f60d05686f
Summary of the new configuration option: The cluster operators add the container_sync middleware to their proxy pipeline and create a container-sync-realms.conf for their cluster and copy this out to all their proxy and container servers. This file specifies the available container sync "realms". A container sync realm is a group of clusters with a shared key that have agreed to provide container syncing to one another. The end user can then set the X-Container-Sync-To value on a container to //realm/cluster/account/container instead of the previously required URL. The allowed hosts list is not used with this configuration and instead every container sync request sent is signed using the realm key and user key. This offers better security as source hosts can be faked much more easily than faking per request signatures. Replaying signed requests, assuming it could easily be done, shouldn't be an issue as the X-Timestamp is part of the signature and so would just short-circuit as already current or as superceded. This also makes configuration easier for the end user, especially with difficult networking situations where a different host might need to be used for the container sync daemon since it's connecting from within a cluster. With this new configuration option, the end user just specifies the realm and cluster names and that is resolved to the proper endpoint configured by the operator. If the operator changes their configuration (key or endpoint), the end user does not need to change theirs. DocImpact Change-Id: Ie1704990b66d0434e4991e26ed1da8b08cb05a37
163 lines
4.6 KiB
Plaintext
163 lines
4.6 KiB
Plaintext
[DEFAULT]
|
|
# bind_ip = 0.0.0.0
|
|
# bind_port = 6001
|
|
# bind_timeout = 30
|
|
# backlog = 4096
|
|
# user = swift
|
|
# swift_dir = /etc/swift
|
|
# devices = /srv/node
|
|
# mount_check = true
|
|
# disable_fallocate = false
|
|
#
|
|
# Use an integer to override the number of pre-forked processes that will
|
|
# accept connections.
|
|
# workers = auto
|
|
#
|
|
# Maximum concurrent requests per worker
|
|
# max_clients = 1024
|
|
#
|
|
# This is a comma separated list of hosts allowed in the X-Container-Sync-To
|
|
# field for containers. This is the old-style of using container sync. It is
|
|
# strongly recommended to use the new style of a separate
|
|
# container-sync-realms.conf -- see container-sync-realms.conf-sample
|
|
# allowed_sync_hosts = 127.0.0.1
|
|
#
|
|
# You can specify default log routing here if you want:
|
|
# log_name = swift
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_address = /dev/log
|
|
#
|
|
# comma separated list of functions to call to setup custom log handlers.
|
|
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
|
|
# adapted_logger
|
|
# log_custom_handlers =
|
|
#
|
|
# If set, log_udp_host will override log_address
|
|
# log_udp_host =
|
|
# log_udp_port = 514
|
|
#
|
|
# You can enable StatsD logging here:
|
|
# log_statsd_host = localhost
|
|
# log_statsd_port = 8125
|
|
# log_statsd_default_sample_rate = 1.0
|
|
# log_statsd_sample_rate_factor = 1.0
|
|
# log_statsd_metric_prefix =
|
|
#
|
|
# If you don't mind the extra disk space usage in overhead, you can turn this
|
|
# on to preallocate disk space with SQLite databases to decrease fragmentation.
|
|
# db_preallocation = off
|
|
#
|
|
# eventlet_debug = false
|
|
#
|
|
# You can set fallocate_reserve to the number of bytes you'd like fallocate to
|
|
# reserve, whether there is space for the given file size or not.
|
|
# fallocate_reserve = 0
|
|
|
|
[pipeline:main]
|
|
pipeline = healthcheck recon container-server
|
|
|
|
[app:container-server]
|
|
use = egg:swift#container
|
|
# You can override the default log routing for this app here:
|
|
# set log_name = container-server
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_requests = true
|
|
# set log_address = /dev/log
|
|
#
|
|
# node_timeout = 3
|
|
# conn_timeout = 0.5
|
|
# allow_versions = false
|
|
# auto_create_account_prefix = .
|
|
#
|
|
# Configure parameter for creating specific server
|
|
# To handle all verbs, including replication verbs, do not specify
|
|
# "replication_server" (this is the default). To only handle replication,
|
|
# set to a True value (e.g. "True" or "1"). To handle only non-replication
|
|
# verbs, set to "False". Unless you have a separate replication network, you
|
|
# should not specify any value for "replication_server".
|
|
# replication_server = false
|
|
|
|
[filter:healthcheck]
|
|
use = egg:swift#healthcheck
|
|
# An optional filesystem path, which if present, will cause the healthcheck
|
|
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE"
|
|
# disable_path =
|
|
|
|
[filter:recon]
|
|
use = egg:swift#recon
|
|
#recon_cache_path = /var/cache/swift
|
|
|
|
[container-replicator]
|
|
# You can override the default log routing for this app here (don't use set!):
|
|
# log_name = container-replicator
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_address = /dev/log
|
|
#
|
|
# vm_test_mode = no
|
|
# per_diff = 1000
|
|
# max_diffs = 100
|
|
# concurrency = 8
|
|
# interval = 30
|
|
# node_timeout = 10
|
|
# conn_timeout = 0.5
|
|
#
|
|
# The replicator also performs reclamation
|
|
# reclaim_age = 604800
|
|
#
|
|
# Time in seconds to wait between replication passes
|
|
# run_pause = 30
|
|
#
|
|
# recon_cache_path = /var/cache/swift
|
|
|
|
[container-updater]
|
|
# You can override the default log routing for this app here (don't use set!):
|
|
# log_name = container-updater
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_address = /dev/log
|
|
#
|
|
# interval = 300
|
|
# concurrency = 4
|
|
# node_timeout = 3
|
|
# conn_timeout = 0.5
|
|
#
|
|
# slowdown will sleep that amount between containers
|
|
# slowdown = 0.01
|
|
#
|
|
# Seconds to suppress updating an account that has generated an error
|
|
# account_suppression_time = 60
|
|
#
|
|
# recon_cache_path = /var/cache/swift
|
|
|
|
[container-auditor]
|
|
# You can override the default log routing for this app here (don't use set!):
|
|
# log_name = container-auditor
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_address = /dev/log
|
|
#
|
|
# Will audit each container at most once per interval
|
|
# interval = 1800
|
|
#
|
|
# containers_per_second = 200
|
|
# recon_cache_path = /var/cache/swift
|
|
|
|
[container-sync]
|
|
# You can override the default log routing for this app here (don't use set!):
|
|
# log_name = container-sync
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_address = /dev/log
|
|
#
|
|
# If you need to use an HTTP Proxy, set it here; defaults to no proxy.
|
|
# sync_proxy = http://127.0.0.1:8888
|
|
#
|
|
# Will sync each container at most once per interval
|
|
# interval = 300
|
|
#
|
|
# Maximum amount of time to spend syncing each container per pass
|
|
# container_time = 60
|