Thursday, 2018-08-02

*** dr_gogeta86 has quit IRC00:04
*** dr_gogeta86 has joined #openstack-swift00:07
*** gyee has quit IRC00:11
itlinux_DHE: it asked me to verify again..00:13
itlinux_not cool! since I was just on00:13
mattoliverauitlinux_: Swift (via keystone auth) only really has 2 types of users, or rather 3. Users who match as an operator, match as a reseller_admin and those who don't match. The first has access to the projects account, the second have access to every account and the last need to be given access via ACLs by the operators to access certain containers.00:32
mattoliverauitlinux_: the 'operator_roles' in the keystone middleware, simply says what keystone roles will map users to the first00:33
mattoliverauthe 'reseller_admin_role' says which keystone role maps to the second00:33
mattoliverauso in your example, 'operator_roles = admin, swiftoperator' just means anyone in the keystone roles admin or swiftoperator will be given swift_operator privilige.00:34
mattoliverauSo from a swift POV there is no difference.00:34
itlinux_so operator is user who can consume, create containers00:35
mattoliverauyes, for their projects account.00:36
itlinux_does the map identify that the user is admin and gets admin permissions?00:36
mattoliverauyour getting confused with whats in the list. which is just a map to keystone roles00:36
itlinux_or they still considered as operators00:36
mattoliverauanyone in a keystone role what appears in the 'operator_roles' list will be a swift operator00:37
mattoliverauanyone in the keystone role 'reseller_admin_role' will be an reseller admin00:37
mattoliverauanyone in the keystone role that appears in 'reseller_admin_role' will be an reseller admin00:38
itlinux_ahh ok so I now have one called swiftuser, and I create it in keystone which does nothing within openstack but user can consume since I added that user to the operators which means they can create and delete ttheir own conttainers, objects..00:38
itlinux_how do I check if the admin is mapped to reseller_admin?00:39
itlinux_since the proxy-server.conf does not show any admin just shows operator_roles..00:40
mattoliverauyeah, they can create containers and objects in the account they're tenant is. So everyone in the project that has the swiftuser group (in keystone) will be able to create/delete containers and objects in the AUTH_<project_id> account00:40
mattoliverauwhat does the 'reseller_admin_role' line say in the config?00:40
itlinux_yes that's what I want.. and it's working but I am trying to check what is mapped to admin00:41
itlinux_I do not have that line00:41
mattoliverauwhat do you mean the keystone group admin?00:41
itlinux_in the proxy-server.conf00:41
mattoliverauwhere does it appear in the keystoneauth mapping in proxy-server.conf00:42
mattoliverauif the 'reseller_admin_role' is missing, then it will default to the 'ResellerAdmin' group in keystone (if that exists).00:42
itlinux_one sec.. will share00:42
itlinux_I do have ResellerAdmin00:43
mattoliverauso admin in your case, _wont_ map to the reseller_admin_role00:43
mattoliverauif your talking about an admin group00:43
mattoliverauif admin is a user.. then just add them to the ResellerAdmin group in keystone00:43
mattoliverauif you want the admin group to be reseller_admins, then you need to specify: `reseller_admin_role = admin` in the keystoneauth section in proxy-server.conf. (and remove it from the operator-roles)00:45
mattoliverauso, those options maps the swift priviliges to keystone groups. Add keystone users to the groups that map the to piviliges you want them to have in keystone to give them the required rights in swift00:46
itlinux_what groups do you see.. am I missing something..00:47
mattoliverauitlinux_: ok, so in your example: operator_roles = admin, swiftoperator, ResellerAdmin, swiftuser00:48
itlinux_I have swiftuser which I added to a group now..00:48
itlinux_so that group which has access to the project does have permissions to use swift00:48
itlinux_and I set quota to the account00:49
itlinux_so I think that's the correct way to make it happen.00:49
mattoliverauyour saying any keystone user in one of the keystone groups (admin, swiftoperator, ResellerAdmin, swiftuser) is a swift operator in the project account00:50
itlinux_ok that do not have any other permissions other than using swift00:50
mattoliverauBecause you are missing 'reseller_admin_role', anyone in the ResellerAdmin group in keystone is a reseller_admin00:50
itlinux_what's the best way to check who is part of the ResellerAdmin?00:51
itlinux_I guess I can add the line reseller_admin = admin00:51
mattoliverauask keystone, any user in that group is a reseller admin00:51
itlinux_ok let me check one sec..00:52
mattoliverauyou should put ResellerAdmin in the operators role when it's also reseller_admins role. as that might confuse operators. Because anyone currently in that group is _more_ then an operator00:52
itlinux_ok so I should remove that user from the Operators..00:53
mattoliverauremember they are roles _not_ users.00:54
mattoliverauyou should remove the ResellerAdmin role from that list.00:54
itlinux_I see I do not remember to have assigned an ResellerAdmin to anyone..00:54
itlinux_or to any groups00:54
itlinux_so that's ok00:54
mattoliveraubut then you have no reselleradmins00:54
itlinux_in fact I do not think I have any reseller admin00:55
mattoliveraua reseller admin also have access to swift, but to anyones account00:55
itlinux_I am checking admin00:55
itlinux_looks like admin does have reseller admin00:57
mattoliverauyeah looks like it. so your admin user is a memeber of the swiftoperator, admin and ResellerAdmin roles. So it matches the operator_roles and the reseller_admin_role options in your config (ResellerAdmin matches reseller_admin_role because the option is missing so defults)00:59
mattoliverauwhich is fine.00:59
mattoliverauBecause ResellerAdmin matches the reseller_admin_role option you don't need it in the operator_roles option because they would already have access01:00
itlinux_ok super.. so I have it the way it should be now.. and created a new role called swiftclient and added to the list so anyone on that list is good to use swift01:01
itlinux_what I need now as you stated above I need a doc which describes the role type reselleradmin, swiftoperator etc..01:02
mattoliverauyup. for the project's swift account they're in that role in.  So if you have 1 user with in the swiftclient role in 2 different projects, they can access both project accounts as operators. If your a user but not in that group, then you can potentually create objects etc but only if an operator adds an ACL for you. So there is also giving people access that way.01:04
itlinux_yes I assigned swiftclient to the group..01:06
mattoliverauThe documentation is kinda spread out. So not really in one place. I'll try and find time to write something more clear and in one place and push up when I get the chance.01:06
itlinux_I really do not want to deal with single users..01:06
itlinux_thanks even it's 2-3 places if you have a link that's ok I will create a new intternal doc01:07
mattoliverauand a little:
*** links has joined #openstack-swift01:15
itlinux_thanks mattoliverau:01:16
*** itlinux_ has quit IRC01:26
*** psachin has joined #openstack-swift02:21
*** links has quit IRC02:37
*** vinsh has quit IRC04:41
viks_mattoliverau: Nice explanation.. Thanks05:31
mattoliverauviks_: ta05:36
openstackgerritMerged openstack/swift master: imported some docs from the old user-guide
*** ccamacho has joined #openstack-swift06:16
*** hoonetorg has quit IRC06:42
*** hoonetorg has joined #openstack-swift06:54
openstackgerritHCLTech-SSW proposed openstack/swift master: Add ability to undelete an account.
*** rcernin has quit IRC07:03
*** Guest62477 has quit IRC07:36
*** mvk_ has quit IRC07:46
*** eandersson has quit IRC07:46
openstackgerritHCLTech-SSW proposed openstack/python-swiftclient master: Add ability to exclude file from upload.
*** pcaruana has joined #openstack-swift09:00
*** ejat has joined #openstack-swift09:22
*** cbartz has joined #openstack-swift09:44
*** hoonetorg has quit IRC09:54
*** hoonetorg has joined #openstack-swift10:08
*** mikecmpbll has joined #openstack-swift10:12
*** cbartz has quit IRC10:56
*** viks_ has quit IRC11:04
*** mikecmpbll has quit IRC11:15
*** mikecmpbll has joined #openstack-swift11:21
*** mikecmpbll has quit IRC11:37
*** mvenesio has quit IRC12:25
*** dewanee has joined #openstack-swift12:53
dewaneehu all12:53
*** mikecmpbll has joined #openstack-swift13:30
*** ccamacho has quit IRC14:07
*** ccamacho has joined #openstack-swift14:07
*** ccamacho has quit IRC14:08
*** ccamacho has joined #openstack-swift14:08
thurloatif you use EC with low configured parity fragments, thats the best storage efficiency with swift, right?14:45
thurloatobviously, not excellent durability14:45
DHEN+M (Data+parity) fragments will survive M failed hard drives, and consumes (N+M)/N times the space of the file itself...14:50
DHEso, yes... but you can play with it by raising N as well14:50
DHEit's a bit extreme, but 20+5 would survive any 5 dead drives and only consume +25% the storage capacity14:51
tdasilvajust found this presentation concerning EC, looks pretty good, contains a bit of info on storage efficiency:
DHE10+5 is a more sensible policy I think14:52
thurloatbut the 10+5/20+5 is a ratio, right? or does it fly for the entire cluster? like if 5 disks die in 5k disks, we start having issues?14:53
thurloatbut rather if it happens that the 5 that die are the parity disks for that piece of data14:54
DHEthere's a notation difference here. I'm writing 10+5 (data + parity), but these guys write it as 10-of-15 (needed -of- total)14:54
DHEif you do have 5 disks fail and they happen to be all parity disks, that doesn't change much. at most it means that retrieving the object will not require much CPU work since no parity calculations are actually involved14:55
thurloatah this pdf answers all the questions, thanks tdasilva14:57
tdasilvathurloat: yw :)14:57
tdasilvabasically, there's more to it, it's not a simple answer :)14:58
DHEwhich is why a lot of the swift literature describes it as for "cold storage". It works best with lots of drives and there's a significant CPU cost.14:59
thurloatyea i haven't looked at anything EC related yet really.14:59
thurloatsignificant at the proxy server or object server level/14:59
thurloator both?14:59
DHEI did an experiment with a 3+2 EC scheme on swift and a Ryzen7 1700 (3 GHz) CPU doing the parity work. I estimate pegging a CPU core will give me around 400 megabits/second of IO14:59
DHEmostly the proxy, but recovering from failed hardware will require CPU on the object servers15:00
DHEfor the reconstruction15:00
tdasilvaah yes! reconstructor15:00
thurloatbeefy proxy servers aren't an issue to assemble, hoping to keep the cpu requirements of the object servers low though15:00
thurloatand if you set up a 20+5 configuration, and have a 200kb file, it's going to get chopped into 20 data pieces the same as a 2GB large object fragment, right?15:03
thurloator whatever size you roll15:04
*** ccamacho has quit IRC15:05
DHEI don't know the specific of chunk sizes... I mean, that's 10 kilobytes per node/drive...15:06
thurloatthrow a CDN infront of it, nonethewiser15:09
thurloatsmall files stay cached :P15:09
DHEdelayed reconstruction as a means of reducing network traffic for reconstructs...  interesting...15:09
DHEsmall files seeing a lot of use shouldn't use EC policies.15:10
thurloatyea this specific project is short-term archive15:10
thurloatwrite once, read twice15:11
thurloatjust under half a pb15:11
*** psachin has quit IRC15:21
thurloatso your 3+2 system (or 3 of 5) pegged a CPU core serving 400mbit worth of traffic, and since CPU cost scales with width, a 10+5/10 of 15 would require 3x more CPU to drive?15:25
*** eandersson has joined #openstack-swift16:10
*** spotz has quit IRC16:18
*** gyee has joined #openstack-swift16:35
notmynamegood morning16:58
notmynamehmm EC conversation16:58
notmynameto be safe, I'd prefer to see EC used when the resulting fragment size is >=10MB16:59
notmyname*especially* when you're using a lot of fragments17:00
notmynameDHE: I love the idea of ryzen CPUs with swift. I'm still hoping for a more low-power, high-thread/core one, though17:02
DHEnotmyname: this was just my little home lab. one of my "storage nodes" was a 100megabit laptop with its internal hard drive and a USB drive as a "second disk". my main PC as the proxy has a ryzen7...17:03
thurloatanyone tried running ARM object servers?17:15
thurloatspeaking of low power17:15
notmynamethurloat: I've got swift running at home on
notmynameso yeah, it can work17:18
notmynamenot exactly what I'd choose for a data center. the only trick is getting some dependencies compiled/installed17:18
thurloatany crazy bottlenecks?17:18
notmynameyeah. don't write logs to a microsd card ;-)17:19
thurloatrip sd card17:19
notmynameit's not something I've stressed tested per se. It's just for home/family use17:19
notmynamebut it's fine for that17:19
thurloati'm going to be experimenting with a bunch of rock64s just to see what happens17:19
notmynameI'd recommend using a 64-bit cpu17:19
notmynameisntead of 3217:20
thurloatthe RK3328 is 64 bit iirc17:20
tdasilvanotmyname: can you expand on your home setup there? how many nodes are you running? why did you choose the HC1, did you consider the MC1. any pointers? what are you running for OS?17:22
thurloathot topic!17:23
tdasilvaheh...i've been eyeing the odroid for a while ;)17:23
notmynametdasilva: I have an MC1 (so 4 nodes) and 4 HC1s with 2.5" spinning drives. one of the MC1 nodes is the proxy. the 4 HC1s are ACO17:23
tdasilvadid you do anything special for power?17:25
tdasilvaI saw some people suggesting using something like:
thurloattdasilva: you can use an ATX psu and put barrel connectors onto the pci-e wires17:27
notmynameyeah, so the disadvantage is that I'm running everything off of one wall plug17:28
notmynamebut that makes for neater cable management ;-)17:28
thurloathave you tested the power draw?17:29
thurloatwith a wall meter/killawatt?17:29
notmynameI have not. but it's 2 5v 20A power supplies. so it can't be that much17:30
notmynamethis is the power supply I have
tdasilvanotmyname: can you merge this?
patchbotpatch 587108 - swift (stable/pike) - Native Zuul v3 tox jobs18:01
notmynameyeah, let me go through the stable/* patches18:02
notmynamethanks for reminding me18:02
*** itlinux has joined #openstack-swift18:04
notmynameok, all the backport proposals with a core +1 have been marked to land. that leaves and as still open18:13
patchbotpatch 585506 - swift (stable/queens) - py36: Fix test_get_logger_sysloghandler_plumbing18:13
patchbotpatch 585355 - swift (stable/pike) - Fix SLO delete for accounts with non-ASCII names.18:13
notmynamewhich seem to have corresponding patches already approved on other stable branches18:14
notmynameok, those are landed too18:14
notmynametimburke will be happy(-er) when he gets back online tomorrow ;-)18:15
tdasilvanotmyname: thanks18:30
*** itlinux has quit IRC21:54
*** rcernin has joined #openstack-swift22:32
DHEnotmyname: come to think of it, ryzen7 has 8 cores, boost speeds above 3 GHz, and does ECC memory (motherboard permitting)... that's not bad. and wow, the mobile version has a quad-core HT model with 2.2 GHz base clock at 15 watts...23:20

Generated by 2.15.3 by Marius Gedminas - find it at!