airship/porthole
Code Issues Proposed changes

Chart/Dockerfile for Ceph Utility Container

Browse Source 
Change-Id: I06fa84b88f3a4828ee5151839c9e216879e56bde
Signed-off-by: Sreejith Punnapuzha <Sreejith.Punnapuzha@outlook.com>
This commit is contained in:
Sreejith Punnapuzha 2018-10-01 10:26:04 -05:00
parent d71a8b3f86
commit fcaf62a7fa
19 changed files with 881 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
.gitignore vendored
View File

@ -1,104 +1,77 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
# Packages
*.egg*
*.egg-info
dist
build
eggs
parts
var
sdist
develop-eggs
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
lib
lib64
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
cover/
.coverage*
!.coveragerc
.tox
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
.testrepository
.venv
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Mr Developer
.mr.developer.cfg
.project
.pydevproject
# Flask stuff:
instance/
.webassets-cache
# Complexity
output/*.html
output/*/index.html
# Scrapy stuff:
.scrapy
# Sphinx
doc/build
# Sphinx documentation
docs/_build/
# pbr generates these
AUTHORS
ChangeLog
# PyBuilder
target/
# Editors
*~
.*.swp
.*sw?
# Jupyter Notebook
.ipynb_checkpoints
# Files created by releasenotes build
releasenotes/build
# pyenv
.python-version
# Dev tools
.idea/
**/.vagrant
**/*.log
# celery beat schedule file
celerybeat-schedule
# Helm internals
*.lock
*/*.lock
*.tgz
**/*.tgz
**/_partials.tpl
**/_globals.tpl
# SageMath parsed files
*.sage.py
# Gate and Check Logs
logs/
tmp/
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
# Developer symlinks
helm-toolkit

26
Dockerfiles/ceph-utility/Dockerfile.ubuntu Executable file
View File

@ -0,0 +1,26 @@
ARG UBUNTU_RELEASE=xenial
FROM docker.io/ubuntu:${UBUNTU_RELEASE}
LABEL maintainer="sreejith.punnapuzha@outlook.com"
ARG CEPH_RELEASE=mimic
ARG UBUNTU_RELEASE=xenial
RUN set -xe \
&& echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
&& echo 'exit 101' >> /usr/sbin/policy-rc.d \
&& chmod +x /usr/sbin/policy-rc.d \
&& sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& dpkg-divert --local --rename --add /sbin/initctl \
&& cp -a /usr/sbin/policy-rc.d /sbin/initctl \
&& sed -i 's/^exit.*/exit 0/' /sbin/initctl \
&& apt-get update && apt-get install -y wget curl apt-transport-https gnupg\
&& wget -q -O- 'https://download.ceph.com/keys/release.asc' | apt-key add - \
&& echo deb https://download.ceph.com/debian-${CEPH_RELEASE}/ ${UBUNTU_RELEASE} main | tee /etc/apt/sources.list.d/ceph.list \
&& apt-get update && apt-get install -y bash python-oslo.rootwrap moreutils vim sudo screen ceph-common python-rbd radosgw rsyslog x11-apps jq \
&& apt-get remove --purge -y wget apt-transport-https && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* \
&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \
&& pip --no-cache-dir install --upgrade crush
CMD ["/bin/bash"]

46
Dockerfiles/ceph-utility/Makefile Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ifndef CEPH_RELEASE
$(error The TAG variable is missing.)
endif
ifndef UBUNTU_RELEASE
$(error The ENV variable is missing.)
endif
SHELL := /bin/bash
DOCKER_REGISTRY ?= quay.io
IMAGE_NAME ?= ceph-utility
IMAGE_PREFIX ?= attcomdev
IMAGE_TAG ?= latest
LABEL ?= mimic
IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
# Build ceph-utility Docker image for this project
.PHONY: images
images: build_$(IMAGE_NAME)
# Make targets intended for use by the primary targets above.
.PHONY: build_$(IMAGE_NAME)
build_$(IMAGE_NAME):
docker build -f Dockerfile.ubuntu \
--network host \
--build-arg CEPH_RELEASE=$(CEPH_RELEASE) \
--build-arg UBUNTU_RELEASE=$(UBUNTU_RELEASE) \
-t $(IMAGE) \
--label $(LABEL) --label CEPH_RELEASE=$(CEPH_RELEASE) \
.

26
Dockerfiles/ceph-utility/README Normal file
View File

@ -0,0 +1,26 @@
Generic Docker Makefile
-----------------------
This is a generic make and dockerfile for ceph utility container. This can be used to create docker images using different ceph releases and ubuntu releases
Usage:
make CEPH_RELEASE=<release_name> UBUNTU_RELEASE=<release_name>
eg:
1. Create docker image for ceph luminous release on ubuntu xenial (16.04)
make CEPH_RELEASE=luminous UBUNTU_RELEASE=xenial
2. Create docker image for ceph mimic release on ubuntu xenial (16.04)
make CEPH_RELEASE=mimic UBUNTU_RELEASE=xenial
3. Create docker image for ceph luminous release on ubuntu bionic (18.04)
make CEPH_RELEASE=luminous UBUNTU_RELEASE=bionic
4. Create docker image for ceph mimic release on ubuntu bionic (18.04)
make CEPH_RELEASE=mimic UBUNTU_RELEASE=bionic

62
Makefile Normal file
View File

@ -0,0 +1,62 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# It's necessary to set this because some environments don't link sh -> bash.
SHELL := /bin/bash
HELM := helm
TASK := build
EXCLUDES := helm-toolkit doc tests tools logs tmp roles playbooks releasenotes
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
.PHONY: $(EXCLUDES) $(CHARTS)
all: $(CHARTS)
$(CHARTS):
@echo
@echo "===== Processing [$@] chart ====="
@make $(TASK)-$@
init-%:
if [ -f $*/Makefile ]; then make -C $*; fi
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
lint-%: init-%
if [ -d $* ]; then $(HELM) lint $*; fi
build-%: lint-%
if [ -d $* ]; then $(HELM) package $*; fi
clean:
@echo "Removed .b64, _partials.tpl, and _globals.tpl files"
rm -f helm-toolkit/secrets/*.b64
rm -f */templates/_partials.tpl
rm -f */templates/_globals.tpl
rm -f *tgz */charts/*tgz
rm -f */requirements.lock
-rm -rf */charts */tmpcharts
pull-all-images:
@./tools/pull-images.sh
pull-images:
@./tools/pull-images.sh $(filter-out $@,$(MAKECMDGOALS))
dev-deploy:
@./tools/gate/devel/start.sh $(filter-out $@,$(MAKECMDGOALS))
%:
@:

88
README Normal file
View File

@ -0,0 +1,88 @@
Utility Container
-----------------
1. Ceph utility Container
Installation
------------
1. Add the below to /etc/sudoers
root ALL=(ALL) NOPASSWD: ALL
ubuntu ALL=(ALL) NOPASSWD: ALL
2. Install the latest versions of Git, CA Certs & Make if necessary
#!/bin/bash
set -xe
sudo apt-get update
sudo apt-get install --no-install-recommends -y \
ca-certificates \
git \
make \
jq \
nmap \
curl \
uuid-runtime
3. Proxy Configuration
In order to deploy OpenStack-Helm behind corporate proxy servers, add the following entries to openstack-helm-infra/tools/gate/devel/local-vars.yaml.
proxy:
http: http://username:password@host:port
https: https://username:password@host:port
noproxy: 127.0.0.1,localhost,172.17.0.1,.svc.cluster.local
Add the address of the Kubernetes API, 172.17.0.1, and .svc.cluster.local to your no_proxy and NO_PROXY environment variables.
export no_proxy=${no_proxy},172.17.0.1,.svc.cluster.local
export NO_PROXY=${NO_PROXY},172.17.0.1,.svc.cluster.local
4. Clone the OpenStack-Helm Repos
#!/bin/bash
set -xe
git clone https://git.openstack.org/openstack/openstack-helm-infra.git
git clone https://git.openstack.org/openstack/openstack-helm.git
5. Deploy Kubernetes & Helm
cd openstack-helm
./tools/deployment/developer/common/010-deploy-k8s.sh
6. Install OpenStack-Helm
Setup Clients on the host and assemble the charts
./tools/deployment/developer/common/020-setup-client.sh
Deploy the ingress controller
./tools/deployment/developer/common/030-ingress.sh
7. Deploy Ceph
./tools/deployment/developer/ceph/040-ceph.sh
Activate the OpenStack namespace to be able to use Ceph
./tools/deployment/developer/ceph/045-ceph-ns-activate.sh
8. Deploy Porthole
git clone https://github.com/att-comdev/porthole.git
cd porthole
./install_utility.sh
Usage
-----
Get in to the utility pod using kubectl exec. To perform any operation on the ceph cluster use the below example.
example:
nccli ceph osd tree
nccli rbd ls
nccli rados lspools
TODO
----
1. Customize oslo filters to restrict commands.

18
ceph-utility/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm Ceph Client
name: ceph-utility
version: 0.1.0

18
ceph-utility/requirements.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0

19
ceph-utility/templates/bin/_bootstrap.sh.tpl Normal file
View File

@ -0,0 +1,19 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
sudo ./tmp/managekey.sh
tail -f /var/log/syslog

25
ceph-utility/templates/bin/_managekey.sh.tpl Normal file
View File

@ -0,0 +1,25 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
input="/opt/client-keyring"
while IFS= read -r var
do
echo -e "[client.admin]\nkey = $var"| tee /etc/ceph/ceph.client.admin.keyring > /dev/null
done < "$input"
chmod 600 /etc/ceph/ceph.client.admin.keyring
sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
/etc/init.d/rsyslog restart

16
ceph-utility/templates/bin/_nccli-sudo.tpl Normal file
View File

@ -0,0 +1,16 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
nobody ALL=SETENV: NOPASSWD: /tmp/managekey.sh, /usr/local/bin/ceph-utility-rootwrap

22
ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl Normal file
View File

@ -0,0 +1,22 @@
#!/usr/bin/python
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# PBR Generated from u'console_scripts'
import sys
from oslo_rootwrap.cmd import main
if __name__ == "__main__":
sys.exit(main())

17
ceph-utility/templates/bin/utility/_nccli.tpl Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
script -f -a -q /var/log/syslog -c "sudo /usr/local/bin/ceph-utility-rootwrap /etc/ceph/rootwrap.conf $*"

44
ceph-utility/templates/configmap-bin.yaml Normal file
View File

@ -0,0 +1,44 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.configmap_bin .Values.deployment.ceph }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
data:
{{- if .Values.images.local_registry.active }}
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }}
{{- if .Values.bootstrap.enabled }}
bootstrap.sh: |
{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
managekey.sh: |
{{ tuple "bin/_managekey.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
ceph-utility-rootwrap: |
{{ tuple "bin/utility/_ceph-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
nccli: |
{{ tuple "bin/utility/_nccli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}

32
ceph-utility/templates/configmap-etc-client.yaml Normal file
View File

@ -0,0 +1,32 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if or (.Values.deployment.ceph) (.Values.deployment.client_secrets) }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
data:
rootwrap.conf: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.cephrootwrap | indent 4 }}
ceph-rootwrap-filter: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.cephfilter | indent 4 }}
{{- end }}

27
ceph-utility/templates/configmap-etc-sudoers.yaml Normal file
View File

@ -0,0 +1,27 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.ceph }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
data:
nccli-sudo: |
{{ tuple "bin/_nccli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}

111
ceph-utility/templates/deployment-utility.yaml Normal file
View File

@ -0,0 +1,111 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.ceph .Values.conf.features.utility) }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
replicas: {{ .Values.pod.replicas.utility }}
selector:
matchLabels:
{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
securityContext:
runAsUser: 65534
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "ceph" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
containers:
- name: {{ printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "ceph_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ceph_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/bootstrap.sh
volumeMounts:
- name: ceph-utility-bin
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: ceph-utility-bin
mountPath: /tmp/managekey.sh
subPath: managekey.sh
readOnly: true
- name: ceph-utility-bin
mountPath: /usr/local/bin/nccli
subPath: nccli
readOnly: true
- name: ceph-utility-bin
mountPath: /usr/local/bin/ceph-utility-rootwrap
subPath: ceph-utility-rootwrap
readOnly: true
- name: ceph-utility-sudoers
mountPath: /etc/sudoers.d/nccli-sudo
subPath: nccli-sudo
readOnly: true
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
- name: ceph-client-admin-keyring
mountPath: /opt/client-keyring
subPath: key
- name: ceph-utility-etc
mountPath: /etc/ceph/rootwrap.d/ceph-rootwrap-filter
subPath: ceph-rootwrap-filter
readOnly: true
- name: ceph-utility-etc
mountPath: /etc/ceph/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
volumes:
- name: ceph-utility-sudoers
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
defaultMode: 0644
- name: ceph-utility-bin
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
defaultMode: 0555
- name: ceph-utility-etc
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
defaultMode: 0555
- name: ceph-etc
configMap:
name: {{ .Values.conf.cephconf.etc }}
defaultMode: 0600
- name: ceph-client-admin-keyring
secret:
secretName: {{ .Values.secrets.keyrings.admin | quote }}
defaultMode: 0600
{{- end }}

178
ceph-utility/values.yaml Normal file
View File

@ -0,0 +1,178 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ceph-client.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
deployment:
ceph: true
release_group: null
images:
pull_policy: IfNotPresent
tags:
ceph_utility: 'docker.io/sreejithpunnapuzha/ceph-utility:v0.0.2'
image_repo_sync: docker.io/docker:17.07.0
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
utility:
node_selector_key: openstack-helm-node-class
node_selector_value: primary
pod:
dns_policy: "ClusterFirstWithHostNet"
replicas:
utility: 1
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
resources:
enabled: false
utility:
requests:
memory: "100Mi"
cpu: "250m"
limits:
memory: "250Mi"
cpu: "500m"
jobs:
bootstrap:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
secrets:
keyrings:
admin: pvc-ceph-client-key
conf:
features:
utility: true
cephconf:
etc: ceph-etc
cephfilter:
Filters:
# ceph-rootwrap command filters for ceph utility container
# This file should be owned by (and only-writeable by) the root user
# Below are example command filters. access to ceph cluster can be restricted by creating a user with less privilages
ceph: CommandFilter, ceph, root
rados: CommandFilter, rados, root
radosgw-admin: CommandFilter, radosgw-admin, root
rbd: CommandFilter, rbd, root
# Below are examples of RegExpFilter. This will restict access to ceph cluster even with admin user
#rbd00: RegExpFilter, rbd, root, rbd, (^((?!clone|copy|cp|create|export|export-diff|flatten|import|import-diff|map|merge-diff|pool|remove|rm|rename|mv|resize|unmap).)*$)
#rbd01: RegExpFilter, rbd, root, rbd, image-meta, (^((?!get|remove|set).)*$)
#rbd02: RegExpFilter, rbd, root, rbd, journal, (^((?!client|export|import|reset).)*$)
#rbd03: RegExpFilter, rbd, root, rbd, lock, (^((?!add|remove).)*$)
#rbd04: RegExpFilter, rbd, root, rbd, mirror, image, (^((?!demote|disable|enable|promote).)*$)
#rbd05: RegExpFilter, rbd, root, rbd, mirror, pool, (^((?!demote|disable|enable|peer|promote).)*$)
#rbd06: RegExpFilter, rbd, root, rbd, nbd, (^((?!map|unmap).)*$)
#rbd07: RegExpFilter, rbd, root, rbd, object-map, (^((?!rm|del).)*$)
#rbd08: RegExpFilter, rbd, root, rbd, snap, (^((?!create|limit|protect|purge|remove|rm|rename|mv|rollback|revert|unprotect).)*$)
#rbd09: RegExpFilter, rbd, root, rbd, trash, (^((?!move|mv|remove|rm|restore).)*$)
cephrootwrap:
DEFAULT:
# Configuration for ceph-rootwrap
# This file should be owned by (and only-writeable by) the root user
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path: /etc/ceph/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
# Enable logging to syslog
# Default value is False
use_syslog: True
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility: syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level: INFO
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ceph-utility-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
bootstrap:
jobs: null
cephfs_client_key_generator:
jobs: null
namespace_client_key_cleaner:
jobs: null
namespace_client_key_generator:
jobs: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
bootstrap:
enabled: true
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
monitoring:
prometheus:
enabled: true
manifests:
configmap_bin: true
configmap_etc_client: true
configmap_etc_sudoers: true
deployment_utility: true

54
install_ceph_utility.sh Executable file
View File

@ -0,0 +1,54 @@
#!/bin/bash
set -xe
#NOTE: Lint and package chart
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
#: ${PORTHOLE_PATH}:=""
make -C ${OSH_INFRA_PATH} ceph-provisioners
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
tee /tmp/ceph-utility-config.yaml <<EOF
endpoints:
identity:
namespace: openstack
object_store:
namespace: ceph
ceph_mon:
namespace: ceph
network:
public: 172.17.0.1/16
cluster: 172.17.0.1/16
deployment:
storage_secrets: false
ceph: false
rbd_provisioner: false
cephfs_provisioner: false
client_secrets: true
rgw_keystone_user_and_endpoints: false
bootstrap:
enabled: false
conf:
rgw_ks:
enabled: true
EOF
helm upgrade --install ceph-utility-config ${OSH_INFRA_PATH}/ceph-provisioners \
--namespace=utility \
--values=/tmp/ceph-utility-config.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_CEPH_NS_ACTIVATE}
#NOTE: Wait for deploy
./${OSH_INFRA_PATH}/tools/deployment/common/wait-for-pods.sh utility
make ceph-utility
helm upgrade --install ceph-utility ceph-utility \
--namespace=utility
#NOTE: Wait for deploy
./${OSH_INFRA_PATH}/tools/deployment/common/wait-for-pods.sh utility
#NOTE: Validate Deployment info
kubectl get -n utility jobs --show-all
kubectl get -n utility secrets
kubectl get -n utility configmaps