Wednesday, 2022-06-01

« Tuesday, 2022-05-31 Index Thursday, 2022-06-02 »
opendevreviewMerged openstack/swift master: tempurl: Deprecate sha1 signatures  https://review.opendev.org/c/openstack/swift/+/52577115:54
opendevreviewPete Zaitcev proposed openstack/swift master: Make the dark data watcher work with sharded containers  https://review.opendev.org/c/openstack/swift/+/78765617:31
opendevreviewClay Gerrard proposed openstack/swift master: object-replicator: Remove some dead code  https://review.opendev.org/c/openstack/swift/+/84412817:44
ade_leetimburke_, mattoliver cschwede- hey -- looks like the bottom of the tempurl patches merged -- https://review.opendev.org/c/openstack/swift/+/52577118:39
ade_leecan we get some +2/W on the rest? :)18:39
timburke_yup! i've got some questions for mattoliver on https://review.opendev.org/c/openstack/swift/+/838434 though -- in particular, the unused vars in tests and whether we want to support base64-encoded sigs similar to what we do for tempurl18:43
timburke_once that guy lands, we'll unblock the other tempest follow-up 18:44
opendevreviewPete Zaitcev proposed openstack/swift master: Make the dark data watcher work with sharded containers  https://review.opendev.org/c/openstack/swift/+/78765619:08
opendevreviewMerged openstack/swift master: object-replicator: Remove some dead code  https://review.opendev.org/c/openstack/swift/+/84412819:40
opendevreviewTim Burke proposed openstack/swift master: Add ring_ip option to object services  https://review.opendev.org/c/openstack/swift/+/84037220:40
opendevreviewTim Burke proposed openstack/swift master: Rename bind_ip to ring_ip in a bunch of places  https://review.opendev.org/c/openstack/swift/+/84433820:53
kotagood morning20:57
timburke_kota, o/20:59
*** timburke_ is now known as timburke20:59
kotatimburke: o/20:59
timburke#startmeeting swift21:00
opendevmeetMeeting started Wed Jun  1 21:00:08 2022 UTC and is due to finish in 60 minutes.  The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot.21:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.21:00
opendevmeetThe meeting name has been set to 'swift'21:00
timburkewho's here for the swift meeting?21:00
kotao/21:00
claygo/21:01
timburkeas usual, the agenda's at https://wiki.openstack.org/wiki/Meetings/Swift21:02
timburkefirst up21:02
timburke#topic deprecating sha1 in formpost21:03
timburkewe merged the deprecation for tempurl!21:03
kotacool21:03
timburkenow to get the same for formpost :-)21:03
timburkebut of course, before we can do *that*, we need to support some other signature21:03
timburke#link https://review.opendev.org/c/openstack/swift/+/83843421:04
timburkeadds support for sha256 and sha51221:04
timburkeonce we have that, we can get a patch against tempest to use one of those instead of sha121:05
timburke#link https://review.opendev.org/c/openstack/swift/+/83371321:05
timburkemeanwhile, does the actual deprecation for sha121:05
timburkei was hoping mattoliver would be around to talk about the new-digests patch a little, but i think it might be a holiday in australia21:06
mattoliverOh hi o/21:06
timburke\o/21:07
mattoliverNo just running late21:07
timburkeso i had two main questions21:07
timburkeone was that the sig always seems to be hex-encoded -- which seems like an inconsistency from what i did for tempurl in https://review.opendev.org/c/openstack/swift/+/52577021:08
timburkethere, you could have <hex-encoded-sig> or <digest>:<base64-encoded-sig>21:09
timburkei was wondering whether that was an intentional difference, and how much we care21:09
timburkethe other question was around some unused info we're tracking in test_prefixed_and_not_prefixed_sigs_unsupported -- i'm not sure whether we want to make some assertions on it, or just drop it21:11
mattoliverNo real intentional difference. I guess I should keep them the same as tempurl so we're consistant. 21:11
claygwell, it WAS always *just* `<hex-encoded-sig>` until we added support for other signatures?  And then it was always `<digest>:<base64-encoded-sig>`?21:11
clayger... *if* you specify a digest then it better be base64 - you can't do `<digest>:<hex-encoded-sig>` for tempurl?21:12
timburke^^^ that's the one21:13
timburkeyou can still do <hex-encoded-sig> for sha1, sha256, and sha512 with tempurl -- it'll detect which digest based on the length21:14
timburkea hex-encoded sha512 sig seems pretty long to me, so i added base64 support -- but required the prefix21:14
timburkeanyway, sounds like we've got a plan to move forward -- and i figure we can just drop the extra info that's being tracked in that test21:16
timburke#topic backend rate limiting21:16
timburkei don't *think* we've tried this out in prod yet, but wanted to check in to make sure21:17
mattoliverdoesn't adding base64 increase a string by like a 3rd, so makes things longer.. maybe it's too early for my brain to work. either case I'll match tempurl.21:17
mattoliverOh we've got stuff setup in staging21:18
timburkewoo!21:18
mattoliverAnd I've been waiting on SRE to start testing backend ratelimit with the load generator21:18
mattoliverNow sure where that's at atm though. Long weekend for US and all that.21:19
mattoliverBut will try and find out. I'm lined up to use the load balancers next for the noop pipemutex testing.21:19
mattoliver*load generators21:19
timburke👍21:19
timburkei know there were some concerns about interactions with the proxy's error limiting -- and it made me wonder if we should rethink how we do that21:20
mattoliverAl and I had a talk about that.. and we are more conviced it could do the right thing at when used at scale..21:20
mattolivernot sure staging is the right scale though (there isn't many nodes to loose in staging).21:21
mattoliverbut we'll see.21:21
timburkei was thinking, what if instead of a threshold that would trigger some cool-down period, we started trying to estimate the probability of a request to a backend giving an error21:21
timburkeand "error-limit" roughly that proportion of requests to the backend21:22
mattoliveroh, interesting thought21:22
timburkesomething like https://paste.opendev.org/show/bj5m3lXImDLiX5tp4Bvu/21:23
claygmattoliver: i'm sure that SRE could use some help with load generation; we could also try turning the replication facing rate limit way down and try and make sure the consistency engine still works as expected21:23
mattoliver@clay 👍️ good thinking! Confirming that and no proxy to get in the way.. unless internal clients, but not sure how effective any error_limitting would be there. 21:26
timburkepretty sure i've seen error limiting kick in for internal clients before (though i don't remember the context now)21:27
timburkei think it'd be super-interesting to try different generated loads against both error-limiting implementations, ideally with a few different configs21:27
timburkewhich probably means i ought to try to get tests passing with my idea :-)21:28
mattoliverWhen we have enough proxies, error limitting + backend ratelimiting kinda does what we expect. Take out a proxy would actually cut off some load, giving others "more" to those the nodes.. so at scale it might actaully be great. But on a SAIO with 4 nodes and 1 proxy.. well it just takes down your cluster pretty quickly with alot of load :P 21:28
mattoliverYeah, depends on the life of the internal client I guess. If it sticks around or alot is done then the in memory error_limiting structure will be used.21:30
mattoliverBut yeah testing both approaches would be interesting. 21:30
timburkeall right, i think we know what we're doing next to get that merged21:31
timburke#topic s3api test suite21:31
timburkei remember one of the action items coming out of the last PTG was to actually run the handful of tests we've got under test/s3api in the gate21:31
timburke#link https://review.opendev.org/c/openstack/swift/+/84356721:31
timburkewill do that21:32
kotanice21:32
timburkeacoles also poked at simplifying the process of running those tests against actual AWS21:33
timburke#link https://review.opendev.org/c/openstack/swift/+/83856321:33
timburkei think my only concern on that was that it'd be nice if we could piggy-back a little more on boto3's config parsing21:33
timburkemaybe that'd be better as future work, though21:34
timburkeif anyone had some review cycles to spare, those would be handy additions, i think21:37
timburkeone last-minute topic (since both clayg and kota are here :-)21:37
timburke#topic expiring MPUs21:37
timburkea while back, clayg wrote a patch to delete MPU segments when the manifest expires21:38
timburke#link https://review.opendev.org/c/openstack/swift/+/80070121:38
timburkewe've been running it in prod for a while -- i want to know: do we have any reservations about merging this to master?21:39
zaitcevHmm21:40
zaitcevMakes sense, if only S3 orphan segments are gathered.21:40
timburkeclayg, maybe it'd be worth going over the goals of the patch, how it decides when to delete segments, and which segments to delete?21:42
claygthere was some stuff in the response of the DELETE request to the manifest that indicated it was an s3 manifest - and because s3 MPU doesn't let you reference/access your segments; we know it's safe to DELETE them21:44
mattoliverI think it's good. Solves a big issue. Is there way we can leverage something similar for the known related-bug (on overwrite)? or do we need an auditor watcher to run periodically? 21:46
timburkei think we still need the auditor -- even with just this, if the expirer falls over between deleting the manifest and finishing deleting the segments, there's still going to be orphans21:47
mattolivertrue21:48
zaitcevIt seems like a duplication of effort. If you have a semantic S3 watcher, it can delete.21:49
timburkei think it becomes a matter of how quickly it can get deleted -- an audit watcher would clean things up over the course of days, but our users often want to be able to get themselves under quota again sooner rather than later21:52
timburkeso maybe there *is* an argument that we should try to do something similar for the overwrite case21:53
mattoliverinstead of inline delete, queueing them for delete I guess is the other option. But for overwrite, we'd need to check to see if a object exists is a MPU, and trigger a delete when we finalise (before we loose the old manifest). 21:53
mattoliverbut overwrite would be in inline, so maybe queuing up with the expirer does make sense? 21:54
mattolivermoving the maifest and pulling an expiry on it, so only it needs to get queued up (overwrite case)21:55
mattoliversorry, now just thinking out loud.21:55
mattoliver*putting an expiry on it.21:56
timburkeall right, i'll try to review the patch soon with an eye towards merging it as-is, and think some more about what else we can do21:56
timburkelast couple minutes21:56
timburke#topic open discussion21:56
timburkeanything else we ought to bring up this week?21:56
timburkeall right, i'll call it then21:58
timburkethank you all for coming, and thank you for working on swift!21:58
timburke#endmeeting21:58
opendevmeetMeeting ended Wed Jun  1 21:58:25 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)21:58
opendevmeetMinutes:        https://meetings.opendev.org/meetings/swift/2022/swift.2022-06-01-21.00.html21:58
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/swift/2022/swift.2022-06-01-21.00.txt21:58
opendevmeetLog:            https://meetings.opendev.org/meetings/swift/2022/swift.2022-06-01-21.00.log.html21:58
« Tuesday, 2022-05-31 Index Thursday, 2022-06-02 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!