Search
SupportConsoleDevelopersStart a trialContact

Chapter 9. Federated Object Gateway

download PDF

A federated Ceph Object Gateway configuration means that you run a Ceph Object Storage service in a geographically distributed manner for fault tolerance and failover.

In Red Hat Ceph Storage 1.3, you can configure each Ceph Object Gateway on a Red Hat Enterprise Linux 7 node to participate in a federated architecture, with multiple regions, and with multiple zones for a region.

  • Region: A region represents a logical geographic area and contains one or more zones. A cluster with multiple regions must specify a master region.
  • Zone: A zone is a logical grouping of one or more Ceph Object Gateway instance(s). A region has a master zone that processes client requests.

When you deploy a Ceph Object Store service that spans geographical locales, configuring Ceph Object Gateway regions and metadata synchronization agents enables the service to maintain a global namespace, even though Ceph Object Gateway instances run in different geographic locales and potentially on different Ceph Storage Clusters. When you separate one or more Ceph Object Gateway instances within a region into separate logical containers to maintain an extra copy or copies of the data, configuring Ceph Object Gateway zones and data synchronization agents enables the service to maintain one or more copies of the master zone’s data. Extra copies of the data are important for failover, backup and disaster recovery.

Possible deployments of the federated Ceph Object Gateway:

  • A single Ceph Storage Cluster with a federated architecture. You can use this deployment if you have low latency network, but Red Hat does not recommend this.
  • One Ceph Storage Cluster per region with a separate set of pools of each zone.
  • A separate Ceph Storage Cluster for each zone.
Important

Only write objects to the master zone in a region. You can read objects from secondary zones. Currently, the Ceph Object Gateway does not prevent you from writing to a secondary zone, but Red Hat strongly recommends to not do this.

9.1. Configuration

In the following sections, we will demonstrate how to configure a federated cluster in two logical steps:

  • Configure a Master Region: This section of the guide describes how to set up a region with multiple zones, and how to synchronize data between the master zone and the secondary zone(s) within the master region.
  • Configure a Secondary Region: This section of the guide describes how to repeat the section on setting up a master region and multiple zones so that you have two regions with intra-zone synchronization in each region. Finally, you will learn how to set up a metadata synchronization agent so that you can maintain a global namespace for the regions in your cluster.

9.1.1. Configure a Master Region

This section provides an exemplary procedure for setting up a region, and two zones within the region. The cluster will comprise two gateway daemon instances, one per zone. This region will serve as the master region.

9.1.1.1. Naming for the Master Region

Before configuring the cluster, defining region, zone and instance names will help you manage your cluster. Let’s assume the region represents the United States, and we refer to it by its standard abbreviation.

  • United States: us

Let’s assume the zones represent the Eastern and Western United States. For continuity, our naming convention will use {region name}-{zone name} format, but you can use any naming convention you prefer.

  • United States, East Region: us-east
  • United States, West Region: us-west

Finally, let’s assume that zones may have more than one Ceph Object Gateway instance per zone. For continuity, our naming convention will use {region name}-{zone name}-{instance} format, but you can use any naming convention you prefer.

  • United States Region, Master Zone, Instance 1: us-east-1
  • United States Region, Secondary Zone, Instance 1: us-west-1

9.1.1.2. Installation

For Red Hat Ceph Storage v1.3, Red Hat supports the Ceph Object Gateway running on Civetweb (embedded into the ceph-radosgw daemon) instead of Apache and FastCGI. Using Civetweb simplifies the installation and configuration.

Note

To run the Ceph Object Gateway service, you should have a running Ceph storage cluster, and Ceph Object Gateway nodes should have access to the public network.

Note

In version 1.3, the Ceph Object Gateway does not support SSL. You may setup a reverse proxy server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb.

We will configure one Ceph Object Gateway instance per node and for ease of understanding, we will use the Ceph Object Gateway instance names us-east-1, us-west-1 mentioned in Naming for the Master Region as the short hostnames (hostname -s) for Ceph Object Gateway nodes of master region and the Ceph Object Gateway instance names eu-east-1 and eu-west-1 mentioned in Naming for the Secondary Region as the short hostnames (hostname -s) for Ceph Object Gateway nodes of secondary region.

Note

You will have a total of four gateway instances after you create the master region and the secondary region.

9.1.1.3. Execute the Pre-Installation Procedure

Refer to the Red Hat Ceph Storage Installation Guide for RHEL, and execute the pre-installation procedures on your Ceph Object Gateway nodes of master region i.e, us-east-1 and us-west-1. Specifically, you should enable password-less ssh to these nodes from admin node, disable requiretty, set SELinux to Permissive and set up a Ceph Deploy user with password-less sudo access on these nodes. For Ceph Object Gateways, you will need to open the port that Civetweb will use in production.

Note

Civetweb runs on port 7480 by default.

Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.4. Enable Ceph Client Repository

Red Hat packages the Ceph Object Gateway in the rhel-7-server-rhceph-1.3-tools-rpms repository. To ensure you are using the same version of Ceph as your storage cluster, execute the following to enable the repository on your Ceph Object Gateway nodes of master region i.e, us-east-1 and us-west-1: 

sudo subscription-manager repos --enable=rhel-7-server-rhceph-1.3-tools-rpms
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.5. Install Object Gateway

From the working directory of your admin node, install the Ceph Object Gateway package on your Ceph Object Gateway nodes of master region i.e, us-east-1 and us-west-1: 

ceph-deploy install --rgw us-east-1 us-west-1

The ceph-common package is a dependency, so ceph-deploy will install this too along with ceph-radosgw package. The ceph CLI tools are intended for administrators. To make your Ceph Object Gateway nodes administrator nodes, execute the following from the working directory of your admin node (e.g. ceph-config): 

ceph-deploy admin us-east-1 us-west-1
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.6. Install Object Gateway Synchronization Agent

The Ceph Object Gateway synchronization agent radosgw-agent is required for data synchronization between zones within a region and metadata synchronization between two regions.

To install the Ceph Object Gateway synchronization agent, execute the following on your Ceph Object Gateway nodes of master region i.e, us-east-1 and us-west-1: 

sudo yum install radosgw-agent
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.7. Create Gateway Instances

From the working directory of your admin node, create instances of Ceph Object Gateway on your Ceph Object Gateway nodes of master region i.e, us-east-1 and us-west-1: 

ceph-deploy rgw create us-east-1 us-west-1

The above command creates gateway username, keyring, data directory for each Ceph Object Gateway node and places the keyring in the newly created data directory /var/lib/ceph/radosgw/{rgw-intance}. The command also provides write capability to the keyring so that each instance can create pools automatically.

Once a gateway instance is running, you should be able to access it on port 7480 with an unauthenticated request like this: 

http://us-east-1:7480

If the gateway instance is working properly, you should receive a response like this: 

<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
	<Owner>
		<ID>anonymous</ID>
		<DisplayName></DisplayName>
	</Owner>
	<Buckets>
	</Buckets>
</ListAllMyBucketsResult>

If at any point you run into trouble and you want to start over, execute the following to purge the configuration: 

ceph-deploy purge <gateway-node1> [<gateway-node2>]
ceph-deploy purgedata <gateway-node1> [<gateway-node2>]

If you execute purge, you must re-install Ceph.

Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.8. Copy Gateway Keyring to Configuration Directory

As mentioned in the previous section, ceph-deploy places the generated gateway keyring in /var/lib/ceph/radosgw/{rgw-instance} directory for each Ceph Object Gateway node. radosgw-admin utility expects the keyring to be in Ceph configuration directory i.e, /etc/ceph of the Ceph Object Gateway node and will throw error when executed if the keyring isn’t there. So, to ensure radosgw-admin utility runs properly, ssh to each Ceph Object Gateway node and copy the gateway keyring to /etc/ceph/ directory.

For example: 

ssh us-east-1
sudo cp /var/lib/ceph/radosgw/ceph-rgw.us-east-1/keyring /etc/ceph
exit

ssh us-west-1
sudo cp /var/lib/ceph/radosgw/ceph-rgw.us-west-1/keyring /etc/ceph
exit
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.9. Add Gateway Configuration

Modify the Ceph configuration file in the /etc/ceph/ directory on the administration node to add an entry for each Ceph Object Gateway node. Add sections entitled [client.rgw.<gateway-node>], replacing <gateway-node> with the short host names of the Ceph Object Gateway nodes of the master region that is, us-east-1 and us-west-1.

Also, Civetweb runs on port 7480 by default. You can change the default port, for example to port 80 by using the rgw_frontends option.

The modified configuration Ceph file will include the following options: 

[global]
rgw region root pool = .us.rgw.root

[client.rgw.us-east-1]
rgw region = us
rgw zone = us-east
rgw zone root pool = .us-east.rgw.root
rgw dns name = <hostname>
rgw_frontends = "civetweb port=80"
host = <hostname>

[client.rgw.us-west-1]
rgw region = us
rgw zone = us-west
rgw zone root pool = .us-west.rgw.root
rgw dns name = <hostname>
rgw_frontends = "civetweb port=80"
host = <hostname>

Where, <hostname> is the host name of the Ceph Object Gateway nodes of the master region that is, us-east-1 and us-west-1. To get the host name, run the `hostname -s' command.

The [client.rgw.us-east-1] and [client.rgw.us-west-1] headings identify these portions of the Ceph configuration file as configuring Ceph Storage Cluster clients where each client is a Ceph Object Gateway (that is rgw), and the names of the instances are us-east-1 and us-west-1.

Note

Ensure to leave no whitespace between port=<port-number> in the rgw_frontends key/value pair.

Note

In version 1.3, the Ceph Object Gateway does not support SSL. You can setup a reverse proxy web server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb.

Note

When adding the secondary region with other instances, for example eu-east-1 and eu-west-1, repeat the entire procedure.

9.1.1.10. Distribute Updated Configuration File

Pull the updated configuration file from /etc/ceph directory to the local directory of your cluster (e.g. ceph-config directory) and push it to your Ceph Object Gateway nodes and other Ceph nodes. 

ceph-deploy --overwrite-conf config pull <admin-node>
ceph-deploy --overwrite-conf config push [<gateway-node> ...] [<other-nodes>]

To make the new setting take effect, restart the Ceph Object Gateway on each Ceph Object Gateway node: 

sudo systemctl restart ceph-radosgw
sudo chkconfig ceph-radosgw on
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.11. Adjust Firewall Settings

Finally, check to ensure that the port you selected is open on the nodes' firewall (e.g., port 80). If it is not open, add the port and reload the firewall configuration on each Ceph Object Gateway node. For example: 

sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --add-port 80/tcp --permanent
sudo firewall-cmd --reload
Note

You will have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1.

9.1.1.12. Migrating from Apache to Civetweb

If you’re running the Ceph Object Gateway on Apache and FastCGI with Red Hat Ceph Storage v1.2.x or above, you’re already running Civetweb—​it starts with the ceph-radosgw daemon and it’s running on port 7480 by default so that it doesn’t conflict with your Apache and FastCGI installation and other commonly used web service ports. Migrating to use Civetweb basically involves removing your Apache installation. Then, you must remove Apache and FastCGI settings from your Ceph configuration file and reset rgw_frontends to Civetweb.

Referring back to the description for installing a Ceph Object Gateway with ceph-deploy, notice that the configuration file has one setting rgw_frontends (and that’s assuming you elected to change the default port). The ceph-deploy utility generates the data directory and the keyring for you—​placing the keyring in /var/lib/ceph/radosgw/{rgw-intance}. The daemon looks in default locations, whereas you may have specified different settings in your Ceph configuration file. Since you already have keys and a data directory, you will want to maintain those paths in your Ceph configuration file if you used something other than default paths.

A typical Ceph Object Gateway configuration file for an Apache-based deployment looks something like this: 

[client.radosgw.gateway]
host = {hostname}
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw socket path = ""
log file = /var/log/radosgw/client.radosgw.gateway.log
rgw frontends = fastcgi socket_port=9000 socket_host=0.0.0.0
rgw print continue = false

To modify it for use with Civetweb, simply remove the Apache-specific settings such as rgw_socket_path and rgw_print_continue. Then, change the rgw_frontends setting to reflect Civetweb rather than the Apache FastCGI front end and specify the port number you intend to use. For example: 

[client.radosgw.gateway]
host = {hostname}
keyring = /etc/ceph/ceph.client.radosgw.keyring
log file = /var/log/radosgw/client.radosgw.gateway.log
rgw_frontends = civetweb port=80

Finally, restart the Ceph Object Gateway. 

sudo systemctl restart ceph-radosgw.service

If you used a port number that is not open, you will also have to open that port on your firewall.

Note

You have to repeat the same procedure for Ceph Object Gateway nodes of secondary region, i.e, eu-east-1 and eu-west-1 if they Apache/FastCGI configured in them.

9.1.1.13. Add Debugging

Once you finish the setup procedure, if you encounter issues with your configuration, you can add debugging to the [global] section of your Ceph configuration file in /etc/ceph directory of admin node, pull it to the local cluster directory, push it to the gateway nodes and restart the gateway(s) to help troubleshoot any configuration issues. For example: 

[global]
#append the following in the global section.
debug ms = 1
debug rgw = 20

9.1.1.14. Add Wildcard to DNS

To use Ceph with S3-style subdomains (e.g., bucket-name.domain-name.com), you need to add a wildcard to the DNS record of the DNS server you use with the ceph-radosgw daemon.

The address of the DNS must also be specified in the Ceph configuration file with the rgw dns name = {hostname} setting. This setting has been mentioned in Add Gateway Configuration to Ceph

This step is important and you will find it’s use in Multi Site Data Replication and Inter-Region Metadata Replication.

For dnsmasq, add the following address setting with a dot (.) prepended to the host name: 

address=/.{hostname-or-fqdn}/{host-ip-address}

For example: 

address=/.us-west-1/192.168.122.75

For bind, add a wildcard to the DNS record. For example: 

$TTL    604800
@       IN      SOA     us-west-1. root.us-west-1. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      us-west-1.
@       IN      A       192.168.122.113
*       IN      CNAME   @

Restart your DNS server and ping your server with a subdomain to ensure that your ceph-radosgw daemon can process the subdomain requests: 

ping mybucket.{hostname}

For example: 

ping mybucket.us-west-1

9.1.1.15. Create a Region

A region is designated using a .json file which is used to configure a master region or a secondary region in a Ceph Object Gateway node with specifications for master zone and secondary zone in the region. The region infile is created on a single Ceph Object Gateway node and that Ceph Object Gateway node is also configured as a master zone within that region using an endpoint address. Another Ceph Object Gateway node is added as a secondary zone in the infile using it’s endpoint address. In this section we will create a region infile for master region. Same steps will be repeated for creating a region infile for secondary region in Configuring a Secondary Region, only the name for the .json region file will be different.

To maintain consistency, we will create the region infile in admin node of the cluster and copy it to the desired Ceph Object Gateway nodes.

Execute the following steps for creating and setting up a region:

  1. Configure a region infile called us.json for the us master region in the working directory of admin node (e.g. ceph-config directory): 

    cd ceph-config
vi us.json

    Copy the contents of the following example to the new file us.json. Set is_master to true. Replace {fqdn} with the fully-qualified domain name of the endpoint. It will specify a master zone as us-east and list it in the zones list along with the us-west zone: 

    { "name": "us",
  "api_name": "us",
  "is_master": "true",
  "endpoints": [
        "http:\/\/{fqdn}:80\/"],
  "master_zone": "us-east",
  "zones": [
        { "name": "us-east",
          "endpoints": [
                "http:\/\/{fqdn}:80\/"],
          "log_meta": "true",
          "log_data": "true"},
        { "name": "us-west",
          "endpoints": [
                "http:\/\/{fqdn}:80\/"],
          "log_meta": "true",
          "log_data": "true"}],
  "placement_targets": [
   {
     "name": "default-placement",
     "tags": []
   }
  ],
  "default_placement": "default-placement"}

  2. Copy the us.json file to the /etc/ceph directory of Ceph Object Gateway node us-east-1: 

    scp us.json ceph@us-east-1:~
ssh us-east-1
sudo mv us.json /etc/ceph/
exit

  3. Copy the us.json file to the /etc/ceph directory of Ceph Object Gateway node eu-east-1 of secondary region as well for creating the master region in secondary region too. You will find it’s use in Configuring a Secondary Region.

    Execute the following: 

    scp us.json ceph@eu-east-1:~
ssh eu-east-1
sudo mv us.json /etc/ceph/
exit

  4. Create the us region in us-east-1 Ceph Object Gateway node using the us.json infile: 

    ssh us-east-1
sudo radosgw-admin region set --infile /etc/ceph/us.json --name client.rgw.us-east-1

  5. Delete the default region (if it exists): 

    sudo rados -p .us.rgw.root rm region_info.default

  6. Set the us region as the default region: 

    sudo radosgw-admin region default --rgw-region=us --name client.rgw.us-east-1

    Only one region can be the default region for a cluster.

  7. Update the region map: 

    sudo radosgw-admin regionmap update --name client.rgw.us-east-1

If you use different Ceph Storage Cluster instances for regions, you should repeat steps 4, 6 and 7 in by executing them with --name client.rgw-us-west-1. You may also export the region map from the initial gateway instance and import it followed by updating the region map.

Note

When you use this procedure to configure the secondary region, replace us with eu. You will have a total of two regions after you create the master region and the secondary region.

9.1.1.16. Create Zones

Like a region, a zone is also divided into two categories, master and secondary. A master zone is basically where you write data, and a secondary zone is where you failover if things go wrong. In this section we will create a zone infile for master zone in us-east-1 Ceph Object Gateway node and a zone infile for secondary zone in us-west-1 Ceph Object Gateway node.

Again, to maintain consistency create the files in admin node of the cluster and copy them to the desired Ceph Object Gateway nodes for master and secondary zones.

Execute the following steps to create and setup zones:

  1. Configure a zone infile called us-east.json for the us-east zone in the working directory of admin node (e.g. ceph-config directory): 

    cd ceph-config
vi us-east.json

    This configuration uses default pool names prepended with the region name and zone name. You can use any arbitrary pool name that you choose, but it’s recommended to prepend the pool name with a region and a zone. See the configuration reference for some pool name examples. Copy the contents of the following example to the new file us-east.json. 

    { "domain_root": ".us-east.domain.rgw",
  "control_pool": ".us-east.rgw.control",
  "gc_pool": ".us-east.rgw.gc",
  "log_pool": ".us-east.log",
  "intent_log_pool": ".us-east.intent-log",
  "usage_log_pool": ".us-east.usage",
  "user_keys_pool": ".us-east.users",
  "user_email_pool": ".us-east.users.email",
  "user_swift_pool": ".us-east.users.swift",
  "user_uid_pool": ".us-east.users.uid",
  "system_key": { "access_key": "", "secret_key": ""},
  "placement_pools": [
    { "key": "default-placement",
      "val": { "index_pool": ".us-east.rgw.buckets.index",
               "data_pool": ".us-east.rgw.buckets"}
    }
  ]
}

  2. Copy the us-east.json zone file to the /etc/ceph directory of us-east-1 Ceph Object Gateway node: 

    scp us-east.json ceph@us-east-1:~
ssh us-east-1
sudo mv us-east.json /etc/ceph/
exit

  3. Copy the us-east.json zone file to the /etc/ceph directory of eu-east-1 Ceph Object Gateway node that you will configure as a master zone for secondary region as this file will be required for creating this master zone of master region in secondary region as well. You will find it’s use in Configuring a Secondary Region.

    Execute the following: 

    scp us-east.json ceph@eu-east-1:~
ssh eu-east-1
sudo mv us-east.json /etc/ceph/
exit

  4. Add the us-east zone using the us-east.json infile in east zone pool: 

    ssh us-east-1
sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.us-east-1

    Repeat step 1 to create a zone infile us-west.json for us-west. Copy the file to /etc/ceph directory of both us-west-1 and eu-west-1 Ceph Object Gateway nodes. Then add the zone using the us-west.json infile in west zone pool: 

    ssh us-west-1
sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.us-west-1

    The east and west zone pools mentioned here are the data pools that are automatically created by client.rgw.us-east-1 and client.rgw.us-west-1 gateway instances respectively. The gateway instances would write to the respective zone data pools. Do not confuse them for us-east and us-west zone.

  5. Delete the default zone (if it exists): 

    ssh us-east-1
sudo rados -p .rgw.root rm zone_info.default
exit

ssh us-west-1
sudo rados -p .rgw.root rm zone_info.default
exit

  6. Update the region map: 

    ssh us-east-1
sudo radosgw-admin regionmap update --name client.rgw.us-east-1
exit

ssh us-east-1
sudo radosgw-admin regionmap update --name client.rgw.us-west-1
exit
Note

When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zones after you create the master zone and the secondary zone in each region.

9.1.1.17. Create Zone Users

Ceph Object Gateway stores zone users in the zone pools. So you must create zone users after configuring the zones. Copy the access_key and secret_key fields for each zone user so you can update your zone configuration once you complete this step: 

ssh us-east-1
sudo radosgw-admin user create --uid="us-east" --display-name="Region-US Zone-East" --name client.rgw.us-east-1 --system
exit

ssh us-west-1
sudo radosgw-admin user create --uid="us-west" --display-name="Region-US Zone-West" --name client.rgw.us-west-1 --system
exit
Note

When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zone users after you create the master region and the secondary region and their zones.

Important

Check the key output. Sometimes radosgw-admin generates a JSON escape character \ in access_key or secret_key and some clients do not know how to handle JSON escape characters. Remedies include removing the JSON escape character \, encapsulating the string in quotes, regenerating the key and ensuring that it does not have a JSON escape character or specify the key and secret manually. Also, if radosgw-admin generates a JSON escape character \ and a forward slash / together in a key, like \/, only remove the JSON escape character \. Do not remove the forward slash / as it is a valid character in the key.

9.1.1.18. Update Zone Configurations

You must update the zone configuration with zone users so that the synchronization agents can authenticate with the zones.

  1. Open your us-east.json zone configuration file in the admin node and paste the contents of the access_key and secret_key fields of us-east zone user, that you got in the output while creating the user in Create Zone Users section, into the system_key field of your zone configuration infile: 

    { "domain_root": ".us-east.domain.rgw",
  "control_pool": ".us-east.rgw.control",
  "gc_pool": ".us-east.rgw.gc",
  "log_pool": ".us-east.log",
  "intent_log_pool": ".us-east.intent-log",
  "usage_log_pool": ".us-east.usage",
  "user_keys_pool": ".us-east.users",
  "user_email_pool": ".us-east.users.email",
  "user_swift_pool": ".us-east.users.swift",
  "user_uid_pool": ".us-east.users.uid",
  "system_key": {
    "access_key": "{paste-access_key-here}",
    "secret_key": "{paste-secret_key-here}"
     },
  "placement_pools": [
    { "key": "default-placement",
      "val": { "index_pool": ".us-east.rgw.buckets.index",
               "data_pool": ".us-east.rgw.buckets"}
    }
  ]
}

  2. Save the us-east.json file. Copy it again to /etc/ceph directory of us-east-1 and eu-east-1 Ceph Object Gateway nodes: 

    scp us-east.json ceph@us-east-1
ssh us-east-1
sudo mv us-east.json /etc/ceph/
exit

scp us-east.json ceph@eu-east-1
ssh eu-east-1
sudo mv us-east.json /etc/ceph/
exit

  3. Then, update your zone configuration: 

    ssh us-east-1
sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.us-east-1

  4. Repeat step 1 to update the zone infile for us-west. Copy it again to us-west-1 and eu-west-1 Ceph Object Gateway nodes. Then, update your zone configuration: 

    ssh us-west-1
sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.us-west-1
Note

When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zones after you create the master zone and the secondary zone in each region.

9.1.1.19. Configure Bucket Sharding

A Ceph Object Gateway stores bucket index data in the index_pool, which defaults to .rgw.buckets.index. Sometimes users like to put many objects (hundreds of thousands to millions of objects) in a single bucket. If you do not use the gateway administration interface to set quotas for the maximum number of objects per bucket, the bucket index can suffer significant performance degradation when users place large numbers of objects into a bucket.

In Red Hat Ceph Storage v1.3, you may shard bucket indices to help prevent performance bottlenecks when you allow a high number of objects per bucket. The rgw_override_bucket_index_max_shards setting allows you to set a maximum number of shards per bucket. The default value is 0, which means bucket index sharding is off by default.

To turn bucket index sharding on, set rgw_override_bucket_index_max_shards to a value greater than 0.

For federated configurations, each zone may have a different index_pool setting for failover. To make the value consistent for a region’s zones, you may set rgw_override_bucket_index_max_shards in a gateway’s region configuration. For example: 

ssh us-east-1
sudo radosgw-admin region get > /etc/ceph/us.json

Here, us.json is the region infile for master region.

Open the us.json file and edit the bucket_index_max_shards setting for each named zone. Save the us.json file and reset the region. For example: 

sudo radosgw-admin region set < /etc/ceph/us.json

Once you’ve updated your region, update the region map. For example: 

sudo radosgw-admin regionmap update --name client.rgw.us-east-1
exit

Where client.rgw.us-east-1 is the name of the gateway user.

Note

Mapping the index pool (for each zone, if applicable) to a CRUSH ruleset of SSD-based OSDs may also help with bucket index performance.

9.1.1.20. Restart Services

Once you have redeployed your Ceph configuration files, we recommend restarting your Ceph Storage Cluster(s).

Execute from admin node of the cluster: 

sudo /etc/init.d/ceph restart

9.1.1.21. Restart Gateway Instances

Restart the Ceph Object Gateway daemon on each Ceph Object Gateway node: 

# systemctl ceph-radosgw restart

9.1.2. Configure a Secondary Region

This section provides an exemplary procedure for setting up a cluster with multiple regions. Configuring a cluster that spans regions requires maintaining a global namespace, so that there are no namespace clashes among object names stored across in different regions.

This section extends the procedure in Configure a Master Region but changes the region name and modifies a few procedures. See the following sections for details.

9.1.2.1. Naming for the Secondary Region

Before configuring the cluster, defining region, zone and instance names will help you manage your cluster. Let’s assume the region represents the European Union, and we refer to it by its standard abbreviation.

  • European Union: eu

Let’s assume the zones represent the Eastern and Western European Union. For continuity, our naming convention will use {region name}-{zone name} format, but you can use any naming convention you prefer.

  • European Union, East Region: eu-east
  • European Union, West Region: eu-west

Finally, let’s assume that zones may have more than one Ceph Object Gateway instance per zone. For continuity, our naming convention will use {region name}-{zone name}-{instance} format, but you can use any naming convention you prefer.

  • European Union Region, Master Zone, Instance 1: eu-east-1
  • European Union Region, Secondary Zone, Instance 1: eu-west-1

9.1.2.2. Configuring a Secondary Region

Repeat the exemplary procedure of Configure a Master Region with the following differences:

  1. Use Naming for the Secondary Region in lieu of Naming for the Master Region.
  2. Installation in eu-east-1 and eu-west-1.
  3. Execute the Pre-Installation requirements for eu-east-1 and eu-west-1.
  4. Enable Ceph Client Repository for eu-east-1 and eu-west-1.
  5. Install Ceph Object Gateway in eu-east-1 and eu-west-1
  6. Install Ceph Object Gateway Synchronization Agent in eu-east-1 and eu-west-1
  7. Create Gateway Instances in eu-east-1 and eu-west-1
  8. Copy Gateway Keyring to Ceph Configuration Directory in eu-east-1 and eu-west-1.
  9. Add Gateway Configuration to Ceph for eu-east-1 and eu-west-1.
  10. Distribute Updated Ceph Configuration File to eu-east-1 and eu-west-1.
  11. Adjust Firewall Settings for eu-east-1 and eu-west-1.
  12. Migrating from Apache to Civetweb (if required) for eu-east-1 and eu-west-1.

  13. Create a Region using eu instead of us. Set is_master to false. For consistency, create the master region in the secondary region too with the us.json file that you had earlier copied to the secondary region from master region in Create a Region: 

    ssh eu-east-1
sudo radosgw-admin region set --infile /etc/ceph/us.json --name client.rgw.eu-east-1
  14. Create Zones using eu instead of us. Ensure that you update the user name (i.e., --name) so that you create the zones in the correct cluster.
  15. Create Zone Users for eu-east and eu-west zone.

  16. Update Zone Configurations using eu instead of us.

    Copy the eu-east.json and eu-west.json zone files to /etc/ceph directory of us-east-1 and us-west-1 Ceph Object Gateway nodes as well after you copy them to eu-east-1 and eu-west-1 Ceph Object Gateway nodes. They will be required for creating zones from secondary region in master region.

  17. Create zones from master region in the secondary region: 

    ssh eu-east-1
sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.eu-east-1
exit

ssh eu-west-1
sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.eu-west-1
exit

  18. Create zones from secondary region in the master region: 

    ssh us-east-1
sudo radosgw-admin zone set --rgw-zone=eu-east --infile /etc/ceph/eu-east.json --name client.rgw.us-east-1
exit

ssh us-west-1
sudo radosgw-admin zone set --rgw-zone=eu-west --infile /etc/ceph/eu-west.json --name client.rgw.us-west-1
exit
  19. Configure Bucket Sharding for eu region.
  20. Restart Services.
  21. Restart Gateway Instances.

9.1.3. Access Verification

You need to verify if the zone users are able to access the gateway. The zone users that you created in Create Zone Users are S3 zone users. You can the verify the gateway access as a S3 user or as a Swift user.

9.1.3.1. Test S3 Access

You need to write and run a Python test script for verifying S3 access. The S3 access test script will connect to the radosgw, create a new bucket and list all buckets. The values for aws_access_key_id and aws_secret_access_key in the Python script are taken from the values of access_key and secret_key returned by the radosgw_admin command while creating the S3 zone users in Create Zone Users.

Execute the following steps on a master or secondary zone Ceph Object Gateway node:

  1. Login to the Ceph Object Gateway node.

    For example: 

    ssh us-east-1

  2. Install python-boto package. 

    sudo yum install python-boto

  3. Create the Python script: 

    vi s3test.py

  4. Add the following contents to the file: 

    import boto
import boto.s3.connection

access_key = 'I0PJDPCIYZ665MW88W9R'
secret_key = 'dxaXZ8U90SXydYzyS5ivamEP20hkLSUViiaR+ZDA'

conn = boto.connect_s3(
	aws_access_key_id = access_key,
	aws_secret_access_key = secret_key,
	host = 'us-east-1',
	port = {port},
	is_secure=False,
	calling_format = boto.s3.connection.OrdinaryCallingFormat(),
	)

bucket = conn.create_bucket('my-new-bucket')
for bucket in conn.get_all_buckets():
	print "{name}\t{created}".format(
		name = bucket.name,
		created = bucket.creation_date,
)

    Here, the value for access_key and secret_key are taken from the output of sudo radosgw-admin user create --uid="us-east" …​ command that was executed to create us-east zone user in Create Zone Users. The host is also taken as us-east-1. When you test for other zone users replace these values with relevant ones for a specific zone. Replace {port} with the port number you are using with Civetweb (e.g, 7480 is the default). If you already changed the port to 80, remove the port = {port}, line from the script.

  5. Run the script: 

    python s3test.py

    The output will be something like the following: 

    my-new-bucket 2015-02-16T17:09:10.000Z

9.1.3.2. Test Swift Access

Swift access can be verified via the swift command line client. The command man swift will provide more information on available command line options.

To install swift client, execute the following: 

sudo yum install python-setuptools
sudo easy_install pip
sudo pip install --upgrade setuptools
sudo pip install --upgrade python-swiftclient

To test swift access, you will need the swift_secret_key of a swift zone user.

To create a swift zone user for a particular zone like us-east execute the following: 

ssh us-east-1
sudo radosgw-admin subuser create --uid=us-east --subuser=us-east:swift --name client.rgw.us-east-1 --system --access=full

It will create a swift zone user us-east:swift with an access_key. You will need the secret_key for this user as well.

To generate a secret key for the swift user, execute: 

sudo radosgw-admin key create --subuser=us-east:swift --name client.rgw.us-east-1 --system --key-type=swift --gen-secret

To test swift access, execute the following: 

swift -A http://{IP ADDRESS}:{port}/auth/1.0 -U testuser:swift -K '{swift_secret_key}' list

Replace {IP ADDRESS} with the public IP address of the gateway server and {swift_secret_key} with its value from the output of radosgw-admin key create command executed for the swift user. Replace {port} with the port number you are using with Civetweb (e.g., 7480 is the default). If you are using port 80 for Civetweb, there is no need to provide {port}.

For example: 

swift -A http://10.19.143.116:7480/auth/1.0 -U testuser:swift -K '244+fz2gSqoHwR3lYtSbIyomyPHf3i7rgSJrF/IA' list

The output should be: 

my-new-bucket

9.1.4. Multi-Site Data Replication

The data synchronization agent replicates the data of a master zone to a secondary zone. The master zone of a region is the source for the secondary zone of the region and it gets selected automatically.

To configure the synchronization agent, retrieve the access key and secret for the source and destination, and the destination URL and port.

You may use radosgw-admin zone list to get a list of zone names. You may use radosgw-admin zone get to identify the key and secret for the zone. You may refer to the gateway configuration file you created under Create a Gateway Configuration_ to identify the port number.

You only need the hostname and port for a single instance (assuming all gateway instances in a region/zone access the same Ceph Storage Cluster). Specify these values in a configuration file (e.g., region-data-sync.conf), and include a log_file name.

For example: 

ssh us-east-1
sudo vi /etc/ceph/region-data-sync.conf

Paste the following content in the file: 

src_access_key: {source-access-key}
src_secret_key: {source-secret-key}
destination: https://zone-name.fqdn.com:port
dest_access_key: {destination-access-key}
dest_secret_key: {destination-secret-key}
log_file: {log.filename}

A concrete example may look like this: 

src_access_key: DG8RE354EFPZBICHIAF0
src_secret_key: i3U0HiRP8CXaBWrcF8bbh6CbsxGYuPPwRkixfFSb
destination: https://us-west.storage.net:80
dest_access_key: U60RFI6B08F32T2PD30G
dest_secret_key: W3HuUor7Gl1Ee93pA2pq2wFk1JMQ7hTrSDecYExl
log_file: /var/log/radosgw/radosgw-sync-us-east-west.log

To activate the data synchronization agent, open a terminal and execute the following: 

sudo radosgw-agent -c /etc/ceph/region-data-sync.conf

When the synchronization agent is running, you should see output indicating that the agent is synchronizing shards of data: 

INFO:radosgw_agent.sync:Starting incremental sync
INFO:radosgw_agent.worker:17910 is processing shard number 0
INFO:radosgw_agent.worker:shard 0 has 0 entries after ''
INFO:radosgw_agent.worker:finished processing shard 0
INFO:radosgw_agent.worker:17910 is processing shard number 1
INFO:radosgw_agent.sync:1/64 shards processed
INFO:radosgw_agent.worker:shard 1 has 0 entries after ''
INFO:radosgw_agent.worker:finished processing shard 1
INFO:radosgw_agent.sync:2/64 shards processed
...
Note

You must have an agent for each source-destination pair.

9.1.5. Inter-Region Metadata Replication

The data synchronization agent replicates the metadata of master zone in the master region to a master zone in a secondary region. Metadata consists of gateway users and buckets, but not the objects within the buckets—​ensuring a unified namespace across the cluster. The master zone of the master region is the source for the master zone of the secondary region and it gets selected automatically.

Follow the same steps in Multi-Site Data Replication by specifying the master zone of the master region as the source zone and the master zone of the secondary region as the secondary zone. When activating the radosgw-agent, specify --metadata-only so that it only copies metadata. For example: 

sudo radosgw-agent -c /etc/ceph/inter-region-data-sync.conf --metadata-only

Once you have completed the foregoing procedure, you should have a cluster consisting of a master region (us) and a secondary region (eu) where there is a unified namespace between the two regions.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.