Questions[object-storage](server)

I have a ceph cluster and running a few s3 bucket on it, 'gitlab-s3-api' user has full permission on everything on ( users=;buckets=;metadata=;usage=;zone=* ) but very oddly it cannot delete any file on its own bucket.

{
"user_id": "gitlab-s3-api",
"display_name": "Gitlab s3 bucket",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"subusers": [],
"keys": [
    {
        "user": "gitlab-s3-api",
        "access_key": "xxxx",
        "secret_key": "xxxx"
    }
],
"swift_keys": [],
"caps": [
    {
        "type": "buckets",
        "perm": "*"
    },
    {
        "type": "metadata",
        "perm": "*"
    },
    {
        "type": "usage",
        "perm": "*"
    },
    {
        "type": "users",
        "perm": "*"
    },
    {
        "type": "zone",
        "perm": "*"
    }
],
"op_mask": "read, write, delete",
"default_placement": "",
"default_storage_class": "",
"placement_tags": [],
"bucket_quota": {
    "enabled": true,
    "check_on_raw": false,
    "max_size": 32212254720,
    "max_size_kb": 31457280,
    "max_objects": -1
},
"user_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
},
"temp_url_keys": [],
"type": "rgw",
"mfa_ids": []

}

I also added DeleteObject policy to the user but it does not work.

s3cmd info s3://gitlab
s3://gitlab/ (bucket):
   Location:  default
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/gitlab-s3-api"]},
    "Action": "s3:DeleteObject",
    "Resource": [
      "arn:aws:s3:::gitlab/*"
    ]
  }]
}

   CORS:      none
   ACL:       Gitlab s3 bucket: FULL_CONTROL

Here you can see that I cannot delete the object.

s3cmd rm s3://gitlab/ansible.cfg
ERROR: Error parsing xml: Malformed error XML returned from remote server..  ErrorXML: <html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

ERROR: S3 error: 403 (Forbidden)

I set up my Ceph Cluster by following this document. I have one Manager Node, one Monitor Node, and three OSD Nodes. The problem is that right after I finished setting up the cluster, the ceph health returned HEALTH_OK for all three nodes. However, when I get back to my cluster it wasn't ok. This is the output of the health check:

HEALTH_WARN Reduced data availability: 96 pgs inactive
PG_AVAILABILITY Reduced data availability: 96 pgs inactive
    pg 0.0 is stuck inactive for 35164.889973, current state unknown, last acting []
    pg 0.1 is stuck inactive for 35164.889973, current state unknown, last acting []
    pg 0.2 is stuck inactive for 35164.889973, current state unknown, last acting []

and also for all the other pgs. I'm new to ceph and I don't know why this has happened. I'm using Ceph version 13.2.10 mimic (stable). I have searched for an answer, but others who seem to have the same problem aren't experiencing node failure. All my osd nodes are down and this is the output for ceph -s:

  cluster:
    id:     xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
    health: HEALTH_WARN
            Reduced data availability: 96 pgs inactive

  services:
    mon: 1 daemons, quorum server-1
    mgr: server-1(active)
    osd: 3 osds: 0 up, 0 in

  data:
    pools:   2 pools, 96 pgs
    objects: 0  objects, 0 B
    usage:   0 B used, 0 B / 0 B avail
    pgs:     100.000% pgs unknown
             96 unknown

I have also checked the osd logs and I didn't understand what the problem is, but these few lines indicate that there is the problem with my version of Ceph and I have to upgrade to luminous but I already have a newer version:

2021-02-18 22:01:11.994 7fb070e25c00  0 osd.1 14 done with init, starting boot process
2021-02-18 22:01:11.994 7fb070e25c00  1 osd.1 14 start_boot
2021-02-18 22:01:11.998 7fb049add700 -1 osd.1 14 osdmap require_osd_release < luminous; please upgrade to luminous
2021-02-18 22:11:00.706 7fb050aeb700 -1 osd.1 15 osdmap require_osd_release < luminous; please upgrade to luminous
2021-02-18 22:35:52.276 7fb050aeb700 -1 osd.1 16 osdmap require_osd_release < luminous; please upgrade to luminous
2021-02-18 22:36:08.836 7fb050aeb700 -1 osd.1 17 osdmap require_osd_release < luminous; please upgrade to luminous
2021-02-19 04:05:00.895 7fb0512ec700  1 bluestore(/var/lib/ceph/osd/ceph-1) _balance_bluefs_freespace gifting 0x1f00000~100000 to bluefs
2021-02-19 04:05:00.931 7fb0512ec700  1 bluefs add_block_extent bdev 1 0x1f00000~100000
2021-02-19 04:23:51.208 7fb0512ec700  1 bluestore(/var/lib/ceph/osd/ceph-1) _balance_bluefs_freespace gifting 0x2400000~400000 to bluefs
2021-02-19 04:23:51.244 7fb0512ec700  1 bluefs add_block_extent bdev 1 0x2400000~400000

I also checked the osd versions by ceph tell osd.* version and this is the output:

Error ENXIO: problem getting command descriptions from osd.0
osd.0: problem getting command descriptions from osd.0
Error ENXIO: problem getting command descriptions from osd.1
osd.1: problem getting command descriptions from osd.1
Error ENXIO: problem getting command descriptions from osd.2
osd.2: problem getting command descriptions from osd.2

while ceph-osd --version returns Ceph version 13.2.10 mimic (stable).

I can't understand what the problem could be. I also tried systemctl start -l ceph-osd@# and it didn't work. I have no clue what else I can try or why did this happen in the first place.

I'd like to have many storage buckets, each with its own password or key for read & write access for use by end users.

Some options I've discovered:

1. ACLs: These work on a per-OpenStack-user basis. I don't think it makes sense to create a new OpenStack user for each end user.
2. Application credentials: These can't be set on a per-container basis, but rather on a class of operations. So you can restrict to containers, but that's for all containers, not a specific one.

Cloud-A announced Container Specific API Keys (documented elsewhere), but this appears to be non-standard. I'd like something that will be compatible with upstream OpenStack.

Does anyone have experience with using Openstack Swift object storage with s3fs and having multiple write mounts accessing the same file(s) at the same time?

The man page for s3, for example: https://linux.die.net/man/1/s3fs has this paragraph:

"Multi User capability While it is possible to share s3 buckets among multiple users, the current data consistency model for Amazons S3 service prevent the safe usage of multiple mounts from multiple users. While s3fs will currently allow multiple mounts, data corruption may result from such activity. A future release will contain a locking mechanism to safely guard against multiple read-write mounts. multiple read-only mounts following a single read-write mount is safe, but will not reflect changes made by the writeable mount to any of the file or filesystem metadata, limiting its usefulness there"

Is the locking mechanisim mentioned above implemented yet?

Thanks Mark

In an object storage solution, how is the object data actually written to the underlying storage volumes? i.e. In what format is it written? Does it use an intermediate file system, or does it access the block storage directly? Or is it different for each implementation?

Suppose I have some data stored on one on-premise object storage platform and I want to migrate them to another, by just pointing the application at the disks - not having to copy all the data over. example: ceph to minio. Would that be possible? i.e. do they use some standardized way of storing the underlying data?

What happens if I lose the object storage middleware and I just have the physical volumes (disks). Would I be able to retrieve or understand the data in any way?

Finally, can an object storage solution be based on tape volumes (since they are lower cost than disk)? Assuming that I'm not concerned about lower latency of having to load/unload tapes.