2021-02-18 14:17:07 +00:00
|
|
|
===========
|
|
|
|
RGW Service
|
|
|
|
===========
|
|
|
|
|
|
|
|
.. _cephadm-deploy-rgw:
|
|
|
|
|
|
|
|
Deploy RGWs
|
|
|
|
===========
|
|
|
|
|
|
|
|
Cephadm deploys radosgw as a collection of daemons that manage a
|
2021-03-09 19:29:39 +00:00
|
|
|
single-cluster deployment or a particular *realm* and *zone* in a
|
|
|
|
multisite deployment. (For more information about realms and zones,
|
|
|
|
see :ref:`multisite`.)
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
Note that with cephadm, radosgw daemons are configured via the monitor
|
|
|
|
configuration database instead of via a `ceph.conf` or the command line. If
|
|
|
|
that configuration isn't already in place (usually in the
|
2021-03-09 19:29:39 +00:00
|
|
|
``client.rgw.<something>`` section), then the radosgw
|
2021-02-18 14:17:07 +00:00
|
|
|
daemons will start up with default settings (e.g., binding to port
|
|
|
|
80).
|
|
|
|
|
2021-03-09 19:29:39 +00:00
|
|
|
To deploy a set of radosgw daemons, with an arbitrary service name
|
|
|
|
*name*, run the following command:
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
2021-03-26 19:13:18 +00:00
|
|
|
ceph orch apply rgw *<name>* [--realm=*<realm-name>*] [--zone=*<zone-name>*] --placement="*<num-daemons>* [*<host1>* ...]"
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-03-10 21:48:58 +00:00
|
|
|
Trivial setup
|
|
|
|
-------------
|
|
|
|
|
2021-03-09 19:29:39 +00:00
|
|
|
For example, to deploy 2 RGW daemons (the default) for a single-cluster RGW deployment
|
|
|
|
under the arbitrary service id *foo*:
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
2021-03-09 19:29:39 +00:00
|
|
|
ceph orch apply rgw foo
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2022-01-27 09:09:58 +00:00
|
|
|
.. _cephadm-rgw-designated_gateways:
|
|
|
|
|
2021-03-10 21:48:58 +00:00
|
|
|
Designated gateways
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
A common scenario is to have a labeled set of hosts that will act
|
|
|
|
as gateways, with multiple instances of radosgw running on consecutive
|
|
|
|
ports 8000 and 8001:
|
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
ceph orch host label add gwhost1 rgw # the 'rgw' label can be anything
|
|
|
|
ceph orch host label add gwhost2 rgw
|
|
|
|
ceph orch apply rgw foo '--placement=label:rgw count-per-host:2' --port=8000
|
|
|
|
|
2022-01-27 09:09:58 +00:00
|
|
|
See also: :ref:`cephadm_co_location`.
|
|
|
|
|
2021-09-14 14:08:11 +00:00
|
|
|
.. _cephadm-rgw-networks:
|
|
|
|
|
|
|
|
Specifying Networks
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
The RGW service can have the network they bind to configured with a yaml service specification.
|
|
|
|
|
|
|
|
example spec file:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
service_type: rgw
|
|
|
|
service_name: foo
|
|
|
|
placement:
|
|
|
|
label: rgw
|
|
|
|
count-per-host: 2
|
|
|
|
networks:
|
|
|
|
- 192.169.142.0/24
|
|
|
|
spec:
|
|
|
|
port: 8000
|
|
|
|
|
|
|
|
|
2021-03-10 21:48:58 +00:00
|
|
|
Multisite zones
|
|
|
|
---------------
|
|
|
|
|
2021-03-09 19:29:39 +00:00
|
|
|
To deploy RGWs serving the multisite *myorg* realm and the *us-east-1* zone on
|
|
|
|
*myhost1* and *myhost2*:
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-03-09 19:29:39 +00:00
|
|
|
.. prompt:: bash #
|
|
|
|
|
2021-03-26 19:13:18 +00:00
|
|
|
ceph orch apply rgw east --realm=myorg --zone=us-east-1 --placement="2 myhost1 myhost2"
|
2021-03-09 19:29:39 +00:00
|
|
|
|
|
|
|
Note that in a multisite situation, cephadm only deploys the daemons. It does not create
|
|
|
|
or update the realm or zone configurations. To create a new realm and zone, you need to do
|
|
|
|
something like:
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
radosgw-admin realm create --rgw-realm=<realm-name> --default
|
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
radosgw-admin zonegroup create --rgw-zonegroup=<zonegroup-name> --master --default
|
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
radosgw-admin zone create --rgw-zonegroup=<zonegroup-name> --rgw-zone=<zone-name> --master --default
|
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
radosgw-admin period update --rgw-realm=<realm-name> --commit
|
|
|
|
|
|
|
|
See :ref:`orchestrator-cli-placement-spec` for details of the placement
|
2021-03-09 19:29:39 +00:00
|
|
|
specification. See :ref:`multisite` for more information of setting up multisite RGW.
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-09-11 18:02:44 +00:00
|
|
|
See also :ref:`multisite`.
|
|
|
|
|
2021-07-16 10:54:00 +00:00
|
|
|
Setting up HTTPS
|
|
|
|
----------------
|
|
|
|
|
|
|
|
In order to enable HTTPS for RGW services, apply a spec file following this scheme:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
service_type: rgw
|
|
|
|
service_id: myrgw
|
|
|
|
spec:
|
|
|
|
rgw_frontend_ssl_certificate: |
|
|
|
|
-----BEGIN PRIVATE KEY-----
|
|
|
|
V2VyIGRhcyBsaWVzdCBpc3QgZG9vZi4gTG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFt
|
|
|
|
ZXQsIGNvbnNldGV0dXIgc2FkaXBzY2luZyBlbGl0ciwgc2VkIGRpYW0gbm9udW15
|
|
|
|
IGVpcm1vZCB0ZW1wb3IgaW52aWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWdu
|
|
|
|
YSBhbGlxdXlhbSBlcmF0LCBzZWQgZGlhbSB2b2x1cHR1YS4gQXQgdmVybyBlb3Mg
|
|
|
|
ZXQgYWNjdXNhbSBldCBqdXN0byBkdW8=
|
|
|
|
-----END PRIVATE KEY-----
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
V2VyIGRhcyBsaWVzdCBpc3QgZG9vZi4gTG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFt
|
|
|
|
ZXQsIGNvbnNldGV0dXIgc2FkaXBzY2luZyBlbGl0ciwgc2VkIGRpYW0gbm9udW15
|
|
|
|
IGVpcm1vZCB0ZW1wb3IgaW52aWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWdu
|
|
|
|
YSBhbGlxdXlhbSBlcmF0LCBzZWQgZGlhbSB2b2x1cHR1YS4gQXQgdmVybyBlb3Mg
|
|
|
|
ZXQgYWNjdXNhbSBldCBqdXN0byBkdW8=
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
ssl: true
|
|
|
|
|
|
|
|
Then apply this yaml document:
|
|
|
|
|
|
|
|
.. prompt:: bash #
|
|
|
|
|
|
|
|
ceph orch apply -i myrgw.yaml
|
|
|
|
|
|
|
|
Note the value of ``rgw_frontend_ssl_certificate`` is a literal string as
|
2021-09-28 14:57:41 +00:00
|
|
|
indicated by a ``|`` character preserving newline characters.
|
|
|
|
|
|
|
|
Service specification
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
.. py:currentmodule:: ceph.deployment.service_spec
|
|
|
|
|
|
|
|
.. autoclass:: RGWSpec
|
|
|
|
:members:
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
.. _orchestrator-haproxy-service-spec:
|
|
|
|
|
|
|
|
High availability service for RGW
|
|
|
|
=================================
|
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
The *ingress* service allows you to create a high availability endpoint
|
2021-12-08 11:43:27 +00:00
|
|
|
for RGW with a minimum set of configuration options. The orchestrator will
|
2021-04-09 19:10:49 +00:00
|
|
|
deploy and manage a combination of haproxy and keepalived to provide load
|
|
|
|
balancing on a floating virtual IP.
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
If SSL is used, then SSL must be configured and terminated by the ingress service
|
|
|
|
and not RGW itself.
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-09-13 15:15:33 +00:00
|
|
|
.. image:: ../../images/HAProxy_for_RGW.svg
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
There are N hosts where the ingress service is deployed. Each host
|
|
|
|
has a haproxy daemon and a keepalived daemon. A virtual IP is
|
|
|
|
automatically configured on only one of these hosts at a time.
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
Each keepalived daemon checks every few seconds whether the haproxy
|
|
|
|
daemon on the same host is responding. Keepalived will also check
|
|
|
|
that the master keepalived daemon is running without problems. If the
|
|
|
|
"master" keepalived daemon or the active haproxy is not responding,
|
|
|
|
one of the remaining keepalived daemons running in backup mode will be
|
|
|
|
elected as master, and the virtual IP will be moved to that node.
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
The active haproxy acts like a load balancer, distributing all RGW requests
|
2021-02-18 14:17:07 +00:00
|
|
|
between all the RGW daemons available.
|
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
Prerequisites
|
|
|
|
-------------
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-04-12 17:50:12 +00:00
|
|
|
* An existing RGW service, without SSL. (If you want SSL service, the certificate
|
|
|
|
should be configured on the ingress service, not the RGW service.)
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
Deploying
|
|
|
|
---------
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
Use the command::
|
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
ceph orch apply -i <ingress_spec_file>
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
Service specification
|
|
|
|
---------------------
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
It is a yaml format file with the following properties:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
2021-04-09 19:10:49 +00:00
|
|
|
service_type: ingress
|
|
|
|
service_id: rgw.something # adjust to match your existing RGW service
|
2021-02-18 14:17:07 +00:00
|
|
|
placement:
|
|
|
|
hosts:
|
|
|
|
- host1
|
|
|
|
- host2
|
|
|
|
- host3
|
|
|
|
spec:
|
2021-04-12 21:21:22 +00:00
|
|
|
backend_service: rgw.something # adjust to match your existing RGW service
|
|
|
|
virtual_ip: <string>/<string> # ex: 192.168.20.1/24
|
|
|
|
frontend_port: <integer> # ex: 8080
|
|
|
|
monitor_port: <integer> # ex: 1967, used by haproxy for load balancer status
|
2021-04-12 21:21:33 +00:00
|
|
|
virtual_interface_networks: [ ... ] # optional: list of CIDR networks
|
2021-04-12 21:21:22 +00:00
|
|
|
ssl_cert: | # optional: SSL certificate and key
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
...
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
-----BEGIN PRIVATE KEY-----
|
|
|
|
...
|
|
|
|
-----END PRIVATE KEY-----
|
2021-02-18 14:17:07 +00:00
|
|
|
|
|
|
|
where the properties of this service specification are:
|
|
|
|
|
|
|
|
* ``service_type``
|
2021-04-09 19:10:49 +00:00
|
|
|
Mandatory and set to "ingress"
|
2021-02-18 14:17:07 +00:00
|
|
|
* ``service_id``
|
2021-04-09 19:10:49 +00:00
|
|
|
The name of the service. We suggest naming this after the service you are
|
|
|
|
controlling ingress for (e.g., ``rgw.foo``).
|
2021-02-18 14:17:07 +00:00
|
|
|
* ``placement hosts``
|
2021-04-09 19:10:49 +00:00
|
|
|
The hosts where it is desired to run the HA daemons. An haproxy and a
|
|
|
|
keepalived container will be deployed on these hosts. These hosts do not need
|
|
|
|
to match the nodes where RGW is deployed.
|
|
|
|
* ``virtual_ip``
|
|
|
|
The virtual IP (and network) in CIDR format where the ingress service will be available.
|
2021-04-12 21:21:33 +00:00
|
|
|
* ``virtual_interface_networks``
|
|
|
|
A list of networks to identify which ethernet interface to use for the virtual IP.
|
2021-02-18 14:17:07 +00:00
|
|
|
* ``frontend_port``
|
2021-04-09 19:10:49 +00:00
|
|
|
The port used to access the ingress service.
|
|
|
|
* ``ssl_cert``:
|
|
|
|
SSL certificate, if SSL is to be enabled. This must contain the both the certificate and
|
|
|
|
private key blocks in .pem format.
|
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
.. _ingress-virtual-ip:
|
|
|
|
|
|
|
|
Selecting ethernet interfaces for the virtual IP
|
|
|
|
------------------------------------------------
|
2021-04-12 21:21:33 +00:00
|
|
|
|
|
|
|
You cannot simply provide the name of the network interface on which
|
|
|
|
to configure the virtual IP because interface names tend to vary
|
|
|
|
across hosts (and/or reboots). Instead, cephadm will select
|
|
|
|
interfaces based on other existing IP addresses that are already
|
|
|
|
configured.
|
|
|
|
|
|
|
|
Normally, the virtual IP will be configured on the first network
|
|
|
|
interface that has an existing IP in the same subnet. For example, if
|
|
|
|
the virtual IP is 192.168.0.80/24 and eth2 has the static IP
|
|
|
|
192.168.0.40/24, cephadm will use eth2.
|
|
|
|
|
|
|
|
In some cases, the virtual IP may not belong to the same subnet as an existing static
|
|
|
|
IP. In such cases, you can provide a list of subnets to match against existing IPs,
|
|
|
|
and cephadm will put the virtual IP on the first network interface to match. For example,
|
|
|
|
if the virtual IP is 192.168.0.80/24 and we want it on the same interface as the machine's
|
|
|
|
static IP in 10.10.0.0/16, you can use a spec like::
|
|
|
|
|
|
|
|
service_type: ingress
|
|
|
|
service_id: rgw.something
|
|
|
|
spec:
|
|
|
|
virtual_ip: 192.168.0.80/24
|
|
|
|
virtual_interface_networks:
|
|
|
|
- 10.10.0.0/16
|
|
|
|
...
|
|
|
|
|
|
|
|
A consequence of this strategy is that you cannot currently configure the virtual IP
|
|
|
|
on an interface that has no existing IP address. In this situation, we suggest
|
|
|
|
configuring a "dummy" IP address is an unroutable network on the correct interface
|
|
|
|
and reference that dummy network in the networks list (see above).
|
|
|
|
|
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
Useful hints for ingress
|
|
|
|
------------------------
|
2021-02-18 14:17:07 +00:00
|
|
|
|
2021-05-06 22:47:38 +00:00
|
|
|
* It is good to have at least 3 RGW daemons.
|
|
|
|
* We recommend at least 3 hosts for the ingress service.
|
2021-09-11 18:02:44 +00:00
|
|
|
|
|
|
|
Further Reading
|
|
|
|
===============
|
|
|
|
|
|
|
|
* :ref:`object-gateway`
|
2021-11-02 14:13:55 +00:00
|
|
|
* :ref:`mgr-rgw-module`
|