How To Install OpenStack on Debian 13

OpenStack represents the pinnacle of open-source cloud computing infrastructure, transforming ordinary servers into powerful private cloud platforms. With Debian 13 (Trixie) delivering enhanced stability and performance, system administrators now have an ideal foundation for deploying robust OpenStack environments. This comprehensive guide walks through the complete installation process, from initial system preparation to launching virtual machines on your private cloud infrastructure.

Building a private cloud with OpenStack on Debian 13 offers unparalleled control over computing resources while maintaining the flexibility to scale as requirements grow. Whether deploying for development testing, educational purposes, or small-scale production environments, this installation method provides a solid foundation for cloud infrastructure management.

Understanding OpenStack Architecture

OpenStack operates through a collection of interconnected services, each handling specific aspects of cloud infrastructure management. The core components work together seamlessly to provide compute, storage, networking, and identity management capabilities.

Nova serves as the compute service, managing virtual machine lifecycles and providing the primary interface for launching instances. Keystone handles identity and access management, authenticating users and services while managing permissions across the entire cloud platform. Glance functions as the image service, storing and retrieving virtual machine images that serve as templates for new instances.

Neutron manages networking services, creating virtual networks, routers, and security groups that connect instances while maintaining isolation between different projects. These services depend on each other in a specific hierarchy, with Keystone forming the foundation for authentication, followed by Glance for image management, Nova for compute resources, and Neutron for networking connectivity.

Single-node deployments offer simplicity for testing and development environments, while multi-node configurations provide scalability for production workloads. Debian 13’s improved package management and enhanced security features make it particularly well-suited for OpenStack deployments.

System Requirements and Prerequisites

Hardware Requirements

OpenStack installation demands adequate hardware resources to ensure optimal performance across all services. The minimum system specifications include 8GB RAM, though 16GB provides better performance for multiple virtual machines. Four CPU cores represent the absolute minimum, with at least two cores supporting hardware virtualization extensions (VT-x for Intel or AMD-V for AMD processors).

Storage requirements vary based on intended usage, with 200GB representing the minimum for system files and initial virtual machine images. Production environments benefit from 500GB or more, preferably using SSD storage for improved I/O performance. Network interface cards should support Gigabit Ethernet, with multiple interfaces recommended for separating management, tenant, and external traffic.

Hardware virtualization must be enabled in BIOS settings, allowing KVM hypervisor to create and manage virtual machines efficiently. Modern processors typically include these extensions by default, but verification ensures optimal performance.

Software Prerequisites

Fresh Debian 13 (Trixie) installation provides the cleanest foundation for OpenStack deployment, minimizing potential conflicts with existing software packages. The installation should include SSH server access for remote management and basic networking configuration.

User account configuration requires sudo privileges for system administration tasks. Python 3 and essential development tools come pre-installed with Debian 13, but additional packages may be needed during the installation process. Internet connectivity enables package downloads and repository access throughout the installation procedure.

Time synchronization proves critical for OpenStack services, as authentication tokens and database operations depend on accurate timestamps across all components. Network connectivity should provide reliable access to Debian repositories and external resources required during installation.

Preparing the Debian 13 Environment

Initial System Setup

System preparation begins with hostname configuration, establishing the server’s identity within the network infrastructure. Execute the following command to set a fully qualified domain name:

sudo hostnamectl set-hostname openstack.example.com

Edit the /etc/hosts file to map the server’s IP address to the configured hostname, ensuring proper name resolution for OpenStack services:

sudo nano /etc/hosts

Add the following line, replacing the IP address with your server’s actual address:

192.168.1.100 openstack.example.com openstack

System updates ensure all packages use the latest versions with security patches applied:

sudo apt update && sudo apt upgrade -y

Time synchronization configuration prevents authentication failures and ensures consistent logging across services:

sudo nano /etc/systemd/timesyncd.conf

Configure NTP servers in the timesyncd configuration:

[Time]
NTP=pool.ntp.org

Restart and enable the time synchronization service:

sudo systemctl restart systemd-timesyncd
sudo systemctl enable systemd-timesyncd

Repository Configuration

Debian 13 package management requires proper repository configuration to access OpenStack packages and dependencies. The default repository configuration may need modification to include additional sources.

Create a new sources file for OpenStack repositories:

sudo nano /etc/apt/sources.list.d/debian.sources

Add the following configuration to enable access to main repositories and security updates:

Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://security.debian.org/debian-security
Suites: trixie-security  
Components: main non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Update package indexes to reflect the new repository configuration:

sudo apt update

Firewall and Security Setup

UFW firewall configuration provides essential security while allowing necessary OpenStack service communication. Install and configure UFW with appropriate rules for OpenStack services:

sudo apt install ufw -y
sudo ufw enable

Configure firewall rules for essential OpenStack services:

# SSH access
sudo ufw allow 22/tcp

# Keystone Identity Service
sudo ufw allow 5000/tcp
sudo ufw allow 35357/tcp

# Glance Image Service
sudo ufw allow 9292/tcp

# Nova Compute Service
sudo ufw allow 8774/tcp
sudo ufw allow 8775/tcp

# Neutron Networking
sudo ufw allow 9696/tcp

# Horizon Dashboard
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# VNC Console Access
sudo ufw allow 6080/tcp

Security policies should restrict access to management interfaces while allowing necessary inter-service communication.

Installation Methods Overview

OpenStack deployment offers several approaches, each suited to different use cases and environments. Manual installation provides maximum control and understanding of component interactions, making it ideal for learning environments and custom configurations.

DevStack simplifies development and testing deployments through automated scripts that handle service configuration and dependency management. This approach works well for developers and those seeking rapid prototype environments.

The Debian OpenStack Cluster Installer (OCI) represents the official Debian approach, providing integrated package management and configuration tools specifically designed for Debian environments. OCI offers the advantage of seamless integration with Debian’s package management system while maintaining update compatibility.

For production deployments, manual installation with proper configuration management tools provides the most reliable and maintainable solution. Development and testing environments benefit from DevStack’s rapid deployment capabilities.

Core Services Installation

Database and Message Queue Setup

MariaDB serves as the primary database backend for OpenStack services, storing configuration data, user information, and service states. Install and configure MariaDB with appropriate security settings:

sudo apt install mariadb-server python3-pymysql -y

Secure the MariaDB installation:

sudo mysql_secure_installation

Create a configuration file for OpenStack database requirements:

sudo nano /etc/mysql/mariadb.conf.d/99-openstack.cnf

Add the following configuration:

[mysqld]
bind-address = 192.168.1.100
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

Restart MariaDB to apply configuration changes:

sudo systemctl restart mariadb

RabbitMQ provides message queuing services for inter-service communication within OpenStack. Install and configure RabbitMQ with appropriate permissions:

sudo apt install rabbitmq-server -y
sudo systemctl enable rabbitmq-server
sudo systemctl start rabbitmq-server

Create an OpenStack user for RabbitMQ:

sudo rabbitmqctl add_user openstack RABBIT_PASS
sudo rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Memcached installation provides session caching and token storage for improved performance:

sudo apt install memcached python3-memcache -y

Configure Memcached to listen on the management interface:

sudo nano /etc/memcached.conf

Modify the listening address:

-l 192.168.1.100

Restart Memcached:

sudo systemctl restart memcached

Keystone Identity Service

Keystone forms the foundation of OpenStack authentication and authorization, managing users, projects, and service endpoints. Database preparation begins the Keystone installation process:

sudo mysql

Create the Keystone database and user:

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
EXIT;

Install Keystone packages:

sudo apt install keystone -y

Configure Keystone by editing the main configuration file:

sudo nano /etc/keystone/keystone.conf

Key configuration sections include database connection and token provider settings:

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@192.168.1.100/keystone

[token]  
provider = fernet

Populate the Keystone database:

sudo -s
keystone-manage db_sync
exit

Initialize Fernet key repositories:

sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the identity service:

sudo keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://192.168.1.100:5000/v3/ \
  --bootstrap-internal-url http://192.168.1.100:5000/v3/ \
  --bootstrap-public-url http://192.168.1.100:5000/v3/ \
  --bootstrap-region-id RegionOne

Configure Apache HTTP server for Keystone:

echo "ServerName 192.168.1.100" | sudo tee -a /etc/apache2/apache2.conf
sudo systemctl restart apache2

Glance Image Service

Glance manages virtual machine images, providing storage and retrieval services for the OpenStack compute service. Database setup begins the installation process:

sudo mysql

Create Glance database and user:

CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'GLANCE_DBPASS';
EXIT;

Create OpenStack credentials environment:

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://192.168.1.100:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create the Glance service user and endpoints:

openstack user create --domain default --password GLANCE_PASS glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image

openstack endpoint create --region RegionOne image public http://192.168.1.100:9292
openstack endpoint create --region RegionOne image internal http://192.168.1.100:9292  
openstack endpoint create --region RegionOne image admin http://192.168.1.100:9292

Install Glance packages:

sudo apt install glance -y

Configure Glance API settings:

sudo nano /etc/glance/glance-api.conf

Essential configuration includes database connection, authentication, and storage settings:

[database]
connection = mysql+pymysql://glance:GLANCE_DBPASS@192.168.1.100/glance

[keystone_authtoken]
www_authenticate_uri = http://192.168.1.100:5000
auth_url = http://192.168.1.100:5000
memcached_servers = 192.168.1.100:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default  
project_name = service
username = glance
password = GLANCE_PASS

[paste_deploy]
flavor = keystone

[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/

Populate the Glance database:

sudo -s
glance-manage db_sync
exit

Restart Glance services:

sudo systemctl restart glance-api
sudo systemctl enable glance-api

Nova Compute Service

Nova provides compute resources through virtual machine management, handling instance lifecycle operations and resource allocation. The installation process requires both controller and compute node configurations:

Database preparation follows the established pattern:

sudo mysql

Create Nova databases:

CREATE DATABASE nova_api;
CREATE DATABASE nova;
CREATE DATABASE nova_cell0;

GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
EXIT;

Create Nova service user and endpoints:

openstack user create --domain default --password NOVA_PASS nova
openstack role add --project service --user nova admin
openstack service create --name nova --description "OpenStack Compute" compute

openstack endpoint create --region RegionOne compute public http://192.168.1.100:8774/v2.1
openstack endpoint create --region RegionOne compute internal http://192.168.1.100:8774/v2.1
openstack endpoint create --region RegionOne compute admin http://192.168.1.100:8774/v2.1

Install Nova packages:

sudo apt install nova-api nova-conductor nova-scheduler nova-novncproxy placement-api nova-compute -y

Configure Nova controller services:

sudo nano /etc/nova/nova.conf

The configuration includes database connections, message queue settings, and service authentication:

[api_database]
connection = mysql+pymysql://nova:NOVA_DBPASS@192.168.1.100/nova_api

[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@192.168.1.100/nova

[DEFAULT]
transport_url = rabbit://openstack:RABBIT_PASS@192.168.1.100:5672/
my_ip = 192.168.1.100
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[keystone_authtoken]
www_authenticate_uri = http://192.168.1.100:5000/
auth_url = http://192.168.1.100:5000/
memcached_servers = 192.168.1.100:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = NOVA_PASS

[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip

[glance]
api_servers = http://192.168.1.100:9292

[oslo_concurrency]
lock_path = /var/lib/nova/tmp

[placement]
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://192.168.1.100:5000/v3
username = placement
password = PLACEMENT_PASS

Populate Nova databases:

sudo -s
nova-manage api_db sync
nova-manage cell_v2 map_cell0
nova-manage cell_v2 create_cell --name=cell1 --verbose
nova-manage db sync
exit

Verify Nova cell configuration:

sudo nova-manage cell_v2 list_cells

Configure compute node for KVM virtualization:

sudo nano /etc/nova/nova-compute.conf

Add virtualization settings:

[libvirt]
virt_type = kvm

Restart Nova services:

sudo systemctl restart nova-api nova-scheduler nova-conductor nova-novncproxy nova-compute
sudo systemctl enable nova-api nova-scheduler nova-conductor nova-novncproxy nova-compute

Neutron Networking Service

Neutron provides networking services, creating virtual networks and managing connectivity between instances. Installation includes both server and agent components:

Database preparation follows the standard process:

sudo mysql

Create Neutron database:

CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';
EXIT;

Create Neutron service user and endpoints:

openstack user create --domain default --password NEUTRON_PASS neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network

openstack endpoint create --region RegionOne network public http://192.168.1.100:9696
openstack endpoint create --region RegionOne network internal http://192.168.1.100:9696
openstack endpoint create --region RegionOne network admin http://192.168.1.100:9696

Install Neutron packages:

sudo apt install neutron-server neutron-plugin-ml2 neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent -y

Configure Neutron server:

sudo nano /etc/neutron/neutron.conf

Primary configuration includes database connection and authentication:

[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@192.168.1.100/neutron

[DEFAULT]
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:RABBIT_PASS@192.168.1.100:5672/
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true

[keystone_authtoken]
www_authenticate_uri = http://192.168.1.100:5000
auth_url = http://192.168.1.100:5000
memcached_servers = 192.168.1.100:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = NEUTRON_PASS

[nova]
auth_url = http://192.168.1.100:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS

Configure ML2 plugin:

sudo nano /etc/neutron/plugins/ml2/ml2_conf.ini

Network type and mechanism settings:

[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security

[ml2_type_flat]
flat_networks = provider

[ml2_type_vxlan]
vni_ranges = 1:1000

[securitygroup]
enable_ipset = true

Configure Linux bridge agent:

sudo nano /etc/neutron/plugins/ml2/linuxbridge_agent.ini

Physical network mapping and security settings:

[linux_bridge]
physical_interface_mappings = provider:eno1

[vxlan]
enable_vxlan = true
local_ip = 192.168.1.100
l2_population = true

[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

Populate Neutron database:

sudo -s
neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
exit

Restart networking services:

sudo systemctl restart neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent
sudo systemctl enable neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent

Dashboard Installation and Configuration

Horizon provides a web-based interface for managing OpenStack resources, offering an intuitive alternative to command-line tools. Installation integrates with Apache HTTP server for web serving capabilities:

sudo apt install openstack-dashboard -y

Configure Horizon dashboard:

sudo nano /etc/openstack-dashboard/local_settings.py

Key configuration parameters include OpenStack service endpoints and session settings:

OPENSTACK_HOST = "192.168.1.100"
ALLOWED_HOSTS = ['*']

OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 3,
}

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"

TIME_ZONE = "UTC"

Restart Apache to apply configuration changes:

sudo systemctl restart apache2

Access the dashboard through a web browser at http://192.168.1.100/horizon using admin credentials configured during Keystone installation.

Post-Installation Configuration

Network Setup and Flavors

OpenStack flavors define virtual machine resource templates, specifying CPU, memory, and disk allocations for different instance types. Create basic flavors for testing and development purposes:

openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
openstack flavor create --id 1 --vcpus 1 --ram 512 --disk 1 m1.tiny  
openstack flavor create --id 2 --vcpus 1 --ram 2048 --disk 20 m1.small
openstack flavor create --id 3 --vcpus 2 --ram 4096 --disk 40 m1.medium

Provider network creation enables external connectivity for virtual machines:

openstack network create --share --external --provider-physical-network provider --provider-network-type flat provider

Create a subnet within the provider network:

openstack subnet create --network provider --allocation-pool start=192.168.1.200,end=192.168.1.250 --dns-nameserver 8.8.8.8 --gateway 192.168.1.1 --subnet-range 192.168.1.0/24 provider

Image Management

Virtual machine images serve as templates for launching instances. Download and upload a basic cloud image for testing purposes:

wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img

Upload the image to Glance:

openstack image create "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --public

Verify image availability:

openstack image list

Testing and Verification

SSH key pair generation enables secure access to launched instances:

openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey

Create a security group allowing SSH access:

openstack security group create allow_ssh
openstack security group rule create --protocol tcp --dst-port 22 allow_ssh

Launch a test instance to verify functionality:

openstack server create --flavor m1.nano --image cirros --nic net-id=provider --security-group allow_ssh --key-name mykey test-instance

Monitor instance status and obtain console access:

openstack server show test-instance
openstack console url show test-instance

Troubleshooting Common Issues

Service startup failures often result from configuration errors or dependency issues. Check service logs for specific error messages:

sudo journalctl -u nova-api
sudo journalctl -u neutron-server  
sudo journalctl -u keystone

Database connection problems typically involve authentication or network connectivity issues. Verify database credentials and network accessibility from the OpenStack services.

Network connectivity failures may require firewall rule verification and security group configuration review. Ensure that necessary ports remain open and security groups allow required traffic flows.

Log file analysis provides detailed information about service operations and error conditions:

sudo tail -f /var/log/nova/nova-api.log
sudo tail -f /var/log/neutron/neutron-server.log

Performance optimization involves memory allocation tuning, database connection pooling, and service worker configuration adjustments based on workload requirements.

Best Practices and Security

OpenStack security hardening begins with regular security updates and proper access control configuration. Implement strong passwords for all service accounts and enable SSL/TLS encryption for API endpoints where possible.

Regular backup procedures should include database dumps and configuration file archives. Automated backup scripts help maintain consistent backup schedules and facilitate disaster recovery planning.

Monitoring and logging setup provides visibility into system operations and security events. Configure centralized logging and implement alerting for critical service failures and security-related events.

Update and patch management requires coordination between OpenStack services and underlying system packages. Test updates in development environments before applying to production systems.

Advanced Topics and Next Steps

Scaling OpenStack deployments beyond single-node configurations involves additional compute nodes, dedicated network nodes, and storage cluster integration. Multi-node architectures provide improved performance and fault tolerance.

External storage integration enables advanced features like live migration and high availability. Ceph storage clusters provide scalable block, object, and file storage backends for OpenStack services.

Container orchestration integration allows OpenStack to work alongside Kubernetes and other container platforms, providing a complete cloud infrastructure solution.

Additional OpenStack services like Heat (orchestration), Cinder (block storage), and Swift (object storage) extend functionality beyond basic compute and networking capabilities.

The OpenStack community provides extensive documentation, forums, and support resources for continued learning and troubleshooting assistance.

Congratulations! You have successfully installed OpenStack. Thanks for using this tutorial for installing OpenStack on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official OpenStack website.