On Fri, Dec 11, 2015 at 6:06 AM, Bajin, Joseph <[email protected]> wrote:
> At this point, we use Keystone and UUIDs for our setup, but we don’t store
> the UUID tokens in the Database. We use Memcache to do that. Actually we
> use McRouter and Memcache to make sure any node in our control plane can
> validate that token.

That's cool. I was experimenting with mcrouter to do that. That's the
first time I've heard anyone mention it with regards to trying to make
memcache HA-ish for openstack.

It'd be great to hear more on that. :)

Thanks,
Curtis.

>
> —Joe
>
> From: Ajaya Agrawal <[email protected]>
> Date: Friday, December 11, 2015 at 2:25 AM
> To: Matt Fischer <[email protected]>
> Cc: "[email protected]"
> <[email protected]>
> Subject: Re: [Openstack-operators] Galera setup testing
>
> Thanks Matt. That surely is helpful. If you could share some numbers or
> problems you faced when you were storing UUID tokens in database, it would
> be awesome. In my test setup with Keystone Kilo, Fernet token creation and
> validation were way slower than UUID tokens. But UUID tokens come with a
> huge cost to database which is the pain point. I have never run Keystone
> with UUID tokens in Prod setup. So I am looking for perspective on Keystone
> with UUID in prod setup.
>
> Thanks to other people who also chimed in with advice.
>
> Cheers,
> Ajaya
>
> On Mon, Dec 7, 2015 at 8:34 PM, Matt Fischer <[email protected]> wrote:
>>
>> On Mon, Dec 7, 2015 at 3:54 AM, Ajaya Agrawal <[email protected]> wrote:
>>>
>>> Hi everyone,
>>>
>>> We are deploying Openstack and planning to run multi-master Galera setup
>>> in production. My team is responsible for running a highly available
>>> Keystone. I have two questions when it comes to Galera with Keystone.
>>>
>>> 1. How do you test if a Galera cluster is set up properly?
>>> 2. Is there any Galera test specific to Keystone which you have found
>>> useful?
>>>
>>
>> For 1 you could say that the clustercheck script which ships with
>> puppet-galera and is forked from
>> https://github.com/olafz/percona-clustercheck is a really simple check that
>> galera is up and the cluster is sync'd. Its main goal however is to provide
>> status to haproxy.
>>
>> One thing you want to check is the turnaround time on operations, for
>> example, creating a user on a node and then immediately using them on
>> another node. We found that this is likely to sometimes (but rarely) fail.
>> The solution is two-fold, first, don't store tokens in mysql. Second,
>> designate one node as the primary in haproxy.
>>
>> Other than that we've gotten good at reading the wsrep_ cluster status
>> info, but to be honest, once we removed tokens from the db, we've been in
>> way better shape.
>>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>

--
Blog: serverascode.com
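
Added example, not part of the thread and not the clustercheck script: a shell function that reads one node's wsrep_ status variables, the ones mentioned in the quoted reply above, and reports each reason the node should not be treated as healthy. The function name, the sample rows (constructed) and the expected cluster size of 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Input on stdin: "name<TAB>value" rows,
# the shape printed by: mysql -N -B -e "SHOW GLOBAL STATUS LIKE 'wsrep_%'"
# $1 = number of members the operator expects in the cluster (assumption).
# Prints one line per failed check; returns 0 only when every check passes.
galera_node_check() {
    awk -F '\t' -v want="$1" '
        { v[$1] = $2 }
        END {
            bad = 0
            # Node must be in the primary component (the quorum side of a split).
            if (v["wsrep_cluster_status"] != "Primary") {
                print "cluster_status=" v["wsrep_cluster_status"] " (want Primary)"; bad = 1 }
            # 4 = Synced; 1 Joining, 2 Donor/Desynced, 3 Joined are not caught up.
            if (v["wsrep_local_state"] != "4") {
                print "local_state=" v["wsrep_local_state"] " (want 4, Synced)"; bad = 1 }
            # Connected to the group and ready to accept queries.
            if (v["wsrep_connected"] != "ON") {
                print "connected=" v["wsrep_connected"] " (want ON)"; bad = 1 }
            if (v["wsrep_ready"] != "ON") {
                print "ready=" v["wsrep_ready"] " (want ON)"; bad = 1 }
            # Fewer members than expected means a node dropped out or split off.
            if (v["wsrep_cluster_size"] + 0 < want + 0) {
                print "cluster_size=" v["wsrep_cluster_size"] " (want >= " want ")"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: a healthy member of a three-node cluster.
sample_synced() {
    printf 'wsrep_cluster_size\t3\nwsrep_cluster_status\tPrimary\n'
    printf 'wsrep_connected\tON\nwsrep_local_state\t4\nwsrep_ready\tON\n'
}

# Constructed sample: a node cut off from the other two members.
sample_partitioned() {
    printf 'wsrep_cluster_size\t1\nwsrep_cluster_status\tnon-Primary\n'
    printf 'wsrep_connected\tON\nwsrep_local_state\t0\nwsrep_ready\tOFF\n'
}

# Demo on the constructed samples.
sample_synced | galera_node_check 3 && echo "synced node: OK"
sample_partitioned | galera_node_check 3 || echo "partitioned node: FAILED"
```

Run against every node in turn, this shows which node disagrees about cluster size or component, which a single synced/not-synced answer does not.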
