[Openstack-operators] Fwd: Re: Request for Load data for Keystone

Adam Young ayoung at redhat.com
Wed Jan 29 21:10:05 UTC 2014

Hi Adam,

A few questions in line about how to get some of the metrics you're
looking for, would be happy to provide them.

On Tue, Jan 28, 2014 at 04:33:37PM -0500, Adam Young wrote:
:I'm a Keystone core dev.  I often find myself in the position of
:thinking about Keystone Performance  without real numbers to back it
:Can people with "real live clouds" provide some insight?  Here's what
:I'd like to know?
:How big is your Keystone data set?  How many





1 (only using v2)

:active tokens

I'd love to know how to find this.

:1.  UUID vs PKI tokens?
:2.  Apache HTTPD vs Eventlet:
:Which do you run?  Do you see performance issues with either?

Tried PKI tokens with Grizzly upgrade (which we did in August), had
performance issues and switched back to UUID stayed with that for
Havana upgrade earlier this month.

For Grizlzy had been running eventlet with multi-worker patches,  For
Havana moved to Apache HTTPD.

Neither eventlet nor Apache would perform well enough to even keep
automated chatter running wihtout the patch under review here
https://review.openstack.org/#/c/66149/ I can't prove it but I blame
Neutron for over authenticating ...

I've not been able to describe this well enough to my self to call it
a bug but I've seen some spookie issues where one
service will consistently fail to validate tokens against keystone
behind Apache while allothers will work.  Switching back to eventlet
gets everything working but soon gets gummed up wiht the single
process.  It seems like letting eventlet run for sometime, maybe an
hour with is our token lifetime, clears this up then swithcing back to
Apache works again.  I've not been able to reproduce and flushing all
tokens in memcached does not sole the issue.  I've seen this on three
occations twice Neutron services wer failing and once Glance

:How many token revocation events are you seeing?  How long is your
:token revocation list getting?  Which events dominate (change
:password, revoke roles?)

How do I get this info?

:Do you run the SQL token backend?  If so, how often do you clean out
:the expired tokens?

no, memcache

:Non performance related questions:
:Are you using the V3 API?  If not, what is keeping you on V2?

Still on V2,  it works and I don't really know what V3 gets me, so
inertia rather than a reason at this point.

:Do you use trusts?  Do you even understand what they provide?

I don't even think I've heard trusts is this context.

:Do you use SSL or Kerberos?  Do you want to, but find something is
:keeping you from doing so?

I didn't know Kerberos was an option is htis just taking in passwords
and authenticating against a KDC or does it actally use proper krb5
tickets, and do clients support this?

Putting keystone behind SSL has been on my list for 18months, mostly
just nervous about breaking clients.  But mostly just embarased I've
not done so yet...


:If you have answers to these questions, but feel uncomfortable
:posting them publically, please send them to me directly and I will
:anonymize the answers.  Don't feel like you need to answer everything
:if you have something to contribute in just one topic.
:P.S. We know about the shortcomings of the Identity operations (list
:users in particular).  Those will be addressed separately.
:OpenStack-operators mailing list
:OpenStack-operators at lists.openstack.org

More information about the OpenStack-operators mailing list