that provides a messaging service that affords a variety of distributed
application patterns in an efficient, scalable and highly available manner, and to create and maintain
associated Python libraries and documentation.
Meta-Data Server (MDS) Stores CephFS metadata.
Metadata agent OpenStack Networking agent that provides metadata services for instances.
migration The process of moving a VM instance from one host to another.
mistral Code name for Workflow service.
Mitaka The code name for the thirteenth release of OpenStack. The design summit took place in Tokyo,
Japan. Mitaka is a city in Tokyo.
Modular Layer 2 (ML2) neutron plug-in Can concurrently use multiple layer-2 networking technolo-
gies, such as 802.1Q and VXLAN, in Networking.
monasca Codename for OpenStack Monitoring.
Monitor (LBaaS) LBaaS feature that provides availability monitoring using the ping command, TCP,
and HTTP/HTTPS GET.
Monitor (Mon) A Ceph component that communicates with external clients, checks data state and consistency, and performs quorum functions.


Monitoring (monasca) The OpenStack service that provides a multi-project, highly scalable, performant, fault-tolerant monitoring-as-a-service solution for metrics, complex event processing and logging. It aims to build an extensible platform for advanced monitoring services that can be used by both operators and projects to gain operational insight and visibility, ensuring availability and stability.
multi-factor authentication Authentication method that uses two or more credentials, such as a password
and a private key. Currently not supported in Identity.
multi-host High-availability mode for legacy (nova) networking. Each compute node handles NAT and
DHCP and acts as a gateway for all of the VMs on it. A networking failure on one compute node
doesn’t affect VMs on other compute nodes.
multinic Facility in Compute that allows each virtual machine instance to have more than one VIF connected to it.
murano Codename for the Application Catalog service.

Nebula Released as open source by NASA in 2010 and is the basis for Compute.
netadmin One of the default roles in the Compute RBAC system. Enables the user to allocate publicly
accessible IP addresses to instances and change firewall rules.
NetApp volume driver Enables Compute to communicate with NetApp storage devices through the NetApp OnCommand Provisioning Manager.
network A virtual network that provides connectivity between entities. For example, a collection of virtual ports that share network connectivity. In Networking terminology, a network is always a layer-2 network.
Network Address Translation (NAT) Process of modifying IP address information while in transit. Supported by Compute and Networking.
network controller A Compute daemon that orchestrates the network configuration of nodes, including
IP addresses, VLANs, and bridging. Also manages routing for both public and private networks.
Network File System (NFS) A method for making file systems available over the network. Supported
by OpenStack.
network ID Unique ID assigned to each network segment within Networking. Same as network UUID.
network manager The Compute component that manages various network components, such as firewall
rules, IP address allocation, and so on.
network namespace Linux kernel feature that provides independent virtual networking instances on a
single host with separate routing tables and interfaces. Similar to virtual routing and forwarding
(VRF) services on physical network equipment.
network node Any compute node that runs the network worker daemon.
network segment Represents a virtual, isolated OSI layer-2 subnet in Networking.
Network Service Header (NSH) Provides a mechanism for metadata exchange along the instantiated service path.
Network Time Protocol (NTP) Method of keeping a clock for a host or node correct via communication
with a trusted, accurate time source.
network UUID Unique ID for a Networking network segment.


network worker The nova-network worker daemon; provides services such as giving an IP address to
a booting nova instance.
Networking API (Neutron API) API used to access OpenStack Networking. Provides an extensible architecture to enable custom plug-in creation.
Networking service (neutron) The OpenStack project which implements services and associated libraries to provide on-demand, scalable, and technology-agnostic network abstraction.
neutron Codename for OpenStack Networking service.
neutron API An alternative name for Networking API.
neutron manager Enables Compute and Networking integration, which enables Networking to perform
network management for guest VMs.
neutron plug-in Interface within Networking that enables organizations to create custom plug-ins for advanced features, such as QoS, ACLs, or IDS.
Newton The code name for the fourteenth release of OpenStack. The design summit took place in Austin, Texas, US. The release is named after “Newton House”, which is located at 1013 E. Ninth St., Austin, TX, and is listed on the National Register of Historic Places.
Nexenta volume driver Provides support for NexentaStor devices in Compute.
NFV Orchestration Service (tacker) OpenStack service that aims to implement Network Function Virtualization (NFV) orchestration services and libraries for end-to-end life-cycle management of network services and Virtual Network Functions (VNFs).
Nginx An HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server.
No ACK Disables server-side message acknowledgment in the Compute RabbitMQ. Increases performance but decreases reliability.
node A VM instance that runs on a host.
non-durable exchange Message exchange that is cleared when the service restarts. Its data is not written
to persistent storage.
non-durable queue Message queue that is cleared when the service restarts. Its data is not written to
persistent storage.
non-persistent volume Alternative term for an ephemeral volume.
north-south traffic Network traffic between a user or client (north) and a server (south), or traffic into
the cloud (south) and out of the cloud (north). See also east-west traffic.
nova Codename for OpenStack Compute service.
Nova API Alternative term for the Compute API.
nova-network A Compute component that manages IP address allocation, firewalls, and other network-
related tasks. This is the legacy networking option and an alternative to Networking.

object A BLOB of data held by Object Storage; can be in any format.


object auditor Opens all objects for an object server and verifies the MD5 hash, size, and metadata for
each object.


object expiration A configurable option within Object Storage to automatically delete objects after a
specified amount of time has passed or a certain date is reached.
object hash Unique ID for an Object Storage object.
object path hash Used by Object Storage to determine the location of an object in the ring. Maps objects
to partitions.
object replicator An Object Storage component that copies an object to remote partitions for fault tolerance.
object server An Object Storage component that is responsible for managing objects.
Object Storage API API used to access OpenStack Object Storage.
Object Storage Device (OSD) The Ceph storage daemon.
Object Storage service (swift) The OpenStack core project that provides eventually consistent and redundant storage and retrieval of fixed digital content.
object versioning Allows a user to set a flag on an Object Storage container so that all objects within the
container are versioned.
Ocata The code name for the fifteenth release of OpenStack. The design summit took place in Barcelona,
Spain. Ocata is a beach north of Barcelona.
Octavia Code name for the Load-balancing service.
Oldie Term for an Object Storage process that runs for a long time. Can indicate a hung process.
Open Cloud Computing Interface (OCCI) A standardized interface for managing compute, data, and
network resources, currently unsupported in OpenStack.
Open Virtualization Format (OVF) Standard for packaging VM images. Supported in OpenStack.
Open vSwitch Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (for example NetFlow, sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag).
Open vSwitch (OVS) agent Provides an interface to the underlying Open vSwitch service for the Networking plug-in.
Open vSwitch neutron plug-in Provides support for Open vSwitch in Networking.
OpenLDAP An open source LDAP server. Supported by both Compute and Identity.
OpenStack OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center, all managed through a dashboard that gives administrators control while empowering their users to provision resources through a web interface. OpenStack is an open source project licensed under the Apache License 2.0.
OpenStack code name Each OpenStack release has a code name. Code names ascend in alphabetical
order: Austin, Bexar, Cactus, Diablo, Essex, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo, Liberty,
Mitaka, Newton, Ocata, Pike, Queens, Rocky, Stein, and Train. Code names are cities or counties
near where the corresponding OpenStack design summit took place. An exception, called the Waldon
exception, is granted to elements of the state flag that sound especially cool. Code names are chosen
by popular vote.
openSUSE A Linux distribution that is compatible with OpenStack.
operator The person responsible for planning and maintaining an OpenStack installation.


optional service An official OpenStack service defined as optional by the DefCore Committee. Currently, it consists of Dashboard (horizon), Telemetry service (Telemetry), Orchestration service (heat), Database service (trove), Bare Metal service (ironic), and so on.
Orchestration service (heat) The OpenStack service which orchestrates composite cloud applications
using a declarative template format through an OpenStack-native REST API.
orphan In the context of Object Storage, this is a process that is not terminated after an upgrade, restart,
or reload of the service.
Oslo Codename for the Common Libraries project.

panko Part of the OpenStack Telemetry service; provides event storage.


parent cell If a requested resource, such as CPU time, disk storage, or memory, is not available in the
parent cell, the request is forwarded to associated child cells.
partition A unit of storage within Object Storage used to store objects. It exists on top of devices and is
replicated for fault tolerance.
partition index Contains the locations of all Object Storage partitions within the ring.
partition shift value Used by Object Storage to determine which partition data should reside on.
path MTU discovery (PMTUD) Mechanism in IP networks to detect end-to-end MTU and adjust packet
size accordingly.
pause A VM state where no changes occur (no changes in memory, network communications stop, etc.); the VM is frozen but not shut down.
PCI passthrough Gives guest VMs exclusive access to a PCI device. Currently supported in OpenStack
Havana and later releases.
persistent message A message that is stored both in memory and on disk. The message is not lost after a
failure or restart.
persistent volume Changes to these types of disk volumes are saved.
personality file A file used to customize a Compute instance. It can be used to inject SSH keys or a
specific network configuration.
Pike The code name for the sixteenth release of OpenStack. The OpenStack summit took place in Boston,
Massachusetts, US. The release is named after the Massachusetts Turnpike, abbreviated commonly
as the Mass Pike, which is the easternmost stretch of Interstate 90.
Platform-as-a-Service (PaaS) Provides to the consumer an operating system and, often, a language runtime and libraries (collectively, the “platform”) upon which they can run their own application code, without providing any control over the underlying infrastructure. Examples of Platform-as-a-Service providers include Cloud Foundry and OpenShift.
plug-in Software component providing the actual implementation for Networking APIs, or for Compute
APIs, depending on the context.
policy service Component of Identity that provides a rule-management interface and a rule-based authorization engine.
policy-based routing (PBR) Provides a mechanism to implement packet forwarding and routing according to the policies defined by the network administrator.


pool A logical set of devices, such as web servers, that you group together to receive and process traffic. The load balancing function chooses which member of the pool handles the new requests or connections received on the VIP address. Each VIP has one pool.
pool member An application that runs on the back-end server in a load-balancing system.
port A virtual network port within Networking; VIFs / vNICs are connected to a port.
port UUID Unique ID for a Networking port.
preseed A tool to automate system configuration and installation on Debian-based Linux distributions.
private image An Image service VM image that is only available to specified projects.
private IP address An IP address used for management and administration, not available to the public
Internet.
private network The Network Controller provides virtual networks to enable compute servers to interact with each other and with the public network. All machines must have a public and private network interface. A private network interface can be a flat or VLAN network interface. A flat network interface is controlled by the flat_interface with flat managers. A VLAN network interface is controlled by the vlan_interface option with VLAN managers.
project Projects represent the base unit of “ownership” in OpenStack, in that all resources in OpenStack
should be owned by a specific project. In OpenStack Identity, a project must be owned by a specific
domain.
project ID Unique ID assigned to each project by the Identity service.
project VPN Alternative term for a cloudpipe.
promiscuous mode Causes the network interface to pass all traffic it receives to the host rather than passing only the frames addressed to it.
protected property Generally, extra properties on an Image service image to which only cloud administrators have access. Limits which user roles can perform CRUD operations on that property. The cloud administrator can configure any image property as protected.
provider An administrator who has access to all hosts and instances.
proxy node A node that provides the Object Storage proxy service.
proxy server Users of Object Storage interact with the service through the proxy server, which in turn
looks up the location of the requested data within the ring and returns the results to the user.
public API An API endpoint used for both service-to-service communication and end-user interactions.
public image An Image service VM image that is available to all projects.
public IP address An IP address that is accessible to end-users.
public key authentication Authentication method that uses keys rather than passwords.
public network The Network Controller provides virtual networks to enable compute servers to interact
with each other and with the public network. All machines must have a public and private network
interface. The public network interface is controlled by the public_interface option.
Puppet An operating system configuration-management tool supported by OpenStack.
Python Programming language used extensively in OpenStack.


QEMU Copy On Write 2 (QCOW2) One of the VM image disk formats supported by Image service.
Qpid Message queue software supported by OpenStack; an alternative to RabbitMQ.
Quality of Service (QoS) The ability to guarantee certain network or storage requirements to satisfy a
Service Level Agreement (SLA) between an application provider and end users. Typically includes
performance requirements like networking bandwidth, latency, jitter correction, and reliability as
well as storage performance in Input/Output Operations Per Second (IOPS), throttling agreements,
and performance expectations at peak load.
quarantine If Object Storage finds objects, containers, or accounts that are corrupt, they are placed in this
state, are not replicated, cannot be read by clients, and a correct copy is re-replicated.
Queens The code name for the seventeenth release of OpenStack. The OpenStack summit took place in
Sydney, Australia. The release is named after the Queens Pound river in the South Coast region of
New South Wales.
Quick EMUlator (QEMU) QEMU is a generic and open source machine emulator and virtualizer. One
of the hypervisors supported by OpenStack, generally used for development purposes.
quota In Compute and Block Storage, the ability to set resource limits on a per-project basis.

RabbitMQ The default message queue software used by OpenStack.


Rackspace Cloud Files Released as open source by Rackspace in 2010; the basis for Object Storage.
RADOS Block Device (RBD) Ceph component that enables a Linux block device to be striped over multiple distributed data stores.
radvd The router advertisement daemon, used by the Compute VLAN manager and FlatDHCP manager
to provide routing services for VM instances.
rally Codename for the Benchmark service.
RAM filter The Compute setting that enables or disables RAM overcommitment.
RAM overcommit The ability to start new VM instances based on the actual memory usage of a host, as
opposed to basing the decision on the amount of RAM each running instance thinks it has available.
Also known as memory overcommit.
rate limit Configurable option within Object Storage to limit database writes on a per-account and/or
per-container basis.
raw One of the VM image disk formats supported by Image service; an unstructured disk image.
rebalance The process of distributing Object Storage partitions across all drives in the ring; used during
initial ring creation and after ring reconfiguration.
reboot Either a soft or hard reboot of a server. With a soft reboot, the operating system is signaled to
restart, which enables a graceful shutdown of all processes. A hard reboot is the equivalent of power
cycling the server. The virtualization platform should ensure that the reboot action has completed
successfully, even in cases in which the underlying domain/VM is paused or halted/stopped.
rebuild Removes all data on the server and replaces it with the specified image. Server ID and IP addresses
remain the same.


Recon An Object Storage component that collects meters.


record Belongs to a particular domain and is used to specify information about the domain. There are
several types of DNS records. Each record type contains particular information used to describe
the purpose of that record. Examples include mail exchange (MX) records, which specify the mail
server for a particular domain; and name server (NS) records, which specify the authoritative name
servers for a domain.
record ID A number within a database that is incremented each time a change is made. Used by Object
Storage when replicating.
Red Hat Enterprise Linux (RHEL) A Linux distribution that is compatible with OpenStack.
reference architecture A recommended architecture for an OpenStack cloud.
region A discrete OpenStack environment with dedicated API endpoints that typically shares only the
Identity (keystone) with other regions.
registry Alternative term for the Image service registry.
registry server An Image service that provides VM image metadata information to clients.
Reliable, Autonomic Distributed Object Store (RADOS) A collection of components that provides object storage within Ceph. Similar to OpenStack Object Storage.
Remote Procedure Call (RPC) The method used by the Compute RabbitMQ for intra-service communications.
replica Provides data redundancy and fault tolerance by creating copies of Object Storage objects, accounts, and containers so that they are not lost when the underlying storage fails.
replica count The number of replicas of the data in an Object Storage ring.
replication The process of copying data to a separate physical device for fault tolerance and performance.
replicator The Object Storage back-end process that creates and manages object replicas.
request ID Unique ID assigned to each request sent to Compute.
rescue image A special type of VM image that is booted when an instance is placed into rescue mode.
Allows an administrator to mount the file systems for an instance to correct the problem.
resize Converts an existing server to a different flavor, which scales the server up or down. The original
server is saved to enable rollback if a problem occurs. All resizes must be tested and explicitly
confirmed, at which time the original server is removed.
RESTful A kind of web service API that uses REST, or Representational State Transfer. REST is the style
of architecture for hypermedia systems that is used for the World Wide Web.
ring An entity that maps Object Storage data to partitions. A separate ring exists for each service, such as
account, object, and container.
ring builder Builds and manages rings within Object Storage, assigns partitions to devices, and pushes
the configuration to other storage nodes.
Rocky The code name for the eighteenth release of OpenStack. The OpenStack summit took place in Vancouver, Canada. The release is named after the Rocky Mountains.
role A personality that a user assumes to perform a specific set of operations. A role includes a set of
rights and privileges. A user assuming that role inherits those rights and privileges.


Role Based Access Control (RBAC) Provides a predefined list of actions that the user can perform, such
as start or stop VMs, reset passwords, and so on. Supported in both Identity and Compute and can
be configured using the dashboard.
role ID Alphanumeric ID assigned to each Identity service role.
Root Cause Analysis (RCA) service (Vitrage) OpenStack project that aims to organize, analyze and visualize OpenStack alarms and events, yield insights regarding the root cause of problems and deduce their existence before they are directly detected.
rootwrap A feature of Compute that allows the unprivileged “nova” user to run a specified list of commands as the Linux root user.
round-robin scheduler Type of Compute scheduler that evenly distributes instances among available
hosts.
router A physical or virtual network device that passes network traffic between different networks.
routing key The Compute direct exchanges, fanout exchanges, and topic exchanges use this key to determine how to process a message; processing varies depending on exchange type.
RPC driver Modular system that allows the underlying message queue software of Compute to be
changed. For example, from RabbitMQ to ZeroMQ or Qpid.
rsync Used by Object Storage to push object replicas.
RXTX cap Absolute limit on the amount of network traffic a Compute VM instance can send and receive.
RXTX quota Soft limit on the amount of network traffic a Compute VM instance can send and receive.

sahara Codename for the Data Processing service.


SAML assertion Contains information about a user as provided by the identity provider. It is an indication
that a user has been authenticated.
scheduler manager A Compute component that determines where VM instances should start. Uses modular design to support a variety of scheduler types.
scoped token An Identity service API access token that is associated with a specific project.
scrubber Checks for and deletes unused VMs; the component of Image service that implements delayed
delete.
secret key String of text known only by the user; used along with an access key to make requests to the
Compute API.
secure boot Process whereby the system firmware validates the authenticity of the code involved in the
boot process.
secure shell (SSH) Open source tool used to access remote hosts through an encrypted communications channel. SSH key injection is supported by Compute.
security group A set of network traffic filtering rules that are applied to a Compute instance.
segmented object An Object Storage large object that has been broken up into pieces. The re-assembled
object is called a concatenated object.
self-service For IaaS, ability for a regular (non-privileged) account to manage a virtual infrastructure component such as networks without involving an administrator.


SELinux Linux kernel security module that provides the mechanism for supporting access control policies.
senlin Code name for the Clustering service.
server Computer that provides explicit services to the client software running on that system, often managing a variety of computer operations. A server is a VM instance in the Compute system. Flavor and image are requisite elements when creating a server.
server image Alternative term for a VM image.
server UUID Unique ID assigned to each guest VM instance.
service An OpenStack service, such as Compute, Object Storage, or Image service. Provides one or more
endpoints through which users can access resources and perform operations.
service catalog Alternative term for the Identity service catalog.
Service Function Chain (SFC) For a given service, SFC is the abstracted view of the required service
functions and the order in which they are to be applied.
service ID Unique ID assigned to each service that is available in the Identity service catalog.
Service Level Agreement (SLA) Contractual obligations that ensure the availability of a service.
service project Special project that contains all services that are listed in the catalog.
service provider A system that provides services to other system entities. In case of federated identity,
OpenStack Identity is the service provider.
service registration An Identity service feature that enables services, such as Compute, to automatically
register with the catalog.
service token An administrator-defined token used by Compute to communicate securely with the Identity
service.
session back end The method of storage used by horizon to track client sessions, such as local memory,
cookies, a database, or memcached.
session persistence A feature of the load-balancing service. It attempts to force subsequent connections
to a service to be redirected to the same node as long as it is online.
session storage A horizon component that stores and tracks client session information. Implemented
through the Django sessions framework.
share A remote, mountable file system in the context of the Shared File Systems service. You can mount
a share to, and access a share from, several hosts by several users at a time.
share network An entity in the context of the Shared File Systems service that encapsulates interaction
with the Networking service. If the driver you selected runs in the mode requiring such kind of
interaction, you need to specify the share network to create a share.
Shared File Systems API A Shared File Systems service that provides a stable RESTful API. The service
authenticates and routes requests throughout the Shared File Systems service. There is python-
manilaclient to interact with the API.
Shared File Systems service (manila) The service that provides a set of services for management of
shared file systems in a multi-project cloud environment, similar to how OpenStack provides block-
based storage management through the OpenStack Block Storage service project. With the Shared
File Systems service, you can create a remote file system and mount the file system on your instances.
You can also read and write data from your instances to and from your file system.

shared IP address An IP address that can be assigned to a VM instance within the shared IP group. Public IP addresses can be shared across multiple servers for use in various high-availability scenarios. When an IP address is shared to another server, the cloud network restrictions are modified to enable each server to listen to and respond on that IP address. You can optionally specify that the target server network configuration be modified. Shared IP addresses can be used with many standard heartbeat facilities, such as keepalive, that monitor for failure and manage IP failover.
shared IP group A collection of servers that can share IPs with other members of the group. Any server in a group can share one or more public IPs with any other server in the group. With the exception of the first server in a shared IP group, servers must be launched into shared IP groups. A server may be a member of only one shared IP group.
shared storage Block storage that is simultaneously accessible by multiple clients, for example, NFS.
Sheepdog Distributed block storage system for QEMU, supported by OpenStack.
Simple Cloud Identity Management (SCIM) Specification for managing identity in the cloud, currently unsupported by OpenStack.
Simple Protocol for Independent Computing Environments (SPICE) SPICE provides remote desktop access to guest virtual machines. It is an alternative to VNC. SPICE is supported by OpenStack.
Single-root I/O Virtualization (SR-IOV) A specification that, when implemented by a physical PCIe device, enables it to appear as multiple separate PCIe devices. This enables multiple virtualized guests to share direct access to the physical device, offering improved performance over an equivalent virtual device. Currently supported in OpenStack Havana and later releases.
SmokeStack Runs automated tests against the core OpenStack API; written in Rails.
snapshot A point-in-time copy of an OpenStack storage volume or image. Use storage volume snapshots to back up volumes. Use image snapshots to back up data, or as “gold” images for additional servers.
soft reboot A controlled reboot where a VM instance is properly restarted through operating system commands.
Software Development Lifecycle Automation service (solum) OpenStack project that aims to make cloud services easier to consume and integrate with the application development process by automating the source-to-image process, and simplifying app-centric deployment.
Software-defined networking (SDN) Provides an approach for network administrators to manage computer network services through abstraction of lower-level functionality.
SolidFire Volume Driver The Block Storage driver for the SolidFire iSCSI storage appliance.
solum Code name for the Software Development Lifecycle Automation service.
spread-first scheduler The Compute VM scheduling algorithm that attempts to start a new VM on the host with the least amount of load.
SQLAlchemy An open source SQL toolkit for Python, used in OpenStack.
SQLite A lightweight SQL database, used as the default persistent storage method in many OpenStack services.
stack A set of OpenStack resources created and managed by the Orchestration service according to a given template (either an AWS CloudFormation template or a Heat Orchestration Template (HOT)).
StackTach Community project that captures Compute AMQP communications; useful for debugging.
static IP address Alternative term for a fixed IP address.

StaticWeb WSGI middleware component of Object Storage that serves container data as a static web page.
Stein The code name for the nineteenth release of OpenStack. The OpenStack Summit took place in Berlin, Germany. The release is named after the street Steinstraße in Berlin.
storage back end The method that a service uses for persistent storage, such as iSCSI, NFS, or local disk.
storage manager A XenAPI component that provides a pluggable interface to support a wide variety of persistent storage back ends.
storage manager back end A persistent storage method supported by XenAPI, such as iSCSI or NFS.
storage node An Object Storage node that provides container services, account services, and object services; controls the account databases, container databases, and object storage.
storage services Collective name for the Object Storage object services, container services, and account services.
strategy Specifies the authentication source used by Image service or Identity. In the Database service, it refers to the extensions implemented for a data store.
subdomain A domain within a parent domain. Subdomains cannot be registered. Subdomains enable you to delegate domains. Subdomains can themselves have subdomains, so third-level, fourth-level, fifth-level, and deeper levels of nesting are possible.
subnet Logical subdivision of an IP network.
SUSE Linux Enterprise Server (SLES) A Linux distribution that is compatible with OpenStack.
suspend The VM instance is paused and its state is saved to the disk of the host.
swap Disk-based virtual memory used by operating systems to provide more memory than is actually available on the system.
swauth An authentication and authorization service for Object Storage, implemented through WSGI middleware; uses Object Storage itself as the persistent backing store.
swift Codename for OpenStack Object Storage service.
swift All in One (SAIO) Creates a full Object Storage development environment within a single VM.
swift middleware Collective term for Object Storage components that provide additional functionality.
swift proxy server Acts as the gatekeeper to Object Storage and is responsible for authenticating the user.
swift storage node A node that runs Object Storage account, container, and object services.
sync point Point in time since the last container and accounts database sync among nodes within Object Storage.
sysadmin One of the default roles in the Compute RBAC system. Enables a user to add other users to a project, interact with VM images that are associated with the project, and start and stop VM instances.
system usage A Compute component that, along with the notification system, collects meters and usage information. This information can be used for billing.

tacker Code name for the NFV Orchestration service.

Telemetry service (telemetry) The OpenStack project which collects measurements of the utilization of the physical and virtual resources comprising deployed clouds, persists this data for subsequent retrieval and analysis, and triggers actions when defined criteria are met.
TempAuth An authentication facility within Object Storage that enables Object Storage itself to perform authentication and authorization. Frequently used in testing and development.
Tempest Automated software test suite designed to run against the trunk of the OpenStack core project.
TempURL An Object Storage middleware component that enables creation of URLs for temporary object access.
tenant A group of users; used to isolate access to Compute resources. An alternative term for a project.
Tenant API An API that is accessible to projects.
tenant endpoint An Identity service API endpoint that is associated with one or more projects.
tenant ID An alternative term for project ID.
token An alpha-numeric string of text used to access OpenStack APIs and resources.
token services An Identity service component that manages and validates tokens after a user or project has been authenticated.
tombstone Used to mark Object Storage objects that have been deleted; ensures that the object is not updated on another node after it has been deleted.
topic publisher A process that is created when an RPC call is executed; used to push the message to the topic exchange.
Torpedo Community project used to run automated tests against the OpenStack API.
Train The code name for the twentieth release of OpenStack. The OpenStack Infrastructure Summit will take place in Denver, Colorado, US. Two Project Team Gathering meetings in Denver were held at a hotel next to the train line from downtown to the airport. The crossing signals there had some sort of malfunction in the past, causing them not to stop the cars properly when a train was coming. As a result, the trains were required to blow their horns when passing through that area. Obviously, staying in a hotel by trains that are blowing their horns 24/7 was less than ideal. As a result, many jokes popped up about Denver and trains, and thus the release is called Train.
transaction ID Unique ID assigned to each Object Storage request; used for debugging and tracing.
transient Alternative term for non-durable.
transient exchange Alternative term for a non-durable exchange.
transient message A message that is stored in memory and is lost after the server is restarted.
transient queue Alternative term for a non-durable queue.
TripleO OpenStack-on-OpenStack program. The code name for the OpenStack Deployment program.
trove Codename for OpenStack Database service.
trusted platform module (TPM) Specialized microprocessor for incorporating cryptographic keys into devices for authenticating and securing a hardware platform.

Ubuntu A Debian-based Linux distribution.
unscoped token Alternative term for an Identity service default token.
updater Collective term for a group of Object Storage components that processes queued and failed updates for containers and objects.
user In OpenStack Identity, entities represent individual API consumers and are owned by a specific domain. In OpenStack Compute, a user can be associated with roles, projects, or both.
user data A blob of data that the user can specify when they launch an instance. The instance can access this data through the metadata service or config drive. Commonly used to pass a shell script that the instance runs on boot.
User Mode Linux (UML) An OpenStack-supported hypervisor.

VIF UUID Unique ID assigned to each Networking VIF.
Virtual Central Processing Unit (vCPU) Subdivides physical CPUs. Instances can then use those divisions.
Virtual Disk Image (VDI) One of the VM image disk formats supported by Image service.
Virtual Extensible LAN (VXLAN) A network virtualization technology that attempts to reduce the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate Ethernet frames within UDP packets.
Virtual Hard Disk (VHD) One of the VM image disk formats supported by Image service.
virtual IP address (VIP) An Internet Protocol (IP) address configured on the load balancer for use by clients connecting to a service that is load balanced. Incoming connections are distributed to back-end nodes based on the configuration of the load balancer.
virtual machine (VM) An operating system instance that runs on top of a hypervisor. Multiple VMs can run at the same time on the same physical host.
virtual network An L2 network segment within Networking.
Virtual Network Computing (VNC) Open source GUI and CLI tools used for remote console access to VMs. Supported by Compute.
Virtual Network InterFace (VIF) An interface that is plugged into a port in a Networking network. Typically a virtual network interface belonging to a VM.
virtual networking A generic term for virtualization of network functions such as switching, routing, load balancing, and security using a combination of VMs and overlays on physical network infrastructure.
virtual port Attachment point where a virtual interface connects to a virtual network.
virtual private network (VPN) Provided by Compute in the form of cloudpipes, specialized instances that are used to create VPNs on a per-project basis.
virtual server Alternative term for a VM or guest.
virtual switch (vSwitch) Software that runs on a host or node and provides the features and functions of a hardware-based network switch.

virtual VLAN Alternative term for a virtual network.
VirtualBox An OpenStack-supported hypervisor.
Vitrage Code name for the Root Cause Analysis service.
VLAN manager A Compute component that provides dnsmasq and radvd and sets up forwarding to and from cloudpipe instances.
VLAN network The Network Controller provides virtual networks to enable compute servers to interact with each other and with the public network. All machines must have a public and private network interface. A VLAN network is a private network interface, which is controlled by the vlan_interface option with VLAN managers.
VM disk (VMDK) One of the VM image disk formats supported by Image service.
VM image Alternative term for an image.
VM Remote Control (VMRC) Method to access VM instance consoles using a web browser. Supported by Compute.
VMware API Supports interaction with VMware products in Compute.
VMware NSX Neutron plug-in Provides support for VMware NSX in Neutron.
VNC proxy A Compute component that provides users access to the consoles of their VM instances through VNC or VMRC.
volume Disk-based data storage generally represented as an iSCSI target with a file system that supports extended attributes; can be persistent or ephemeral.
Volume API Alternative name for the Block Storage API.
volume controller A Block Storage component that oversees and coordinates storage volume actions.
volume driver Alternative term for a volume plug-in.
volume ID Unique ID applied to each storage volume under the Block Storage control.
volume manager A Block Storage component that creates, attaches, and detaches persistent storage volumes.
volume node A Block Storage node that runs the cinder-volume daemon.
volume plug-in Provides support for new and specialized types of back-end storage for the Block Storage volume manager.
volume worker A cinder component that interacts with back-end storage to manage the creation and deletion of volumes and the creation of compute volumes, provided by the cinder-volume daemon.
vSphere An OpenStack-supported hypervisor.

Watcher Code name for the Infrastructure Optimization service.
weight Used by Object Storage devices to determine which storage devices are suitable for the job. Devices are weighted by size.
weighted cost The sum of each cost used when deciding where to start a new VM instance in Compute.

weighting A Compute process that determines the suitability of the VM instances for a job for a particular host. For example, not enough RAM on the host, too many CPUs on the host, and so on.
worker A daemon that listens to a queue and carries out tasks in response to messages. For example, the cinder-volume worker manages volume creation and deletion on storage arrays.
Workflow service (mistral) The OpenStack service that provides a simple YAML-based language to write workflows (tasks and transition rules) and a service that allows users to upload, modify, and run them at scale and in a highly available manner, and to manage and monitor workflow execution state and the state of individual tasks.

X.509 X.509 is the most widely used standard for defining digital certificates. It is a data structure that contains the subject (entity) identifiable information such as its name along with its public key. The certificate can contain a few other attributes as well depending upon the version. The most recent and standard version of X.509 is v3.
Xen Xen is a hypervisor using a microkernel design, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently.
Xen API The Xen administrative API, which is supported by Compute.
Xen Cloud Platform (XCP) An OpenStack-supported hypervisor.
Xen Storage Manager Volume Driver A Block Storage volume plug-in that enables communication with the Xen Storage Manager API.
XenServer An OpenStack-supported hypervisor.
XFS High-performance 64-bit file system created by Silicon Graphics. Excels in parallel I/O operations and data consistency.

zaqar Codename for the Message service.
ZeroMQ Message queue software supported by OpenStack. An alternative to RabbitMQ. Also spelled 0MQ.
Zuul Tool used in OpenStack development to ensure correctly ordered testing of changes in parallel.

INDEX

Non-alphabetical
6to4, 56

A
absolute limit, 56
access control list (ACL), 56
access key, 56
account, 56
account auditor, 56
account database, 57
account reaper, 57
account server, 57
account service, 57
accounting, 57
Active Directory, 57
active/active configuration, 57
active/passive configuration, 57
address pool, 57
Address Resolution Protocol (ARP), 57
admin API, 57
admin server, 57
administrator, 57
Advanced Message Queuing Protocol (AMQP), 57
Advanced RISC Machine (ARM), 57
alert, 57
allocate, 57
Amazon Kernel Image (AKI), 57
Amazon Machine Image (AMI), 57
Amazon Ramdisk Image (ARI), 57
Anvil, 57
aodh, 58
Apache, 58
Apache License 2.0, 58
Apache Web Server, 58
API endpoint, 58
API extension, 58
API extension plug-in, 58
API key, 58
API server, 58
API token, 58
API version, 58
applet, 58
Application Catalog service (murano), 58
Application Programming Interface (API), 58
application server, 58
Application Service Provider (ASP), 58
arptables, 58
associate, 58
Asynchronous JavaScript and XML (AJAX), 58
ATA over Ethernet (AoE), 58
attach, 58
attachment (network), 58
auditing, 58
auditor, 59
Austin, 59
auth node, 59
authentication, 59
authentication token, 59
AuthN, 59
authorization, 59
authorization node, 59
AuthZ, 59
Auto ACK, 59
auto declare, 59
availability zone, 59
AWS CloudFormation template, 59

B
back end, 59
back-end catalog, 59
back-end store, 59
Backup, Restore, and Disaster Recovery service (freezer), 59
bandwidth, 59
barbican, 59
bare, 59
Bare Metal service (ironic), 60
base image, 60
Bell-LaPadula model, 60

Benchmark service (rally), 60
Bexar, 60
binary, 60
bit, 60
bits per second (BPS), 60
block device, 60
block migration, 60
Block Storage API, 60
Block Storage service (cinder), 60
BMC (Baseboard Management Controller), 60
bootable disk image, 60
Bootstrap Protocol (BOOTP), 60
Border Gateway Protocol (BGP), 60
browser, 60
builder file, 60
bursting, 61
button class, 61
byte, 61

C
cache pruner, 61
Cactus, 61
CALL, 61
capability, 61
capacity cache, 61
capacity updater, 61
CAST, 61
catalog, 61
catalog service, 61
ceilometer, 61
cell, 61
cell forwarding, 61
cell manager, 61
CentOS, 61
Ceph, 61
CephFS, 61
certificate authority (CA), 62
Challenge-Handshake Authentication Protocol (CHAP), 62
chance scheduler, 62
changes since, 62
Chef, 62
child cell, 62
cinder, 62
CirrOS, 62
Cisco neutron plug-in, 62
cloud architect, 62
Cloud Auditing Data Federation (CADF), 62
cloud computing, 62
cloud controller, 62
cloud controller node, 62
Cloud Data Management Interface (CDMI), 62
Cloud Infrastructure Management Interface (CIMI), 62
cloudadmin, 62
Cloudbase-Init, 62
cloud-init, 62
cloudpipe, 62
cloudpipe image, 63
Clustering service (senlin), 63
command filter, 63
Common Internet File System (CIFS), 63
Common Libraries (oslo), 63
community project, 63
compression, 63
Compute API (Nova API), 63
compute controller, 63
compute host, 63
compute node, 63
Compute service (nova), 63
compute worker, 63
concatenated object, 63
conductor, 63
congress, 63
consistency window, 63
console log, 63
container, 63
container auditor, 63
container database, 64
container format, 64
Container Infrastructure Management service (magnum), 64
container server, 64
container service, 64
content delivery network (CDN), 64
controller node, 64
core API, 64
core service, 64
cost, 64
credentials, 64
CRL, 64
Cross-Origin Resource Sharing (CORS), 64
Crowbar, 64
current workload, 64
customer, 64
customization module, 64

D
daemon, 64
Dashboard (horizon), 64
data encryption, 65

Data loss prevention (DLP) software, 65
Data Processing service (sahara), 65
data store, 65
database ID, 65
database replicator, 65
Database service (trove), 65
deallocate, 65
Debian, 65
deduplication, 65
default panel, 65
default project, 65
default token, 65
delayed delete, 65
delivery mode, 65
denial of service (DoS), 65
deprecated auth, 65
designate, 65
Desktop-as-a-Service, 65
developer, 65
device ID, 65
device weight, 65
DevStack, 66
DHCP agent, 66
Diablo, 66
direct consumer, 66
direct exchange, 66
direct publisher, 66
disassociate, 66
Discretionary Access Control (DAC), 66
disk encryption, 66
disk format, 66
dispersion, 66
distributed virtual router (DVR), 66
Django, 66
DNS record, 66
DNS service (designate), 66
dnsmasq, 66
domain, 66
Domain Name System (DNS), 66
download, 67
durable exchange, 67
durable queue, 67
Dynamic Host Configuration Protocol (DHCP), 67
Dynamic HyperText Markup Language (DHTML), 67

E
east-west traffic, 67
EBS boot volume, 67
ebtables, 67
EC2, 67
EC2 access key, 67
EC2 API, 67
EC2 Compatibility API, 67
EC2 secret key, 67
Elastic Block Storage (EBS), 67
encapsulation, 67
encryption, 67
endpoint, 67
endpoint registry, 67
endpoint template, 67
entity, 68
ephemeral image, 68
ephemeral volume, 68
Essex, 68
ESXi, 68
ETag, 68
euca2ools, 68
Eucalyptus Kernel Image (EKI), 68
Eucalyptus Machine Image (EMI), 68
Eucalyptus Ramdisk Image (ERI), 68
evacuate, 68
exchange, 68
exchange type, 68
exclusive queue, 68
extended attributes (xattr), 68
extension, 68
external network, 68
extra specs, 68

F
FakeLDAP, 68
fan-out exchange, 68
federated identity, 68
Fedora, 68
Fibre Channel, 69
Fibre Channel over Ethernet (FCoE), 69
fill-first scheduler, 69
filter, 69
firewall, 69
FireWall-as-a-Service (FWaaS), 69
fixed IP address, 69
Flat Manager, 69
flat mode injection, 69
flat network, 69
FlatDHCP Manager, 69
flavor, 69
flavor ID, 69
floating IP address, 69
Folsom, 69
FormPost, 69

freezer, 69
front end, 69

G
gateway, 69
generic receive offload (GRO), 69
generic routing encapsulation (GRE), 70
glance, 70
glance API server, 70
glance registry, 70
global endpoint template, 70
GlusterFS, 70
gnocchi, 70
golden image, 70
Governance service (congress), 70
Graphic Interchange Format (GIF), 70
Graphics Processing Unit (GPU), 70
Green Threads, 70
Grizzly, 70
Group, 70
guest OS, 70

H
Hadoop, 70
Hadoop Distributed File System (HDFS), 70
handover, 70
HAProxy, 70
hard reboot, 70
Havana, 70
health monitor, 70
heat, 71
Heat Orchestration Template (HOT), 71
high availability (HA), 71
horizon, 71
horizon plug-in, 71
host, 71
host aggregate, 71
Host Bus Adapter (HBA), 71
hybrid cloud, 71
hyperlink, 71
Hypertext Transfer Protocol (HTTP), 71
Hypertext Transfer Protocol Secure (HTTPS), 71
Hyper-V, 71
hypervisor, 71
hypervisor pool, 71

I
Icehouse, 71
ID number, 71
Identity API, 71
Identity back end, 71
identity provider, 72
Identity service (keystone), 72
Identity service API, 72
IETF, 72
image, 72
Image API, 72
image cache, 72
image ID, 72
image membership, 72
image owner, 72
image registry, 72
Image service (glance), 72
image status, 72
image store, 72
image UUID, 72
incubated project, 72
Infrastructure Optimization service (watcher), 72
Infrastructure-as-a-Service (IaaS), 72
ingress filtering, 72
INI format, 72
injection, 73
Input/Output Operations Per Second (IOPS), 73
instance, 73
instance ID, 73
instance state, 73
instance tunnels network, 73
instance type, 73
instance type ID, 73
instance UUID, 73
Intelligent Platform Management Interface (IPMI), 73
interface, 73
interface ID, 73
Internet Control Message Protocol (ICMP), 73
Internet protocol (IP), 73
Internet Service Provider (ISP), 73
Internet Small Computer System Interface (iSCSI), 73
IP address, 73
IP Address Management (IPAM), 73
ip6tables, 73
ipset, 73
iptables, 73
ironic, 74
iSCSI Qualified Name (IQN), 74
ISO9660, 74
itsec, 74

J
Java, 74
JavaScript, 74
JavaScript Object Notation (JSON), 74
jumbo frame, 74
Juno, 74

K
Kerberos, 74
kernel-based VM (KVM), 74
Key Manager service (barbican), 74
keystone, 74
Kickstart, 74
Kilo, 74

L
large object, 74
Launchpad, 75
Layer-2 (L2) agent, 75
Layer-2 network, 75
Layer-3 (L3) agent, 75
Layer-3 network, 75
Liberty, 75
libvirt, 75
Lightweight Directory Access Protocol (LDAP), 75
Linux, 75
Linux bridge, 75
Linux Bridge neutron plug-in, 75
Linux containers (LXC), 75
live migration, 75
load balancer, 75
load balancing, 75
Load-Balancer-as-a-Service (LBaaS), 75
Load-balancing service (octavia), 75
Logical Volume Manager (LVM), 75

M
magnum, 75
management API, 75
management network, 75
manager, 75
manifest, 76
manifest object, 76
manila, 76
manila-share, 76
maximum transmission unit (MTU), 76
mechanism driver, 76
melange, 76
membership, 76
membership list, 76
memcached, 76
memory overcommit, 76
message broker, 76
message bus, 76
message queue, 76
Message service (zaqar), 76
Metadata agent, 76
Meta-Data Server (MDS), 76
migration, 76
mistral, 76
Mitaka, 76
Modular Layer 2 (ML2) neutron plug-in, 76
monasca, 76
Monitor (LBaaS), 76
Monitor (Mon), 76
Monitoring (monasca), 77
multi-factor authentication, 77
multi-host, 77
multinic, 77
murano, 77

N
Nebula, 77
netadmin, 77
NetApp volume driver, 77
network, 77
Network Address Translation (NAT), 77
network controller, 77
Network File System (NFS), 77
network ID, 77
network manager, 77
network namespace, 77
network node, 77
network segment, 77
Network Service Header (NSH), 77
Network Time Protocol (NTP), 77
network UUID, 77
network worker, 78
Networking API (Neutron API), 78
Networking service (neutron), 78
neutron, 78
neutron API, 78
neutron manager, 78
neutron plug-in, 78
Newton, 78
Nexenta volume driver, 78
NFV Orchestration Service (tacker), 78
Nginx, 78
No ACK, 78
node, 78

non-durable exchange, 78
non-durable queue, 78
non-persistent volume, 78
north-south traffic, 78
nova, 78
Nova API, 78
nova-network, 78

O
object, 78
object auditor, 78
object expiration, 79
object hash, 79
object path hash, 79
object replicator, 79
object server, 79
Object Storage API, 79
Object Storage Device (OSD), 79
Object Storage service (swift), 79
object versioning, 79
Ocata, 79
Octavia, 79
Oldie, 79
Open Cloud Computing Interface (OCCI), 79
Open Virtualization Format (OVF), 79
Open vSwitch, 79
Open vSwitch (OVS) agent, 79
Open vSwitch neutron plug-in, 79
OpenLDAP, 79
OpenStack, 79
OpenStack code name, 79
openSUSE, 79
operator, 79
optional service, 80
Orchestration service (heat), 80
orphan, 80
Oslo, 80

P
panko, 80
parent cell, 80
partition, 80
partition index, 80
partition shift value, 80
path MTU discovery (PMTUD), 80
pause, 80
PCI passthrough, 80
persistent message, 80
persistent volume, 80
personality file, 80
Pike, 80
Platform-as-a-Service (PaaS), 80
plug-in, 80
policy service, 80
policy-based routing (PBR), 80
pool, 81
pool member, 81
port, 81
port UUID, 81
preseed, 81
private image, 81
private IP address, 81
private network, 81
project, 81
project ID, 81
project VPN, 81
promiscuous mode, 81
protected property, 81
provider, 81
proxy node, 81
proxy server, 81
public API, 81
public image, 81
public IP address, 81
public key authentication, 81
public network, 81
Puppet, 81
Python, 81

Q
QEMU Copy On Write 2 (QCOW2), 82
Qpid, 82
Quality of Service (QoS), 82
quarantine, 82
Queens, 82
Quick EMUlator (QEMU), 82
quota, 82

R
RabbitMQ, 82
Rackspace Cloud Files, 82
RADOS Block Device (RBD), 82
radvd, 82
rally, 82
RAM filter, 82
RAM overcommit, 82
rate limit, 82
raw, 82
rebalance, 82
reboot, 82
rebuild, 82
Recon, 83
record, 83
record ID, 83

Red Hat Enterprise Linux (RHEL), 83
reference architecture, 83
region, 83
registry, 83
registry server, 83
Reliable, Autonomic Distributed Object Store, 83
Remote Procedure Call (RPC), 83
replica, 83
replica count, 83
replication, 83
replicator, 83
request ID, 83
rescue image, 83
resize, 83
RESTful, 83
ring, 83
ring builder, 83
Rocky, 83
role, 83
Role Based Access Control (RBAC), 84
role ID, 84
Root Cause Analysis (RCA) service (Vitrage), 84
rootwrap, 84
round-robin scheduler, 84
router, 84
routing key, 84
RPC driver, 84
rsync, 84
RXTX cap, 84
RXTX quota, 84

S
sahara, 84
SAML assertion, 84
scheduler manager, 84
scoped token, 84
scrubber, 84
secret key, 84
secure boot, 84
secure shell (SSH), 84
security group, 84
segmented object, 84
self-service, 84
SELinux, 85
senlin, 85
server, 85
server image, 85
server UUID, 85
service, 85
service catalog, 85
Service Function Chain (SFC), 85
service ID, 85
Service Level Agreement (SLA), 85
service project, 85
service provider, 85
service registration, 85
service token, 85
session back end, 85
session persistence, 85
session storage, 85
share, 85
share network, 85
Shared File Systems API, 85
Shared File Systems service (manila), 85
shared IP address, 86
shared IP group, 86
shared storage, 86
Sheepdog, 86
Simple Cloud Identity Management (SCIM), 86
Simple Protocol for Independent Computing Environments (SPICE), 86
Single-root I/O Virtualization (SR-IOV), 86
SmokeStack, 86
snapshot, 86
soft reboot, 86
Software Development Lifecycle Automation service (solum), 86
Software-defined networking (SDN), 86
SolidFire Volume Driver, 86
solum, 86
spread-first scheduler, 86
SQLAlchemy, 86
SQLite, 86
stack, 86
StackTach, 86
static IP address, 86
StaticWeb, 87
Stein, 87
storage back end, 87
storage manager, 87
storage manager back end, 87
storage node, 87
storage services, 87
strategy, 87
subdomain, 87
subnet, 87
SUSE Linux Enterprise Server (SLES), 87
suspend, 87


swap, 87
swauth, 87
swift, 87
swift All in One (SAIO), 87
swift middleware, 87
swift proxy server, 87
swift storage node, 87
sync point, 87
sysadmin, 87
system usage, 87

T
tacker, 87
Telemetry service (telemetry), 88
TempAuth, 88
Tempest, 88
TempURL, 88
tenant, 88
Tenant API, 88
tenant endpoint, 88
tenant ID, 88
token, 88
token services, 88
tombstone, 88
topic publisher, 88
Torpedo, 88
Train, 88
transaction ID, 88
transient, 88
transient exchange, 88
transient message, 88
transient queue, 88
TripleO, 88
trove, 88
trusted platform module (TPM), 88

U
Ubuntu, 89
unscoped token, 89
updater, 89
user, 89
user data, 89
User Mode Linux (UML), 89

V
VIF UUID, 89
Virtual Central Processing Unit (vCPU), 89
Virtual Disk Image (VDI), 89
Virtual Extensible LAN (VXLAN), 89
Virtual Hard Disk (VHD), 89
virtual IP address (VIP), 89
virtual machine (VM), 89
virtual network, 89
Virtual Network Computing (VNC), 89
Virtual Network InterFace (VIF), 89
virtual networking, 89
virtual port, 89
virtual private network (VPN), 89
virtual server, 89
virtual switch (vSwitch), 89
virtual VLAN, 90
VirtualBox, 90
Vitrage, 90
VLAN manager, 90
VLAN network, 90
VM disk (VMDK), 90
VM image, 90
VM Remote Control (VMRC), 90
VMware API, 90
VMware NSX Neutron plug-in, 90
VNC proxy, 90
volume, 90
Volume API, 90
volume controller, 90
volume driver, 90
volume ID, 90
volume manager, 90
volume node, 90
volume plug-in, 90
volume worker, 90
vSphere, 90

W
Watcher, 90
weight, 90
weighted cost, 90
weighting, 91
worker, 91
Workflow service (mistral), 91

X
X.509, 91
Xen, 91
Xen API, 91
Xen Cloud Platform (XCP), 91
Xen Storage Manager Volume Driver, 91
XenServer, 91
XFS, 91

Z
zaqar, 91
ZeroMQ, 91
Zuul, 91
