IBM Spectrum scale object deep dive training
1. IBM Spectrum Scale™
Object Protocol
Smita Raut
Spectrum Scale Cloud and Object
Brian Nelson
Spectrum Scale Cloud and Object
Acknowledgement:
Simon Lorenz
11/7/2017
Nov 2017
2. Agenda and Flow
• Object Protocol in IBM Spectrum Scale™
• Administration – Install Toolkit Method & CLI
• Administration – Object Authentication
• Administration – Storage Policies
• Administration – Unified File and Object
• Administration – Multiregion
• Administration – S3
• Creating Containers/Buckets and Objects
• Problem Determination Guide
4. What is Object Storage on a high level?
Object Storage has been developed to handle unstructured data
• Scales to trillions of objects (virtually unlimited scalability)
• Stores data in a flat namespace
• Design simplifies how users access data (native HTTP / REST support):
  - supports new types of applications
  - allows users to access data by using various methods, including mobile devices and web applications
• No single point of failure
• Flexible deployment options: on-premises, dedicated, hybrid, or public cloud
• Runs on cost effective platforms
5. Object addressing via Account/Container/Object
• Account:
- The top-level element in the Object Storage system hierarchy.
- Contains a list of the containers in the account.
- In the OpenStack environment, account is synonymous with project or tenant, as used by Keystone.
• Container:
- The second-level element in the hierarchy under accounts.
- Maintains a list of objects that belong to the container.
- The account and container provide a namespace for objects, analogous to files in a directory path.
- Many features, such as ACLs, versioning, and quotas, are controlled at the container level.
- A container in Swift is equivalent to a bucket when using the S3 protocol to access object data.
• Object:
- The third-level element in the hierarchy under containers.
- Stores actual data content and metadata that describes the object.
- In IBM Spectrum Scale, objects are stored as files, and object metadata is stored as file-extended attributes.
6. IBM Spectrum Scale™ Object Integration
• Based on OpenStack Swift
• Supports RESTful APIs (Swift and S3)
• Uses Keystone based authentication
• Swift Components
  - Proxy Server
  - Account Server
  - Container Server
  - Object Server
• Bundled with spectrum-scale-object rpm
• Automated Swift & Keystone Install
• Health & Performance Monitoring
[Diagram: Clients, Load Balancer, Swift Proxy Server, Account Server, Container Server, Object Server (Diskfile), Auth Service (Keystone, part of install package), Spectrum Scale]
8. Administration for Object Protocol
IBM Spectrum Scale™ Object Protocol can be enabled using two methods:
• Spectrum Scale Installation toolkit
  - spectrumscale config object
    - During first time object install/enable
    - Features and capabilities that can be administered
      - S3 enablement
      - Multiregion
• Using CLI
  - mmobj swift base
    - During first time object install/enable
    - Features and capabilities that can be administered
      - S3 enablement
      - Multiregion
      - File Access
      - Object Authentication
9. spectrumscale config object
• To set up the object protocol, run the installer command:
spectrumscale config object [-h] [-l]
[-f FILESYSTEM] [-m MOUNTPOINT]
[-e ENDPOINT] [-o OBJECTBASE]
[-i INODEALLOCATION] [-t ADMINTOKEN]
[-au ADMINUSER] [-ap [ADMINPASSWORD]]
[-su SWIFTUSER] [-sp [SWIFTPASSWORD]]
[-dp [DATABASEPASSWORD]] [-s3 {on,off}]
[-mr MULTIREGION] [-rn REGIONNUMBER]
• This command must be run before running “spectrumscale deploy”. After deploy, object gets configured with these settings.
• This command can only be used during initial deployment. It cannot be used to configure or change object protocol settings on a cluster where object is already deployed.
Sample clusterdefinition.txt
[object]
enable_s3 = True
filesystem = fs1
object_base = object_fileset
multiregion_file = /root/region
[protocols]
object = True
smb = False
nfs = False
10. mmobj swift base
• To set up the object protocol using the CLI after the initial cluster is set up, use the command
mmobj swift base -g GPFSMountPoint --cluster-hostname CESHostname
[-o ObjFileset] [-i MaxNumInodes] [--ces-group CESGroup]
{{--local-keystone [--db-password Password] [--admin-token Token]}|
{--remote-keystone-url URL [--configure-remote-keystone]}}
--admin-password AdminPassword [--admin-user AdminUser]
[--swift-user SwiftUser] [--swift-password SwiftPassword]
[--enable-file-access] [--enable-s3] [--enable-multi-region]
[--region-number RegionNumber]
[--join-region-file RegionFile]
• This command can only be used for object deployment from scratch. It cannot be used to configure or change object protocol settings on a cluster where object is already deployed.
11. Enabling Object Services
• Once “mmobj swift base” is done, object services must be enabled for the object protocol to function, using the command below:
mmces service enable OBJ
• After enabling object, the status of the various object services can be seen as below:
# mmces service list -v
Enabled services: OBJ
OBJ is running
OBJ:openstack-swift-object is running
OBJ:openstack-swift-account is running
OBJ:openstack-swift-container is running
OBJ:memcached is running
OBJ:openstack-swift-proxy is running
OBJ:openstack-swift-object-replicator is running
OBJ:openstack-swift-account-reaper is running
OBJ:openstack-swift-account-auditor is running
OBJ:openstack-swift-container-auditor is running
OBJ:openstack-swift-container-updater is running
OBJ:openstack-swift-account-replicator is running
OBJ:openstack-swift-container-replicator is running
OBJ:openstack-swift-object-sof is not running
OBJ:httpd (keystone) is running
12. Object Function check
• A very basic and fast check that object functions:
# source /root/openrc
# swift stat
# cd /tmp
# date > temp.txt
# swift upload test_container temp.txt
# swift list test_container
# swift stat
• If this works without an error, basic object functionality is available
13. Object Protocol Disable
• Be very cautious with disabling the object protocol!
• Command to use: mmces service disable OBJ
• All object store configuration data, such as the rings and the keystone database, is lost if the disable command is executed. The data stored on the filesystem, if any, cannot be addressed any more.
14. Object Administration Commands (mmobj Suite)
Object can be administered with the following CLI commands:
# mmobj
Usage:
mmobj config Manage configuration values
mmobj file-access Manage file for object interface
mmobj multiregion Manage multi-region configuration
mmobj policy Configure Swift storage policies
mmobj swift Install underlying Swift services
mmobj s3 Manage S3 API
Type in mmobj followed by the action and press enter to see the available options, e.g.
# mmobj policy
Usage:
mmobj policy list List Storage Policies
mmobj policy create Create a Storage Policy
mmobj policy change Change a Storage Policy
mmobj policy deprecate Deprecate a Storage Policy
16. Spectrum Scale Object Authentication Flow
• Swift clients make a request to keystone to get the auth token
• Auth token is valid for a configured duration of time, typically 24 hrs
• Swift clients pass on this token to Swift service to perform Object IO
• Swift validates this token with keystone
17. Administration commands for Authentication
IBM Spectrum Scale™ can be configured with the following authentication
servers for object access:
• Active Directory (AD)
• Lightweight Directory Access Protocol (LDAP)
• Local Authentication Server (Postgres)
• User Defined Authentication (External Keystone)
Two methods are available for managing/administering authentication:
• Spectrum Scale Installation toolkit
• Using CLI
  o During Object deploy (mmobj swift base)
  o After Object deploy (mmuserauth service create)
18. Install Toolkit Method (spectrumscale auth object)
• To set up object authentication, run the installer command:
spectrumscale auth object [-h] [--https] [--pki] {local,external,ldap,ad}
• This will automatically open a template file for you to fill with the required auth settings. TLS and SSL related settings can also be done here. Save the file and close it.
• If this install toolkit auth command has been run, authentication will automatically be enabled by the installer.
• This command must be run before running “spectrumscale deploy”. After deploy, object gets configured with these authentication settings.
• This command can only be used during initial deployment. It cannot be used to configure or change object auth on a cluster where object is already deployed.
• By default object is configured with local auth
Sample AD auth configuration file
[object]
remote_keystone = False
[object_auth]
enable_object_auth = True
backend_server = ad
# mandatory settings for object authentication:
# Specifies the host name or IP address of the authentication server.
servers =
# Specifies the base DN of the authentication server.
base_dn =
# Specifies the DN for user search base.
user_dn =
# Specifies the user which will be assigned the administrator role
# in Keystone.
admin_user =
# Specifies the AD user which will be used as the swift service user.
# This user's details will be updated in proxy-server.conf.
swift_user =
# Specifies the password of the swift_user.
# Leave as [prompt] to be prompted for the password in
# a secure manner.
swift_password = [prompt]
Sample external keystone auth configuration file
[object_auth]
# This installer will not configure your external keystone server
enable_object_auth = False
backend_server = external
[object]
remote_keystone = True
# Set to True to create swift service, user and endpoint in remote keystone
configure_remote_keystone = False
# Supply the full URL for your external keystone server
keystone_url = http://extserver.com
19. CLI During Object Deploy (mmobj swift base)
• Used for initial configuration of the object protocol when the Spectrum Scale install toolkit is not used for object deployment.
• Supports configuring local authentication or user defined authentication. It is mandatory to select one of these two authentication options.
• AD or LDAP authentication configuration is not supported through this command.
• Sample command:
mmobj swift base -g /gpfs1 -o swift --cluster-hostname c6f1c1p1v1 --local-keystone --admin-password Passw0rd --admin-user keystone
Note:
- The admin-password parameter can be skipped on the command line if desired for security reasons. It will be prompted for in that case.
- If AD or LDAP authentication must be used, the earlier auth configuration done via mmobj must be removed and the new auth with AD/LDAP configured using mmuserauth.
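The note above says the admin password can be left off the command line and prompted for instead. The following shell function is an added example (not from the original slides or from IBM's tooling) that scans saved command lines, such as a shell history or a runbook, for the password and token options listed in the two synopses on this page when they carry an inline value. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag mmobj / spectrumscale command lines that carry a secret
# inline instead of letting the tool prompt for it. Option names are the ones
# in the synopses on this page; everything else here is constructed.

# Constructed sample input (e.g. lines from a shell history or a runbook).
SAMPLE_HISTORY='mmobj swift base -g /gpfs1 -o swift --cluster-hostname c6f1c1p1v1 --local-keystone --admin-password Passw0rd --admin-user keystone
mmobj swift base -g /gpfs1 --cluster-hostname c6f1c1p1v1 --local-keystone --admin-user keystone
spectrumscale config object -f fs1 -m /ibm/fs1 -ap -sp -dp
spectrumscale config object -f fs1 -ap ExamplePw1 -dp ExamplePw2
mmobj policy list --verbose'

# find_inline_secrets < lines
# Prints "<line number>: <option>[,<option>...]" for every command line where a
# secret-bearing option is followed by a value. The value itself is never
# printed. Limitation: a secret that starts with "-" is read as the next option.
find_inline_secrets() {
    awk '
        BEGIN {
            # Long options of "mmobj swift base" that take a secret.
            n = split("--admin-password --swift-password --db-password --admin-token", a, " ")
            for (i = 1; i <= n; i++) long_opt[a[i]] = 1
            # Short options of "spectrumscale config object" that take a secret.
            n = split("-ap -sp -dp -t", b, " ")
            for (i = 1; i <= n; i++) short_opt[b[i]] = 1
        }
        {
            is_mmobj   = ($0 ~ "(^|[ /])mmobj +swift +base( |$)")
            is_toolkit = ($0 ~ "(^|[ /])spectrumscale +config +object( |$)")
            if (!is_mmobj && !is_toolkit) next
            hits = ""
            # Stop at NF-1: an option in last position has no value (prompt).
            for (i = 1; i < NF; i++) {
                known = (is_mmobj && ($i in long_opt)) || (is_toolkit && ($i in short_opt))
                if (!known) continue
                if ($(i + 1) ~ /^-/) continue   # next token is another option
                sep = (hits == "") ? "" : ","
                hits = hits sep $i
            }
            if (hits != "") print NR ": " hits
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_HISTORY" | find_inline_secrets
```
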
20. After Object Deploy (mmuserauth service Suite)
• This command suite manages the authentication configuration of file and object access protocols.
• The configuration allows protocol access methods to authenticate users who need to access data that is stored on the system over these protocols.
• The different commands in the mmuserauth service suite are:
  - mmuserauth service create - Configures authentication for file and object access protocols.
  - mmuserauth service list - Displays the details of the authentication method that is configured for both file and object access protocols.
  - mmuserauth service check - Verifies the authentication method configuration details for file and object access protocols. Validates the connectivity to the configured authentication servers. It also supports corrections to the configuration details on the erroneously configured protocol nodes.
  - mmuserauth service remove - Removes the authentication method configuration of file and object access protocols and ID maps if any.
Note: use the option --data-access-method object in all mmuserauth service <operation> commands for object authentication
21. Deep Dive On Object Authentication can be found here:
https://www.slideshare.net/SmitaRaut/ibm-spectrum-scale-authentication-for-object-deep-dive
23. Storage Policies for Object Storage
• Storage policies enable segmenting of the object storage within a single cluster for various use cases
• Once created, a storage policy can be associated with a container during container creation
• A fileset is associated with every storage policy. This fileset stores the objects uploaded to a container with this storage policy.
• For every storage policy a new object ring is created that defines where objects are located
• The following types of storage policies are supported:
  - File-access (unified file and object access)
  - Compression
  - Encryption
• Command suite for storage policy administration: mmobj policy
24. Storage Policy Creation
• To create a storage policy, run the command below
mmobj policy create PolicyName
[-f FilesetName] [--file-system FilesystemName] [-i MaxNumInodes]
{[--enable-compression --compression-schedule "MM:HH:dd:ww"]}
{[--enable-encryption --encryption-keyfile EncryptionKeyFileName [--force-rule-append]]}
[--enable-file-access]
• If FilesetName is not provided then a fileset with the name “Obj_PolicyName” is created
• An existing fileset can be used in the -f option provided it is not linked to any other storage policy
• If FilesystemName is not provided then the fileset is created under the default object filesystem
• Compression and encryption policies make use of filesystem level compression and encryption features
Examples:
File-access policy
mmobj policy create sof-policy --enable-file-access
Compression policy
mmobj policy create CompressionTest --enable-compression --compression-schedule "50:23:15,30:0"
In the above example, the compression job has been scheduled to run at 23:50 on every 15th and 30th of the month and on all Sundays
Encryption policy
mmobj policy create encryptionPolicy --enable-encryption --encryption-keyfile /var/tmp/keyfile --force-rule-append
In the above example the new encryption rule is added to the already established encryption policy, if any
25. Viewing and Changing Storage Policy
• To view storage policies, run the command below
mmobj policy list --verbose
• To make a policy default:
mmobj policy change sof-policy --default
• To deprecate a policy:
mmobj policy deprecate sof-policy
• To change a policy
mmobj policy change sof-policy
The following changes can be made to a storage policy:
  - Add local region to the policy
  - Remove a region from the policy
  - Change the compression schedule
• A storage policy cannot be deleted
Note:
- If you make a policy the default, containers are created under this policy by default. This can be overridden by specifying the “X-Storage-Policy” header during container creation
- When a policy is deprecated, new containers cannot be created under that policy. Old containers and the objects within them are still accessible.
- A deprecated policy can be made non-deprecated using the command
mmobj policy change policyname --deprecate no
26. Storage Policy – Encryption
• Objects in Spectrum Scale can be encrypted using Spectrum Scale encryption and ILM policies.
• A new encryption enabled storage policy creates a new fileset.
• An encryption rule for the newly created fileset is applied to the policies.
• Any object that is uploaded into a container that is linked to the encryption enabled policy will automatically and directly be stored encrypted.
• An object GET request causes the data to be decrypted before it is sent to the caller.
[Diagram: Account and Container; Storage filesets objFilesetPolicy1 and objFilesetEncryptedPolicy…; Rules; Policy Engine]
Reference: https://www.ibm.com/support/knowledgecenter/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1adm_storagepolicyencrypt.htm
27. Storage Policy – Compression
• Objects in Spectrum Scale can be compressed using Spectrum Scale compression and ILM policies.
• A new compression enabled storage policy creates a new fileset.
• A migration compression rule for the newly created fileset is applied based on a given schedule.
• Any object that is uploaded into a container that is linked to the compression enabled policy will be compressed when the given schedule is hit.
[Diagram: Account and Container; Storage filesets objFilesetPolicy1 and objFilesetCompressedPolicy…; Rules; Policy Engine; Scheduler]
Reference: https://www.ibm.com/support/knowledgecenter/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1adm_storagepolicycomp.htm
29. Unified File and Object Access
Accessing objects using file interfaces (SMB/NFS/POSIX) and accessing files using object interfaces (REST)
[Diagram: Spectrum Scale with Swift (with Swift on File); Object (http) and NFS/SMB/POSIX access to a <Container>; labels: data ingested as objects, objects accessed as files, data ingested as files, files accessed as objects; file exports created on container level or POSIX access from container level]
How to use it
• Enable the file-access capability
mmobj file-access enable
• Create a file-access storage policy
mmobj policy create sof-policy --enable-file-access
• Create a container with this policy
swift post container1 -H "X-Storage-Policy: sof-policy"
• Create shares/NFS exports on the container directory:
mmcesnfscrexport <obj_fileset_path>/s<policy_id>z1device1/AUTH_<project_id>/<container_name>
e.g.
mmcesnfscrexport /ibm/fs1/obj_sof2/s69931709220z1device1/AUTH_da220d815d4345cb933c0b70615a2951/container2
• Objects under this container can now be accessed as files and files as objects
30. Configuring Object Authentication for Unified File and Object
Local_mode - Separate identity between object and file (Default mode)
• Object authentication setup is independent of file authentication setup
Unified_mode - Shared identity between object and file
• Supported only with Active Directory (AD) with UNIX-mapped domains and LDAP authentication configurations
• Authentication for both file and object access must be configured, and the authentication schemes must be the same and configured with the same server
Change the ID management mode using the command:
mmobj config change --ccrfile object-server-sof.conf --section DEFAULT --property id_mgmt --value unified_mode
Ref: Video of presentation done on this topic at OpenStack summit April 2016 in Austin - https://www.youtube.com/watch?v=6ovLb6aktbM&t=93s
31. ibmobjectizer service
• Process that converts files ingested from the file interface so that they are available from the object interface via container listing
• Singleton service started when object is enabled and the file-access object capability is set
• Can be disabled using the command:
mmobj file-access disable --objectizer
• Uses periodic ILM policy scans to determine changes happening from the file side
• Frequency of objectization can be controlled with the objectization_interval parameter (default 1800 sec = 30 min) as below:
mmobj config change --ccrfile spectrum-scale-objectizer.conf --section DEFAULT --property objectization_interval --value 3600
• If some files need to be made available sooner than the objectization interval, the manual objectization command can be used:
mmobj file-access objectize
• The manual objectization command can be used even when ibmobjectizer is disabled
32. Enabling Object Access On Legacy File Data
• Legacy file data can be made accessible via the object interface by using the command
mmobj file-access link-fileset
• As a prerequisite, a container must be created under a file-access storage policy. The legacy file data can then be linked to this container
• Sample command:
mmobj file-access link-fileset --sourcefset-path /gpfs1/fset1 --account-name admin --container-name cont1 --fileaccess-policy-name sof_policy --update-listing
• The command creates a nested container “gpfs1-fset1” under cont1. All the files are listed as objects under this nested container
# swift list cont1
gpfs1-fset1/newdir/newobj1
gpfs1-fset1/newobj
gpfs1-fset1/existingfile1
gpfs1-fset1/existingdir/existingfile2
34. Object Multi-Region
• Provide client access to a local replica of the data to reduce unacceptable high-latency network delays.
• Can be used as active-active disaster recovery configuration.
[Diagram: one Swift cluster spanning Region 1 and Region 2, each a Spectrum Scale cluster with CES nodes; Region 1 client and Region 2 client]
Reference: https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1ins_multiregionoverview.htm
35. Multiregion administration - creation
• Object multiregion links object storage on independent GPFS clusters through Swift replication. Each cluster will have a complete copy of the object data. (This is a built-in Swift capability, not from AFM or GPFS.)
• Enable the first cluster for multiregion by either:
  - Using the --enable-multi-region flag of the “mmobj swift base” command, or
  - Using the “mmobj multiregion enable” command
• Subsequent clusters join the multiregion environment by using the --join-region-file flag of the “mmobj swift base” command.
• All regions must use the same keystone server
• Create the region file with the “mmobj multiregion export” command.
36. Multiregion administration - sync
• If the CES IPs or storage policies in a cluster change, the multiregion configuration must be synced to all other regions.
• A multiregion sync file can be created with the “mmobj multiregion export” command.
• The sync file can be imported into another cluster with the “mmobj multiregion import” command.
• The import command displays a checksum to ensure the source and destination cluster configurations are in sync:
# mmobj multiregion import --region-file /tmp/region1.dat
mmobj multiregion: Importing region checksum 04215-46679.
mmobj multiregion: The region config has been updated.
mmobj multiregion: Region 2 checksum is: 04215-46679
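The checksum comparison described above can be scripted so that a sync job fails when the two values differ. This is an added example, not part of the original slides or of the mmobj tooling; it relies only on the two checksum lines shown in the sample output, and assumes those line formats stay the same. The function name and the mismatch sample are constructed.

```shell
#!/bin/sh
# Added example: confirm from the output of "mmobj multiregion import" that the
# imported checksum equals the local region checksum. Line formats are copied
# from the sample output on this page; treating them as stable is an assumption.

# Output as shown on the slide.
IMPORT_OK='mmobj multiregion: Importing region checksum 04215-46679.
mmobj multiregion: The region config has been updated.
mmobj multiregion: Region 2 checksum is: 04215-46679'

# Constructed output in which the two checksums differ.
IMPORT_DRIFT='mmobj multiregion: Importing region checksum 04215-46679.
mmobj multiregion: The region config has been updated.
mmobj multiregion: Region 2 checksum is: 11872-30951'

# check_region_sync < import-output
# Prints one status line and returns: 0 in sync, 1 mismatch, 2 a checksum line
# is missing (for example the import stopped before printing it).
check_region_sync() {
    awk '
        /Importing region checksum / {
            imported = $NF
            sub(/\.$/, "", imported)        # drop the sentence-ending period
        }
        /Region [0-9]+ checksum is: / {
            region = $(NF - 3)
            local_sum = $NF
        }
        END {
            if (imported == "" || local_sum == "") {
                print "incomplete"
                exit 2
            }
            # Append "" so awk compares as strings, never as numbers.
            if ((imported "") != (local_sum "")) {
                print "mismatch imported=" imported " region" region "=" local_sum
                exit 1
            }
            print "in-sync " imported
        }'
}

# Demo on the slide output.
printf '%s\n' "$IMPORT_OK" | check_region_sync
```
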
37. Multiregion administration - remove
• A cluster can be removed from the multiregion environment with the “mmobj multiregion remove” command
• Remaining clusters will need to be synced with the “mmobj multiregion export/import” commands
• Once removed, object data will no longer be sent to or retrieved from that cluster
• Multiregion remove does not clean up the object protocol on that region’s cluster. Standard object protocol cleanup will still be needed on that cluster (e.g. mmces service disable obj)
39. S3 administration
• S3 is an object communication protocol created by AWS and emulated by the Swift swift3 middleware
• Allows existing S3 clients to connect to Swift without modification
• EC2 credentials in Keystone also used
• Managed through the “mmobj s3” command:
  - mmobj s3 enable: Enable the S3 API
  - mmobj s3 disable: Disable the S3 API
  - mmobj s3 list: List S3 API configuration
• Can also be enabled at install with the “--enable-s3” flag to “mmobj swift base”
41. Creating containers/buckets and objects
• Object protocol is built upon HTTP REST calls
• No standard client. Clients are often custom applications.
• But some commands exist to interface to object storage, like swift, s3curl, and curl
42. Creating containers and objects with swift command
• /usr/bin/swift installed with python-swiftclient
• Create container:
# swift post mycontainer
• Create object (container will be created if needed):
# swift upload mycontainer myfile
• Login information can be added to command or set as env vars:
export OS_AUTH_URL="http://localhost:35357/v3"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD="ADMIN_PASS"
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
43. Creating buckets and objects with s3curl command
• s3curl script downloaded from https://github.com/rtdp/s3curl
• Create bucket “bucket1”:
# s3curl.pl --id testuser1 --createBucket -- -s http://cesip:8080/bucket1
• Create object “object1” in “bucket1” from “test-data.txt”:
# s3curl.pl --id testuser1 --put test-data.txt -- -s http://cesip:8080/bucket1/object1
• Login information retrieved from EC2 credentials.
• Full example here: http://ibmurl.hursley.ibm.com/O7JT
45. Problem Determination
• Object protocol is made up of many services in Swift, Keystone, and Postgres
• Requires the CES framework for monitoring and IP assignment
• Monitoring will check object services to ensure they are running. It will restart them as necessary, or mark the node as failed if problems persist.
46. Problem Determination
• Check CES to get service state
• List all services:
# mmces service list -a -v
Enabled services: OBJ SMB NFS
ces1.ibm.com: OBJ is running
ces2ibm.com: OBJ is running
ces1ibm.com: OBJ:openstack-swift-object is running
ces1ibm.com: OBJ:openstack-swift-account is not running
...
• List System Health events for Object
# mmsysmonc query events object
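When the listing covers several CES nodes, the services that are down are easy to miss by eye. The following is an added example, not part of the original slides: a shell function that reduces `mmces service list -v` or `-a -v` output, in the line format shown on this page, to the node and service pairs that are not running. The function name and both sample listings are constructed, and the optional arguments name services that are expected to be stopped, such as openstack-swift-object-sof in the earlier listing on this page.

```shell
#!/bin/sh
# Added example: list object services reported as "not running" by
# "mmces service list -v" (no node prefix) or "-a -v" (node-prefixed lines).

# Constructed sample in the node-prefixed format (-a -v).
SAMPLE_ALL_NODES='Enabled services: OBJ SMB NFS
ces1.ibm.com: OBJ is running
ces2.ibm.com: OBJ is running
ces1.ibm.com: OBJ:openstack-swift-object is running
ces1.ibm.com: OBJ:openstack-swift-account is not running
ces2.ibm.com: OBJ:openstack-swift-object-sof is not running
ces2.ibm.com: OBJ:openstack-swift-proxy is running'

# Constructed sample in the local format (-v only).
SAMPLE_LOCAL='Enabled services: OBJ
OBJ is running
OBJ:openstack-swift-proxy is running
OBJ:openstack-swift-object-sof is not running'

# down_services [expected-down-service ...] < listing
# Prints "<node> <service>" for each entry that is not running. Lines without
# a node prefix are reported under the node name "local". Services given as
# arguments are treated as expected to be stopped and are skipped.
down_services() {
    awk -v skip="$*" '
        BEGIN {
            n = split(skip, s, " ")
            for (i = 1; i <= n; i++) expected[s[i]] = 1
        }
        / is not running$/ {
            node = "local"
            line = $0
            # Node-prefixed form: "<node>: OBJ:<service> is not running"
            if (match(line, /^[^ ]+: /)) {
                node = substr(line, 1, RLENGTH - 2)
                line = substr(line, RLENGTH + 1)
            }
            sub(/ is not running$/, "", line)
            sub(/^OBJ:/, "", line)
            if (!(line in expected)) print node, line
        }'
}

# Demo: ignore the Swift-on-File object server, report everything else.
printf '%s\n' "$SAMPLE_ALL_NODES" | down_services openstack-swift-object-sof
```
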
47. OpenStack Swift and Keystone Configuration
• /etc/swift
  - holds swift service and ring configuration
• /etc/keystone
  - holds keystone service configuration
• There should not be a need to directly edit such files! All config files are stored in CCR and must be identical on all protocol nodes. The same is true for the ring files.
• Use the command “mmobj config” to change any config settings. Updates will be stored in CCR and are automatically spread to all protocol nodes, including a restart of the needed services
# mmobj config
Usage:
mmobj config list List a service configuration
mmobj config change Change a service configuration
mmobj config manage Manage the configuration data
48. Problem Determination – log files
• Relevant log files are located here:
  - Swift: /var/log/swift/
    Use mmobj config change --ccrfile <server>.conf --section DEFAULT --property log_level --value DEBUG|INFO|AUDIT|WARNING|ERROR|CRITICAL|TRACE to change the log level as needed.
  - Keystone: /var/log/keystone/ and /var/log/httpd/
    Use mmobj config change --ccrfile keystone.conf --section DEFAULT --property debug --value True and refer to the OpenStack logging.conf documentation for finer-grained control of Keystone logging levels.
  - Postgres: <cesSharedRoot>/object/keystone/pg_log/ and /var/log/postgresql/
  - GPFS: /var/adm/ras/mmfs.log.latest
  - System Health logs: /var/adm/ras/mmsysmonitor.log
• Object protocol distributes requests to different CES nodes. It may be necessary to check log files on multiple nodes.
• Use /usr/lpp/mmfs/bin/object.snap.py to collect an object snap
49. Problem Determination – services
• Swift, Keystone, and Postgres services are managed with the systemctl command
• Check the status of the associated service with the command:
systemctl status -l service_name
• Service names:
openstack-swift-account-auditor
openstack-swift-account-reaper
openstack-swift-account-replicator
openstack-swift-account
openstack-swift-container-auditor
openstack-swift-container-replicator
openstack-swift-container
openstack-swift-container-updater
openstack-swift-object-auditor
openstack-swift-object-replicator
openstack-swift-object
openstack-swift-object-sof
openstack-swift-object-updater
postgresql-obj
httpd (keystone)
ibmobjectizer
50. System Health for Object
• System Health automatically monitors all the services as soon as the object protocol is enabled. Monitoring is aware of the singleton attributes and other settings such as auth type, unified file access and multiregion state.
• If a service is detected to be down, system health automatically tries to restart it. If the restart fails, the node is set to unhealthy. Use the commands:
# mmhealth cluster show
# mmhealth node show
to detect the cluster / node health state.
• System Health monitors:
• service states
• service ports: 'proxy-server': 8080, 'account-server': 6202, 'container-server': 6201, 'object-server': 6200, 'object-sof-server': 6203
• md5 ring files checksum
- Run “spectrumscale deploy” after “spectrumscale config”. This will deploy and enable the object protocol.
- In addition to the “spectrumscale” command, this takes authentication parameters and the enable-file-access parameter
- The example uses the swiftclient bundled with Spectrum Scale
- Some other examples of swift clients are cyberduck, cURL, golang swift client, etc.
- The Spectrum Scale GUI also supports limited object operations
- Disable object only when you want to start afresh
- Various swift clients are available, e.g. cyberduck, openstack swift client, or write your own client using cURL (a tool for transferring data to and from a server using supported protocols like http, https etc.)
- The auth token is generated for the user and stored in the Postgres database
- The Keystone token has info on user, role, expiry time, endpoint
- In case of PKI these params are encrypted. This secures Keystone to Swift communication.
- The AD auth configuration and LDAP auth configuration file templates are the same. Specify the appropriate backend_server.
- For local auth configuration, no config file template is needed
- This command is also used when object is disabled and needs to be re-enabled again
- You can also create policies without any of these features
- Do not manually delete the fileset associated with the policy