[Openstack-operators] Fwd: Re: Request for Load data for Keystone

Adam Young ayoung at redhat.com
Wed Jan 29 21:10:35 UTC 2014

On Wed, Jan 29, 2014 at 02:51:21PM -0500, Adam Young wrote:
:On 01/29/2014 12:03 PM, Jonathan D. Proulx wrote:

:>:active tokens
:>I'd love to know how to find this.

Any thought on how to coax this out of memcache?

I've stolen a Ruby script that dumps all keys from a local memcache
server (https://gist.github.com/bkimble/1365005); this puts the count
at 32,053 keys, some of these are expired. I only have a 3600s token
life set; the oldest keys returned expired (according to memcache) 2hr ago.

Some of these stats may be relevant:

STAT uptime 179926
STAT time 1391027065
STAT curr_connections 1509
STAT total_connections 21866
STAT cmd_get 30832352
STAT cmd_set 2512044
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 7798159
STAT get_misses 23034193
STAT delete_misses 52
STAT delete_hits 10
STAT cas_hits 497990
STAT cas_badval 1261948
STAT bytes_read 6296430965134
STAT bytes_written 6297906840077
STAT limit_maxbytes 48104472576
STAT expired_unfetched 2018
STAT evicted_unfetched 0
STAT bytes 1242072368
STAT curr_items 403975
STAT total_items 1250095
STAT evictions 0
STAT reclaimed 348075

:>:How many token revocation events are you seeing?  How long is your
:>:token revocation list getting?  Which events dominate (change
:>:password, revoke roles?)
:>How do I get this info?
:Since you are using Memcached, it might be harder.  The memcache
:backend is accessible via the port (for example)
:telnet localhost 11211
:When you revoke a token...it appends it to a key called 'revocation-list'
:Which you should be able to query out of there.

VALUE revocation-list 0 31193
{followed by 10 json data structures, which appear to be only very
recently expired tokens}
:Caveat, I am a developer, and I break things all the time.  Don't do
:nothing stupid.  That being said:
:You probably want to run two Keystone servers with identical
:everything except ports.  Common Database, shared memcached, etc. Run
:one on SSL, the other not on SSL, then update the auth URLS for your
:services one at a time.   Once all of your servers are using SSL,
:drop the insecure Keystone server.

Sounds like a reasonable transition strategy.  I hadn't considered
that I could have both the old and new services sharing the live data,
but of course I can; that is rather the normal use case for memcache
and mysql after all.
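
Added example, not part of the original message and not Keystone or memcached project code: one way to turn a key dump like the one described above into an active-token count, by comparing each key's expiry with the server's own "STAT time". The "token-" key prefix and the sample dump lines are assumptions constructed for illustration; the line format is what memcached's "stats cachedump" prints.

```python
import re

# Line format printed by memcached's "stats cachedump <slab> <limit>":
#   ITEM <key> [<size> b; <expiry> s]
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def count_active_tokens(dump_lines, server_time, prefix="token-"):
    """Classify dumped keys into active/expired tokens and other keys.

    server_time is "STAT time" from the same server, so both sides of the
    comparison use memcached's own clock. prefix is an assumption about how
    the Keystone memcache token backend names its keys.
    """
    counts = {"active": 0, "expired": 0, "other": 0, "unparsed": 0}
    for line in dump_lines:
        line = line.strip()
        if not line or line == "END":
            continue
        m = ITEM_RE.match(line)
        if m is None:
            counts["unparsed"] += 1
            continue
        key, expiry = m.group(1), int(m.group(3))
        if not key.startswith(prefix):
            counts["other"] += 1      # e.g. revocation-list, per-user indexes
        elif expiry > server_time:
            counts["active"] += 1
        else:
            counts["expired"] += 1    # still in memory, not yet reclaimed
    return counts


# Constructed sample dump; SERVER_TIME is the "STAT time" quoted in the message.
SERVER_TIME = 1391027065
SAMPLE_DUMP = """\
ITEM token-aaaa1111 [5120 b; 1391030000 s]
ITEM token-bbbb2222 [5120 b; 1391019865 s]
ITEM token-cccc3333 [4096 b; 1391027065 s]
ITEM usertoken-example-user [64 b; 1391030000 s]
ITEM revocation-list [31193 b; 1391030000 s]
garbage line
END
""".splitlines()

if __name__ == "__main__":
    print(count_active_tokens(SAMPLE_DUMP, SERVER_TIME))
```

On a large cache the cachedump output is truncated per slab class, so the result is a lower bound rather than an exact count.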

