swift proxy #69


OpenStack Object Storage (code-named Swift) is open source software for
creating redundant, scalable object storage using clusters of standardized
servers to store petabytes of accessible data. It is not a file system or
real-time data storage system, but rather a long-term storage system for a
more permanent type of static data that can be retrieved, leveraged, and
then updated if necessary. Primary examples of data that best fit this
type of storage model are virtual machine images, photo storage, email
storage and backup archiving. Having no central "brain" or master point of
control provides greater scalability, redundancy and permanence.
This charm deploys the Swift proxy service, providing HTTP based access
onto underlying Swift storage services.


This charm provides the swift-proxy component of the OpenStack Swift object
storage system. It can be deployed as part of its own stand-alone storage
cluster or it can be integrated with the other OpenStack components, assuming
those are also managed by Juju. For Swift to function, you'll also need to
deploy additional swift-storage nodes using the cs:precise/swift-storage

For more information about Swift and its architecture, visit the
official project website

This charm was developed to support deploying multiple version of Swift on
Ubuntu Precise 12.04, as they relate to the release series of OpenStack. That
is, OpenStack Essex corresponds to Swift 1.4.8 while OpenStack Folsom shipped
1.7.4. This charm can be used to deploy either (and future) versions of Swift
onto an Ubuntu Precise 12.04 or Trusty 14.04 making use of the Ubuntu Cloud
Archive when needed.


Currently, Swift may be deployed in two ways. In either case, additional
storage nodes are required. The configuration option that dictates
how to deploy this charm is the 'zone-assignment' setting. This section
describes how to select the appropriate zone assignment policy, as well as
a few other configuration settings of interest. Many of the configuration
settings can be left as default.

Zone Assignment

This setting determines how the charm assigns new storage nodes to storage

The default, 'manual' option is suggested for production as it allows
administrators to carefully architect the storage cluster. It requires each
swift-storage service to be deployed with an explicit storage zone configured
in its deployment settings. Upon relation to a swift-proxy, the storage node
will request membership to its configured zone and be assigned by the
swift-proxy charm accordingly. Using the cs:precise/swift-storage charm with
this charm, a deployment would look something like:

$ cat >swift.cfg <<END
        zone-assignment: manual
        replicas: 3
        zone: 1
        block-device: /etc/swift/storage.img|2G
        zone: 2
        block-device: /etc/swift/storage.img|2G
        zone: 3
        block-device: /etc/swift/storage.img|2G
$ juju deploy --config=swift.cfg swift-proxy
$ juju deploy --config=swift.cfg swift-storage swift-storage-zone1
$ juju deploy --config=swift.cfg swift-storage swift-storage-zone2
$ juju deploy --config=swift.cfg swift-storage swift-storage-zone3
$ juju add-relation swift-proxy swift-storage-zone1
$ juju add-relation swift-proxy swift-storage-zone2
$ juju add-relation swift-proxy swift-storage-zone3

This will result in a configured storage cluster of 3 zones, each with one
node. To expand capacity of the storage system, nodes can be added to specific
zones in the ring.

$ juju add-unit swift-storage-zone1
$ juju add-unit -n5 swift-storage-zone3    # Adds 5 units to zone3

This charm will not balance the storage ring until there are enough storage
zones to meet its minimum replica requirement, in this case 3.

The other option for zone assignment is 'auto'. In this mode, swift-proxy
gets a relation to a single swift-storage service unit. Each machine unit
assigned to that service unit will be distributed evenly across zones.

$ cat >swift.cfg <<END
    zone-assignment: auto
    replicas: 3
    zone: 1
    block-device: /etc/swift/storage.img|2G
$ juju deploy --config=swift.cfg swift-proxy
$ juju deploy --config=swift.cfg swift-storage
$ juju add-relation swift-proxy swift-storage
# The swift-storage/0 unit ends up the first node in zone 1
$ juju add-unit swift-storage
# swift-storage/1 ends up the first node in zone 2.
$ juju add-unit swift-storage
# swift-storage/2 is the first in zone 3, replica requirement is satisfied
# the ring is balanced.

Extending the ring in the case is just a matter of adding more units to the
single service unit. New units will be distributed across the existing zones.

$ juju add-unit swift-storage
# swift-storage/3 is assigned to zone 1.
$ juju add-unit swift-storage
# swift-storage/4 is assigned to zone 2.

Installation repository.

The 'openstack-origin' setting allows Swift to be installed from installation
repositories and can be used to setup access to the Ubuntu Cloud Archive
to support installing Swift versions more recent than what is shipped with
Ubuntu 12.04 (1.4.8). For more information, see config.yaml.


By default, the charm will be deployed using the tempauth auth system. This is
a simple and not-recommended auth system that functions without any external
dependencies. See Swift documentation for details.

The charm may also be configured to use Keystone, either manually (via config)
or automatically via a relation to an existing Keystone service using the
cs:precise/keystone charm. The latter is preferred, however, if a Keystone
service is desired but it is not managed by Juju, the configuration for the
auth token middleware can be set manually via the charm's config. A relation
to a Keystone server via the identity-service interface will configure
swift-proxy with the appropriate credentials to make use of Keystone and is
required for any integration with other OpenStack components.


Swift may be used to as a storage backend for the Glance image service. To do
so, simply add a relation between swift-proxy and an existing Glance service
deployed using the cs:precise/glance charm.


There are two mutually exclusive high availability options: using virtual
IP(s) or DNS. In both cases, a relationship to hacluster is required which
provides the corosync back end HA functionality.

To use virtual IP(s) the clustered nodes must be on the same subnet such that
the VIP is a valid IP on the subnet for one of the node's interfaces and each
node has an interface in said subnet. The VIP becomes a highly-available API

At a minimum, the config option 'vip' must be set in order to use virtual IP
HA. If multiple networks are being used, a VIP should be provided for each
network, separated by spaces. Optionally, vip_iface or vip_cidr may be

To use DNS high availability there are several prerequisites. However, DNS HA
does not require the clustered nodes to be on the same subnet.
Currently the DNS HA feature is only available for MAAS 2.0 or greater
environments. MAAS 2.0 requires Juju 2.0 or greater. The clustered nodes must
have static or "reserved" IP addresses registered in MAAS. The DNS hostname(s)
must be pre-registered in MAAS before use with DNS HA.

At a minimum, the config option 'dns-ha' must be set to true and at least one
of 'os-public-hostname', 'os-internal-hostname' or 'os-internal-hostname' must
be set in order to use DNS HA. One or more of the above hostnames may be set.

The charm will throw an exception in the following circumstances:
If neither 'vip' nor 'dns-ha' is set and the charm is related to hacluster
If both 'vip' and 'dns-ha' are set as they are mutually exclusive
If 'dns-ha' is set and none of the os-{admin,internal,public}-hostname(s) are

Network Space support

This charm supports the use of Juju Network Spaces, allowing the charm to be bound to network space configurations managed directly by Juju. This is only supported with Juju 2.0 and above.

API endpoints can be bound to distinct network spaces supporting the network separation of public, internal and admin endpoints.

To use this feature, use the --bind option when deploying the charm:

juju deploy swift-proxy --bind "public=public-space internal=internal-space admin=admin-space"

alternatively these can also be provided as part of a juju native bundle configuration:

  charm: cs:xenial/swift-proxy
  num_units: 1
    public: public-space
    admin: admin-space
    internal: internal-space

NOTE: Spaces must be configured in the underlying provider prior to attempting to use them.

NOTE: Existing deployments using os-*-network configuration options will continue to function; these options are preferred over any network space binding provided if set.

Telemetry support

For OpenStack releases >= Mitaka, improved telemetry collection support is possible by
adding a relation between swift-proxy and rabbitmq-server:

juju add-relation swift-proxy rabbitmq-server

NOTE: In a busy Swift deployment this can place additional load on the underlying
message bus.


(string) Base64 encoded SSL key to use with certificate specified as ssl_cert.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
(int) Server timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(int) Enable Static Large Objects (SLO) support. This allows the user to upload several object segments concurrently, after which a manifest is uploaded that describes how to concatenate them, enabling a single large object to be downloaded. . This option sets the maximum number of object segments allowed per large object, allowing control over the maximum large object size. The default minimum segment size is 1MB, while the maximum segment size corresponds to the largest object swift is configured to support (5GB by default). . Ex. Setting this to 1000 would allow up to 1000 5GB object segments to be uploaded for a maximum large object size of 5TB.
(boolean) Delay authentication to downstream WSGI services.
(string) Virtual IP(s) to use to front API services in HA configuration. . If multiple networks are being used, a VIP should be provided for each network, separated by spaces.
(string) Keystone admin username
(int) This is the Swift ring builder min_part_hours parameter. This setting represents the amount of time in hours that Swift will wait between subsequent ring re-balances in order to avoid large i/o loads as data is re-balanced when new devices are added to the cluster. Once your cluster has been built, you can set this to a higher value e.g. 1 (upstream default). Note that changing this value will result in an attempt to re-balance and if successful, rings will be redistributed.
(string) Hash to use across all swift-proxy servers - don't loose
(int) This value needs to be set according to the parameters of the cluster being deployed. In order to achieve an optimal distribution of objects within your cluster without over consuming system resources it is important that this value not be too low or high but it must also be high enough to account for future expansion of your cluster since it cannot be changed once the rings have been built. A rough calculation for this value should be no less than log2(total_disks * 100).
(string) Enable statsd metrics to be sent to the specified host. If this value is empty, statsd logging will be disabled.
(string) Keystone authentication protocol
(int) Number of TCP workers to launch (0 for the number of system cores).
(int) Queue timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(string) The IP address and netmask of the OpenStack Admin network (e.g. . This network will be used for admin endpoints.
(int) Minimum replicas for each object stored in the cluster.
(string) Keystone authentication host
(boolean) If True enables IPv6 support. The charm will expect network interfaces to be configured with an IPv6 address. If set to False (default) IPv4 is expected. . NOTE: these charms do not currently support IPv6 privacy extension. In order for this charm to function correctly, the privacy extension must be disabled and a non-temporary address must be configured/available on your network interface.
(float) Sample rate determines what percentage of the metric points a client should send to the server. Only takes effect if statsd-host is set.
(string) Rabbitmq vhost name.
(string) The IP address and netmask of the OpenStack Public network (e.g., . This network will be used for public endpoints.
(string) Base64 encoded SSL certificate to install and use for API ports. . juju set swift-proxy ssl_cert="$(cat cert | base64)" \ ssl_key="$(cat key | base64)" . Setting this value (and ssl_key) will enable reverse proxying, point Swifts's entry in the Keystone catalog to use https, and override any certficiate and key issued by Keystone (if it is configured to do so).
(int) Default multicast port number that will be used to communicate between HA Cluster nodes.
(string) Which policy to use when assigning new storage nodes to zones. . manual - Allow swift-storage services to request zone membership. auto - Assign new swift-storage units to zones automatically. . The configured replica minimum must be met by an equal number of storage zones before the storage ring will be initially balance. Deployment requirements differ based on the zone-assignment policy configured, see this charm's README for details.
(string) Default network interface on which HA cluster will bind to communication with the other members of the HA Cluster.
(boolean) Enable logging of all request headers.
(string) Keystone admin tenant name
(int) Client timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(int) How long the proxy server will wait on responses from the account/container/object servers.
(int) How long the proxy server will wait for an initial response and to read a chunk of data from the object servers while serving GET / HEAD requests. Timeouts from these requests can be recovered from so setting this to something lower than node-timeout would provide quicker error recovery while allowing for a longer timeout for non-recoverable requests (PUTs).
(string) The secret key to use to authenticate as an swauth admin
(int) TCP port to listen on.
(string) Username used to access rabbitmq queue.
(string) The hostname or address of the public endpoints created for swift-proxy in the keystone identity provider. This value will be used for public endpoints. For example, an os-public-hostname set to 'files.example.com' with will create the following public endpoint for the swift-proxy: https://files.example.com:80/swift/v1
(boolean) If True enables openstack upgrades for this charm via juju actions. You will still need to set openstack-origin to the new repository but instead of an upgrade running automatically across all units, it will wait for you to execute the openstack-upgrade action for this charm on each unit. If False it will revert to existing behavior of upgrading all units on config change.
(string) Repository from which to install. May be one of the following: distro (default), ppa:somecustom/ppa, a deb url sources entry, or a supported Ubuntu Cloud Archive e.g. . cloud:<series>-<openstack-release> cloud:<series>-<openstack-release>/updates cloud:<series>-<openstack-release>/staging cloud:<series>-<openstack-release>/proposed . See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which cloud archives are available and supported. . NOTE: updating this setting to a source that is known to provide a later version of OpenStack will trigger a software upgrade unless action-managed-upgrade is set to True.
(boolean) Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings below.
(string) Comma-separated list of Swift operator roles.
(boolean) This provides similar support to min-hours but without having to modify the builders. If True, any changes to the builders will not result in a ring re-balance and sync until this value is set back to False.
(int) Keystone authentication port
(string) The IP address and netmask of the OpenStack Internal network (e.g. . This network will be used for internal endpoints.
(string) OpenStack region that this swift-proxy supports.
(string) Used by the nrpe-external-master subordinate charm. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like 'juju-myservice-0'. If you are running multiple environments with the same services in them this allows you to differentiate between them.
(string) Base64-encoded SSL CA to use with the certificate and key provided - only required if you are providing a privately signed ssl_cert and ssl_key.
(string) Apply system hardening. Supports a space-delimited list of modules to run. Supported modules currently include os, ssh, apache and mysql.
(string) Auth method to use, tempauth, swauth or keystone
(string) The hostname or address of the admin endpoints created for swift-proxy in the keystone identity provider. . This value will be used for admin endpoints. For example, an os-admin-hostname set to 'files.admin.example.com' with will create the following admin endpoint for the swift-proxy: . https://files.admin.example.com:80/swift/v1
(boolean) Enable debug level logging.
(string) The hostname or address of the internal endpoints created for swift-proxy in the keystone identity provider. . This value will be used for internal endpoints. For example, an os-internal-hostname set to 'files.internal.example.com' with will create the following internal endpoint for the swift-proxy: . https://files.internal.example.com:80/swift/v1
(int) Connect timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(int) Destination port on the provided statsd host to send samples to. Only takes effect if statsd-host is set.
(string) Keystone admin password