Standardize additional storage classes

[garloff]

As a SCS container user, I want to have the ability to claim persistent volume from storage with specific requirements:

• [ ] encrypted
• [ ] performance tiers
• [ ] low-latency / local
• [ ] RWX

Todo: Research what is needed and standardize requirements, names, ....

Definition of Ready:

• [ ] User Story is small enough to be finished within one sprint
• [ ] User Story is clear and understood by the whole team
• [ ] Acceptance criteria are defined
• [ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

• [ ] All acceptance criteria are met
• [ ] Changes have been reviewed
• [ ] CI tests have run successfully
• [ ] Documentation has been updated
• [ ] Release Notes have been updated

[garloff]

Block storage performance: standard, high, veryhigh (How many tiers do we need?) (Independently of this, larger volumes tend to have higher bandwidth ...)

• We would need to write down minimal bandwidth/maximal latency (IOPS) requirements per class Classes could be IOPS-200, IOPS-500, IOPS-1000, IOPS-2000, IOPS-5000, ...

Team is wondering about the benefit, as users will look this up and test and also have to check pricing.

This could be just a naming convention, not prescribing that providers need to provide all classes mandatorily.

[garloff]

Encryption:

• Is encryption at rest, so stolen disks/not properly security-erased broken disks are not risk -> Should we require this to be just always on, not even an option? If done at the ceph layer, the overhead should be small.

=> Ask IaaS team to investigate and standardize this.

[garloff]

Local storage is wanted. (Databases, other apps that replicate data themselves.)

• Low latency
• No replication needed

Nice to have, so we could standardize it ... Not mandatory, but we standardize naming and properties. Not available on e.g. Azure AWS: Instance-storage ... Local storage is attached to node - not "persistent" Local path provisioner (and pinning of pods to nodes) for application cluster -> local throwaway storage

[batistein]

@garloff In the past few weeks, we've often seen the demand for ReadWriteMany support. More and more new cloud-native software relies directly on volumes. Without ReadWriteMany support it is often not possible to scale beyond 1 replica.

A good example of this is owncloud ocis, which no longer requires a database. It relies heavily on volumes. See: https://github.com/owncloud/ocis-charts/blob/master/charts/ocis/values.yaml#L434-L436

[garloff]

Solution options for RWX:

1. Shared network filesystem (like NFS, CIFS, cephfs)
   • OpenStack could provide this via the Manila Service (currently not enabled by default in SCS)
2. ClusterFS with Multi-Attach

[batistein]

more projects where RWX is needed:

• https://github.com/zammad/zammad-helm/blob/main/zammad/values.yaml#L350
• https://goharbor.io/docs/2.1.0/install-config/harbor-ha-helm/

[garloff]

Options to investigate for implementation (we don't know yet if they achieve production quality): 1a) manila and csi-manila 1b) rook (possibly with size=1 when using ceph storage from IaaS -- need to ensure that the volume can be attached to VMs in all AZs)

[garloff]

Ad 1a: Preliminary results from investigating the manila option (with cephfs) @matfechner:

• performance seems OKish
• using tenant network for cephfs communication may cause security concerns; also questions on multi-tenancy and quota support for cephfs

[garloff]

Ad 1b: Full ceph cluster in the user's k8s cluster, significant infra needed, performance not great.

[garloff]

Ad 1b: Alternative might be using a different k8s storage, e.g. Longhorn instead ceph with rook.

[horazont]

https://goharbor.io/docs/2.1.0/install-config/harbor-ha-helm/

To quote from that page:

If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the persistence.imageChartStorage.type to the value you want to use and fill the corresponding section and set jobservice.jobLogger to database.

So RWX does not seem to be strictly required.

[NotTheEvilOne]

As for type "encrypted". Even thought OpenStack supports encryption using "barbican" and "cinder" the CSI implementation does not as for today. See cloud-provider-openstack@1881

This is the case for other CSI implementations as well. So I think it would not be helpful to add this to a list of required storage classes.

[akafazov]

I have also encountered several times need for RWX, link here: https://github.com/Daiteap/daiteap-platform/blob/master/helm/platform-api/templates/deployment.yaml#L230-L231

Use case:

• storing media files (avatars) for web application, so that multiple PODs can write/read the profile images