前文我们了解了MDS扩展相关话题,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/16759585.html;今天我们来聊一聊RadosGW的基础使用相关话题;
对象存储系统概述
对象存储系统(Object Storage System,简称OSS);对象存储(Object Storage) 是无层次结构的数据存储方法,通常用于云计算环境中;不同于其他数据存储方法,基于对象的存储不使用目录树;数据作为单独的对象进行存储;数据并不放置在目录层次结构中,而是存在于平面地址空间内的同一级别;应用通过唯一地址来识别每个单独的数据对象;每个对象可包含有助于检索的元数据;专为使用API在应用级别(而非用户级别)进行访问而设计;
对象与对象存储
对象是对象存储系统中数据存储的基本单位,每个Object是数据和数据属性集的综合体,数据属性可以根据应用的需求进行设置,包括数据分布、服务质量等;即每个对象都有单独元数据属性等信息(对象的大小可以不同,甚至可以包含整个数据结构,如文件、数据库表项等);为了简化存储系统管理任务,每个对象自我维护其属性;对象存储系统一般是一类智能设备,它具有自己的存储介质、处理器、内存以及网络系统等,负责管理本地的对象,是对象存储系统的核心;如下所示
提示:存储系统磁盘中存储的每个对象,它不像传统文件系统,统一管理元数据信息;每个对象的元数据信息和对象属性等都是对象自身负责管理;对象自身会拿出一部分空间来管理自身的元数据信息等信息;
块存储、文件存储与对象存储
提示:块存储就是通过scsi协议或rbd协议或存储区域网络的方式(SAN)将对应存储阵列中的磁盘设备虚拟为多个块设备,供客户端或应用程序使用;文件存储是将底层存储系统提供的磁盘设备抽象为一个文件系统,然后通过网络的方式向客户端或应用提供文件系统接口服务;对象存储是将底层存储系统通过虚拟化的形式将底层存储服务以RUSTful api向客户端或引用提供存储接口的方式,通常通过互联网的形式将对应接口供程序存取数据使用;
对象存储系统基础术语
一般说来,一个对象存储系统的核心资源类型应该包括用户(User)、存储桶(bucket)和对象(object);三者的关系是:用户将对象存储于对象存储系统上的存储桶中,存储桶隶属于用户并能够容纳对象,一个用户可以拥有一到多个存储桶,而一个存储桶常用于存储多个对象;
提示:RadosGW兼容亚马逊的S3接口和openstack的swift接口,但是s3和swift这两个接口并不完全兼容;所以两者的设计与设计上有所区别;但大多数对象存储系统对外呈现的核心资源类型大同小异;
Amazon S3:提供了user、bucket和object分别表示用户、存储桶和对象,其中bucket隶属于user,因此user名称即可做为bucket的名称空间,不同用户允许使用相同名称的bucket;
OpenStack Swift:提供了user、container和object分别对应于用户、存储桶和对象,不过它还额外为user提供了父级组件account,用于表示一个项目或租户,因此一个account中可包含一到多个user,它们可共享使用同一组container,并为container提供名称空间;
RadosGW:提供了user、subuser、bucket和object,其中的user对应于S3的user,而subuser则对应于Swift的user,不过user和subuser都不支持为bucket提供名称空间,因此,不同用户的存储桶也不允许同名;不过,自Jewel版本起,RadosGW引入了tenant(租户)用于为user和bucket提供名称空间,但它是个可选组件;Jewel版本之前,radosgw的所有user位于同一名称空间,它要求所有user的ID必须惟一,并且即便是不同user的bucket也不允许使用相同的bucket ID;
认证和授权
用户账号是认证(Authentication)、授权(Authorization)及存储配额(Quota)功能的载体,RGW依赖它对RESTful API进行请求认证、控制资源(存储桶和对象等)的访问权限并设定可用存储空间上限;S3和Swift使用了不同的认证机制;S3主要采用的是基于访问密钥(access key)和私有密钥(secret key)进行认证,RGW兼容其V2和V4两种认证机制,其中V2认证机制支持本地认证、LDAP认证和kerberos认证三种方式,所有未能通过认证的用户统统被视为匿名用户;Swift结合Swift私有密钥(swift key)使用令牌(token)认证方式,它支持临时URL认证、本地认证、OpenStack Keystone认证、第三方认证和匿名认证等方式;
通过身份认证后,RGW针对用户的每次资源操作请求都会进行授权检查,仅那些能够满足授权定义(ACL)的请求会被允许执行;S3使用bucket acl和object acl分别来控制bucket和object的访问控制权限,一般用于向bucket或object属主之外的其它用户进行授权;Swift API中的权限控制则分为user访问控制列表和bucket访问控制列表两种,前一种针对user进行设定,而后一定则专用于bucket及内部的object,且只有read和write两种权限;RadosGW为了支持通用的云存储功能,Ceph在RADOS集群的基础上提供了RGW(RADOS GateWay)数据抽象和管理层,它是原生兼容S3和Swift API的对象存储服务,支持数据压缩和多站点(Multi-Site)多活机制,并支持NFS协议访问接口等特性;S3和Swift是RESTful风格的API,它们基于http/https协议完成通信和数据交换;radosgw的http/https服务由内建的Civeweb提供,它同时也能支持多种主流的Web服务程序以代理的形式接收用户请求并转发至ceph-radosgw进程,这些Web服务程序包括nginx和haproxy等;
RGW的功能依赖于Ceph对象网关守护进程(ceph-radosgw)实现,它负责向客户端提供REST API接口,并将数据操作请求转换为底层RADOS存储集群的相关操作;出于冗余及负载均衡的需要,一个Ceph集群上的ceph-radosgw守护进程通常不止一个,这些支撑同一对象存储服务的守护进程联合起来构成一个zone(区域)用于代表一个独立的存储服务和存储空间;在容灾设计的架构中,管理员会基于两个或以上的Ceph集群定义出多个zone,这些zone之间通过同步机制实现冗余功能,并组成一个新的父级逻辑组件zonegroup;
多站点(Mutli-Sites)
zonegroup负责定义其下的各个zone之间的合作模式(active/passive或active/active)、调用的数据存储策略和同步机制等,并且能够为一个更大级别的应用通过多个zonegroup完成跨地域的协作,实现提升客户端接入的服务质量等功能,这也通常称为多站点(Mutli-Sites);为Ceph存储集群启用radosgw服务之后,它会默认生成一个名为default的zonegroup,其内含一个名为default的zone,管理员可按需扩展使用更多的zone或zonegroup;更进一步地,zonegroup还有其父级组件realm,用于界定跨地理位置进行复制时的边界;
配置Citeweb
自0.80版本起,Ceph放弃了基于apache和fastcgi提供radosgw服务的传统而代之以默认嵌入在ceph-radosgw进程中的Citeweb,这种新的实现方式更加轻便和简洁,但直到Ceph 11.0.1版本,Citeweb才开始支持SSL协议;Citeweb默认监听于TCP协议的7480端口提供http服务,修改配置需要编辑ceph.conf配置文件,以如下格式进行定义
[client.rgw.]rgw_host = rgw_frontends = "civetweb port=80"
示例:配置rgw监听在ceph-mon01的8080端口
[cephadm@ceph-admin ceph-cluster]$ cat ceph.conf[global]fsid = 7fd4a619-9767-4b46-9cee-78b9dfe88f34mon_initial_members = ceph-mon01mon_host = 192.168.0.71public_network = 192.168.0.0/24cluster_network = 172.16.30.0/24auth_cluster_required = cephxauth_service_required = cephxauth_client_required = cephx[mds.ceph-mon03]mds_standby_replay = truemds_standby_for_name = ceph-mon01[client.rgw.ceph-mon01]rgw_host = ceph-mon01rgw_frontends = "civetweb port=8080"[cephadm@ceph-admin ceph-cluster]$
推送配置至ceph-mon01
[cephadm@ceph-admin ceph-cluster]$ ceph-deploy --overwrite-conf config push ceph-mon01[ceph_deploy.conf][DEBUG ] found configuration file at: /home/cephadm/.cephdeploy.conf[ceph_deploy.cli][INFO ] Invoked (2.0.1): /bin/ceph-deploy --overwrite-conf config push ceph-mon01[ceph_deploy.cli][INFO ] ceph-deploy options:[ceph_deploy.cli][INFO ] username : None[ceph_deploy.cli][INFO ] verbose : False[ceph_deploy.cli][INFO ] overwrite_conf : True[ceph_deploy.cli][INFO ] subcommand : push[ceph_deploy.cli][INFO ] quiet : False[ceph_deploy.cli][INFO ] cd_conf : [ceph_deploy.cli][INFO ] cluster : ceph[ceph_deploy.cli][INFO ] client : ['ceph-mon01'][ceph_deploy.cli][INFO ] func : [ceph_deploy.cli][INFO ] ceph_conf : None[ceph_deploy.cli][INFO ] default_release : False[ceph_deploy.config][DEBUG ] Pushing config to ceph-mon01[ceph-mon01][DEBUG ] connection detected need for sudo[ceph-mon01][DEBUG ] connected to host: ceph-mon01 [ceph-mon01][DEBUG ] detect platform information from remote host[ceph-mon01][DEBUG ] detect machine type[ceph-mon01][DEBUG ] write cluster configuration to /etc/ceph/{cluster}.conf[cephadm@ceph-admin ceph-cluster]$
重启ceph-radosgw@rgw进程生效新配置
[cephadm@ceph-admin ceph-cluster]$ ssh ceph-mon01 'sudo systemctl restart ceph-radosgw@rgw'[cephadm@ceph-admin ceph-cluster]$ ssh ceph-mon01 'sudo ss -tnl|grep 8080' LISTEN 0 128 *:8080 *:* [cephadm@ceph-admin ceph-cluster]$
测试:ceph-mon01的8080是否可访问?
[cephadm@ceph-admin ceph-cluster]$ curl ceph-mon01:8080anonymous[cephadm@ceph-admin ceph-cluster]$
配置rgw以https的方式提供服务
1、准备证书
生成key
[root@ceph-mon01 ~]# mkdir /etc/ceph/ssl[root@ceph-mon01 ~]# cd /etc/ceph/ssl[root@ceph-mon01 ssl]# openssl genrsa -out /etc/ceph/ssl/ceph.test.keyGenerating RSA private key, 2048 bit long modulus............+++................................+++e is 65537 (0x10001)[root@ceph-mon01 ssl]# cat /etc/ceph/ssl/ceph.test.key-----BEGIN RSA PRIVATE KEY-----MIIEogIBAAKCAQEAth2CA5M9psyG7Nmq4pWK8CMfgQpCfaQdKHU6qyQKq4/TflnBkhrWlz2sANEUQpLkzhjAeto7PU+ykgpMN3J8a3TZu3SIsKC/MBB1yDHx6raU33R0I6hbdtumjvP4XVWDcY0Zod4zkRH/iCkQKMw2RhjVEaKT+0KnHAle5RxLojcrqIz9iibmUqdH35T8aM8EIAwRcJx0QBYDlQJmqdhuHGt41ujqSpWcZEoGfsODxYuisZlkwOgTzTlfMcjOesPoSSqJ2X8zXzdbcMI6kEJb/xPa8ByTVOR8OAQJILezg2T5T6rMo3J9WVcGmDwqSczpzcyirRk+OavfawL3JJHsAQIDAQABAoIBAEphbOum5KROnsD3+gqHR3Li9YgPt653LA2NK8QgeVcu7BOL9zqESacF4k2HF35FXrwqcdr7bPySo31wRUbUNKry08bzRqzVSqEH6AM3GvZhUhaeCp1RsuGtvq5eSM9eEMx8874f8fHLZxGmq9nt5jDlDYkhXM1foL8buK1czCtZKqekhtFF9k5xis1d+QPeA0Pp/u94L0srzemhJDBcu52lw1kipnYWTn2jvfPoh0Ob/Bwm53Pl8ZhweD3peyxGpRZd41gY6LRzbFGG6QqG5syXzNeE9p5ozJjA3w0En1XwPOGnOcrrjCvY/Jk1mYkd9ERBpFDaPMIM52ArbIE84kECgYEA4bbxi0We62rwGOFJvPQ54O5hMEhxaYNxqcEDhwEBFUAU9f7Y6FFTk36obztXFjwhte3H9raIPuZjHpkZ+UZG4R1eESbWX1C3UvfFHHQFHqaS8l+sG1xhjVbyhif9wJwx8Wu4gAsdzmGXYQ1NzNXkucLX9Tn6xoAM6X7qbaBDkYkCgYEAzoz5EGkdmoPeYlV2aBgsvrcVQH8CHDdsg+8vgigq7WBsRO/lZPHRwdsjI60QJJ6RJkqJY01Rk5hOYSEqAckE8FKSS9ynFHxomAncvO0ZRpvH2aQr+Ecr5oi4mzyOt1LRVgxwguEGDBku0vXYaJQTXZM3FaeLLQ5aDrE9pg8fwLkCgYBOEgUB8xbAvsBFGsdyf9b1If6jwKrZoAlUedpKe+JwAzY8z+UeleKehZSkxJWerzXJw3ECuKfveaiXEMWXHuOtQYcjz5ceaMDABcs7yDVtIJh7FPRmklF7nbNNC9ANKvlrU6MBRtcMZ10AyKU8UE9IoUgpHeDLf8b3jFpxiJlWYQKBgBhC8tZ8ol+N8cc3Jqtfe5IDS1nCEWtjDzoIFFqDgVdUpiMK0rUiunK83MnKAEVs4rvOsYiagmSF1V8PWDHRfOUFre1/Q5jibB6/uc/vQbLLhZQI9qk5Iuz3Tkfdux3JepFS8LxO1jkBlEBvZDYUfpnVOvkuLujh8K4dH5Kr4BzxAoGAKVyF4cBthBBZ0d7hKLGjBLr0mNLPmroGbYnzLfqwz2OZiudvIrA1EDFPsQwJGHgkYd9tWhIvrp1orfOtRxocFYCUyBDba5yZjTplSKbYQ+muBHCmNsurc/KMUreFCZGVU/oEG0ebGVbavG8lAVKs17+tr/Ct2UpsgO99+XxeP5Y=-----END RSA PRIVATE KEY-----[root@ceph-mon01 ssl]#
自签证书签署
[root@ceph-mon01 ssl]# openssl req -new -x509 -key /etc/ceph/ssl/ceph.test.key -out /etc/ceph/ssl/ceph.test.pem -days 365You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:SICHUANLocality Name (eg, city) [Default City]:GYOrganization Name (eg, company) [Default Company Ltd]:TESTOrganizational Unit Name (eg, section) []:TEST Common Name (eg, your name or your server's hostname) []:ceph-mon01.ilinux.ioEmail Address []:[root@ceph-mon01 ssl]# lsceph.test.key ceph.test.pem[root@ceph-mon01 ssl]#
合并key和自签名证书到一个文件
[root@ceph-mon01 ssl]# cat ceph.test.key ceph.test.pem > ceph.test.crt[root@ceph-mon01 ssl]# cat ceph.test.crt-----BEGIN RSA PRIVATE KEY-----MIIEogIBAAKCAQEAth2CA5M9psyG7Nmq4pWK8CMfgQpCfaQdKHU6qyQKq4/TflnBkhrWlz2sANEUQpLkzhjAeto7PU+ykgpMN3J8a3TZu3SIsKC/MBB1yDHx6raU33R0I6hbdtumjvP4XVWDcY0Zod4zkRH/iCkQKMw2RhjVEaKT+0KnHAle5RxLojcrqIz9iibmUqdH35T8aM8EIAwRcJx0QBYDlQJmqdhuHGt41ujqSpWcZEoGfsODxYuisZlkwOgTzTlfMcjOesPoSSqJ2X8zXzdbcMI6kEJb/xPa8ByTVOR8OAQJILezg2T5T6rMo3J9WVcGmDwqSczpzcyirRk+OavfawL3JJHsAQIDAQABAoIBAEphbOum5KROnsD3+gqHR3Li9YgPt653LA2NK8QgeVcu7BOL9zqESacF4k2HF35FXrwqcdr7bPySo31wRUbUNKry08bzRqzVSqEH6AM3GvZhUhaeCp1RsuGtvq5eSM9eEMx8874f8fHLZxGmq9nt5jDlDYkhXM1foL8buK1czCtZKqekhtFF9k5xis1d+QPeA0Pp/u94L0srzemhJDBcu52lw1kipnYWTn2jvfPoh0Ob/Bwm53Pl8ZhweD3peyxGpRZd41gY6LRzbFGG6QqG5syXzNeE9p5ozJjA3w0En1XwPOGnOcrrjCvY/Jk1mYkd9ERBpFDaPMIM52ArbIE84kECgYEA4bbxi0We62rwGOFJvPQ54O5hMEhxaYNxqcEDhwEBFUAU9f7Y6FFTk36obztXFjwhte3H9raIPuZjHpkZ+UZG4R1eESbWX1C3UvfFHHQFHqaS8l+sG1xhjVbyhif9wJwx8Wu4gAsdzmGXYQ1NzNXkucLX9Tn6xoAM6X7qbaBDkYkCgYEAzoz5EGkdmoPeYlV2aBgsvrcVQH8CHDdsg+8vgigq7WBsRO/lZPHRwdsjI60QJJ6RJkqJY01Rk5hOYSEqAckE8FKSS9ynFHxomAncvO0ZRpvH2aQr+Ecr5oi4mzyOt1LRVgxwguEGDBku0vXYaJQTXZM3FaeLLQ5aDrE9pg8fwLkCgYBOEgUB8xbAvsBFGsdyf9b1If6jwKrZoAlUedpKe+JwAzY8z+UeleKehZSkxJWerzXJw3ECuKfveaiXEMWXHuOtQYcjz5ceaMDABcs7yDVtIJh7FPRmklF7nbNNC9ANKvlrU6MBRtcMZ10AyKU8UE9IoUgpHeDLf8b3jFpxiJlWYQKBgBhC8tZ8ol+N8cc3Jqtfe5IDS1nCEWtjDzoIFFqDgVdUpiMK0rUiunK83MnKAEVs4rvOsYiagmSF1V8PWDHRfOUFre1/Q5jibB6/uc/vQbLLhZQI9qk5Iuz3Tkfdux3JepFS8LxO1jkBlEBvZDYUfpnVOvkuLujh8K4dH5Kr4BzxAoGAKVyF4cBthBBZ0d7hKLGjBLr0mNLPmroGbYnzLfqwz2OZiudvIrA1EDFPsQwJGHgkYd9tWhIvrp1orfOtRxocFYCUyBDba5yZjTplSKbYQ+muBHCmNsurc/KMUreFCZGVU/oEG0ebGVbavG8lAVKs17+tr/Ct2UpsgO99+XxeP5Y=-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----MIIDpTCCAo2gAwIBAgIJAKiSRxIiMIwAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdTSUNIVUFOMQswCQYDVQQHDAJHWTENMAsGA1UECgwEVEVTVDENMAsGA1UECwwEVEVTVDEdMBsGA1UEAwwUY2VwaC1tb24wMS5pbGludXguaW8wHhcNMjIxMDA4MDcyMzI1WhcNMjMxMDA4MDcyMzI1WjBpMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHU0lDSFVBTjELMAkGA1UEBwwCR1kxDTALBgNVBAoMBFRFU1QxDTALBgNVBAsMBFRFU1QxHTAbBgNVBAMMFGNlcGgtbW9uMDEuaWxpbnV4LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAth2CA5M9psyG7Nmq4pWK8CMfgQpCfaQdKHU6qyQKq4/TflnBkhrWlz2sANEUQpLkzhjAeto7PU+ykgpMN3J8a3TZu3SIsKC/MBB1yDHx6raU33R0I6hbdtumjvP4XVWDcY0Zod4zkRH/iCkQKMw2RhjVEaKT+0KnHAle5RxLojcrqIz9iibmUqdH35T8aM8EIAwRcJx0QBYDlQJmqdhuHGt41ujqSpWcZEoGfsODxYuisZlkwOgTzTlfMcjOesPoSSqJ2X8zXzdbcMI6kEJb/xPa8ByTVOR8OAQJILezg2T5T6rMo3J9WVcGmDwqSczpzcyirRk+OavfawL3JJHsAQIDAQABo1AwTjAdBgNVHQ4EFgQUeeRFLKn76P9N7GzquqLSjfC1gwswHwYDVR0jBBgwFoAUeeRFLKn76P9N7GzquqLSjfC1gwswDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAqHQ8hCz5bYmXqtJW6Uk1h0T8nHirrkUovLIp0xB6GhK9wsLh8bZze7FXQfgMCmTFIzOmsBJZGLuoqwfWwNtBuy7XfTRJBh1yWY3lvf3Bmd/5W+6tpZlGCfVyj1q6gOE1W2yZC0JAK+BRQyHTvG3dDosOZnIxw111IHkLWxJruz+Z8L7+FGCye+As6hUPNB/yrrmjTTCJDkqUSY6Haw1prLZqVlA3JinnQqFSNbc92/cX1frUkHsgwp2d5KCCQ6WSRxbXUfi1ZPEDfHftg6Xzfac+FRXu46ht8PfcDh4XNT0uDZYjtXrNRSOcnEiftc2pxDxLEo6Ilt3Zb53sdYtq4A==-----END CERTIFICATE-----[root@ceph-mon01 ssl]#
配置ceph-mon01以https提供服务
提示:我们需要在rgw_frontends里添加port=端口s,然后用ssl_certificate来指定证书即可
验证:重启服务,看看对应8443是否监听?
[root@ceph-mon01 ssl]# systemctl restart ceph-radosgw@rgw[root@ceph-mon01 ssl]# ss -tnlState Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 172.16.30.71:6800 *:* LISTEN 0 128 192.168.0.71:6800 *:* LISTEN 0 128 172.16.30.71:6801 *:* LISTEN 0 128 192.168.0.71:6801 *:* LISTEN 0 128 172.16.30.71:6802 *:* LISTEN 0 128 192.168.0.71:6802 *:* LISTEN 0 128 172.16.30.71:6803 *:* LISTEN 0 128 192.168.0.71:6803 *:* LISTEN 0 128 192.168.0.71:6804 *:* LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 *:8443 *:* LISTEN 0 128 192.168.0.71:6789 *:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 100 [::1]:25 [::]:* [root@ceph-mon01 ssl]#
提示:可以看到重启服务以后对应8443端口处于正常监听;
验证:用客户端浏览器访问ceph-mon01的8443端口,看看是否能访问?
提示:可以看到用浏览器访问ceph-mon01的8443端口,会有一个证书安全提示;对应接口也是可以正常访问的;
配置rgw以http和https提供服务
提示:我们只需要在port后面写上对应http监听端口+https监听端口s即可监听对应协议的端口;
验证:重启服务,看看对应7480和8443是否正常处于监听状态?
提示:可以看到7480和8443都处于监听状态;
其它配置参数
num_threads:Citeweb以线程模型处理客户端请求,它为每个连接请求分配一个专用线程,因而此参数定义了其支持的最大并发连接数,默认值为50;
request_timeout_ms:网络发送与接收操作的超时时长,以ms为单位,默认值为30000;可以在必要时通过增大此值实现长连接的效果;
access_log_file:访问日志的文件路径,默认为空;
error_log_file:错误日志的文件路径,默认为空;
配置泛域名解析
S3的存储桶是用于存储对象的容器,每个对象都必须储存在一个特定的存储桶中,且每个对象都要直接通过RESTful API基于URL进行访问,URL格式为http(s)://bucket-name.radowgw-host[:port]/key;例如,对于存储在rgw01.ilinux.io上的S3 API对象存储系统上eshop存储桶中的名为images/commodity1.jpg 的对象,可通过http://eshop.rgw01.ilinux.io/images/commodity1.jpg对其进行寻址;因此,radosgw的S3 API接口的功能强依赖于DNS的泛域名解析服务,它必须能够正常解析任何“.”格式的名称至radosgw主机;
部署内网dns服务器
安装bind
[root@node12 ~]# yum install bind -y
bind基础配置
提示:在/etc/named.conf中我们把上面标识的地方给注释掉即可;
配置解析泛域名的解析文件
[root@node12 named]# tail /etc/named.rfc1912.zones zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; };};zone "ilinux.io" IN { type master; file "ilinux.io.zone";};[root@node12 named]#
检查配置文件
[root@node12 ~]# named-checkconf [root@node12 ~]#
提示:如果没有任何提示,说明我们的配置文件没有问题;
区域配置文件
[root@node12 named]# cat /var/named/ilinux.io.zone $TTL 1D@ IN SOA ns.ilinux.io. admin.ilinux.io. ( 0 1D 1H 1W 3H ); IN NS nsns IN A 192.168.0.52ceph-mon01 IN A 192.168.0.71ceph-mon02 IN A 192.168.0.72*.ceph-mon01 IN CNAME ceph-mon01*.ceph-mon02 IN CNAME ceph-mon02[root@node12 named]#
检查区域文件权限问题
[root@node12 named]# ll /var/named/total 20drwxrwx--- 2 named named 23 Oct 8 17:03 datadrwxrwx--- 2 named named 60 Oct 8 17:04 dynamic-rw-r--r-- 1 root root 225 Oct 8 16:52 ilinux.io.zone-rw-r----- 1 root named 2253 Apr 5 2018 named.ca-rw-r----- 1 root named 152 Dec 15 2009 named.empty-rw-r----- 1 root named 152 Jun 21 2007 named.localhost-rw-r----- 1 root named 168 Dec 15 2009 named.loopbackdrwxrwx--- 2 named named 6 Oct 4 15:06 slaves[root@node12 named]# chown :named /var/named/ilinux.io.zone [root@node12 named]# ll /var/named/total 20drwxrwx--- 2 named named 23 Oct 8 17:03 datadrwxrwx--- 2 named named 60 Oct 8 17:04 dynamic-rw-r--r-- 1 root named 225 Oct 8 16:52 ilinux.io.zone-rw-r----- 1 root named 2253 Apr 5 2018 named.ca-rw-r----- 1 root named 152 Dec 15 2009 named.empty-rw-r----- 1 root named 152 Jun 21 2007 named.localhost-rw-r----- 1 root named 168 Dec 15 2009 named.loopbackdrwxrwx--- 2 named named 6 Oct 4 15:06 slaves[root@node12 named]#
提示:我们刚才创建的区域文件是root宿主,root属组,需要修改为root宿主,named属组;
检查区域文件格式是否错误?
[root@node12 named]# named-checkzone ilinux.io /var/named/ilinux.io.zonezone ilinux.io/IN: loaded serial 0OK[root@node12 named]#
提示:显示ok,表示区域配置文件没有问题;
启动named进程,看看对应解析是否可域名是否可解析?
[root@node12 named]# systemctl start named[root@node12 named]# ss -tnulNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 192.168.0.52:53 *:* udp UNCONN 0 0 127.0.0.1:53 *:* udp UNCONN 0 0 127.0.0.1:323 *:* udp UNCONN 0 0 ::1:323 :::* tcp LISTEN 0 10 192.168.0.52:53 *:* tcp LISTEN 0 10 127.0.0.1:53 *:* tcp LISTEN 0 128 *:22 *:* tcp LISTEN 0 128 127.0.0.1:953 *:* tcp LISTEN 0 100 127.0.0.1:25 *:* tcp LISTEN 0 128 *:16379 *:* tcp LISTEN 0 128 *:27017 *:* tcp LISTEN 0 50 *:3306 *:* tcp LISTEN 0 128 :::22 :::* tcp LISTEN 0 128 ::1:953 :::* tcp LISTEN 0 100 ::1:25 :::* [root@node12 named]#
提示:可以看到udp53号端口已经正常启动;
配置客户端主机,将对应dns指向192.168.0.52,看看对应域名是否可解析?
[root@node11 ~]# cat /etc/resolv.conf# Generated by NetworkManagernameserver 192.168.0.52[root@node11 ~]#
使用dig命令解析ceph-mon01.ilinux.io看看是否能正常解析?
[root@node11 ~]# dig ceph-mon01.ilinux.io; <> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <> ceph-mon01.ilinux.io;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56820;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;ceph-mon01.ilinux.io. IN A;; ANSWER SECTION:ceph-mon01.ilinux.io. 86400 IN A 192.168.0.71;; AUTHORITY SECTION:ilinux.io. 86400 IN NS ns.ilinux.io.;; ADDITIONAL SECTION:ns.ilinux.io. 86400 IN A 192.168.0.52;; Query time: 1 msec;; SERVER: 192.168.0.52#53(192.168.0.52);; WHEN: Sat Oct 08 17:26:18 CST 2022;; MSG SIZE rcvd: 98[root@node11 ~]# dig ceph-mon02.ilinux.io; <> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <> ceph-mon02.ilinux.io;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50240;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;ceph-mon02.ilinux.io. IN A;; ANSWER SECTION:ceph-mon02.ilinux.io. 86400 IN A 192.168.0.72;; AUTHORITY SECTION:ilinux.io. 86400 IN NS ns.ilinux.io.;; ADDITIONAL SECTION:ns.ilinux.io. 86400 IN A 192.168.0.52;; Query time: 1 msec;; SERVER: 192.168.0.52#53(192.168.0.52);; WHEN: Sat Oct 08 17:26:28 CST 2022;; MSG SIZE rcvd: 98[root@node11 ~]# dig file.ceph-mon02.ilinux.io; <> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <> file.ceph-mon02.ilinux.io;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37815;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;file.ceph-mon02.ilinux.io. IN A;; ANSWER SECTION:file.ceph-mon02.ilinux.io. 86400 IN CNAME ceph-mon02.ilinux.io.ceph-mon02.ilinux.io. 86400 IN A 192.168.0.72;; AUTHORITY SECTION:ilinux.io. 86400 IN NS ns.ilinux.io.;; ADDITIONAL SECTION:ns.ilinux.io. 86400 IN A 192.168.0.52;; Query time: 1 msec;; SERVER: 192.168.0.52#53(192.168.0.52);; WHEN: Sat Oct 08 17:26:38 CST 2022;; MSG SIZE rcvd: 117[root@node11 ~]#
提示:可以看到在客户端主机上将对应dns指向192.168.0.52以后,对应使用dig命令是可以正常解析ceph-mon01.ilinux.io;泛域名解析也是没有问题,到此我们的dns服务就搭建完成了;
配置每个radowgw守护进程的rgw_dns_name为其DNS名称
提示:我这里将ceph-mon02也启动了Radosgw,所以连同ceph-mon2一遍配置了;我们可以使用ceph-deploy将配置推送给集群各主机,然后再到每个主机上重启进程就好;
测试使用S3 API接口
使用radosgw-admin工具创建用户
[root@ceph-mon01 ssl]# radosgw-admin user create --uid=s3user --display-name="s3 test user"{ "user_id": "s3user", "display_name": "s3 test user", "email": "", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [], "keys": [ { "user": "s3user", "access_key": "433ZGVH2EJTJMG5EDP1B", "secret_key": "K0V73EieP8Wh6mng9xu9jA6iDbJGzfTXi2q3XQOU" } ], "swift_keys": [], "caps": [], "op_mask": "read, write, delete", "default_placement": "", "placement_tags": [], "bucket_quota": { "enabled": false, "check_on_raw": false, "max_size": -1, "max_size_kb": 0, "max_objects": -1 }, "user_quota": { "enabled": false, "check_on_raw": false, "max_size": -1, "max_size_kb": 0, "max_objects": -1 }, "temp_url_keys": [], "type": "rgw", "mfa_ids": []}[root@ceph-mon01 ssl]# radosgw-admin user list[ "s3user"][root@ceph-mon01 ssl]#
提示:创建账号在集群节点都可以创建,建议在admin host上创建;
在客户端主机上安装s3cmd工具
[root@node11 ~]# yum install -y s3cmd
提示:该工具来自epel源,安装前请配置好epel源;
配置s3cmd工具
[root@node11 ~]# s3cmd --configureEnter new values or accept defaults in brackets with Enter.Refer to user manual for detailed description of all options.Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.Access Key: 433ZGVH2EJTJMG5EDP1BSecret Key: K0V73EieP8Wh6mng9xu9jA6iDbJGzfTXi2q3XQOUDefault Region [US]: Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.S3 Endpoint [s3.amazonaws.com]: ceph-mon01.ilinux.io:7480Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be usedif the target S3 system supports dns based buckets.DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]: [%(bucket)s.ceph-mon01.ilinux.io:7480Encryption password is used to protect your files from readingby unauthorized persons while in transfer to S3Encryption password: Path to GPG program [/usr/bin/gpg]: When using secure HTTPS protocol all communication with Amazon S3servers is protected from 3rd party eavesdropping. This method isslower than plain HTTP, and can only be proxied with Python 2.7 or newerUse HTTPS protocol [Yes]: NoOn some networks all internet access must go through a HTTP proxy.Try setting it here if you can't connect to S3 directlyHTTP Proxy server name: New settings: Access Key: 433ZGVH2EJTJMG5EDP1B Secret Key: K0V73EieP8Wh6mng9xu9jA6iDbJGzfTXi2q3XQOU Default Region: US S3 Endpoint: ceph-mon01.ilinux.io:7480 DNS-style bucket+hostname:port template for accessing a bucket: [%(bucket)s.ceph-mon01.ilinux.io:7480 Encryption password: Path to GPG program: /usr/bin/gpg Use HTTPS protocol: False HTTP Proxy server name: HTTP Proxy server port: 0Test access with supplied credentials? [Y/n] YPlease wait, attempting to list all buckets...Success. Your access key and secret key worked fine :-)Now verifying that encryption works...Not configured. Never mind.Save settings? [y/N] yConfiguration saved to '/root/.s3cfg'[root@node11 ~]#
提示:access key和secret key这两项在我们创建用户时,就会返回;把对应信息复制过来就好;s3 endport是用来指定rgw站点的域名和端口;dns-style是指定泛域名解析格式;上述配置信息保存在当前用户的.s3cfg文件中,我们也可以直接修改该文件来配置s3cmd工具;
用s3user创建bucket
[root@node11 ~]# s3cmd mb s3://imagesBucket 's3://images/' created[root@node11 ~]#
列出bucket
[root@node11 ~]# s3cmd ls2022-10-08 11:18 s3://images[root@node11 ~]#
上传文件
[root@node11 ~]# s3cmd put /usr/share/backgrounds/morning.jpg s3://images/test/test.jpgupload: '/usr/share/backgrounds/morning.jpg' -> 's3://images/test/test.jpg' [1 of 1] 980265 of 980265 100% in 1s 491.31 KB/s done[root@node11 ~]# s3cmd ls 2022-10-08 11:18 s3://images[root@node11 ~]# s3cmd ls s3://images DIR s3://images/test/[root@node11 ~]# s3cmd ls s3://images/test/2022-10-08 11:25 980265 s3://images/test/test.jpg[root@node11 ~]#
下载文件
[root@node11 ~]# lsalldatabase index.html oplog_rs[root@node11 ~]# s3cmd get s3://images/test/test.jpgdownload: 's3://images/test/test.jpg' -> './test.jpg' [1 of 1] 980265 of 980265 100% in 0s 67.25 MB/s done[root@node11 ~]# lsalldatabase index.html oplog_rs test.jpg[root@node11 ~]#
ok,基于s3cmd测试使用S3 API接口就到此结束了;更多radosgw的配置使用,请参考官方文档;
作者:Linux-1874 出处:https://www.cnblogs.com/qiuhom-1874/ 本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利.