diff --git a/README b/README index a886a83..6abd7a8 100644 --- a/README +++ b/README @@ -80,8 +80,5 @@ bootstrapping key and propagate it to the other nodes in the cluster. Since all OSDs run on nodes that also run mon, we don't need this and did not implement it. -The charm does not currently implement cephx and its explicitly turned off in -the configuration generated for ceph. - See http://ceph.com/docs/master/dev/mon-bootstrap/ for more information on Ceph monitor cluster deployment strategies and pitfalls. diff --git a/TODO b/TODO index 2916c33..22e0889 100644 --- a/TODO +++ b/TODO @@ -4,4 +4,3 @@ Ceph Charm * fix tunables (http://tracker.newdream.net/issues/2210) * more than 192 PGs * fixup data placement in crush to be host not osd driven - * cephx support diff --git a/hooks/ceph.py b/hooks/ceph.py index 2a193d5..567ec3f 100644 --- a/hooks/ceph.py +++ b/hooks/ceph.py 
@@ -71,3 +71,51 @@ def is_osd_disk(dev): except subprocess.CalledProcessError: pass return False + +_bootstrap_keyring = "/var/lib/ceph/bootstrap-osd/ceph.keyring" + + +def import_osd_bootstrap_key(key): + if not os.path.exists(_bootstrap_keyring): + cmd = [ + 'ceph-authtool', + _bootstrap_keyring, + '--create-keyring', + '--name=client.bootstrap-osd', + '--add-key={}'.format(key) + ] + subprocess.check_call(cmd) + +# OSD caps taken from ceph-create-keys +_osd_bootstrap_caps = [ + 'allow command osd create ...', + 'allow command osd crush set ...', + r'allow command auth add * osd allow\ * mon allow\ rwx', + 'allow command mon getmap' + ] + + +def get_osd_bootstrap_key(): + cmd = [ + 'ceph', + '--name', 'mon.', + '--keyring', + '/var/lib/ceph/mon/ceph-{}/keyring'.format( + utils.get_unit_hostname() + ), + 'auth', 'get-or-create', 'client.bootstrap-osd', + 'mon', '; '.join(_osd_bootstrap_caps) + ] + output = subprocess.check_output(cmd).strip() # IGNORE:E1103 + # get-or-create appears to have different output depending + # on whether its 'get' or 'create' + # 'create' just returns the key, 'get' is more verbose and + # needs parsing + key = None + if len(output.splitlines()) == 1: + key = output + else: + for element in output.splitlines(): + if 'key' in element: + key = element.split(' = ')[1].strip() # IGNORE:E1103 + return key diff --git a/hooks/hooks.py b/hooks/hooks.py index 423b493..c596ec3 100755 --- a/hooks/hooks.py +++ b/hooks/hooks.py @@ -142,6 +142,7 @@ def mon_relation(): bootstrap_monitor_cluster() ceph.wait_for_quorum() + for dev in utils.config_get('osd-devices').split(' '): osdize(dev) subprocess.call(['udevadm', 'trigger', @@ -161,6 +162,7 @@ def notify_osds(): for relid in utils.relation_ids('osd'): utils.relation_set(fsid=utils.config_get('fsid'), + osd_bootstrap_key=ceph.get_osd_bootstrap_key(), rid=relid) utils.juju_log('INFO', 'End notify_osds.') 
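Review bot: In `import_osd_bootstrap_key` the secret is passed as `'--add-key={}'.format(key)`, so it sits in the argument list of the `ceph-authtool` process and is readable by other local users through the process table while the command runs. The function also never checks `key`; the caller is not in this hunk, but an unset value would be formatted as the text `None` into the keyring, so I would start with `if not key: return`. It is also worth confirming that the keyring ends up mode 0600, or writing the file from the hook with a restrictive mode instead of putting the key on argv. In `get_osd_bootstrap_key`, `if 'key' in element` is a substring match with no `break`, and the function returns `None` silently when nothing matches; `if element.strip().startswith('key = '):` plus a `raise` when no key was found would fail loudly instead. Neither function has a docstring; one line each would do, saying that the first writes `/var/lib/ceph/bootstrap-osd/ceph.keyring` only when it is absent and the second returns the bare key string.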
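Review bot: `ceph.get_osd_bootstrap_key()` is evaluated inside the `for relid in utils.relation_ids('osd')` loop, so the `ceph auth get-or-create` subprocess runs once per relation id, and its result goes into `relation_set` unchecked even though the function added in hooks/ceph.py can return `None`. Fetching it once before the loop with `key = ceph.get_osd_bootstrap_key()` and skipping the `relation_set` when it is empty would cover both; the `osd_relation` hunk further down makes the same unchecked call. Because the value is a credential, a comment along the lines of `# bootstrap-osd key: published in relation data, caps limited to _osd_bootstrap_caps` would record why sharing it over the relation is considered acceptable. `notify_osds` starts outside this hunk and the loop header is context only.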
@@ -171,8 +173,10 @@ def osd_relation(): if ceph.is_quorum(): utils.juju_log('INFO', - 'mon cluster in quorum - providing OSD with fsid') - utils.relation_set(fsid=utils.config_get('fsid')) + 'mon cluster in quorum - \ + providing OSD with fsid & keys') + utils.relation_set(fsid=utils.config_get('fsid'), + osd_bootstrap_key=ceph.get_osd_bootstrap_key()) else: utils.juju_log('INFO', 'mon cluster not in quorum - deferring fsid provision') diff --git a/revision b/revision index 39f5b69..d15a2cc 100644 --- a/revision +++ b/revision @@ -1 +1 @@ -71 +80 diff --git a/templates/ceph.conf b/templates/ceph.conf index 32103fb..072535f 100644 --- a/templates/ceph.conf +++ b/templates/ceph.conf @@ -1,5 +1,5 @@ [global] - auth supported = none + auth supported = cephx keyring = /etc/ceph/$cluster.$name.keyring mon host = {{ mon_hosts }} fsid = {{ fsid }}
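Review bot: The new log message is built with a backslash continuation inside the string literal (`'mon cluster in quorum - \` continued by `providing OSD with fsid & keys'`), so whatever indentation precedes `providing` on the second line becomes part of the logged text. Adjacent literals avoid that: `'mon cluster in quorum - '` on one line and `'providing OSD with fsid & keys'` on the next. The `else` branch, which is context here, still logs `deferring fsid provision` although the key is now deferred with it; updating that text would keep the two messages consistent.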