Chapter 9. Federated Object Gateway
A federated Ceph Object Gateway configuration means that you run a Ceph Object Storage service in a geographically distributed manner for fault tolerance and failover.
In Red Hat Ceph Storage 1.3, you can configure each Ceph Object Gateway on a Red Hat Enterprise Linux 7 node to participate in a federated architecture, with multiple regions, and with multiple zones for a region.
- Region: A region represents a logical geographic area and contains one or more zones. A cluster with multiple regions must specify a master region.
- Zone: A zone is a logical grouping of one or more Ceph Object Gateway instances. A region has a master zone that processes client requests.
When you deploy a Ceph Object Store service that spans geographical locales, configuring Ceph Object Gateway regions and metadata synchronization agents enables the service to maintain a global namespace, even though Ceph Object Gateway instances run in different geographic locales and potentially on different Ceph Storage Clusters. When you separate one or more Ceph Object Gateway instances within a region into separate logical containers to maintain an extra copy or copies of the data, configuring Ceph Object Gateway zones and data synchronization agents enables the service to maintain one or more copies of the master zone’s data. Extra copies of the data are important for failover, backup and disaster recovery.
Possible deployments of the federated Ceph Object Gateway:
- A single Ceph Storage Cluster with a federated architecture. You can use this deployment if you have a low-latency network, but Red Hat does not recommend it.
- One Ceph Storage Cluster per region with a separate set of pools for each zone.
- A separate Ceph Storage Cluster for each zone.
Only write objects to the master zone in a region. You can read objects from secondary zones. Currently, the Ceph Object Gateway does not prevent you from writing to a secondary zone, but Red Hat strongly recommends that you do not do so.
9.1. Configuration
In the following sections, we will demonstrate how to configure a federated cluster in two logical steps:
- Configure a Master Region: This section of the guide describes how to set up a region with multiple zones, and how to synchronize data between the master zone and the secondary zone(s) within the master region.
- Configure a Secondary Region: This section of the guide describes how to repeat the section on setting up a master region and multiple zones so that you have two regions with intra-zone synchronization in each region. Finally, you will learn how to set up a metadata synchronization agent so that you can maintain a global namespace for the regions in your cluster.
9.1.1. Configure a Master Region
This section provides an exemplary procedure for setting up a region, and two zones within the region. The cluster will comprise two gateway daemon instances, one per zone. This region will serve as the master region.
9.1.1.1. Naming for the Master Region
Before configuring the cluster, defining region, zone and instance names will help you manage your cluster. Let’s assume the region represents the United States, and we refer to it by its standard abbreviation.
- United States: us
Let’s assume the zones represent the Eastern and Western United States. For continuity, our naming convention will use the {region name}-{zone name} format, but you can use any naming convention you prefer.
- United States, East Zone: us-east
- United States, West Zone: us-west
Finally, let’s assume that zones may have more than one Ceph Object Gateway instance per zone. For continuity, our naming convention will use the {region name}-{zone name}-{instance} format, but you can use any naming convention you prefer.
- United States Region, Master Zone, Instance 1: us-east-1
- United States Region, Secondary Zone, Instance 1: us-west-1
9.1.1.2. Installation
For Red Hat Ceph Storage v1.3, Red Hat supports the Ceph Object Gateway running on Civetweb (embedded into the ceph-radosgw daemon) instead of Apache and FastCGI. Using Civetweb simplifies the installation and configuration.
To run the Ceph Object Gateway service, you should have a running Ceph storage cluster, and Ceph Object Gateway nodes should have access to the public network.
In version 1.3, the Ceph Object Gateway does not support SSL. You may set up a reverse proxy server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb.
We will configure one Ceph Object Gateway instance per node. For ease of understanding, we will use the Ceph Object Gateway instance names us-east-1 and us-west-1 mentioned in Naming for the Master Region as the short hostnames (hostname -s) of the Ceph Object Gateway nodes in the master region, and the instance names eu-east-1 and eu-west-1 mentioned in Naming for the Secondary Region as the short hostnames (hostname -s) of the Ceph Object Gateway nodes in the secondary region.
You will have a total of four gateway instances after you create the master region and the secondary region.
9.1.1.3. Execute the Pre-Installation Procedure
Refer to the Red Hat Ceph Storage Installation Guide for RHEL, and execute the pre-installation procedures on the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1. Specifically, you should enable password-less ssh to these nodes from the admin node, disable requiretty, set SELinux to Permissive, and set up a Ceph Deploy user with password-less sudo access on these nodes. For Ceph Object Gateways, you will need to open the port that Civetweb will use in production. Civetweb runs on port 7480 by default.
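For example, to open the default Civetweb port ahead of time on a gateway node (a sketch using firewalld, which these examples assume; adjust the port if you plan to change it later, as described in Add Gateway Configuration):
sudo firewall-cmd --zone=public --add-port=7480/tcp --permanent
sudo firewall-cmd --reload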
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
9.1.1.4. Enable Ceph Client Repository
Red Hat packages the Ceph Object Gateway in the rhel-7-server-rhceph-1.3-tools-rpms repository. To ensure you are using the same version of Ceph as your storage cluster, execute the following to enable the repository on the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1:
sudo subscription-manager repos --enable=rhel-7-server-rhceph-1.3-tools-rpms
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
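To confirm that the repository is enabled on a node, you can list the enabled repositories; this is only a quick check, not part of the official procedure:
sudo yum repolist enabled | grep rhceph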
9.1.1.5. Install Object Gateway
From the working directory of your admin node, install the Ceph Object Gateway package on the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1:
ceph-deploy install --rgw us-east-1 us-west-1
The ceph-common package is a dependency, so ceph-deploy will install it along with the ceph-radosgw package. The ceph CLI tools are intended for administrators. To make your Ceph Object Gateway nodes administrator nodes, execute the following from the working directory of your admin node (e.g. ceph-config):
ceph-deploy admin us-east-1 us-west-1
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
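As an optional sanity check, you can verify on a gateway node that the packages are installed and that the node can reach the cluster as an administrator:
ssh us-east-1
rpm -q ceph-radosgw ceph-common
sudo ceph -s
exit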
9.1.1.6. Install Object Gateway Synchronization Agent
The Ceph Object Gateway synchronization agent radosgw-agent is required for data synchronization between zones within a region and for metadata synchronization between two regions.
To install the Ceph Object Gateway synchronization agent, execute the following on the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1:
sudo yum install radosgw-agent
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
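To confirm that the agent package is present on a node, a simple query is enough:
rpm -q radosgw-agent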
9.1.1.7. Create Gateway Instances
From the working directory of your admin node, create the Ceph Object Gateway instances on the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1:
ceph-deploy rgw create us-east-1 us-west-1
The above command creates a gateway user, a keyring, and a data directory for each Ceph Object Gateway node, and places the keyring in the newly created data directory /var/lib/ceph/radosgw/{rgw-instance}. The command also gives the keyring write capability so that each instance can create pools automatically.
Once a gateway instance is running, you should be able to access it on port 7480 with an unauthenticated request like this:
http://us-east-1:7480
If the gateway instance is working properly, you should receive a response like this:
<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner>
    <ID>anonymous</ID>
    <DisplayName></DisplayName>
  </Owner>
  <Buckets>
  </Buckets>
</ListAllMyBucketsResult>
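You can make the same unauthenticated request from the command line, assuming curl is available on the node you run it from:
curl http://us-east-1:7480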
If at any point you run into trouble and you want to start over, execute the following to purge the configuration:
ceph-deploy purge <gateway-node1> [<gateway-node2>]
ceph-deploy purgedata <gateway-node1> [<gateway-node2>]
If you execute purge, you must re-install Ceph.
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
9.1.1.8. Copy Gateway Keyring to Configuration Directory
As mentioned in the previous section, ceph-deploy places the generated gateway keyring in the /var/lib/ceph/radosgw/{rgw-instance} directory on each Ceph Object Gateway node. The radosgw-admin utility expects the keyring to be in the Ceph configuration directory, /etc/ceph, of the Ceph Object Gateway node, and it will throw an error if the keyring is not there. So, to ensure that the radosgw-admin utility runs properly, ssh to each Ceph Object Gateway node and copy the gateway keyring to the /etc/ceph/ directory.
For example:
ssh us-east-1
sudo cp /var/lib/ceph/radosgw/ceph-rgw.us-east-1/keyring /etc/ceph
exit
ssh us-west-1
sudo cp /var/lib/ceph/radosgw/ceph-rgw.us-west-1/keyring /etc/ceph
exit
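Once the keyring is in place, you can confirm that radosgw-admin finds it by running a harmless read-only command on the gateway node. This is only a quick check, not part of the official procedure:
ssh us-east-1
sudo radosgw-admin zone list --name client.rgw.us-east-1
exit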
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
9.1.1.9. Add Gateway Configuration
Modify the Ceph configuration file in the /etc/ceph/ directory on the administration node to add an entry for each Ceph Object Gateway node. Add sections entitled [client.rgw.<gateway-node>], replacing <gateway-node> with the short host names of the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1.
Also, Civetweb runs on port 7480 by default. You can change the default port, for example to port 80, by using the rgw_frontends option.
The modified Ceph configuration file will include the following options:
[global]
rgw region root pool = .us.rgw.root

[client.rgw.us-east-1]
rgw region = us
rgw zone = us-east
rgw zone root pool = .us-east.rgw.root
rgw dns name = <hostname>
rgw_frontends = "civetweb port=80"
host = <hostname>

[client.rgw.us-west-1]
rgw region = us
rgw zone = us-west
rgw zone root pool = .us-west.rgw.root
rgw dns name = <hostname>
rgw_frontends = "civetweb port=80"
host = <hostname>
Where <hostname> is the host name of the Ceph Object Gateway nodes of the master region, that is, us-east-1 and us-west-1. To get the host name, run the hostname -s command.
The [client.rgw.us-east-1] and [client.rgw.us-west-1] headings identify these portions of the Ceph configuration file as configuring Ceph Storage Cluster clients where each client is a Ceph Object Gateway (that is, rgw), and the names of the instances are us-east-1 and us-west-1.
Ensure that there is no whitespace in port=<port-number> within the rgw_frontends key/value pair.
In version 1.3, the Ceph Object Gateway does not support SSL. You can set up a reverse proxy web server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb.
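If you need HTTPS, one common approach is to terminate SSL on a reverse proxy in front of Civetweb. The following HAProxy fragment is only an illustrative sketch, not part of the supported procedure; it assumes HAProxy 1.5 or later, a combined certificate and key in /etc/haproxy/rgw.pem, and Civetweb left on its default port 7480 on the same host:
frontend rgw_https
    bind *:443 ssl crt /etc/haproxy/rgw.pem
    default_backend rgw_civetweb

backend rgw_civetweb
    server us-east-1 127.0.0.1:7480 check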
When adding the secondary region with other instances, for example eu-east-1 and eu-west-1, repeat the entire procedure.
9.1.1.10. Distribute Updated Configuration File
Pull the updated configuration file from the /etc/ceph directory to the local directory of your cluster (e.g. the ceph-config directory) and push it to your Ceph Object Gateway nodes and other Ceph nodes.
ceph-deploy --overwrite-conf config pull <admin-node>
ceph-deploy --overwrite-conf config push [<gateway-node> ...] [<other-nodes>]
To make the new setting take effect, restart the Ceph Object Gateway on each Ceph Object Gateway node:
sudo systemctl restart ceph-radosgw
sudo chkconfig ceph-radosgw on
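To confirm that a gateway came back up on the newly configured port, you can repeat the unauthenticated request from Create Gateway Instances against that port. For example, with Civetweb on port 80:
curl http://us-east-1:80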
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
9.1.1.11. Adjust Firewall Settings
Finally, check to ensure that the port you selected is open on the nodes' firewall (e.g., port 80). If it is not open, add the port and reload the firewall configuration on each Ceph Object Gateway node. For example:
sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --add-port 80/tcp --permanent
sudo firewall-cmd --reload
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1.
9.1.1.12. Migrating from Apache to Civetweb
If you’re running the Ceph Object Gateway on Apache and FastCGI with Red Hat Ceph Storage v1.2.x or above, you’re already running Civetweb: it starts with the ceph-radosgw daemon and runs on port 7480 by default so that it does not conflict with your Apache and FastCGI installation or other commonly used web service ports. Migrating to Civetweb basically involves removing your Apache installation. Then, you must remove the Apache and FastCGI settings from your Ceph configuration file and reset rgw_frontends to Civetweb.
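For example, on a gateway node where Apache is no longer needed, a minimal cleanup might look like the following (this assumes the stock httpd package; also remove whatever FastCGI module package your earlier installation used):
sudo systemctl stop httpd
sudo systemctl disable httpd
sudo yum remove httpd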
Referring back to the description for installing a Ceph Object Gateway with ceph-deploy, notice that the configuration file has only one setting, rgw_frontends (and that is assuming you elected to change the default port). The ceph-deploy utility generates the data directory and the keyring for you, placing the keyring in /var/lib/ceph/radosgw/{rgw-instance}. The daemon looks in default locations, whereas you may have specified different settings in your Ceph configuration file. Since you already have keys and a data directory, you will want to maintain those paths in your Ceph configuration file if you used something other than the default paths.
A typical Ceph Object Gateway configuration file for an Apache-based deployment looks something like this:
[client.radosgw.gateway]
host = {hostname}
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw socket path = ""
log file = /var/log/radosgw/client.radosgw.gateway.log
rgw frontends = fastcgi socket_port=9000 socket_host=0.0.0.0
rgw print continue = false
To modify it for use with Civetweb, simply remove the Apache-specific settings such as rgw_socket_path and rgw_print_continue. Then, change the rgw_frontends setting to reflect Civetweb rather than the Apache FastCGI front end and specify the port number you intend to use. For example:
[client.radosgw.gateway]
host = {hostname}
keyring = /etc/ceph/ceph.client.radosgw.keyring
log file = /var/log/radosgw/client.radosgw.gateway.log
rgw_frontends = civetweb port=80
Finally, restart the Ceph Object Gateway.
sudo systemctl restart ceph-radosgw.service
If you used a port number that is not open, you will also have to open that port on your firewall.
You will have to repeat the same procedure for the Ceph Object Gateway nodes of the secondary region, that is, eu-east-1 and eu-west-1, if they have Apache/FastCGI configured on them.
9.1.1.13. Add Debugging
Once you finish the setup procedure, if you encounter issues with your configuration, you can add debugging to the [global] section of the Ceph configuration file in the /etc/ceph directory of the admin node, pull it to the local cluster directory, push it to the gateway nodes, and restart the gateway(s) to help troubleshoot any configuration issues. For example:
[global]
# append the following in the global section.
debug ms = 1
debug rgw = 20
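For example, after adding the debug settings you can redistribute the file and restart the gateways with the same commands used in Distribute Updated Configuration File:
ceph-deploy --overwrite-conf config pull <admin-node>
ceph-deploy --overwrite-conf config push us-east-1 us-west-1
Then restart ceph-radosgw on each gateway node as before.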
9.1.1.14. Add Wildcard to DNS
To use Ceph with S3-style subdomains (e.g., bucket-name.domain-name.com), you need to add a wildcard to the DNS record of the DNS server you use with the ceph-radosgw daemon.
The DNS name must also be specified in the Ceph configuration file with the rgw dns name = {hostname} setting. This setting was mentioned in Add Gateway Configuration. This step is important; you will find its use in Multi-Site Data Replication and Inter-Region Metadata Replication.
For dnsmasq, add the following address setting with a dot (.) prepended to the host name:
address=/.{hostname-or-fqdn}/{host-ip-address}
For example:
address=/.us-west-1/192.168.122.75
For bind, add a wildcard to the DNS record. For example:
$TTL    604800
@       IN      SOA     us-west-1. root.us-west-1. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      us-west-1.
@       IN      A       192.168.122.113
*       IN      CNAME   @
Restart your DNS server and ping your server with a subdomain to ensure that the ceph-radosgw daemon can process the subdomain requests:
ping mybucket.{hostname}
For example:
ping mybucket.us-west-1
9.1.1.15. Create a Region
A region is designated using a .json file, which is used to configure a master region or a secondary region on a Ceph Object Gateway node with specifications for the master zone and the secondary zone in the region. The region infile is created on a single Ceph Object Gateway node, and that node is also configured as the master zone within the region using an endpoint address. Another Ceph Object Gateway node is added as a secondary zone in the infile using its endpoint address. In this section we will create a region infile for the master region. The same steps will be repeated to create a region infile for the secondary region in Configuring a Secondary Region; only the name of the .json region file will be different.
To maintain consistency, we will create the region infile on the admin node of the cluster and copy it to the desired Ceph Object Gateway nodes.
Execute the following steps to create and set up a region:
1. Configure a region infile called us.json for the us master region in the working directory of the admin node (e.g. the ceph-config directory):

   cd ceph-config
   vi us.json

   Copy the contents of the following example to the new file us.json. Set is_master to true. Replace {fqdn} with the fully-qualified domain name of the endpoint. The file specifies us-east as the master zone and lists it in the zones list along with the us-west zone:

   {
     "name": "us",
     "api_name": "us",
     "is_master": "true",
     "endpoints": [
           "http:\/\/{fqdn}:80\/"],
     "master_zone": "us-east",
     "zones": [
           { "name": "us-east",
             "endpoints": [
                   "http:\/\/{fqdn}:80\/"],
             "log_meta": "true",
             "log_data": "true"},
           { "name": "us-west",
             "endpoints": [
                   "http:\/\/{fqdn}:80\/"],
             "log_meta": "true",
             "log_data": "true"}],
     "placement_targets": [
       {
         "name": "default-placement",
         "tags": []
       }
     ],
     "default_placement": "default-placement"
   }
2. Copy the us.json file to the /etc/ceph directory of the us-east-1 Ceph Object Gateway node:

   scp us.json ceph@us-east-1:~
   ssh us-east-1
   sudo mv us.json /etc/ceph/
   exit
3. Copy the us.json file to the /etc/ceph directory of the eu-east-1 Ceph Object Gateway node of the secondary region as well, for creating the master region in the secondary region too. You will find its use in Configuring a Secondary Region. Execute the following:

   scp us.json ceph@eu-east-1:~
   ssh eu-east-1
   sudo mv us.json /etc/ceph/
   exit
4. Create the us region on the us-east-1 Ceph Object Gateway node using the us.json infile:

   ssh us-east-1
   sudo radosgw-admin region set --infile /etc/ceph/us.json --name client.rgw.us-east-1
5. Delete the default region (if it exists):

   sudo rados -p .us.rgw.root rm region_info.default
6. Set the us region as the default region:

   sudo radosgw-admin region default --rgw-region=us --name client.rgw.us-east-1

   Only one region can be the default region for a cluster.
7. Update the region map:

   sudo radosgw-admin regionmap update --name client.rgw.us-east-1
If you use different Ceph Storage Cluster instances for regions, you should repeat steps 4, 6 and 7 by executing them with --name client.rgw.us-west-1. You may also export the region map from the initial gateway instance and import it, followed by updating the region map.
When you use this procedure to configure the secondary region, replace us with eu. You will have a total of two regions after you create the master region and the secondary region.
9.1.1.16. Create Zones
Like a region, a zone is also divided into two categories: master and secondary. A master zone is basically where you write data, and a secondary zone is where you fail over if things go wrong. In this section we will create a zone infile for the master zone on the us-east-1 Ceph Object Gateway node and a zone infile for the secondary zone on the us-west-1 Ceph Object Gateway node.
Again, to maintain consistency, create the files on the admin node of the cluster and copy them to the desired Ceph Object Gateway nodes for the master and secondary zones.
Execute the following steps to create and set up the zones:
1. Configure a zone infile called us-east.json for the us-east zone in the working directory of the admin node (e.g. the ceph-config directory):

   cd ceph-config
   vi us-east.json

   This configuration uses default pool names prepended with the region name and zone name. You can use any arbitrary pool name you choose, but it is recommended to prepend the pool name with a region and a zone. See the configuration reference for some pool name examples. Copy the contents of the following example to the new file us-east.json:

   {
     "domain_root": ".us-east.domain.rgw",
     "control_pool": ".us-east.rgw.control",
     "gc_pool": ".us-east.rgw.gc",
     "log_pool": ".us-east.log",
     "intent_log_pool": ".us-east.intent-log",
     "usage_log_pool": ".us-east.usage",
     "user_keys_pool": ".us-east.users",
     "user_email_pool": ".us-east.users.email",
     "user_swift_pool": ".us-east.users.swift",
     "user_uid_pool": ".us-east.users.uid",
     "system_key": {
       "access_key": "",
       "secret_key": ""},
     "placement_pools": [
       { "key": "default-placement",
         "val": {
           "index_pool": ".us-east.rgw.buckets.index",
           "data_pool": ".us-east.rgw.buckets"}
       }
     ]
   }
2. Copy the us-east.json zone file to the /etc/ceph directory of the us-east-1 Ceph Object Gateway node:

   scp us-east.json ceph@us-east-1:~
   ssh us-east-1
   sudo mv us-east.json /etc/ceph/
   exit
3. Copy the us-east.json zone file to the /etc/ceph directory of the eu-east-1 Ceph Object Gateway node as well, because this file will be required for creating the master zone of the master region in the secondary region too. You will find its use in Configuring a Secondary Region. Execute the following:

   scp us-east.json ceph@eu-east-1:~
   ssh eu-east-1
   sudo mv us-east.json /etc/ceph/
   exit
4. Add the us-east zone using the us-east.json infile in the east zone pool:

   ssh us-east-1
   sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.us-east-1
5. Repeat step 1 to create a zone infile us-west.json for us-west. Copy the file to the /etc/ceph directory of both the us-west-1 and eu-west-1 Ceph Object Gateway nodes. Then add the zone using the us-west.json infile in the west zone pool:

   ssh us-west-1
   sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.us-west-1
   The east and west zone pools mentioned here are the data pools that are automatically created by the client.rgw.us-east-1 and client.rgw.us-west-1 gateway instances respectively. The gateway instances write to their respective zone data pools. Do not confuse them with the us-east and us-west zones.

6. Delete the default zone (if it exists):

   ssh us-east-1
   sudo rados -p .rgw.root rm zone_info.default
   exit
   ssh us-west-1
   sudo rados -p .rgw.root rm zone_info.default
   exit
7. Update the region map:

   ssh us-east-1
   sudo radosgw-admin regionmap update --name client.rgw.us-east-1
   exit
   ssh us-west-1
   sudo radosgw-admin regionmap update --name client.rgw.us-west-1
   exit
When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zones after you create the master zone and the secondary zone in each region.
9.1.1.17. Create Zone Users
The Ceph Object Gateway stores zone users in the zone pools, so you must create zone users after configuring the zones. Copy the access_key and secret_key fields for each zone user so you can update your zone configuration once you complete this step:
ssh us-east-1
sudo radosgw-admin user create --uid="us-east" --display-name="Region-US Zone-East" --name client.rgw.us-east-1 --system
exit
ssh us-west-1
sudo radosgw-admin user create --uid="us-west" --display-name="Region-US Zone-West" --name client.rgw.us-west-1 --system
exit
When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zone users after you create the master region and the secondary region and their zones.
Check the key output. Sometimes radosgw-admin generates a JSON escape character \ in the access_key or secret_key, and some clients do not know how to handle JSON escape characters. Remedies include removing the JSON escape character \, encapsulating the string in quotes, regenerating the key and ensuring that it does not have a JSON escape character, or specifying the key and secret manually. Also, if radosgw-admin generates a JSON escape character \ and a forward slash / together in a key, like \/, only remove the JSON escape character \. Do not remove the forward slash /, as it is a valid character in the key.
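If you lose track of the keys later, you do not need to recreate the users; you can display them again with radosgw-admin user info. For example:
ssh us-east-1
sudo radosgw-admin user info --uid=us-east --name client.rgw.us-east-1
exit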
9.1.1.18. Update Zone Configurations
You must update the zone configuration with zone users so that the synchronization agents can authenticate with the zones.
1. Open your us-east.json zone configuration file on the admin node and paste the contents of the access_key and secret_key fields of the us-east zone user, which you received in the output while creating the user in Create Zone Users, into the system_key field of your zone configuration infile:

   {
     "domain_root": ".us-east.domain.rgw",
     "control_pool": ".us-east.rgw.control",
     "gc_pool": ".us-east.rgw.gc",
     "log_pool": ".us-east.log",
     "intent_log_pool": ".us-east.intent-log",
     "usage_log_pool": ".us-east.usage",
     "user_keys_pool": ".us-east.users",
     "user_email_pool": ".us-east.users.email",
     "user_swift_pool": ".us-east.users.swift",
     "user_uid_pool": ".us-east.users.uid",
     "system_key": {
       "access_key": "{paste-access_key-here}",
       "secret_key": "{paste-secret_key-here}"
     },
     "placement_pools": [
       { "key": "default-placement",
         "val": {
           "index_pool": ".us-east.rgw.buckets.index",
           "data_pool": ".us-east.rgw.buckets"}
       }
     ]
   }
2. Save the us-east.json file. Copy it again to the /etc/ceph directory of the us-east-1 and eu-east-1 Ceph Object Gateway nodes:

   scp us-east.json ceph@us-east-1:~
   ssh us-east-1
   sudo mv us-east.json /etc/ceph/
   exit
   scp us-east.json ceph@eu-east-1:~
   ssh eu-east-1
   sudo mv us-east.json /etc/ceph/
   exit
3. Then, update your zone configuration:

   ssh us-east-1
   sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.us-east-1
4. Repeat step 1 to update the zone infile for us-west. Copy it again to the us-west-1 and eu-west-1 Ceph Object Gateway nodes. Then, update your zone configuration:

   ssh us-west-1
   sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.us-west-1
When you use this procedure to configure the secondary region, replace us- with eu-. You will have a total of four zones after you create the master zone and the secondary zone in each region.
9.1.1.19. Configure Bucket Sharding
A Ceph Object Gateway stores bucket index data in the index_pool, which defaults to .rgw.buckets.index. Sometimes users like to put many objects (hundreds of thousands to millions of objects) in a single bucket. If you do not use the gateway administration interface to set quotas for the maximum number of objects per bucket, the bucket index can suffer significant performance degradation when users place large numbers of objects into a bucket.
In Red Hat Ceph Storage v1.3, you may shard bucket indices to help prevent performance bottlenecks when you allow a high number of objects per bucket. The rgw_override_bucket_index_max_shards setting allows you to set a maximum number of shards per bucket. The default value is 0, which means bucket index sharding is off by default.
To turn bucket index sharding on, set rgw_override_bucket_index_max_shards to a value greater than 0.
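For example, a hedged ceph.conf sketch that enables sharding with up to 10 shards per bucket (the value 10 and the use of the [global] section are only illustrative; pick a value that suits your expected object counts):
[global]
rgw_override_bucket_index_max_shards = 10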
For federated configurations, each zone may have a different index_pool setting for failover. To make the value consistent for a region’s zones, you may set rgw_override_bucket_index_max_shards in a gateway’s region configuration. For example:
ssh us-east-1
sudo radosgw-admin region get > /etc/ceph/us.json
Here, us.json is the region infile for the master region.
Open the us.json file and edit the bucket_index_max_shards setting for each named zone. Save the us.json file and reset the region. For example:
sudo radosgw-admin region set < /etc/ceph/us.json
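For reference, after this edit each named zone entry in us.json carries a bucket_index_max_shards value. A sketch of a single zone entry (the value 8 is only an example) might look like this:
{ "name": "us-east",
  "endpoints": [
        "http:\/\/{fqdn}:80\/"],
  "log_meta": "true",
  "log_data": "true",
  "bucket_index_max_shards": 8},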
Once you’ve updated your region, update the region map. For example:
sudo radosgw-admin regionmap update --name client.rgw.us-east-1
exit
Where client.rgw.us-east-1 is the name of the gateway user.
Mapping the index pool (for each zone, if applicable) to a CRUSH ruleset of SSD-based OSDs may also help with bucket index performance.
9.1.1.20. Restart Services
Once you have redeployed your Ceph configuration files, we recommend restarting your Ceph Storage Cluster(s).
Execute the following from the admin node of the cluster:
sudo /etc/init.d/ceph restart
9.1.1.21. Restart Gateway Instances
Restart the Ceph Object Gateway daemon on each Ceph Object Gateway node:
# systemctl restart ceph-radosgw
9.1.2. Configure a Secondary Region
This section provides an exemplary procedure for setting up a cluster with multiple regions. Configuring a cluster that spans regions requires maintaining a global namespace, so that there are no namespace clashes among object names stored across different regions.
This section extends the procedure in Configure a Master Region but changes the region name and modifies a few procedures. See the following sections for details.
9.1.2.1. Naming for the Secondary Region
Before configuring the cluster, defining region, zone and instance names will help you manage your cluster. Let’s assume the region represents the European Union, and we refer to it by its standard abbreviation.
- European Union: eu
Let’s assume the zones represent the Eastern and Western European Union. For continuity, our naming convention will use the {region name}-{zone name} format, but you can use any naming convention you prefer.
- European Union, East Zone: eu-east
- European Union, West Zone: eu-west
Finally, let’s assume that zones may have more than one Ceph Object Gateway instance per zone. For continuity, our naming convention will use the {region name}-{zone name}-{instance} format, but you can use any naming convention you prefer.
- European Union Region, Master Zone, Instance 1: eu-east-1
- European Union Region, Secondary Zone, Instance 1: eu-west-1
9.1.2.2. Configuring a Secondary Region
Repeat the exemplary procedure of Configure a Master Region with the following differences:
- Use Naming for the Secondary Region in lieu of Naming for the Master Region.
- Installation in eu-east-1 and eu-west-1.
- Execute the Pre-Installation requirements for eu-east-1 and eu-west-1.
- Enable Ceph Client Repository for eu-east-1 and eu-west-1.
- Install Ceph Object Gateway in eu-east-1 and eu-west-1.
- Install Ceph Object Gateway Synchronization Agent in eu-east-1 and eu-west-1.
- Create Gateway Instances in eu-east-1 and eu-west-1.
- Copy Gateway Keyring to Ceph Configuration Directory in eu-east-1 and eu-west-1.
- Add Gateway Configuration to Ceph for eu-east-1 and eu-west-1.
- Distribute Updated Ceph Configuration File to eu-east-1 and eu-west-1.
- Adjust Firewall Settings for eu-east-1 and eu-west-1.
- Migrating from Apache to Civetweb (if required) for eu-east-1 and eu-west-1.
- Create a Region using eu instead of us. Set is_master to false. For consistency, create the master region in the secondary region too with the us.json file that you earlier copied to the secondary region from the master region in Create a Region:

  ssh eu-east-1
  sudo radosgw-admin region set --infile /etc/ceph/us.json --name client.rgw.eu-east-1

- Create Zones using eu instead of us. Ensure that you update the user name (i.e., --name) so that you create the zones in the correct cluster.
- Create Zone Users for the eu-east and eu-west zones.
- Update Zone Configurations using eu instead of us.

  Copy the eu-east.json and eu-west.json zone files to the /etc/ceph directory of the us-east-1 and us-west-1 Ceph Object Gateway nodes as well, after you copy them to the eu-east-1 and eu-west-1 Ceph Object Gateway nodes. They will be required for creating zones from the secondary region in the master region.

  Create zones from the master region in the secondary region:

  ssh eu-east-1
  sudo radosgw-admin zone set --rgw-zone=us-east --infile /etc/ceph/us-east.json --name client.rgw.eu-east-1
  exit
  ssh eu-west-1
  sudo radosgw-admin zone set --rgw-zone=us-west --infile /etc/ceph/us-west.json --name client.rgw.eu-west-1
  exit

  Create zones from the secondary region in the master region:

  ssh us-east-1
  sudo radosgw-admin zone set --rgw-zone=eu-east --infile /etc/ceph/eu-east.json --name client.rgw.us-east-1
  exit
  ssh us-west-1
  sudo radosgw-admin zone set --rgw-zone=eu-west --infile /etc/ceph/eu-west.json --name client.rgw.us-west-1
  exit

- Configure Bucket Sharding for the eu region.
- Restart Services.
- Restart Gateway Instances.
9.1.3. Access Verification
You need to verify that the zone users are able to access the gateway. The zone users that you created in Create Zone Users are S3 zone users. You can verify the gateway access as an S3 user or as a Swift user.
9.1.3.1. Test S3 Access
You need to write and run a Python test script to verify S3 access. The S3 access test script will connect to the radosgw, create a new bucket and list all buckets. The values for aws_access_key_id and aws_secret_access_key in the Python script are taken from the values of access_key and secret_key returned by the radosgw-admin command while creating the S3 zone users in Create Zone Users.
Execute the following steps on a master or secondary zone Ceph Object Gateway node:
1. Log in to the Ceph Object Gateway node. For example:

   ssh us-east-1
2. Install the python-boto package:

   sudo yum install python-boto
3. Create the Python script:

   vi s3test.py
4. Add the following contents to the file:

   import boto
   import boto.s3.connection

   access_key = 'I0PJDPCIYZ665MW88W9R'
   secret_key = 'dxaXZ8U90SXydYzyS5ivamEP20hkLSUViiaR+ZDA'

   conn = boto.connect_s3(
           aws_access_key_id = access_key,
           aws_secret_access_key = secret_key,
           host = 'us-east-1',
           port = {port},
           is_secure=False,
           calling_format = boto.s3.connection.OrdinaryCallingFormat(),
           )

   bucket = conn.create_bucket('my-new-bucket')
   for bucket in conn.get_all_buckets():
       print "{name}\t{created}".format(
           name = bucket.name,
           created = bucket.creation_date,
       )
   Here, the values for access_key and secret_key are taken from the output of the sudo radosgw-admin user create --uid="us-east" … command that was executed to create the us-east zone user in Create Zone Users. The host is also taken as us-east-1. When you test other zone users, replace these values with the relevant ones for the specific zone. Replace {port} with the port number you are using with Civetweb (e.g., 7480 is the default). If you already changed the port to 80, remove the port = {port}, line from the script.

5. Run the script:

   python s3test.py
The output will be something like the following:
my-new-bucket 2015-02-16T17:09:10.000Z
9.1.3.2. Test Swift Access
Swift access can be verified via the swift command line client. The command man swift will provide more information on available command line options.
To install the swift client, execute the following:
sudo yum install python-setuptools
sudo easy_install pip
sudo pip install --upgrade setuptools
sudo pip install --upgrade python-swiftclient
To test swift access, you will need the swift_secret_key of a swift zone user.
To create a swift zone user for a particular zone, like us-east, execute the following:
ssh us-east-1
sudo radosgw-admin subuser create --uid=us-east --subuser=us-east:swift --name client.rgw.us-east-1 --system --access=full
It will create a swift zone user us-east:swift with an access_key. You will need the secret_key for this user as well.
To generate a secret key for the swift user, execute:
sudo radosgw-admin key create --subuser=us-east:swift --name client.rgw.us-east-1 --system --key-type=swift --gen-secret
To test swift access, execute the following:
swift -A http://{IP ADDRESS}:{port}/auth/1.0 -U us-east:swift -K '{swift_secret_key}' list
Replace {IP ADDRESS} with the public IP address of the gateway server and {swift_secret_key} with its value from the output of the radosgw-admin key create command executed for the swift user. Replace {port} with the port number you are using with Civetweb (e.g., 7480 is the default). If you are using port 80 for Civetweb, there is no need to provide {port}.
For example:
swift -A http://10.19.143.116:7480/auth/1.0 -U us-east:swift -K '244+fz2gSqoHwR3lYtSbIyomyPHf3i7rgSJrF/IA' list
The output should be:
my-new-bucket
9.1.4. Multi-Site Data Replication
The data synchronization agent replicates the data of a master zone to a secondary zone. The master zone of a region is the source for the secondary zone of the region and it gets selected automatically.
To configure the synchronization agent, retrieve the access key and secret for the source and destination, and the destination URL and port.
You may use radosgw-admin zone list to get a list of zone names. You may use radosgw-admin zone get to identify the key and secret for the zone. You may refer to the gateway configuration file you created under Add Gateway Configuration to identify the port number.
You only need the hostname and port for a single instance (assuming all gateway instances in a region/zone access the same Ceph Storage Cluster). Specify these values in a configuration file (e.g., region-data-sync.conf), and include a log_file name.
For example:
ssh us-east-1
sudo vi /etc/ceph/region-data-sync.conf
Paste the following content in the file:
src_access_key: {source-access-key}
src_secret_key: {source-secret-key}
destination: https://zone-name.fqdn.com:port
dest_access_key: {destination-access-key}
dest_secret_key: {destination-secret-key}
log_file: {log.filename}
A concrete example may look like this:
src_access_key: DG8RE354EFPZBICHIAF0
src_secret_key: i3U0HiRP8CXaBWrcF8bbh6CbsxGYuPPwRkixfFSb
destination: https://us-west.storage.net:80
dest_access_key: U60RFI6B08F32T2PD30G
dest_secret_key: W3HuUor7Gl1Ee93pA2pq2wFk1JMQ7hTrSDecYExl
log_file: /var/log/radosgw/radosgw-sync-us-east-west.log
To activate the data synchronization agent, open a terminal and execute the following:
sudo radosgw-agent -c /etc/ceph/region-data-sync.conf
When the synchronization agent is running, you should see output indicating that the agent is synchronizing shards of data:
INFO:radosgw_agent.sync:Starting incremental sync
INFO:radosgw_agent.worker:17910 is processing shard number 0
INFO:radosgw_agent.worker:shard 0 has 0 entries after ''
INFO:radosgw_agent.worker:finished processing shard 0
INFO:radosgw_agent.worker:17910 is processing shard number 1
INFO:radosgw_agent.sync:1/64 shards processed
INFO:radosgw_agent.worker:shard 1 has 0 entries after ''
INFO:radosgw_agent.worker:finished processing shard 1
INFO:radosgw_agent.sync:2/64 shards processed
...
You must have an agent for each source-destination pair.
9.1.5. Inter-Region Metadata Replication
The data synchronization agent replicates the metadata of the master zone in the master region to the master zone in a secondary region. Metadata consists of gateway users and buckets, but not the objects within the buckets, ensuring a unified namespace across the cluster. The master zone of the master region is the source for the master zone of the secondary region, and it gets selected automatically.
Follow the same steps as in Multi-Site Data Replication, specifying the master zone of the master region as the source zone and the master zone of the secondary region as the secondary zone. When activating the radosgw-agent, specify --metadata-only so that it only copies metadata. For example:
sudo radosgw-agent -c /etc/ceph/inter-region-data-sync.conf --metadata-only
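The inter-region configuration file follows the same format as region-data-sync.conf, except that the source is the master zone of the master region and the destination is the master zone of the secondary region. A hypothetical /etc/ceph/inter-region-data-sync.conf (all values below are placeholders, not output from a real cluster) might look like this:
src_access_key: {us-east-zone-user-access-key}
src_secret_key: {us-east-zone-user-secret-key}
destination: https://eu-east.fqdn.com:80
dest_access_key: {eu-east-zone-user-access-key}
dest_secret_key: {eu-east-zone-user-secret-key}
log_file: /var/log/radosgw/radosgw-sync-us-eu.log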
Once you have completed the foregoing procedure, you should have a cluster consisting of a master region (us) and a secondary region (eu) with a unified namespace between the two regions.