[Openstack-operators] Request for Load data for Keystone

Sam Morrison sorrison at gmail.com
Wed Feb 5 02:42:27 UTC 2014

Hi Adam,

Here are some stats from the NeCTAR cloud inline:

On 29 Jan 2014, at 8:33 am, Adam Young <ayoung at redhat.com> wrote:

> I'm a Keystone core dev.  I often find myself in the position of thinking about Keystone Performance  without real numbers to back it up.
> Can people with "real live clouds" provide some insight?  Here's what I'd like to know?
> How big is your Keystone data set?  How many
> users

> projects

> domains
0 (or 1 which is the default domain)

> active tokens

> 1.  UUID vs PKI tokens?

> 2.  Apache HTTPD vs Eventlet:
> Which do you run?  Do you see performance issues with either?
Eventlet, we have 36 keystone user api servers and 36 admin api servers behind a LB
In terms of performance it seems pretty good although we’ve never run anything to get any real numbers. If you had any we can run and give you numbers.

> How many token revocation events are you seeing?  How long is your token revocation list getting?  Which events dominate (change password, revoke roles?)
We currently have 3, all from change password.

> Do you run the SQL token backend?  If so, how often do you clean out the expired tokens?
We run the memcache backend.

> Non performance related questions:
> Are you using the V3 API?  If not, what is keeping you on V2?
V2, haven’t looked into the V3 API yet, nothing stopping us moving to it but there hasn’t been any reason for us to

> Do you use trusts?  Do you even understand what they provide?
No, haven’t looked into this either but we may have a need to soon.

> Do you use SSL or Kerberos?  Do you want to, but find something is keeping you from doing so?

We have SSL termination on our Hardware LBs 

Happy to answer more questions.


Sam Morrison
Technical Lead
NeCTAR Research Cloud Lead Node
The University of Melbourne

More information about the OpenStack-operators mailing list