b400dfcb90
I tripped over this during recent afs fileserver reboots. Note it in the docs so that we are aware of this in the future when doing maintenance. Change-Id: Iac20fa6b9ec17f1eb69c50bc8f5736b34967fd83
708 lines
26 KiB
ReStructuredText
708 lines
26 KiB
ReStructuredText
:title: OpenAFS
|
|
|
|
.. _openafs:
|
|
|
|
OpenAFS
|
|
#######
|
|
|
|
The Andrew Filesystem (or AFS) is a global distributed filesystem.
|
|
With a single mountpoint, clients can access any site on the Internet
|
|
which is running AFS as if it were a local filesystem.
|
|
|
|
OpenAFS is an open source implementation of the AFS services and
|
|
utilities.
|
|
|
|
A collection of AFS servers and volumes that are collectively
|
|
administered within a site is called a ``cell``. The OpenStack
|
|
project runs the ``openstack.org`` AFS cell, accessible at
|
|
``/afs/openstack.org/``.
|
|
|
|
At a Glance
|
|
===========
|
|
|
|
:Hosts:
|
|
* afsdb01.openstack.org (a vldb and pts server in DFW)
|
|
* afsdb02.openstack.org (a vldb and pts server in ORD)
|
|
* afsdb03.openstack.org (a second vldb and pts server in DFW)
|
|
* afs01.dfw.openstack.org (a fileserver in DFW)
|
|
* afs02.dfw.openstack.org (a second fileserver in DFW)
|
|
* afs01.ord.openstack.org (a fileserver in ORD)
|
|
* mirror-update.opendev.org (host running mirror update jobs)
|
|
:Ansible:
|
|
* :git_file:`playbooks/service-afs.yaml`
|
|
* :git_file:`playbooks/service-mirror.yaml`
|
|
* :git_file:`playbooks/service-mirror-update.yaml`
|
|
:Projects:
|
|
* http://openafs.org/
|
|
:Bugs:
|
|
* http://bugs.launchpad.net/openstack-ci
|
|
* http://rt.central.org/rt/Search/Results.html?Order=ASC&DefaultQueue=10&Query=Queue%20%3D%20%27openafs-bugs%27%20AND%20%28Status%20%3D%20%27open%27%20OR%20Status%20%3D%20%27new%27%29&Rows=50&OrderBy=id&Page=1&Format=&user=guest&pass=guest
|
|
:Resources:
|
|
* `OpenAFS Documentation <http://docs.openafs.org/index.html>`_
|
|
|
|
OpenStack Cell
|
|
--------------
|
|
|
|
AFS may be one of the most thoroughly documented systems in the world.
|
|
There is plenty of very good information about how AFS works and the
|
|
commands to use it. This document will only cover the minimum needed
|
|
to understand our deployment of it.
|
|
|
|
OpenStack runs an AFS cell called ``openstack.org``. There are three
|
|
important services provided by a cell: the volume location database
|
|
(VLDB), the protection database (PTS), and the file server (FS). The
|
|
volume location service answers queries from clients about which
|
|
fileservers should be contacted to access particular volumes, while
|
|
the protection service provides information about users and groups.
|
|
|
|
Our implementation follows the common recommendation to colocate the
|
|
VLDB and PTS servers, and so they both run on our afsdb* servers.
|
|
These servers all have the same information and communicate with each
|
|
other to keep in sync and automatically provide high-availability
|
|
service. As described in
|
|
`<https://docs.openafs.org/AdminGuide/HDRWQ101.html>`__ the Ubik
|
|
protocol requires three servers to maintain availability; for that
|
|
reason, two of our DB servers are in the DFW region, and the other in
|
|
ORD.
|
|
|
|
Fileservers contain volumes, each of which is a portion of the file
|
|
space provided by that cell. A volume appears as at least one
|
|
directory, but may contain directories within the volume. Volumes are
|
|
mounted within other volumes to construct the filesystem hierarchy of
|
|
the cell.
|
|
|
|
OpenStack has two fileservers in DFW and one in ORD. They do not
|
|
automatically contain copies of the same data. A read-write volume in
|
|
AFS can only exist on exactly one fileserver, and if that fileserver
|
|
is out of service, the volumes it serves are not available. However,
|
|
volumes may have read-write copies which are stored on other
|
|
fileservers. If a client requests a read-only volume, as long as one
|
|
site with a read-only volume is online, it will be available.
|
|
|
|
Client Configuration
|
|
--------------------
|
|
.. _afs_client:
|
|
|
|
To use OpenAFS on a Debian or Ubuntu machine::
|
|
|
|
sudo apt-get install openafs-client openafs-krb5 krb5-user
|
|
|
|
Debconf will ask you for a default realm, cell and cache size.
|
|
Answer::
|
|
|
|
Default Kerberos version 5 realm: OPENSTACK.ORG
|
|
AFS cell this workstation belongs to: openstack.org
|
|
Size of AFS cache in kB: 500000
|
|
|
|
The default cache size in debconf is 50000 (50MB) which is not very
|
|
large. We recommend setting it to 500000 (500MB -- add a zero to the
|
|
default debconf value), or whatever is appropriate for your system.
|
|
|
|
The OpenAFS client is not started by default, so you will need to
|
|
run::
|
|
|
|
sudo service openafs-client start
|
|
|
|
When it's done, you should be able to ``cd /afs/openstack.org``.
|
|
|
|
Most of what is in our AFS cell does not require authentication.
|
|
However, if you have a principal in kerberos, you can get an
|
|
authentication token for use with AFS with::
|
|
|
|
kinit
|
|
aklog
|
|
|
|
If not running on Debian or Ubuntu you can install openafs client
|
|
packages as well as Kerberos5 packages on your distro of choice.
|
|
|
|
Then to kinit, use your fully qualified user id::
|
|
|
|
kinit $USERNAME@OPENSTACK.ORG
|
|
|
|
Or for admin access::
|
|
|
|
kinit $USERNAME/admin@OPENSTACK.ORG
|
|
|
|
Then aklog, specifying the openstack.org cell::
|
|
|
|
aklog -cell openstack.org
|
|
|
|
Administration
|
|
--------------
|
|
|
|
The following information is relevant to AFS administrators.
|
|
|
|
All of these commands have excellent manpages which can be accessed
|
|
with commands like ``man vos`` or ``man vos create``. They also
|
|
provide short help messages when run like ``vos -help`` or ``vos
|
|
create -help``.
|
|
|
|
For all administrative commands, you may either run them from any AFS
|
|
client machine while authenticated as an AFS admin, or locally without
|
|
authentication on an AFS server machine by appending the `-localauth`
|
|
flag to the end of the command.
|
|
|
|
Adding a User
|
|
~~~~~~~~~~~~~
|
|
First, add a kerberos principal as described in :ref:`addprinc`. Have the
|
|
username and UID from puppet ready.
|
|
|
|
Then add the user to the protection database with::
|
|
|
|
pts createuser $USERNAME -id UID
|
|
|
|
Admin UIDs start at 1 and increment. If you are adding a new admin
|
|
user, you must run ``pts listentries``, find the highest UID for an
|
|
admin user, increment it by one and use that as the UID. The username
|
|
for an admin user should be in the form ``username.admin``.
|
|
|
|
.. note::
|
|
Any '/' characters in a kerberos principal become '.' characters in
|
|
AFS.
|
|
|
|
Adding a Superuser
|
|
~~~~~~~~~~~~~~~~~~
|
|
Run the following commands to add an existing principal to AFS as a
|
|
superuser::
|
|
|
|
pts adduser -user $USERNAME.admin -group system:administrators
|
|
|
|
After this, you should update the
|
|
:git_file:`playbooks/roles/openafs-server-config/files/UserList` file
|
|
to ensure the new username is authorized to issue privileged commands.
|
|
|
|
Deleting Files
|
|
~~~~~~~~~~~~~~
|
|
|
|
.. note::
|
|
This is a basic example of write operations for AFS-hosted
|
|
content, so applies more generally to manually adding or changing
|
|
files as well. As we semi-regularly get requests to delete
|
|
subtrees of documentation, this serves as a good demonstration.
|
|
|
|
First, as a prerequisite, make sure you've followed the `Client
|
|
Configuration`_ and `Adding a Superuser`_ steps for yourself and
|
|
that you know the password for your ``$USERNAME/admin`` kerberos
|
|
principal. Safely authenticate your superuser's principal in a new
|
|
PAG as follows::
|
|
|
|
pagsh -c /bin/bash
|
|
export KRB5CCNAME=FILE:`mktemp`
|
|
kinit $USERNAME/admin
|
|
aklog
|
|
|
|
If this is a potentially destructive change (perhaps you're worried
|
|
you might mistype a deletion and remove more content than you
|
|
intended) you can first create a copy-on-write backup snapshot like
|
|
so::
|
|
|
|
vos backup docs
|
|
|
|
When deleting files, note that you should use the read-write
|
|
``/afs/.openstack.org`` path rather than the read-only
|
|
``/afs/openstack.org`` path, but normal Unix file manipulation
|
|
commands work as expected (do _not_ use ``sudo`` for this)::
|
|
|
|
rm -rf /afs/.openstack.org/docs/project-install-guide/baremetal/draft
|
|
|
|
If you don't want to have to wait for a volume release to happen (so
|
|
that your changes to the read-write filesystem are reflected
|
|
immediately in the read-only filesystem), you can release it now
|
|
too::
|
|
|
|
vos release docs -verbose
|
|
|
|
Now you can clean up your session, destroy your ticket and exit the
|
|
temporary PAG thusly::
|
|
|
|
unlog
|
|
kdestroy
|
|
exit
|
|
|
|
Creating a Volume
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
..
|
|
See following for background on the issues
|
|
http://meetings.opendev.org//irclogs/%23opendev/%23opendev.2020-06-10.log.html#t2020-06-10T22:13:43
|
|
https://review.opendev.org/#/c/735061/
|
|
|
|
.. warning::
|
|
|
|
You should *not* run these operations on the fileservers where the
|
|
volumes or replicas are to be created (``afs01`` or ``afs02``).
|
|
openafs ```vos`` will resolve the ipv4 address of the fileserver
|
|
host from the command-line. If you are using the tool on the
|
|
fileserver, Debuntu's use of ``127.0.1.1`` for localhost and having
|
|
the hostname in ``/etc/hosts`` can thus result in the ``vos`` tool
|
|
not correctly filtering the loopback address and setting the server
|
|
address for the volume as ``127.0.1.1`` -- making it effectively
|
|
inaccessible. A similar problem can occur for NAT servers, if we
|
|
were to use them. Running on an external host means the lookups
|
|
shouldn't return local addresses and avoids this issue. The other
|
|
option is to specify the fileservers as the IP address, rather than
|
|
the hostname, to avoid any lookup issues.
|
|
|
|
Select a fileserver for the read-write copy of the volume according to
|
|
which region you wish to locate it after ensuring it has sufficient
|
|
free space. Then run::
|
|
|
|
vos create $FILESERVER a $VOLUMENAME
|
|
|
|
The `a` in the preceding command tells it to place the volume on
|
|
partition `vicepa`. Our fileservers only have one partition and therefore
|
|
this is a constant.
|
|
|
|
Be sure to mount the read-write volume in AFS with::
|
|
|
|
fs mkmount /afs/.openstack.org/path/to/mountpoint $VOLUMENAME
|
|
|
|
You may want to create read-only sites for the volume with ``vos
|
|
addsite`` and then ``vos release``.
|
|
|
|
If the volume's mountpoint lies within another volume, you may also
|
|
need to ``vos release`` that parent volume before it will show up in
|
|
the read-only path.
|
|
|
|
You should set the volume quota with ``fs setquota``.
|
|
|
|
Deleting a Volume
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
Remove the mountpoint(s) of the volume::
|
|
|
|
fs rmmount /afs/.openstack.org/path/to/mountpoint
|
|
|
|
Be sure to release the parent volume (with ``vos release``) if
|
|
necessary after removing the mountpoint.
|
|
|
|
Run ``vos examine`` to see a list of volume sites. Identify the
|
|
read-write and read-only sites.
|
|
|
|
Remove the read-only sites first; repeat this command for each one::
|
|
|
|
vos remove -server $FILESERVER -partition $PARTITION -id $VOLUME.readonly
|
|
|
|
Remove the read-write volume::
|
|
|
|
vos remove -id $VOLUME
|
|
|
|
Adding a Fileserver
|
|
~~~~~~~~~~~~~~~~~~~
|
|
Put the machine's public IP on a single line in
|
|
/var/lib/openafs/local/NetInfo (TODO: puppet this).
|
|
|
|
Copy ``/etc/openafs/server/*`` from an existing fileserver.
|
|
|
|
Create an LVM volume named ``vicepa`` from cinder volumes. See
|
|
:ref:`cinder` for details on volume management. Then run::
|
|
|
|
mkdir /vicepa
|
|
echo "/dev/main/vicepa /vicepa ext4 errors=remount-ro,barrier=0 0 2" >>/etc/fstab
|
|
mount -a
|
|
|
|
Finally, create the fileserver with::
|
|
|
|
bos create -server NEWSERVER -instance dafs -type dafs \
|
|
-cmd "/usr/lib/openafs/dafileserver -L -p 242 -busyat 600 -rxpck 700 \
|
|
-s 1200 -l 1200 -cb 2000000 -b 240 -vc 1200 \
|
|
-udpsize 131071 -sendsize 131071" \
|
|
-cmd /usr/lib/openafs/davolserver \
|
|
-cmd /usr/lib/openafs/salvageserver \
|
|
-cmd /usr/lib/openafs/dasalvager
|
|
|
|
It is worth evaluating these settings periodically
|
|
|
|
* ``-L`` selects the large size, which ups a number of defaults
|
|
* ``-p`` defines the worker threads for processing incoming calls.
|
|
Since they block until there is work to do, we should leave this at
|
|
around the maximum (which may increase across versions; see
|
|
documentation)
|
|
* ``-udpsize`` and ``-sendsize`` should be increased above their default
|
|
* ``-cb`` defines the callbacks. For our use case, with a single
|
|
mirror writer, this should be around the number of files the client
|
|
is configured to cache (``-dcache``) multiplied by the number of
|
|
clients.
|
|
|
|
Updating Settings
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
The helper script :git_file:`tools/afs-server-restart.sh` is a helper
|
|
script to restart AFS servers, and optionally enable audit logging on
|
|
the servers which is sometimes useful for debugging afs clients. You
|
|
can edit settings in the script and run ``afs-server-restart.sh
|
|
restart`` (or ``restart-auditing``).
|
|
|
|
If you wish to update the settings for an existing server manually,
|
|
you can stop and remove the existing ``bnode`` (the collection of
|
|
processes the overseer is monitoring, created via ``bos create``
|
|
above) and recreate it.
|
|
|
|
For example ::
|
|
|
|
bos stop -server afs01.dfw.openstack.org \
|
|
-instance dafs \
|
|
-wait
|
|
|
|
Then remove the server with ::
|
|
|
|
bos delete -server afs01.dfw.openstack.org \
|
|
-instance dafs
|
|
|
|
Finally run the ``bos create`` command above with any modified
|
|
parameters to restart the server.
|
|
|
|
Recovering a Failed Fileserver
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
If a fileserver crashes, take the following steps to ensure it's
|
|
usable after recovery:
|
|
|
|
* Pause mirror updates and volume release cron jobs
|
|
|
|
* Reboot the server; fix any filesystem errors and check the salvager
|
|
logs
|
|
|
|
* Check for any stuck volume transactions; remedy as appropriate
|
|
|
|
* Perform a manual release of every volume from a terminal on a server
|
|
using "-localauth" in case OpenAFS decides it can't do an
|
|
incremental update.
|
|
|
|
* Re-enable cron jobs
|
|
|
|
Mirrors
|
|
~~~~~~~
|
|
|
|
We host mirrors in AFS so that we store only one copy of the data, but
|
|
mirror servers local to each cloud region in which we operate serve
|
|
that data to nearby hosts from their local cache.
|
|
|
|
All of our mirrors are housed under ``/afs/openstack.org/mirror``.
|
|
Each mirror is on its own volume, and each with a read-only replica.
|
|
This allows mirrors to be updated and then the read-only replicas
|
|
atomically updated. Because mirrors are typically very large and
|
|
replication across regions is slow, we place both copies of mirror
|
|
data on two fileservers in the same region. This allows us to perform
|
|
maintenance on fileservers hosting mirror data as well deal with
|
|
outages related to a single server, but does not protect the mirror
|
|
system from a region-wide outage.
|
|
|
|
In order to establish a new mirror, do the following:
|
|
|
|
* The following commands need to be run authenticated on a host with
|
|
kerberos and AFS setup (see `afs_client`_; admins can run the
|
|
commands on ``mirror-update.opendev.org``). See the note above
|
|
about *not* doing this on the actual fileservers. Firstly ``kinit``
|
|
and ``aklog`` to get tokens.
|
|
|
|
* Create the mirror volume. See `Creating a Volume`_ for details.
|
|
The volume should be named ``mirror.foo``, where `foo` is
|
|
descriptive of the contents of the mirror. Example::
|
|
|
|
vos create afs01.dfw.openstack.org a mirror.foo
|
|
|
|
* Create read-only replicas of the volume. One replica should be
|
|
located on the same fileserver (it will take little to no additional
|
|
space), and at least one other replica on a different fileserver.
|
|
Example::
|
|
|
|
vos addsite afs01.dfw.openstack.org a mirror.foo
|
|
vos addsite afs02.dfw.openstack.org a mirror.foo
|
|
|
|
* Release the read-only replicas::
|
|
|
|
vos release mirror.foo
|
|
|
|
See the status of all volumes with::
|
|
|
|
vos listvldb
|
|
|
|
When traversing from a read-only volume to another volume across a
|
|
mountpoint, AFS will first attempt to use a read-only replica of the
|
|
destination volume if one exists. In order to naturally cause clients
|
|
to prefer our read-only paths for mirrors, the entire path up to that
|
|
point is composed of read-only volumes::
|
|
|
|
/afs [root.afs]
|
|
/openstack.org [root.cell]
|
|
/mirror [mirror]
|
|
/bar [mirror.bar]
|
|
|
|
In order to mount the ``mirror.foo`` volume under ``mirror`` we need
|
|
to modify the read-write version of the ``mirror`` volume. To make
|
|
this easy, the read-write version of the cell root is mounted at
|
|
``/afs/.openstack.org``. Following the same logic from earlier,
|
|
traversing to paths below that mount point will generally prefer
|
|
read-write volumes.
|
|
|
|
* Mount the volume into afs using the read-write path::
|
|
|
|
fs mkmount /afs/.openstack.org/mirror/foo mirror.foo
|
|
|
|
* Release the ``mirror`` volume so that the (currently empty) foo
|
|
mirror itself appears in directory listings under
|
|
``/afs/openstack.org/mirror``::
|
|
|
|
vos release mirror
|
|
|
|
* Create a principal for the mirror update process. See
|
|
:ref:`addprinc` for details. The principal should be called
|
|
``service/foo-mirror``. Example::
|
|
|
|
kadmin: addprinc -randkey service/foo-mirror@OPENSTACK.ORG
|
|
kadmin: ktadd -k /path/to/foo.keytab service/foo-mirror@OPENSTACK.ORG
|
|
|
|
.. warning:: Each time ``ktadd`` is run, the key is rotated and
|
|
previous keytabs are invalidated.
|
|
|
|
* Add the service principal's keytab to Ansible secrets. Copy the
|
|
binary key to ``bridge.openstack.org`` and then use ``hieraedit`` to
|
|
update the files
|
|
|
|
.. code-block:: console
|
|
|
|
root@bridge:~# /home/zuul/src/opendev.org/opendev/system-config/tools/hieraedit.py \
|
|
--yaml /etc/ansible/hosts/host_vars/mirror-update01.opendev.org.yaml \
|
|
-f /path/to/foo.keytab KEYNAME
|
|
|
|
(don't forget to ``git commit`` and save the change; you can remove
|
|
the copies of the binary key too). The key will be base64 encoded
|
|
in the heira database. If you need to examine it for some reason
|
|
you can use ``base64``::
|
|
|
|
cat /path/to/foo.keytab | base64
|
|
|
|
* Ensure the values in this new variable are written to disk as the
|
|
keytab on ``mirror-update.opendev.org`` by adding it to the
|
|
``mirror-update`` role for the mirror scripts to use during update.
|
|
You should check this with ``testinfra`` in
|
|
``testinfra/test_mirror-update.py`` (note this involves defining a
|
|
"dummy" keytab for testing; see the other examples).
|
|
|
|
* Create an AFS user for the service principal::
|
|
|
|
pts createuser service.foo-mirror
|
|
|
|
Because mirrors usually have a large number of directories, it is best
|
|
to avoid frequent ACL changes. To this end, we grant access to the
|
|
mirror directories to a group where we can easily modify group
|
|
membership if our needs change.
|
|
|
|
* Create a group to contain the service principal, and add the
|
|
principal::
|
|
|
|
pts creategroup foo-mirror
|
|
pts adduser service.foo-mirror foo-mirror
|
|
|
|
View users, groups, and their membership with::
|
|
|
|
pts listentries
|
|
pts listentries -group
|
|
pts membership foo-mirror
|
|
|
|
* Grant the group access to the mirror volume::
|
|
|
|
fs setacl /afs/.openstack.org/mirror/foo foo-mirror write
|
|
|
|
* Grant anonymous users read access::
|
|
|
|
fs setacl /afs/.openstack.org/mirror/foo system:anyuser read
|
|
|
|
* Set the quota on the volume (e.g., 100GB)::
|
|
|
|
fs setquota /afs/.openstack.org/mirror/foo 100000000
|
|
|
|
Because the initial replication may take more time than we allocate in
|
|
our mirror update cron jobs, manually perform the first mirror update:
|
|
|
|
* In screen, obtain the lock on ``mirror-update01.opendev.org``::
|
|
|
|
flock -n /var/run/foo-mirror/mirror.lock bash
|
|
|
|
Leave that running while you perform the rest of the steps.
|
|
|
|
* Also in screen on ``mirror-update``, run the initial mirror sync.
|
|
If using one of the mirror update scripts (from ``/usr/local/bin``)
|
|
be aware that they generally run the update process under
|
|
``timeout`` with shorter periods than may be required for the
|
|
initial full sync. e.g. for ``reprepro`` mirrors
|
|
|
|
NO_TIMEOUT=1 /usr/local/bin/reprepro-mirror-update /etc/reprepro/ubuntu mirror.ubuntu
|
|
|
|
* Log into ``afs01.dfw.openstack.org`` and run ``screen``. Within
|
|
that session, periodically during the sync, and once again after it
|
|
is complete, run::
|
|
|
|
vos release mirror.foo -localauth
|
|
|
|
It is important to do this from an AFS server using ``-localauth``
|
|
rather than your own credentials and inside of screen because if
|
|
``vos release`` is interrupted, it will require some manual cleanup
|
|
(data will not be corrupted, but clients will not see the new volume
|
|
until it is successfully released). Additionally, ``vos release`` has
|
|
a bug where it will not use renewed tokens and so token expiration
|
|
during a vos release may cause a similar problem.
|
|
|
|
* Once the initial sync and ``vos release`` are complete, release
|
|
the lock file on mirror-update.
|
|
|
|
Removing a mirror
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
If you need to remove a mirror, you can do the following:
|
|
|
|
* Unmount the volume from the R/W location::
|
|
|
|
fs rmmount /afs/.openstack.org/mirror/foo
|
|
|
|
* Release the R/O mirror volume to reflect the changes::
|
|
|
|
vos release mirror
|
|
|
|
* Check what servers the volumes are on with ``vos listvldb``::
|
|
|
|
VLDB entries for all servers
|
|
...
|
|
|
|
mirror.foo
|
|
RWrite: 536870934 ROnly: 536870935
|
|
number of sites -> 3
|
|
server afs01.dfw.openstack.org partition /vicepa RW Site
|
|
server afs01.dfw.openstack.org partition /vicepa RO Site
|
|
server afs01.ord.openstack.org partition /vicepa RO Site
|
|
...
|
|
|
|
* Remove the R/O replicas (you can also see these with ``vos
|
|
listvol -server afs0[1|2].dfw.openstack.org``)::
|
|
|
|
vos remove -server afs01.dfw.openstack.org -partition a -id mirror.foo.readonly
|
|
vos remove -server afs02.dfw.openstack.org -partition a -id mirror.foo.readonly
|
|
|
|
* Remove the R/W volume::
|
|
|
|
vos remove -server afs02.dfw.openstack.org -partition a -id mirror.foo
|
|
|
|
Reverse Proxy Cache
|
|
^^^^^^^^^^^^^^^^^^^
|
|
|
|
* `modules/openstack_project/templates/mirror.vhost.erb
|
|
<https://opendev.org/opendev/system-config/src/branch/master/modules/openstack_project/templates/mirror.vhost.erb>`__
|
|
|
|
Each of the region-local mirror hosts exposes a limited reverse HTTP
|
|
proxy on port 8080. These proxies run within the same Apache setup as
|
|
used to expose AFS mirror contents. `mod_cache
|
|
<https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>`__ is used to
|
|
expose a white-listed set of resources (currently just RDO).
|
|
|
|
Currently they will cache data for up to 24 hours (Apache default)
|
|
with pruning performed by ``htcacheclean`` once an hour to keep the
|
|
cache size at or under 2GB of disk space.
|
|
|
|
The reverse proxy is provided because there are some hosted resources
|
|
that are not currently able to be practically mirrored. Examples of
|
|
this include RDO (rsync from RDO is slow and they update frequently)
|
|
and docker images (which require specialized software to run a docker
|
|
registry and then sorting out how to run that on a shared filesystem).
|
|
|
|
Apache was chosen because we already had configuration management in
|
|
place for Apache on these hosts. This avoids management overheads of
|
|
a completely new service deployment such as Squid or a caching docker
|
|
registry daemon.
|
|
|
|
No Outage Server Maintenance
|
|
----------------------------
|
|
|
|
afsdb0X.openstack.org
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
We have redundant AFS DB servers. You can take one down without causing
|
|
a service outage as long as the others remain up. To do this safely::
|
|
|
|
root@afsdb01:~# bos shutdown afsdb01.openstack.org -wait -localauth
|
|
root@afsdb01:~# bos status afsdb01.openstack.org -localauth
|
|
Instance ptserver, temporarily disabled, currently shutdown.
|
|
Instance vlserver, temporarily disabled, currently shutdown.
|
|
|
|
Then perform your maintenance on afsdb01. When done a reboot will
|
|
automatically restart the bos service or you can manually restart
|
|
the openafs-fileserver service::
|
|
|
|
root@afsdb01:~# service openafs-fileserver start
|
|
|
|
Finally check that the service is back up and running::
|
|
|
|
root@afsdb01:~# bos status afsdb01.openstack.org -localauth
|
|
Instance ptserver, currently running normally.
|
|
Instance vlserver, currently running normally.
|
|
|
|
Now you can repeat the process against afsdb02 or afsdb03.
|
|
|
|
afs0X.openstack.org
|
|
~~~~~~~~~~~~~~~~~~~
|
|
|
|
Taking down the actual fileservers is slightly more complicated
|
|
but works similarly. Basically what we need to do is make sure that
|
|
either no one needs the RW volumes hosted by a fileserver before
|
|
taking it down or move the RW volume to another fileserver. When
|
|
taking down afs01.dfw.openstack.org we must also ensure that the
|
|
vos releases that are performed on it by mirror-update are stopped.
|
|
|
|
To ensure nothing needs the RW volumes you can hold the various
|
|
file locks on hosts that publish to AFS and/or remove cron entries
|
|
that perform vos releases or volume writes.
|
|
|
|
If instead you need to move the RW volume first step is checking
|
|
where the volumes live::
|
|
|
|
root@afsdb01:~# vos listvldb -localauth
|
|
VLDB entries for all servers
|
|
|
|
mirror
|
|
RWrite: 536870934 ROnly: 536870935
|
|
number of sites -> 3
|
|
server afs01.dfw.openstack.org partition /vicepa RW Site
|
|
server afs01.dfw.openstack.org partition /vicepa RO Site
|
|
server afs01.ord.openstack.org partition /vicepa RO Site
|
|
|
|
We see that if we want to allow write to the mirror volume and take
|
|
down afs01.dfw.openstack.org we will have to move the volume to one
|
|
of the other servers::
|
|
|
|
root@afsdb01:~# screen # use screen as this may take quite some time.
|
|
root@afsdb01:~# vos move -id mirror -toserver afs01.ord.openstack.org -topartition vicepa -fromserver afs01.dfw.openstack.org -frompartition vicepa -localauth
|
|
|
|
When that is done (use listvldb command above to check) it is now safe
|
|
to take down afs0X.dfw.openstack.org while having writers to the mirror
|
|
volume. If operating on afs01.dfw.openstack.org you should also hold
|
|
all mirror update locks and the release-volumes lock. This ensures
|
|
we do not interrupt any vos releases on afs01.dfw.openstack.org that are
|
|
run by mirror-update remotely. We use the same process as for the db server::
|
|
|
|
root@afsdb01:~# bos shutdown afs01.dfw.openstack.org -localauth
|
|
root@afsdb01:~# bos status afs01.dfw.openstack.org -localauth
|
|
Auxiliary status is: file server shut down.
|
|
|
|
Perform maintenance, then restart as above and check the status again::
|
|
|
|
root@afsdb01:~# bos status afs01.dfw.openstack.org -localauth
|
|
Auxiliary status is: file server running.
|
|
|
|
DNS Entries
|
|
-----------
|
|
|
|
AFS uses the following DNS entries which indicate an even balance::
|
|
|
|
_afs3-prserver._udp.openstack.org. 300 IN SRV 10 10 7002 afsdb01.openstack.org.
|
|
_afs3-prserver._udp.openstack.org. 300 IN SRV 10 10 7002 afsdb02.openstack.org.
|
|
_afs3-prserver._udp.openstack.org. 300 IN SRV 10 10 7002 afsdb03.openstack.org.
|
|
_afs3-vlserver._udp.openstack.org. 300 IN SRV 10 10 7003 afsdb01.openstack.org.
|
|
_afs3-vlserver._udp.openstack.org. 300 IN SRV 10 10 7003 afsdb02.openstack.org.
|
|
_afs3-vlserver._udp.openstack.org. 300 IN SRV 10 10 7003 afsdb03.openstack.org.
|
|
|
|
Be sure to update them if volume location and PTS servers change. Also note
|
|
that only A (IPv4 address) records are used in the SRV data. Since OpenAFS
|
|
lacks support for IPv6, avoid entering corresponding AAAA (IPv6 address)
|
|
records for these so that it won't cause fallback delays for other
|
|
v6-supporting AFS client implementations.
|