@likid0
Last active August 5, 2024 14:45

TXC 2024 - Lab 1518 Helper Commands

Chapter 1

Accessing your Workstation via ssh:

export USERNAME={your_username}
export USERIP={your_public_ip}
chmod 0600 ~/Downloads/ssh_private_key.pem
ssh -i ~/Downloads/ssh_private_key.pem -p 2223 ${USERNAME}@${USERIP}

Accessing your Workstation using a browser via CLI

Windows:
cmd.exe
set USERIP={your_public_ip}
start https://%USERIP%

MacOS/Linux:
export USERIP={your_public_ip}
open -a "Google Chrome" "https://${USERIP}"
open -a "Safari" "https://${USERIP}"

Adding Node Labels

grep node1 /etc/hosts | awk '{ print $2 }' | sed -e 's/node1-/node[2-4]-/g'

Generate URL for Certificate exception

grep node1 /etc/hosts | awk '{ print $2 }' | sed -e 's#ceph-node1-#https://ceph-node1#g' | sed -e 's/.$/:3000/'

Create Object Store User Account

ssh ceph-node1 sudo ceph pg stat

Configure AWS CLI

ssh ceph-node1 sudo radosgw-admin user info --uid=labuser | jq -r '.keys[0] | .access_key, .secret_key '

export AKEY=$(ssh ceph-node1 sudo radosgw-admin user info --uid=labuser | jq -r '.keys[0].access_key');echo $AKEY
export SKEY=$(ssh ceph-node1 sudo radosgw-admin user info --uid=labuser | jq -r '.keys[0].secret_key');echo $SKEY
aws configure set aws_access_key_id $AKEY --profile labuser
aws configure set aws_secret_access_key $SKEY --profile labuser
aws configure set endpoint_url https://ceph-node3 --profile labuser
aws configure set region multizg --profile labuser
aws configure set ca_bundle /root/ssl-cert/rootCA.pem --profile labuser

Using AWS CLI

List buckets

aws --profile labuser s3 ls

Create bucket

aws --profile labuser s3api create-bucket --bucket s3-bucket-2
aws --profile labuser s3 ls

Upload Object

truncate -s 10M 10MB.bin
aws --profile labuser s3 cp 10MB.bin s3://s3-bucket-1/10MB.bin

Get Bucket Listing

aws --profile labuser s3 ls s3://s3-bucket-1
aws --profile labuser s3 cp s3://s3-bucket-1/10MB.bin GET-10MB.bin
echo $(openssl dgst -md5 ./10MB.bin | awk '{print $2}');echo $(openssl dgst -md5 ./GET-10MB.bin | awk '{print $2}')

Quotas

truncate -s 1M ./1MB.bin
for i in {1..12} ; do aws --profile labuser s3 cp ./1MB.bin s3://s3-bucket-2/1MB-${i}.bin ; done

ssh ceph-node1 sudo radosgw-admin quota disable --quota-scope=user --uid=labuser
ssh ceph-node1 sudo radosgw-admin user info --uid=labuser | jq '.user_quota.enabled'

Rate Limiting

ssh ceph-node1 sudo radosgw-admin ratelimit set --ratelimit-scope=user --uid=labuser --max-read-ops=3
ssh ceph-node1 sudo radosgw-admin ratelimit enable --ratelimit-scope=user --uid=labuser
ssh ceph-node1 sudo radosgw-admin ratelimit get --ratelimit-scope=user --uid=labuser

aws --profile labuser s3 cp 1MB.bin s3://s3-bucket-1/1MB.bin
for i in {1..5} ; do aws --profile labuser s3api head-object --bucket s3-bucket-1 --key 1MB.bin | grep ETag ; done
aws --profile labuser s3 cp 1MB.bin s3://s3-bucket-1/1MB-2.bin
aws --profile labuser s3 cp 1MB.bin s3://s3-bucket-1/1MB-2.bin

ssh ceph-node1 sudo radosgw-admin ratelimit disable --ratelimit-scope=user --uid=labuser

Storage Classes

ssh ceph-node1 sudo ceph osd pool create zone1.rgw.hdd.storage.class.buckets.data 32 32
ssh ceph-node1 sudo ceph osd pool application enable zone1.rgw.hdd.storage.class.buckets.data rgw
ssh ceph-node1 sudo radosgw-admin zone get | jq .placement_pools
ssh ceph-node1 sudo radosgw-admin zonegroup placement add --rgw-zonegroup multizg --placement-id default-placement --storage-class STANDARD_IA
ssh ceph-node1 sudo radosgw-admin zone placement add --rgw-zone zone1 --placement-id default-placement --storage-class STANDARD_IA --data-pool zone1.rgw.hdd.storage.class.buckets.data --compression lz4
ssh ceph-node1 sudo radosgw-admin period update --commit

Life Cycle Policy

aws --profile labuser s3 mb s3://bucketpolicy
cat > lc_transition_rule <<EOL
{
  "Rules": [
    {
      "ID": "TransitionRule",
      "Filter": { "Prefix": "" },
      "Status": "Enabled",
      "Transitions": [
        { "Days": 10, "StorageClass": "STANDARD_IA" }
      ]
    }
  ]
}
EOL

aws --profile labuser s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lc_transition_rule --bucket bucketpolicy
aws --profile labuser s3api get-bucket-lifecycle-configuration --bucket bucketpolicy

aws --profile labuser s3 cp 1MB.bin s3://bucketpolicy/

ssh ceph-node1 sudo ceph df -f json | jq '.pools[] | select(.name=="zone1.rgw.hdd.storage.class.buckets.data")'
ssh ceph-node1 sudo ceph config set client.rgw rgw_lc_debug_interval 60
ssh ceph-node1 sudo ceph orch restart rgw.rgwsrv

aws --profile labuser s3api head-object --bucket bucketpolicy --key 1MB.bin
ssh ceph-node1 sudo ceph df | grep -E '(OBJECTS|zone1.rgw.hdd.storage.class.buckets.data)'

aws --profile labuser s3 cp 10MB.bin s3://bucketpolicy --storage-class STANDARD_IA

Security and Audit

ssh ceph-node1 sudo ceph config set client.rgw rgw_enable_ops_log true
ssh ceph-node1 sudo ceph config set client.rgw rgw_ops_log_rados false
ssh ceph-node1 sudo ceph config set client.rgw rgw_ops_log_file_path /var/log/ceph/audit_rgw.log
ssh ceph-node1 sudo ceph orch ls | grep rgw
ssh ceph-node1 sudo ceph orch restart rgw.rgwsrv

Sharing Bucket

export AKEY=$(ssh ceph-node1 sudo radosgw-admin user info --uid=demouser | jq -r '.keys[0].access_key');echo $AKEY
export SKEY=$(ssh ceph-node1 sudo radosgw-admin user info --uid=demouser | jq -r '.keys[0].secret_key');echo $SKEY
aws configure set aws_access_key_id $AKEY --profile demouser
aws configure set aws_secret_access_key $SKEY --profile demouser
aws configure set endpoint_url https://ceph-node3 --profile demouser
aws configure set region multizg --profile demouser
aws configure set ca_bundle /root/ssl-cert/rootCA.pem --profile demouser

aws --profile labuser s3 ls s3://demobucket
aws --profile labuser s3 cp /etc/hosts s3://demobucket/hosts
aws --profile demouser s3 ls s3://demobucket

GetObject Policy

{
  "Id": "Policy1722543216639",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1722543108108",
      "Action": [ "s3:ListBucket" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::demobucket",
      "Principal": { "AWS": [ "arn:aws:iam:::user/demouser" ] }
    },
    {
      "Sid": "Stmt1722543202837",
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::demobucket/*",
      "Principal": { "AWS": [ "arn:aws:iam:::user/demouser" ] }
    }
  ]
}

GetObject + PutObject Policy

{
  "Id": "Policy1722543216639",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1722543108108",
      "Action": [ "s3:ListBucket" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::demobucket",
      "Principal": { "AWS": [ "arn:aws:iam:::user/demouser" ] }
    },
    {
      "Sid": "Stmt1722543202837",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::demobucket/*",
      "Principal": { "AWS": [ "arn:aws:iam:::user/demouser" ] }
    }
  ]
}

aws --profile labuser s3 cp /etc/hosts s3://demobucket/hosts
aws --profile demouser s3 ls s3://demobucket

aws --profile demouser s3 cp s3://demobucket/hosts /tmp
cat /tmp/hosts

aws --profile demouser s3 cp 1MB.bin s3://demobucket/
aws --profile demouser s3 cp 1MB.bin s3://demobucket/
aws --profile demouser s3 ls s3://demobucket/
aws --profile demouser s3 rm s3://demobucket/1MB.bin
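
A pre-apply check for the two demobucket policies above, as an added example that is not part of the original gist: it expands every Allow statement into (principal, action, resource) grants and flags anything beyond Get/List actions or any wildcard. The helper names (page_policy, grants, findings) and the read-only classification by action prefix are assumptions of this example.

```python
def page_policy(object_actions):
    """Constructed copy of the page's demobucket policy for the given object actions."""
    user = {"AWS": ["arn:aws:iam:::user/demouser"]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": "arn:aws:s3:::demobucket", "Principal": user},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": "arn:aws:s3:::demobucket/*", "Principal": user},
        ],
    }

def as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Return (principal, action, resource) for every Allow statement."""
    out = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in principals:
            for a in as_list(st.get("Action", [])):
                for r in as_list(st.get("Resource", [])):
                    out.append((p, a, r))
    return out

def findings(policy):
    """Flag grants that use wildcards or go beyond read-only (Get*/List*) actions."""
    flagged = []
    for p, a, r in grants(policy):
        verb = a.split(":", 1)[-1]
        if p == "*" or "*" in a:
            flagged.append((p, a, r, "wildcard principal or action"))
        elif not verb.startswith(("Get", "List")):
            flagged.append((p, a, r, "non-read action"))
    return flagged

if __name__ == "__main__":
    for actions in (["s3:GetObject"], ["s3:GetObject", "s3:PutObject"]):
        print(actions, "->", findings(page_policy(actions)) or "read-only")
```

Neither policy grants s3:DeleteObject to demouser, so the check does not flag a delete grant for either one.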
