openstack/cookbook-openstack-object-storage
Code Issues Proposed changes
3d5bb7f7a4
cookbook-openstack-object-s.../README.md
Mark Vanderwiel cd4233aa55 Use keystone as default authenication 
* Change default from swauth to keystone
* Add missing authtoken section to swift-proxy.conf
* Readme cleanups
* metadata version cleanups
* another patch will fix up roles in cookbook-chef-repo
* remove old bug patches
* cleanup platform packages
* remove unneeded service files
* cleanup mode syntax
* add user and group attributes

Change-Id: Iee5e3d523b584d761848689c6ed55686bbdac313
2015-02-10 13:34:38 -06:00

288 lines
11 KiB
Markdown
Raw Blame History

Description
===========
Installs the OpenStack Object Storage service **Swift** as part of the OpenStack reference deployment Chef for OpenStack. The http://github.com/stackforge/chef-openstack-repo contains documentation for using this cookbook in the context of a full OpenStack deployment. Swift is currently installed from packages.
https://wiki.openstack.org/wiki/Swift
Requirements
============
Clients
--------
* CentOS >= 7
* Ubuntu >= 14.04
Chef
---------
* 12
Dependent Cookbooks
-------------------
* openstack-common
* openstack-identity
* memcached
* statsd
Roles
=====
* swift-account-server - storage node for account data
* swift-container-server - storage node for container data
* swift-management-server - responsible for ring generation
* swift-object-server - storage node for object server
* swift-proxy-server - proxy for swift storage nodes
* swift-setup - server responsible for generating initial settings
The swift-management-server role performs the following functions:
* proxy node that knows super admin password
* ring repository and ring building workstation
* generally always has the swift-setup role too
* there can only be _one_ swift-management-server
There *must* be a node with the the swift-management-server role to act
as the ring repository.
In small environments, it is likely that all storage machines will
have all-in-one roles, with a load balancer ahead of it
In larger environments, where it is cost effective to split the proxy
and storage layer, storage nodes will carry
swift-{account,container,object}-server roles, and there will be
dedicated hosts with the swift-proxy-server role.
In really really huge environments, it's possible that the storage
node will be split into swift-{container,account}-server nodes and
swift-object-server nodes.
Recipes
=======
client
----
- Install the swift client packages
Attributes
==========
* ```default[:swift][:authmode]``` - "swauth" or "keystone" (default "keystone").
* ```default[:swift][:swauth_source]``` - "git" or "package"(default). Selects between installing python-swauth from git or system package
* ```default[:swift][:swauth_repository]``` - Specifies git repo. Default "https://github.com/gholt/swauth.git"
* ```default[:swift][:swauth_version]``` - Specifies git repo tagged branch. Default "1.0.8"
* ```default[:swift][:swift_hash]``` - swift_hash_path_suffix in /etc/swift/swift.conf (defaults to 107c0568ea84)
* ```default[:swift][:audit_hour]``` - Hour to run swift_auditor on storage nodes (defaults to 5)
* ```default[:swift][:disk_enum_expr]``` - Eval-able expression that lists
candidate disk nodes for disk probing. The result should be a hash
with keys being the device name (without the leading "/dev/") and a
hash block of any extra info associated with the device. For
example: { "sdc" => { "model": "Hitachi 7K3000" }}. Largely,
though, if you are going to make a list of valid devices, you
probably know all the valid devices, and don't need to pass any
metadata about them, so { "sdc" => {}} is probably enough. Example
expression: Hash[('a'..'f').to_a.collect{|x| [ "sd{x}", {} ]}]
* ```default[:swift][:ring][:part_power]``` - controls the size of the ring (defaults to 18)
* ```default[:swift][:ring][:min_part_hours]``` - the minimum number of hours before swift is allowed to migrate a partition (defaults to 1)
* ```default[:swift][:ring][:replicas]``` - how many replicas swift should retain (defaults to 3)
* ```default[:swift][:disk_test_filter]``` - an array of expressions that must
all be true in order a block device to be considered for
formatting and inclusion in the cluster. Each rule gets evaluated
with "candidate" set to the device name (without the leading
"/dev/") and info set to the node hash value. Default rules:
* "candidate =~ /sd[^a]/ or candidate =~ /hd[^a]/ or candidate =~
/vd[^a]/"
* "File.exists?('/dev/ + candidate)"
* "not system('/sbin/sfdisk -V /dev/' + candidate + '>/dev/null 2>&2')"
* "info['removable'] = 0" ])
* ```default[:swift][:expected_disks]``` - an array of device names that the
operator expecs to be identified by the previous two values. This
acts as a second-check on discovered disks. If this array doesn't
match the found disks, then chef processing will be stopped.
Example: ("b".."f").collect{|x| "sd#{x}"}. Default: none.
There are other attributes that must be set depending on authmode.
For "swauth", the following attributes are used:
* ```default[:swift][:authkey]``` - swauth super admin key if using swauth (defaults to test)
The following secrets can be defined in the databag defined in Common ['openstack']['secret']['secrets_data_bag']
```
{
"swift_hash": "1a7c0568fa84"
"swift_authkey": "keY4all"
"dispersion_auth_user": "ops:dispersion",
"dispersion_auth_key": "dispersionpass"
}
```
In addition, because swift is typically deployed as a cluster
there are some attributes used to find interfaces and ip addresses
on storage nodes:
* ```default[:swift][:git_builder_ip]``` - the IP address of the management server which other cluster members will use as their git pull target for ring updates (defaults to 127.0.0.1)
* ```default[:swift][:network][:proxy-bind-ip]``` - the IP address to bind to
on the proxy servers (defaults to 0.0.0.0 for all addresses)
* ```default[:swift][:network][:proxy-bind-port]``` - the port to bind to
on the proxy servers (defaults to 8080)
* ```default[:swift][:network][:account-bind-ip]``` - the IP address to bind to
on the account servers (defaults to 0.0.0.0 for all addresses)
* ```default[:swift][:network][:account-bind-port]``` - the port to bind to
on the account servers (defaults to 6002)
* ```default[:swift][:network][:container-bind-ip]``` - the IP address to bind to
on the container servers (defaults to 0.0.0.0 for all addresses)
* ```default[:swift][:network][:container-bind-port]``` - the port to bind to
on the container servers (defaults to 6002)
* ```default[:swift][:network][:object-bind-ip]``` - the IP address to bind to
on the object servers (defaults to 0.0.0.0 for all addresses)
* ```default[:swift][:network][:object-bind-port]``` - the port to bind to
on the container servers (defaults to 6002)
* ```default[:swift][:network][:object-cidr]``` - the CIDR network for your object
servers in order to build the ring (defaults to 10.0.0.0/24)
Proxy Plugins
=============
Formpost
-------
* ```default[:swift][:formpost][:enabled]``` - optionally enable the formpost proxy plugin (defaults to false)
TempURL
-------
* ```default[:swift][:tempurl][:enabled]``` - optionally enable the tempurl proxy plugin (defaults to false)
* ```default[:swift][:tempurl][:incoming_remove_headers]``` - The headers to remove from incoming requests (defaults to x-timestamp)
* ```default[:swift][:tempurl][:incoming_allow_headers]``` - The headers allowed as exceptions to incoming_remove_headers (defaults to empty string)
* ```default[:swift][:tempurl][:incoming_allow_headers]``` - The headers allowed as exceptions to incoming_remove_headers (defaults to empty string)
* ```default[:swift][:tempurl][:outgoing_remove_headers]``` - The headers to remove from outgoing responses (defaults to x-object-meta-*)
* ```default[:swift][:tempurl][:outgoing_allow_headers]``` - The headers allowed as exceptions to outgoing_remove_headers (defaults x-object-meta-public-*)
Domain Remap
------------
* ```default[:swift][:domain_remap][:enabled]``` - optionally enable the domain remap proxy plugin (defaults to false)
* ```default[:swift][:domain_remap][:storage_domain]``` - The domain remap reseller domain (defaults to example.com)
* ```default[:swift][:domain_remap][:root_path]``` - The domain remap root path (defaults to v1)
* ```default[:swift][:domain_remap][:reseller_prefixes]``` - The domain remap reseller prefixes (defaults to AUTH)
Staticweb
----------
* ```default[:swift][:staticweb][:enabled]``` - optionally enable the staticweb proxy plugin (defaults to false)
* ```default[:swift][:staticweb][:cache_timeout]``` - Seconds to cache container x-container-meta-web-* header values (defaults to 300)
Examples
========
Example environment
-------------------
```json
{
"default_attributes": {
"swift": {
"swift_hash": "107c0568ea84",
"authmode": "swauth",
"authkey": "test",
"auto_rebuild_rings": false,
"git_builder_ip": "10.0.0.10",
"swauth": {
"url": "http://10.0.0.10:8080/v1/"
}
}
},
"name": "swift",
"chef_type": "environment",
"json_class": "Chef::Environment"
}
```
This sets up defaults for a swauth-based cluster with the storage
network on 10.0.0.0/24.
Standalone Storage Server
-------------------------
```json
{
"name": "swift-object-server",
"json_class": "Chef::Role",
"run_list": [
"recipe[swift::object-server]"
],
"description": "A storage server role.",
"chef_type": "role"
}
```
Standalone Proxy Server
-----------------------
```json
"run_list": [
"role[swift-proxy-server]"
]
```
Testing
=======
Please refer to the [TESTING.md](TESTING.md) for instructions for testing the cookbook.
Berkshelf
=========
Berks will resolve version requirements and dependencies on first run and
store these in Berksfile.lock. If new cookbooks become available you can run
`berks update` to update the references in Berksfile.lock. Berksfile.lock will
be included in stable branches to provide a known good set of dependencies.
Berksfile.lock will not be included in development branches to encourage
development against the latest cookbooks.
License and Author
==================
| | |
|:---------------------|:---------------------------------------------------|
| **Author** | Alan Meadows (<alan.meadows@gmail.com>) |
| **Author** | Oisin Feeley (<of3434@att.com>) |
| **Author** | Ron Pedde (<ron.pedde@rackspace.com>) |
| **Author** | Will Kelly (<will.kelly@rackspace.com>) |
| **Author** | Chen Zhiwei (<zhiwchen@cn.ibm.com>) |
| **Author** | Mark Vanderwiel (<vanderwl@us.ibm.com>) |
| | |
| **Copyright** | Copyright (c) 2013, AT&T, Inc. |
| **Copyright** | Copyright (c) 2012, Rackspace US, Inc. |
| **Copyright** | Copyright (c) 2013-2015 IBM, Corp. |
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
View Git Blame Copy Permalink