[Openstack] Keystone in multiple datacenters

Jay Pipes jaypipes at gmail.com
Wed Sep 10 15:10:33 UTC 2014


On 09/10/2014 09:49 AM, Vinay Avasthi wrote:
> Does the current OpenStack release support running multiple redundant
> instances of Keystone in multiple data centers, with the user database
> synchronized across data centers? Is there any document that describes
> what functionality is available?

Yes, this works perfectly fine. At AT&T, we used MySQL Galera 
replication to provide multi-master, synchronous replication of our 
identity database and image registry database across the WAN in >7 
datacenters. Since both the identity database and the image registry 
have relatively low write-to-read ratios, Galera is a good fit for WAN 
replication here.

The trick is to adjust up your WS-REP certification timeout values 
slightly so that it can tolerate the additional WAN latency a little better.

Specifically, adjust the wsrep_provider_options setting in your 
wsrep.cnf to increase the various timeouts a bit above their defaults:

wsrep_provider_options="evs.keepalive_period = PT3S; evs.inactive_check_period = PT10S; evs.suspect_timeout = PT30S; evs.inactive_timeout = PT1M; evs.consensus_timeout = PT1M;"

If you can use Percona XtraDB Cluster 5.6, you can also check out the 
new WAN segment functionality that helps in this type of setup:

http://www.percona.com/blog/2013/12/19/automatic-replication-relaying-galera-3/

Oh, and don't use the SQL token store! You do NOT want to be replicating 
Keystone tokens from one DC to another, as the write volume is insane on 
even a medium-sized deployment. Instead, use the memcache token driver 
in Keystone and have each DC handle its token handling for users hitting 
the Horizon endpoints in each DC. Note that you give up being able to 
use a Keystone token across multiple datacenters, but I think the 
performance benefits and stability offered by this solution are worth it.

Feel free to check out my slides about managing different data stores in 
your OpenStack deployments here:

http://bit.ly/openstack-data-storage

Best,
-jay
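
Added example, not part of the message above and not code from Galera or Keystone: a Python sanity check for the wsrep_provider_options value quoted in the message. It parses the ISO 8601 durations and checks that the timers never decrease from keepalive through inactive check, suspect and inactive to consensus; that ordering rule and every function name here are assumptions of this example.

```python
import re

# Setting quoted in the message above, joined onto one line.
PAGE_OPTIONS = ("evs.keepalive_period = PT3S; evs.inactive_check_period = PT10S; "
                "evs.suspect_timeout = PT30S; evs.inactive_timeout = PT1M; "
                "evs.consensus_timeout = PT1M;")

# Assumed ordering for this example: each timer must not exceed the next one.
ORDER = ["evs.keepalive_period", "evs.inactive_check_period",
         "evs.suspect_timeout", "evs.inactive_timeout", "evs.consensus_timeout"]

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$")


def parse_duration(text):
    """Convert an ISO 8601 time duration such as PT3S or PT1M30S to seconds."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError("not a PT duration: %r" % text)
    h, mi, s = m.groups()
    return int(h or 0) * 3600 + int(mi or 0) * 60 + float(s or 0)


def parse_options(value):
    """Split a wsrep_provider_options value into {key: raw value}."""
    opts = {}
    for item in value.split(";"):
        if item.strip():
            key, sep, val = item.partition("=")
            if not sep:
                raise ValueError("missing '=' in %r" % item)
            opts[key.strip()] = val.strip()
    return opts


def check_evs_timeouts(value):
    """Return a list of problems; an empty list means the ordering holds."""
    opts = parse_options(value)
    problems = ["%s is not set" % k for k in ORDER if k not in opts]
    present = [(k, parse_duration(opts[k])) for k in ORDER if k in opts]
    for (lo_k, lo), (hi_k, hi) in zip(present, present[1:]):
        if lo > hi:
            problems.append("%s (%gs) exceeds %s (%gs)" % (lo_k, lo, hi_k, hi))
    return problems


if __name__ == "__main__":
    print(check_evs_timeouts(PAGE_OPTIONS) or "evs timeouts are consistently ordered")
```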



