Manage images


An image is a file that stores the file structure and entire content of a storage unit such as a volume, hard disk drive, DVD or USB flash drive. The image contains the files, folders, and properties of the disk and is stored in a format that depends on the environment used.

An image is a disk copy made via raw device input/output operations rather than via the file system. A snapshot, on the other hand, can be considered an on-the-fly copy or "mirror" of the file system that is located on the disk volume. This is typically a virtual copy that maintains dependence on the original data.

Images are useful for backups and distribution of large software structures, including operating systems:

  • templates: an image contains the folder structure all the files on a storage unit, so system restoration from an image can therefore be done very quickly.

  • software distribution: an image can include the actual configuration, runtime environment and possibly a boot sector and is therefore a convenient way to distribute software.

Using the OpenStack client (more specifically, the Glance API), we can create an image from another image (for example, a custom operating system) or a volume, to have a single-file backup copy.

When creating an image, we need to supply an image name, source file or disk volume, and image format. The created image is private by default, but can be shared with other projects.

Build custom image

A custom image for use with OpenStack, such as a modified or configured operating system or some other bootable software, need to be built on the client side before being uploading to the cloud. An image need to support SSH access with key pair injection and specific networking and boot loader requirements. Image requirements and creation are described in the OpenStack image guide.

Create image

From the OpenStack client (or the Horizon GUI), an image can be uploaded to the Image service (Glance). In case of an operating system image, a VM compute instance can then be booted from it. The OpenStack commands described can take a number of optional arguments, most of which have been omitted in the text. For more details on command arguments, please refer to the OpenStack documentation.

Create and upload image

To deploy an operating system not represented by the public images available in the tenant, say a different flavor of Linux, it is possible to create or upload a pre-built image. This is typically the smallest possible base image. For example, the Fedora Cloud Base can be uploaded and used as an image. The OpenStack guide contains information on how to create images with different operating systems.

It is also possible to create an image from a modified ISO file and upload it to the image service. The source OS should then be verified and be sufficiently hardened.

Images are also useful to move data. An image can be created from a volume, moved to another tenant and a new volume created from it. The disk format and the container format must be raw and bare (default).

The image is created on the tenant by the command

openstack image create --file <source-name> --disk-format raw --container-format bare <name>

As naming convention for <name>, it is good practice to give the image a name that clearly indicates the source. Confirm successful upload with the command

openstack image list

Note that in general, the raw format is preferred even if the qcow2 format is supported in the Beryllium release. In Boron, only raw format is supported.

Image security best practices include

  • an image should not treated as a backup

  • do not store sensitive information within the image

  • do not overshare images (do not share it as public unless necessary, or to non trusted tenants)

  • perform image hardening using best practices and recommendations from software providers (Ubuntu, Red Hat, etc.) or from independent organizations (CIS Security)

  • keep the hygiene of the image by cleaning it from runtime data (such as authorized_hosts, logs, temporary files, bash history, etc.)

For general security aspects, see

Create image from volume

An image can be moved around rather easily, and it can be used to copy the entire `content of a volume. To create an image from a volume (also known as volume-backed image or image-volume), the volume first needs to be detached from the server. The status of all volumes is given by

openstack volume list

When the volume status is in-use, it needs to be detached after which the status column will show available. Detaching the volume from an instance is done by the command

openstack server remove volume <server-id> <volume-id>

The image is created directly from the OpenStack client with the volume name (or identity) and an image name (or identity) as arguments. It clones the specified volume and registers its location to a new image.

openstack image create --volume <volume-id> <image-name>

After the image has been fully created, which is indicated by the status field showing active in the printout from

openstack image list

it can be downloaded to the client’s working directory by

openstack image save --file <image-name>.raw <image-id>

where the extension .raw has been added to show the image disk format. A more convenient command which also shows a progress bar is

glance image-download --file <image-name>.raw --progress <image-id>

since the transfer takes some time to complete.

Create image from server

An image can also be created directly from a running server. The server image is a disk image that is created in the image store. The command is

openstack server image create --name=<image-name> <server-id>

where <image-name> is a name given to the image, and <server-id> is the name or id of the server being copied. While being created, the image is in the status queued. When finished and in status active, the image can be downloaded or used to create a new server instance.

Delete image

Deletion of images is performed with openstack image delete, passing the image identity as argument. The deletion is permanent and cannot be undone. Only users with appropriate permissions (such as image ownership) can delete images.

Find the image identity <image-id> of the image to be deleted with

openstack image list

Then run

openstack image delete <image-id>