<div dir="ltr">Hi Morgan,<div><br></div><div>Thank you very much for the detailed reply.</div><div><br></div><div>What's the relationship between the dogpile family of drivers and the SQL and memcached token storage backends? The Keystone dev docs say that dogpile is a caching layer on top of other keystone functions. You mention that dogpile can also work as a key/value store. So is the dogpile stuff superseding the "original" token backends? Or are those still needed but dogpile sits on top and ultimately does a better job?</div>
<div><br></div><div>I'm asking the above from the point of view of running a pre-Icehouse cloud. So I'm just trying to figure what options I currently have, will have, and if I should plan for some type of backend switch (even if it's just additional configuration in keystone.conf).</div>
<div><br></div><div>Thanks,</div><div>Joe </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 22, 2014 at 1:25 PM, Morgan Fainberg <span dir="ltr"><<a href="mailto:morgan.fainberg@gmail.com" target="_blank">morgan.fainberg@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">For Keystone, there will be a MongoDB backend in Juno that uses the Dogpile-based key-value storage. The Dogpile storage of tokens (available in icehouse) requires a simple backend that implements the basic types of interfaces (get, set, delete, get_multi, set_multi, delete_multi, etc) and that can communicate to whatever storage/cache system you want to use. Obviously it’s optimized for caching (the library is named dogpile.cache), but it works well as a key-value-store implementation as well.<br>
<br>
There are also significant strides towards supporting no-persistence (when using PKI tokens). There are still some roadblocks from getting us clear of needing the token persistence backends as an option.<br>
<br>
With that said… Back on the original topic.<br>
<br>
We definitely are using memcached incorrectly (as a persistent store), but at the time we needed to provide some alternatives to alleviate the issues you are highlighting with storing tokens in SQL (there are ways to make the SQL backend better as well). This incorrect use of memcached does drive towards wanting connection *AND* storage level redundancy.<br>
<br>
With regards to the MemoryCache oslo-incubator library (and oslo.cache basic library) there is some work that has been proposed (a spec) to move to dogpile.cache and really focus on using caching backends (such as memcachd) correctly across OpenStack. This opens the door to having more control on how we work with memcache (or any other backend) that we use for caching. This change is a tentative target for Kilo and the subsequent cycles.<br>
<br>
Now with all of that in mind, some of the issue comes from the basic python memcache library and how it handles dead servers (with socket timeouts, marking them dead, etc) and probably how we’re setting those timeouts / limits.<br>
<br>
There is a lot of room for improvement in how we cache; just remember caching is one of the hardest things to do right. Doing caching wrong opens up the potential for a lot of bugs.<br>
<br>
—<br>
<span class="HOEnZb"><font color="#888888">Morgan Fainberg<br>
</font></span><div class="im HOEnZb"><br>
<br>
-----Original Message-----<br>
From: Joe Topjian <<a href="mailto:joe@topjian.net">joe@topjian.net</a>><br>
Reply: Joe Topjian <<a href="mailto:joe@topjian.net">joe@topjian.net</a>>><br>
Date: August 22, 2014 at 12:03:56<br>
To: Morgan Fainberg <<a href="mailto:morgan.fainberg@gmail.com">morgan.fainberg@gmail.com</a>>><br>
Cc: openstack-operators <<a href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>>><br>
Subject: Re: [Openstack-operators] memcached redundancy<br>
<br>
</div><div class="im HOEnZb">> It sounds like there are two incorrect uses of memcached: The actual<br>
> communication of the openstack components to memcached and using memcached<br>
> itself as a persistent token store. Though from what it sounds like, if the<br>
> former was done better, the latter wouldn't be too much of an issue?<br>
><br>
> I do agree that using something like memcached, which explicitly advertises<br>
> itself as a bad solution for persistent storage, can ultimately be asking<br>
> for trouble.<br>
><br>
> With that said, though, it looks like there are currently two choices for a<br>
> keystone token backend: memcached and SQL. Both have obvious downsides.<br>
> Personally I'd rather deal with my current memcached issues than go back to<br>
> storing tokens in SQL.<br>
><br>
> ... unless I'm missing something? Is there more to the current state of<br>
> Keystone token backends than the memcached and SQL backends that have been<br>
> around for the past few years?<br>
><br>
><br>
><br>
><br>
</div><div class="im HOEnZb">> On Fri, Aug 22, 2014 at 12:39 PM, Morgan Fainberg > > wrote:<br>
><br>
> > While keystone uses memcache as a possible token storage backend we are<br>
> > working towards eliminating the design that makes memcache a desirable<br>
> > token backend.<br>
> ><br>
> > Using memcache for the token backend is not the best approach as the token<br>
> > backend (up through icehouse and in some cases will hold true for Juno)<br>
> > assumes stable storage for at least the life of the token.<br>
> ><br>
> > I agree with Josh, we are likely using memcached incorrectly in a number<br>
> > of cases.<br>
> ><br>
> > --Morgan<br>
> ><br>
> ><br>
</div><div class="im HOEnZb">> > On Thursday, August 21, 2014, Joshua Harlow wrote:<br>
> ><br>
> >> +1 for this, remember the 'cache' in memcache *strongly* indicates what<br>
> >> it should be used for.<br>
> >><br>
> >> A useful link to read over @<br>
> >> <a href="http://joped.com/2009/03/a-rant-about-proper-memcache-usage/" target="_blank">http://joped.com/2009/03/a-rant-about-proper-memcache-usage/</a><br>
> >><br>
> >> -Josh<br>
> >><br>
</div><div class="HOEnZb"><div class="h5">> >> On Aug 21, 2014, at 11:19 AM, Clint Byrum wrote:<br>
> >><br>
> >> > Excerpts from Joe Topjian's message of 2014-08-14 09:09:59 -0700:<br>
> >> >> Hello,<br>
> >> >><br>
> >> >> I have an OpenStack cloud with two HA cloud controllers. Each<br>
> >> controller<br>
> >> >> runs the standard controller components: glance, keystone, nova minus<br>
> >> >> compute and network, cinder, horizon, mysql, rabbitmq, and memcached.<br>
> >> >><br>
> >> >> Everything except memcached is accessed through haproxy and everything<br>
> >> is<br>
> >> >> working great (well, rabbit can be finicky ... I might post about that<br>
> >> if<br>
> >> >> it continues).<br>
> >> >><br>
> >> >> The problem I currently have is how to effectively work with memcached<br>
> >> in<br>
> >> >> this environment. Since all components are load balanced, they need<br>
> >> access<br>
> >> >> to the same memcached servers. That's solved by the ability to specify<br>
> >> >> multiple memcached servers in the various openstack config files.<br>
> >> >><br>
> >> >> But if I take a server down for maintenance, I notice a 2-3 second<br>
> >> delay in<br>
> >> >> all requests. I've confirmed it's memcached by editing the list of<br>
> >> >> memcached servers in the config files and the delay goes away.<br>
> >> ><br>
> >> > I've seen a few responses to this that show a _massive_ misunderstanding<br>
> >> > of how memcached is intended to work.<br>
> >> ><br>
> >> > Memcached should never need to be load balanced at the connection<br>
> >> > level. It has a consistent hash ring based on the keys to handle<br>
> >> > load balancing and failover. If you have 2 servers, and 1 is gone,<br>
> >> > the failover should happen automatically. This gets important when you<br>
> >> > have, say, 5 memcached servers as it means that given 1 failed server,<br>
> >> > you retain n-1 RAM for caching.<br>
> >> ><br>
> >> > What I suspect is happening is that we're not doing that right by<br>
> >> > either not keeping persistent connections, or retrying dead servers<br>
> >> > too aggressively.<br>
> >> ><br>
> >> > In fact, it looks like the default one used in oslo-incubator's<br>
> >> > 'memorycache', the 'memcache' driver, will by default retry dead servers<br>
> >> > every 30 seconds, and wait 3 seconds for a timeout, which probably<br>
> >> > matches the behavior you see. None of the places I looked in Nova seem<br>
> >> > to allow passing in a different dead_retry or timeout. In my experience,<br>
> >> > you probably want something like dead_retry == 600, so only one slow<br>
> >> > operation every 10 minutes per process (so if you have 10 nova-api's<br>
> >> > running, that's 10 requests every 10 minutes).<br>
> >> ><br>
> >> > It is also possible that some of these objects are being re-created on<br>
> >> > every request, as is common if caching is implemented too deep inside<br>
> >> > "middleware" and not at the edges of a solution. I haven't dug deep<br>
> >> > enough in, but suffice to say, replicating and load balancing may be the<br>
> >> > cheaper solution to auditing the code and fixing it at this point.<br>
> >> ><br>
> >> > _______________________________________________<br>
> >> > OpenStack-operators mailing list<br>
> >> > <a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
> >> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
> >><br>
> >><br>
> >> _______________________________________________<br>
> >> OpenStack-operators mailing list<br>
> >> <a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
> >> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
> >><br>
> ><br>
> > _______________________________________________<br>
> > OpenStack-operators mailing list<br>
> > <a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
> ><br>
> ><br>
><br>
<br>
</div></div></blockquote></div><br></div>