rgw/sync-policy: Support disabling per-bucket replication #49803
Conversation
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
4c731fe
to
6931020
Compare
|
@yehudasa @cbodley @mattbenjamin .. please comment if the rule semantics mentioned in this PR seem correct to be followed to resolve the sync policies. The changes in this commit seem to work to disable bucket replication. But I will test all other cases too and confirm. |
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
6931020
to
3b29a79
Compare
|
@soumyakoduri the truth table appears to make sense; does this address the actual issue Daniel Parkes reported, or is it a fix for issues you found while debugging that? |
|
@soumyakoduri the table makes sense. Is it working at the <zone, bucket> granularity? E.g., can disable sync to/from a bucket at a specific zone. Also, is it possible to disable bucket as source, but not as target (and vice versa)? Will need to test all these cases. |
Thanks a lot Yehuda. yes..I will test these cases too and update . Hopefully will try to include them as part of #38238 as well. |
This PR is to specifically address https://bugzilla.redhat.com/show_bug.cgi?id=2132554 . But since the changes affect all the sync-policy use-cases, as discussed in the refactoring call, wanted to define and confirm the semantics for testing and any future reference. |
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
3b29a79
to
921377a
Compare
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
921377a
to
f2022a0
Compare
|
I have addressed few bugs and outlined the testcases I tested/plan to test here - https://docs.google.com/document/d/19oBQA-bYxLBR4BnekA2DTwJJaTFvjAfrqAk9G3RGU0I/edit#heading=h.4qac9dpc76m Please check if that covers all the cases @yehudasa |
|
@yehudasa I found another strange behaviour with sync policy - Out of 3 zones (zone1, zone2, zone3) within a zonegroup, if a policy is configured at zonegroup level to allow symmetrical sync between only zone1, zone2, I assume the sync shouldn't happen from zone1/zone2 <-> zone3. But that doesn't seem to be the case. I see objects getting sync'ed from zone1, zone2 to zone3 but strangely not viceversa (i.e, from zone3 -> zone2,zone1 is restricted as expected but zone1, zone2 -> zone3 is not disabled). Please provide your inputs on the same. |
I raised https://tracker.ceph.com/issues/58822 for the same. |
|
@yehudasa most of the cases listed (https://docs.google.com/document/d/19oBQA-bYxLBR4BnekA2DTwJJaTFvjAfrqAk9G3RGU0I/edit#) seem to be working at least for two-zones. With 3 zones, I am hitting the issue mentioned in https://tracker.ceph.com/issues/58822. I will request QE also to test all the cases in detail (provided we have fix for #58822 as well). Please review the latest changes and let me know your comments. |
soumyakoduri
changed the title
|
@yehudasa kindly review the changes. |
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
f2022a0
to
f5cc8d1
Compare
| @@ -482,6 +488,30 @@ void RGWBucketSyncFlowManager::pipe_set::insert(const rgw_sync_bucket_pipe& pipe | |||
| handlers.insert(h); | |||
| } | |||
|
|
|||
| void RGWBucketSyncFlowManager::pipe_set::remove_all() { | |||
| pipe_map.erase(pipe_map.begin(), pipe_map.end()); | |||
There was a problem hiding this comment.
@soumyakoduri any reason why you're not calling pipe_map.clear() instead?
There was a problem hiding this comment.
Thanks! Addressed it. Also this routine is currently not used anywhere (in this fix), but just added as a helper routine if any need arise later.
| @@ -494,14 +524,15 @@ bool RGWBucketSyncFlowManager::allowed_data_flow(const rgw_zone_id& source_zone, | |||
| bool check_activated) const | |||
| { | |||
| bool found = false; | |||
| bool found_activated = false; | |||
| bool found_activated = true; | |||
There was a problem hiding this comment.
this would return true if flow_groups are empty. However, I can't find anywhere were it's even called with check_activated true, so maybe a moot point. Am I missing something?
There was a problem hiding this comment.
Right. It is not used anywhere at the moment with check_activated set to true.
But while working on this fix, I assumed it will be set (if ever in future) only for the child policies.. So in case if any child/bucket policy is missing the flow-group, it should inherit from parent policy and hence should return "true" in such case.
Since its not needed for this fix, will take it up later as it may need further discussion.
| source_pipes->insert(pipe); | ||
| if (is_forbidden) { | ||
| ldpp_dout(dpp, 20) << __func__ << "(): flow manager (bucket=" << effective_bucket_key << "): removing source pipe: " << pipe << dendl; | ||
| source_pipes->disable(pipe); |
There was a problem hiding this comment.
@soumyakoduri do we have ordering issue, where we can enable stuff after we disabled that depending on the flow_group order?
There was a problem hiding this comment.
yes..while testing I noticed it.
If there are two policies set, for eg.,
- policy 1 - FORBIDDEN - <src_pipe,dest_pipe>
- policy 2 - ENABLED - <src_pipe, dest_pipe>
policy2 is processed last in the order and thus granted the access.
To avoid that, have included disabled_pipes to store the restricted <pipe_set>s if any and match with the ones being inserted.
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
f5cc8d1
to
561a461
Compare
|
jenkins test make check arm64 |
|
jenkins test windows |
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
561a461
to
fb98020
Compare
|
@yehudasa I addressed your comments and an issue (found during testing) with removing an element in pipe_map . Kindly review the changes. |
When the zones replicate, allow disabling replication for specific buckets using sync policy. These are the semantics to be followed while resolving the policy conflicts - ================================================== zonegroup bucket Result ================================================== enabled enabled enabled allowed enabled forbidden disabled allowed enabled enabled allowed disabled forbidden disabled forbidden enabled disabled allowed disabled forbidden disabled In case multiple group policies are set to reflect for any sync pair (<source-zone,source-bucket>, <dest-zone,dest-bucket>), the following rules are applied in the order - 1) Even if one policy status is FORBIDDEN, the sync will be disabled 2) Atleast one policy should be ENABLED for the sync to be allowed. Various cases tested are outlined here - https://docs.google.com/document/d/19oBQA-bYxLBR4BnekA2DTwJJaTFvjAfrqAk9G3RGU0I/edit#heading=h.4qac9dpc76m Signed-off-by: Soumya Koduri <skoduri@redhat.com>
soumyakoduri
force-pushed
the
wip-skoduri-sync-flow
branch
from
fb98020
to
aeb3a74
Compare
Thanks Yehuda. teuthology run: #49803 |
|
jenkins test make check arm64 |
When the zones replicate, allow disabling replication for specific buckets using sync policy.
These are the semantics to be followed while resolving the policy conflicts -
In case multiple group policies are set to reflect for any sync pair (<source-zone,source-bucket>, <dest-zone,dest-bucket>), the following rules are applied in the order -
Fixes: https://tracker.ceph.com/issues/58518
Signed-off-by: Soumya Koduri skoduri@redhat.com
Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windows