Samuel Just [Thu, 24 Apr 2025 22:13:04 +0000 (15:13 -0700)]
vstart.sh: simplify crimson core assignment, use assign_crimson_cores.py
This commit simplifies the internal flow in a few ways:
- core assignment is entirely handled by prep_balance_cpu and
do_balance_cpu. The latter simply does as the cpu_table
instructs.
- assign_crimson_cores calls lscpu and taskset internally, no
need for temp files.
It also changes some defaults:
- if crimson-balance-cpu is unset or set to none, crimson-osd will not
pin cpus at all rather than using the simple sequential allocation
scheme, which could be much less efficient on platforms where
cpuids 0,1,2,3,... are on socket 0,1,2,3,... "osd" and "socket"
options provide numa aware assignments when requested.
New features:
- Alienstore cores are now assigned with assign_crimson_cores
using the same balance strategy using
--crimson-alien-num-cores.
- --crimson-reactor-physical-only and
--crimson-alienstore-physical-only will cause reactor or
alienstore cpus respectively to be allocated with one
cpu per physical core rather than including smt siblings.
Fixes: https://tracker.ceph.com/issues/71096
Signed-off-by: Samuel Just <sjust@redhat.com>
Samuel Just [Tue, 29 Apr 2025 01:53:11 +0000 (01:53 +0000)]
tools/contrib: add assign_crimson_cores as a more general replacement for balance_cpu
Improvements:
- shorter
- has tests
- uses lscpu -e --json to get logical<->physical mappings and avoid
needing to parse cpu ranges in lscpu --json
- supports allocating alienstore threads
- supports requiring physical cores only independently for alienstore
and seastar reactors
Ville Ojamo [Wed, 30 Apr 2025 07:37:57 +0000 (14:37 +0700)]
doc/radosgw: Improve language, capitalization and use config database
Use "RADOS Gateway" instead of "Rados Gateway", "rados gateway" etc.
I am aware of the term "Ceph Object Gateway" but this change intends to
be an uncontroversial low hanging fruit fix of obviously incorrectly
capitalized terms.
Use "RGW daemon" instead of "Gateway", "Rados Gateway" etc.
Use "RGW instance" instead of "rados gateway" for consistency with
exactly similar other instance.
If referring obviously clearly to an instance of the daemon with an
obviously not preferred term, change it to "RGW daemon"; for example
when talking about restarting the RGW.
Do not touch other instances that are not 100% clear.
The files touched mostly do not use "Ceph Object Gateway" so changing
the term to it would create inconsistency, or several more changes
would need to be done to update all instances to use this terminology.
Use configuration database instead of ceph.conf in d3n_datacache.rst.
Improve language in d3n_datacache.rst.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Correct the presentation of an example string in doc/cephadm/rgw.rst in
order to obviate an error reading "rgw.rst:202: WARNING: Inline emphasis start-string without end-string."
doc/rados: Update mClock doc on steps to override OSD IOPS capacity config
Describe the steps involved to
- Specify a global value for osd_mclock_max_capacity_iops_{ssd,hdd}, and
- Override existing individually scoped values for OSDs determined during
start-up for osd_mclock_max_capacity_iops_{ssd,hdd}.
The above is to help with the following:
- Steps to override existing setting with a global value.
- reduce the number of entries in the mon store and instead use a single
global specification for all OSDs in the cluster in case the underlying
hardware is the same for all OSDs.
scan_for_backfill was separated to scan_for_backfill_primary and
scan_for_backfill_replica.
The fix from:
https://github.com/ceph/ceph/pull/62837/commits/88432ebd7432c513ccd495e77425401beddb9953
was only copied to the replica version.
Ville Ojamo [Tue, 29 Apr 2025 06:20:26 +0000 (13:20 +0700)]
doc/radosgw: Use privileged prompt for CLI commands in admin.rst
Instead of not defining a prompt to use in CLI commands and falling back
to the default unprivileged prompt, use explicit privileged bash prompt
for CLI commands that require privileges.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Samuel Just [Sat, 5 Apr 2025 01:57:33 +0000 (18:57 -0700)]
crimson: fix DynamicPerfStats usage in ClientRequest
ClientRequest::get_connection() returns l_conn, which will be
null by the time PG::add_client_request_lat is called in
ClientRequest::do_process. Modify get_connection() to
return a Connection& from whichever of l_conn or r_conn
isn't null.
rgw: utilize is_impersonating for forwarded sts requests
With the introduction of is_impersonating in SysReqApplier,
RoleApplier can now use the same mechanism to mark when a request
has been forwarded by a system user on behalf of another role (e.g.,
through STS) to mark it as a system request (s->system_request).
In rgw_sync_pipe_params, the mode can be either system or user.
When in system mode, no user is involved, but the current
implementation holds an empty rgw_user, which can cause confusion
in pipe_rules::find_basic_info_without_tags().
With this change, rgw_user is now optional, ensuring that when no
user is involved, it is explicitly nullopt rather than an empty object.
Seena Fallah [Fri, 28 Mar 2025 20:55:20 +0000 (21:55 +0100)]
rgw: remote copy obj pass rgwx-perm-check-uid for perm evaluation
When copying object from remote source (bucket from another zonegroup)
the perms of the source are not evaluated, resulting in reading from
unauthorized buckets.
Passing `rgwx-perm-check-uid` will let the source zone evaluate the
perm and close this bug.
Seena Fallah [Fri, 28 Mar 2025 20:52:47 +0000 (21:52 +0100)]
rgw: RGWRadosPutObj evals source bucket perm for backward compatibility
As of a3f40b4 we no longer evaluate perms locally for source bucket,
this could cause broken permission evaluation during upgrade as one
zone is not respecting the perm evaluation based on the `rgwx-perm-check-uid`
arg.
Seena Fallah [Fri, 28 Mar 2025 20:48:34 +0000 (21:48 +0100)]
rgw: give hint via header for perm evaluation in GetObj
Return `Rgwx-Perm-Checked` header as a hint for the destination zone
to know whether the perms were considered or not.
This is just a backward compatibility for upgrade and can be dropped
in T+2 release.
Seena Fallah [Thu, 27 Feb 2025 10:53:44 +0000 (11:53 +0100)]
rgw: take account GetObject(Version)Tagging when replicating
In case the uid has no permission to read tagging, the tags should
not be replicated.
Ref. https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
Seena Fallah [Mon, 24 Feb 2025 22:41:13 +0000 (23:41 +0100)]
rgw: check source object replication by replication actions
Check for permissions of `s3:GetObjectVersionForReplication` in
addition to `s3:GetObject` and `s3:GetObjectVersion` when fetching
the object for multisite.
Seena Fallah [Mon, 24 Feb 2025 22:33:45 +0000 (23:33 +0100)]
rgw: only allow system override if identity is not impersonating
Since multisite now delegates permission checks for source objects
to the source zone (a3f40b4), we need to avoid allowing system-level
overrides when the request is impersonating another identity.
SysReqApplier should only grant override permission if the request
is truly system-authenticated and not acting on behalf of another
user or role (i.e., no rgwx-perm-check-uid or rgwx-perm-check-role
in the request).
rgw: SysReqApplier overrides is_admin_of based on impersonation
SysReqApplier now returns true for is_admin_of() when the requester
was a system user and was not impersonating any user/role using
rgwx-perm-check-uid or rgwx-perm-check-role.