This document provides an overview of cloud object storage, including its key features like multipart uploads, tagging, versioning, lifecycles, prefixes, static websites, security measures, and geo-replication for disaster recovery. It discusses when object storage is suitable compared to block and file storage, how to properly use features like multipart uploads, encryption, and access control, and cautions about ensuring data security when using public cloud storage services.

1. 1
Orit Wasserman
Reversim 2018
Storing your data in the
cloud: doing it right

2. About me
● 20+ years of development
● 10+ in open source:
○ Nested virtualization for KVM
○ Maintainer of live migration in Qemu/kvm
● 4 years as Ceph core developer at Red Hat
● Architect at lightbits labs
2

3. Storing your data in the cloud: doing it right
● Introduction to cloud object storage
● Features:
○ Multipart upload
○ Tags
○ Versioning
○ Life cycle
○ Prefix
○ Static website
● Security
● Summary
3

4. Introduction to cloud object storage
4

5. 5
● Simple
● No metadata
● Fast
● Protocols:
○ FC/SCSI/SAS/SATA
○ ISCSI/FCoE
○ NVME
● Used by large DB like Oracle and for VM images
Block storage

6. 6
● Hierarchy: Directories and files
● Metadata:
○ Ownership
○ Permissions/ACL
○ Creation/Modification time
● Authentication
● Sharing semantics
● Inplace writes
● Protocols:
○ Local: ext4,xfs, btrfs, zfs, NTFS, …
○ Network: NFS, SMB, AFP
File system

7. 7

8. 8
Scale problems: hierarchy

9. 9
Solution: flat namespace
● Flat namespace:
○ Bucket/container
○ Objects
● Virtual hierarchy
● Buckets and objects are
referenced by name
Scale problems: hierarchy

10. 10
Scale problems: file allocation
● Complex
● Fragmentation

11. 11
Solution: Objects are immutable
● Object are overwritten
● Read range of an object
Scale problems: file allocation

12. 12
● Flat namespace
● Objects are immutable
● Range Read
● Rich Metadata:
○ Ownership (Users and tenants)
○ ACL
○ User metadata
Object storage

13. 13
Cloud object storage
● Restful API
● Common clouds:
○ AWS S3
○ Swift (openstack)
○ Google cloud storage
○ Azure blob storage
○ Ceph
○ Digital Ocean

14. 14
● Cloud or large scale environment
● Lots of large objects that are rarely updated.
● Small objects that are updated infrequently and are
not performance sensitive.
● Hard drives
When to use cloud object storage

15. 15
● If the application does lots of inplace writes inside
big files.
● Legacy application
When not to use cloud object storage

16. 16
Cloud object storage
features

17. 17
Example: Media

18. 18
● Upload a single object as a set of parts
● Transaction:
○ Initiate
○ Upload parts
○ Complete
Multipart upload

19. 19
Multipart upload
● Improved throughput
● Quick recovery from any network issues
● Pause and resume object uploads
● Begin an upload before you know the final object size
● Instead of FS rename

20. 20
Multipart upload pitfalls
● Due to the performance impact not recommend for small objects
● Regular upload is up to 5 GB
● Check your framework/SDK defaults!
● Orphans ...

21. 21
Multipart upload
● Improved throughput
● Quick recovery from any network issues
● Pause and resume object uploads
● Begin an upload before you know the final object size
● Instead of FS rename
● Due to the performance impact not recommend for small objects

22. 22
● Better object classification
● Tag is key/value pair : color=red,
name=orit
● Filter objects
● Can be used by:
○ Access control
○ Life cycle
● Metrics and analytics
Object tagging

23. 23
Example: Documents

24. 24
● Keeps the previous copy of the object in case of overwrite or
deletion
Versioning
● Problem: space usage

25. 25
Example: Documents

26. 26
● Configure automatic object transition:
○ Expiration: used to clean old objects, older versions and failed
multipart uploads
○ Tiering: move object to colder storage
Life cycle

27. 27
● Add a prefix to an object
● Listing a sub folder by listing objs with a specific prefix
virtual hierarchy

28. 28
Host a static website directly from the cloud object storage
Static website

29. 29
Security

30. 30
● More secure:
○ Key is not part of the request
○ All requests are signed
○ Streaming support
● Not all SDK use it by default or even support it
AWS4

31. 31
● Encrypt the traffic
● High performance penalty
● Options:
○ Tunneling
○ Terminate at the load balancers like HAProxy and use http for
your internal network
Protocol and transport

32. 32
● Server side encryption is not enough
● Use client side encryption:
○ SSE-C: Customer provided keys
○ SSE-KMS: Key management service
Encryption

33. 33
● Owner
● System/Admin user
● Other users: Read/Write/Read ACP/Write ACP/Full control
● Canned ACL (predefined): private,public-read, public-read-write, ..
Bucket and Object ACL

34. 34
Be careful of public buckets

35. 35
● Access policies for users and buckets
● Examples:
○ Grant access from multiple accounts
○ Cross account permission
○ Read only for anonymous users
○ Restricting access to a IP specific
Bucket and Users policy

36. 36
● Provides a temporary token to access the cloud
storage
● Assume rule
● Used by storage class and glacier
Secure Token Service

37. 37
● Object storage was designed for large scale and
for the cloud
● It has features designed for cloud application, in
order to use all those features you will need to
adopt your application
● Make sure your data is safe!
● Use Ceph for private cloud object storage!
github.com/oritwas
@oritwas
Summary

38. 38
Backup

39. 39
Disaster Recovery

40. 40
Solution: geo replication
● Global object storage clusters with a single
namespace
● Enables deployment of clusters across multiple
geographic locations
● Clusters synchronize, allowing users to read from
or write to the closest one
● Disaster recovery in case of a zone failure

41. 41
One cloud is not enough
Disaster recovery to a different public cloud
Replicate your private cloud data to public cloud