diff --git a/README b/README index a886a83e..6abd7a81 100644 --- a/README +++ b/README @@ -80,8 +80,5 @@ bootstrapping key and propagate it to the other nodes in the cluster. Since all OSDs run on nodes that also run mon, we don't need this and did not implement it. -The charm does not currently implement cephx and its explicitly turned off in -the configuration generated for ceph. - See http://ceph.com/docs/master/dev/mon-bootstrap/ for more information on Ceph monitor cluster deployment strategies and pitfalls. diff --git a/TODO b/TODO index 2916c337..22e0889d 100644 --- a/TODO +++ b/TODO @@ -4,4 +4,3 @@ Ceph Charm * fix tunables (http://tracker.newdream.net/issues/2210) * more than 192 PGs * fixup data placement in crush to be host not osd driven - * cephx support diff --git a/hooks/ceph.py b/hooks/ceph.py index 2a193d58..567ec3fa 100644 --- a/hooks/ceph.py +++ b/hooks/ceph.py 
@@ -71,3 +71,51 @@ def is_osd_disk(dev): except subprocess.CalledProcessError: pass return False + +_bootstrap_keyring = "/var/lib/ceph/bootstrap-osd/ceph.keyring" + + +def import_osd_bootstrap_key(key): + if not os.path.exists(_bootstrap_keyring): + cmd = [ + 'ceph-authtool', + _bootstrap_keyring, + '--create-keyring', + '--name=client.bootstrap-osd', + '--add-key={}'.format(key) + ] + subprocess.check_call(cmd) + +# OSD caps taken from ceph-create-keys +_osd_bootstrap_caps = [ + 'allow command osd create ...', + 'allow command osd crush set ...', + r'allow command auth add * osd allow\ * mon allow\ rwx', + 'allow command mon getmap' + ] + + +def get_osd_bootstrap_key(): + cmd = [ + 'ceph', + '--name', 'mon.', + '--keyring', + '/var/lib/ceph/mon/ceph-{}/keyring'.format( + utils.get_unit_hostname() + ), + 'auth', 'get-or-create', 'client.bootstrap-osd', + 'mon', '; '.join(_osd_bootstrap_caps) + ] + output = subprocess.check_output(cmd).strip() # IGNORE:E1103 + # get-or-create appears to have different output depending + # on whether its 'get' or 'create' + # 'create' just returns the key, 'get' is more verbose and + # needs parsing + key = None + if len(output.splitlines()) == 1: + key = output + else: + for element in output.splitlines(): + if 'key' in element: + key = element.split(' = ')[1].strip() # IGNORE:E1103 + return key diff --git a/hooks/hooks.py b/hooks/hooks.py index 423b493a..c596ec30 100755 --- a/hooks/hooks.py +++ b/hooks/hooks.py @@ -142,6 +142,7 @@ def mon_relation(): bootstrap_monitor_cluster() ceph.wait_for_quorum() + for dev in utils.config_get('osd-devices').split(' '): osdize(dev) subprocess.call(['udevadm', 'trigger', @@ -161,6 +162,7 @@ def notify_osds(): for relid in utils.relation_ids('osd'): utils.relation_set(fsid=utils.config_get('fsid'), + osd_bootstrap_key=ceph.get_osd_bootstrap_key(), rid=relid) utils.juju_log('INFO', 'End notify_osds.') 
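Review bot: In `import_osd_bootstrap_key` the secret is handed to `ceph-authtool` as `--add-key=<key>` in argv, so it is visible in the process list to other local users while the tool runs. Writing the keyring file directly with mode 0600 keeps the key off the command line, and `O_EXCL` makes a lost race with the `os.path.exists` check fail instead of writing over an existing file. The function also formats whatever it receives, and `get_osd_bootstrap_key` returns `None` when no output line matches, so the caller should reject a falsy key before it reaches the keyring. In `get_osd_bootstrap_key`, `'key' in element` is a substring test and the loop keeps the last hit; `if element.strip().startswith('key = '):` followed by a `break` pins the line being parsed. Whether `/var/lib/ceph/bootstrap-osd` exists at this point is not visible in the hunk.

```python
def import_osd_bootstrap_key(key):
    if not os.path.exists(_bootstrap_keyring):
        # O_EXCL refuses a path that appeared since the check;
        # 0o600 applies from creation, so the key is never world-readable
        fd = os.open(_bootstrap_keyring,
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, 'w') as keyring:
            keyring.write(
                '[client.bootstrap-osd]\n\tkey = {}\n'.format(key))
```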
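Review bot: `ceph.get_osd_bootstrap_key()` is evaluated inside the `for relid` loop of `notify_osds`, so each relation id runs another `ceph auth get-or-create` subprocess, and the result is published unchecked although that function returns `None` when it cannot parse the output. Fetch it once before the loop with `key = ceph.get_osd_bootstrap_key()` and skip or fail the `relation_set` when `key` is falsy; the `osd_relation` hunk further down publishes the value unchecked in the same way. The value is a credential whose mon caps include `auth add`, so a comment on the call such as `# relation data carries the bootstrap-osd secret; readable by every unit on the relation` would help the next reader judge its exposure. `notify_osds` starts outside the hunk.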
@@ -171,8 +173,10 @@ def osd_relation(): if ceph.is_quorum(): utils.juju_log('INFO', - 'mon cluster in quorum - providing OSD with fsid') - utils.relation_set(fsid=utils.config_get('fsid')) + 'mon cluster in quorum - \ + providing OSD with fsid & keys') + utils.relation_set(fsid=utils.config_get('fsid'), + osd_bootstrap_key=ceph.get_osd_bootstrap_key()) else: utils.juju_log('INFO', 'mon cluster not in quorum - deferring fsid provision') diff --git a/revision b/revision index 39f5b693..d15a2cc4 100644 --- a/revision +++ b/revision @@ -1 +1 @@ -71 +80 diff --git a/templates/ceph.conf b/templates/ceph.conf index 32103fb5..072535f5 100644 --- a/templates/ceph.conf +++ b/templates/ceph.conf @@ -1,5 +1,5 @@ [global] - auth supported = none + auth supported = cephx keyring = /etc/ceph/$cluster.$name.keyring mon host = {{ mon_hosts }} fsid = {{ fsid }}
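Review bot: The new log message in `osd_relation` is split with a backslash inside the string literal (`'mon cluster in quorum - \`), which makes the leading whitespace of the continuation line part of the logged text. Adjacent literals avoid that: `'mon cluster in quorum - '` on one line and `'providing OSD with fsid & keys')` on the next. Indentation is collapsed on this page, so the amount of embedded whitespace is inferred. `osd_relation` starts and ends outside the hunk.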