[Openstack-operators] Fwd: Re: Request for Load data for Keystone
Adam Young
ayoung at redhat.com
Wed Jan 29 21:10:35 UTC 2014
On Wed, Jan 29, 2014 at 02:51:21PM -0500, Adam Young wrote:
:On 01/29/2014 12:03 PM, Jonathan D. Proulx wrote:
:>:active tokens
:>
:>I'd love to know how to find this.
Any thoughts on how to coax this out of memcache?
I've stolen a Ruby script that dumps all keys from the local memcache
server (https://gist.github.com/bkimble/1365005); this puts the count
at 32,053 keys; some of these are expired. I only have a 3600s token
life set; the oldest keys returned expired (according to memcache) 2hr ago.
Some stats that may be relevant:
STAT uptime 179926
STAT time 1391027065
STAT curr_connections 1509
STAT total_connections 21866
STAT cmd_get 30832352
STAT cmd_set 2512044
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 7798159
STAT get_misses 23034193
STAT delete_misses 52
STAT delete_hits 10
STAT cas_hits 497990
STAT cas_badval 1261948
STAT bytes_read 6296430965134
STAT bytes_written 6297906840077
STAT limit_maxbytes 48104472576
STAT expired_unfetched 2018
STAT evicted_unfetched 0
STAT bytes 1242072368
STAT curr_items 403975
STAT total_items 1250095
STAT evictions 0
STAT reclaimed 348075
:>:How many token revocation events are you seeing? How long is your
:>:token revocation list getting? Which events dominate (change
:>:password, revoke roles?)
:>
:>How do I get this info?
:
:Since you are using Memcached, it might be harder. The memcache
:backend is accessible via the port (for example)
:
:http://memcached.org/
:
:telnet localhost 11211
:
:
:When you revoke a token, it appends it to a key called 'revocation-list',
:which you should be able to query out of there.
VALUE revocation-list 0 31193
{followed by 10 json data structures, which appear to be only very
recently expired tokens}
:Caveat, I am a developer, and I break things all the time. Don't do
:nothing stupid. That being said:
:
:You probably want to run two Keystone servers with identical
:everything except ports. Common Database, shared memcached, etc. Run
:one on SSL, the other not on SSL, then update the auth URLs for your
:services one at a time. Once all of your servers are using SSL,
:drop the insecure Keystone server.
Sounds like a reasonable transition strategy. I hadn't considered
that I could have both the old and new services sharing the live data,
but of course I can; that is rather the normal use case for memcache
and mysql after all.
Thanks,
-Jon
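
Added example, not part of the thread and not Keystone's own code: the telnet query for 'revocation-list' described above, done from Python, with the reply parsed and the entries counted as expired or still live. The function names are hypothetical, and the value layout (comma-joined JSON objects, each with 'id' and a UTC 'expires') is an assumption; the sample reply is constructed.

```python
import json
import socket
from datetime import datetime, timezone

def reply_complete(buf):
    """True once buf holds a whole single-key 'get' reply (hit, miss or error line)."""
    header, sep, rest = buf.partition(b"\r\n")
    fields = header.split()
    if not sep or len(fields) < 4:  # nothing yet, a bare END, or an error line
        return bool(sep)
    return len(rest) >= int(fields[3]) + len(b"\r\nEND\r\n")

def fetch_raw(key, host="localhost", port=11211):
    """Send one text-protocol 'get', as typed over telnet, and return the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"get " + key.encode() + b"\r\n")
        buf = b""
        while not reply_complete(buf):
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("memcached closed the connection early")
            buf += chunk
    return buf

def parse_get_reply(raw):
    """Return the data block of a single-key reply, or None on a miss."""
    if raw.startswith(b"END\r\n"):
        return None
    header, _, rest = raw.partition(b"\r\n")
    fields = header.split()  # VALUE <key> <flags> <bytes>
    if len(fields) < 4 or fields[0] != b"VALUE":
        raise ValueError("unexpected reply: %r" % header)
    return rest[:int(fields[3])]  # trust the declared length, not a search for END

def summarize_revocations(data, now):
    """Assumed layout: comma-joined JSON objects, each with 'id' and 'expires'."""
    entries = json.loads("[" + data.decode().strip(",") + "]")
    expired = 0
    for entry in entries:
        exp = datetime.fromisoformat(entry["expires"].replace("Z", "+00:00"))
        expired += exp.replace(tzinfo=timezone.utc) <= now  # timestamps assumed UTC
    return {"total": len(entries), "expired": expired, "live": len(entries) - expired}

# Constructed sample, not data from the thread.
SAMPLE_DATA = (b',{"id": "aaa111", "expires": "2014-01-29T20:10:35Z"}'
               b',{"id": "bbb222", "expires": "2014-01-29T21:40:00Z"}'
               b',{"id": "ccc333", "expires": "2014-01-29T19:05:12Z"}')
SAMPLE_REPLY = b"VALUE revocation-list 0 %d\r\n%s\r\nEND\r\n" % (len(SAMPLE_DATA), SAMPLE_DATA)
SAMPLE_NOW = datetime(2014, 1, 29, 21, 10, 35, tzinfo=timezone.utc)
```

Against a live server, pass `fetch_raw("revocation-list")` to `parse_get_reply` in place of `SAMPLE_REPLY`.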