Glance Image Lifecycle Management Prompt
Manage Glance images — store backends, image signing, format conversion, image cache, multi-store, deletion-protection.
- Target user: OpenStack platform engineers managing Glance
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior OpenStack platform engineer with deep Glance experience — multi-store backends (file, Ceph RBD, Swift, S3), image signing for trusted boot, format conversion, image cache on compute nodes.

I will provide:
- The symptom (slow boot from image, image upload fails, signature verification fails, image stuck in `queued`, cache thrashing on compute)
- Glance backend configuration (single/multi-store)
- `openstack image show <id>` output
- `glance-api` log excerpts
- OpenStack release

Your job:

1. **Verify the Glance configuration**:
   - Backend stores (`[glance_store]` section in `glance-api.conf`)
   - Multi-store config: `stores`, `default_backend`
   - For Ceph: `rbd_store_user`, `rbd_store_pool`, `rbd_store_chunk_size`
   - For Swift: `swift_store_*` settings, auth, container
2. **For "image stuck in queued"**:
   - Upload finished but conversion / placement didn't complete
   - Common: format conversion (qcow2 → raw for RBD backend) failed
   - Check Glance API and worker logs
3. **For format conversion**:
   - `enable_image_conversion = True` + `image_conversion_format` (raw for Ceph)
   - Conversion runs at upload time; can take minutes for large images
   - Saves dramatic time when booting (raw on RBD is copy-on-write)
4. **For image signing**:
   - Sign with Barbican-stored key (or self-signed for test)
   - `os_hash_algo` and `os_hash_value` metadata
   - Nova validates signature on boot if `verify_glance_signatures = True` in nova.conf
   - Signature failures = boot blocked
5. **For image cache on compute** (`/var/lib/nova/instances/_base/`):
   - Compute fetches image from Glance on first boot per node
   - Subsequent boots from same image are local copy-on-write
   - Cache cleanup: `[image_cache] manager_interval`, `removal_unused_base_minimum_age_seconds`
   - Full disk → cache eviction storms
6. **For multi-store** (Antelope+):
   - Image can live in multiple stores; backends specified at upload
   - `openstack image add stores` to copy
   - Useful for cross-region / cross-AZ
7. **For deletion protection**:
   - `protected: True` flag prevents accidental delete
   - Set on golden / shared images
8. **For Glance image policies**:
   - Visibility: `public`, `private`, `shared`, `community`
   - Community: visible to all but not in default lists
   - Shared: explicitly to projects via `openstack image add project`

Mark DESTRUCTIVE: `openstack image delete` on shared images (breaks dependents), reducing image cache without freeing first, switching backend mid-deploy (existing images orphaned).

---

Symptom: [DESCRIBE]
OpenStack release: [DESCRIBE]
Glance backend: [file / Ceph / Swift / S3 / multi-store]

Image state:
```
[PASTE `openstack image show <id>`]
```

`glance-api` logs:
```
[PASTE]
```
Why this prompt works
Glance is “just images” until you hit multi-store, signing, or conversion at scale. This prompt walks the lifecycle and backend choices.
How to use it
- Always include backend type — Ceph vs file vs Swift have different debugging.
- For “stuck queued”, look at conversion + upload completion.
- For signature failures, verify Barbican and key chain.
- For cache issues, check compute-node disk usage.
Useful commands
```bash
# Image inventory
openstack image list --long
openstack image show <id>

# Upload with conversion
openstack image create --file disk.qcow2 \
  --disk-format qcow2 --container-format bare \
  --property hw_disk_bus=virtio \
  --property hw_qemu_guest_agent=yes \
  mycimage

# Multi-store: add to additional store
openstack image add stores --stores ceph,swift <image-id>

# Image signing (with Barbican)
# The padding used here must match img_signature_key_type below: openssl
# defaults to PKCS#1 v1.5, so PSS has to be requested explicitly.
openssl dgst -sha256 -sign signing-key.pem \
  -sigopt rsa_padding_mode:pss -out sig.bin disk.raw
SIG_B64=$(base64 -w0 sig.bin)
openstack image create \
  --file disk.raw --disk-format raw \
  --property img_signature="$SIG_B64" \
  --property img_signature_certificate_uuid="$BARBICAN_CERT_UUID" \
  --property img_signature_hash_method=SHA-256 \
  --property img_signature_key_type=RSA-PSS \
  signed-image

# Image cache on compute (sudo)
ls -la /var/lib/nova/instances/_base/
du -sh /var/lib/nova/instances/_base/*
sudo nova-manage image_cache age-records --details

# Force cache cleanup
sudo systemctl restart nova-compute # triggers cache reaper on next interval

# Glance settings (controller)
sudo grep -E "^enable_image|^image_conversion|^stores|^default" /etc/glance/glance-api.conf

# Logs
sudo journalctl -u glance-api -n 200 --no-pager
sudo journalctl -u glance-worker -n 200 --no-pager
```
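A local pre-upload check for the signing step above, as an added example that is not part of the original page: it signs a constructed test image with a throwaway key, once with PSS padding and once with openssl's default PKCS#1 v1.5 padding, and shows that only the PSS signature passes the RSA-PSS verification that `img_signature_key_type=RSA-PSS` declares. The function names, file names and key are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: verify a Glance image signature locally before upload.
# File names and the key are constructed test fixtures, not values from the page.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: a 64 KiB stand-in image and a throwaway RSA key pair.
# For a real image, take pub.pem from the signing certificate instead:
#   openssl x509 -in signing-cert.pem -pubkey -noout > pub.pem
make_fixture() {
  head -c 65536 /dev/urandom > "$WORK/disk.raw"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signing-key.pem" 2>/dev/null
  openssl pkey -in "$WORK/signing-key.pem" -pubout -out "$WORK/pub.pem"
}

# sign_image <pss|pkcs1> <sig-file>: SHA-256 signature with the chosen padding.
sign_image() {
  if [ "$1" = pss ]; then
    openssl dgst -sha256 -sign "$WORK/signing-key.pem" \
      -sigopt rsa_padding_mode:pss -out "$2" "$WORK/disk.raw"
  else  # openssl's default RSA padding is PKCS#1 v1.5
    openssl dgst -sha256 -sign "$WORK/signing-key.pem" -out "$2" "$WORK/disk.raw"
  fi
}

# verify_pss <sig-file> [image]: exit 0 only for a valid SHA-256 RSA-PSS signature.
verify_pss() {
  openssl dgst -sha256 -verify "$WORK/pub.pem" -sigopt rsa_padding_mode:pss \
    -signature "$1" "${2:-$WORK/disk.raw}" >/dev/null 2>&1
}

# sig_property <sig-file>: single-line base64 value for the img_signature property.
sig_property() { base64 -w0 "$1"; }

make_fixture
sign_image pss   "$WORK/pss.sig"
sign_image pkcs1 "$WORK/v15.sig"
for s in pss v15; do
  if verify_pss "$WORK/$s.sig"; then
    echo "$s.sig: valid RSA-PSS, img_signature=$(sig_property "$WORK/$s.sig" | cut -c1-16)..."
  else
    echo "$s.sig: not a valid RSA-PSS signature, do not upload as RSA-PSS"
  fi
done
```

Running the same `verify_pss` call against the real image and the public key from the signing certificate catches a padding or key mismatch before `openstack image create`, rather than at boot time when Nova blocks the instance.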
Common findings this catches
- qcow2 boot slow on RBD backend → enable conversion to raw on upload.
- Image stuck queued > 10 min → conversion failed; check worker logs.
- Signature verification fails → Barbican cert UUID wrong or key chain broken.
- `/var/lib/nova/instances` full on compute → cache eviction blocked; tune `removal_unused_base_minimum_age_seconds`.
- Public image accidentally → reset visibility to `private` or `shared`.
- Image upload OOM → Glance worker resources too small for large images.
- Multi-store image only in one store after add → `add stores` async; check status.
When to escalate
- Barbican / key management issues — engage security team.
- Ceph backend performance — engage storage team; tune RBD chunk size.
- Mass image migration between stores — staged plan with capacity considerations.