From 1f929336e363f1c3d168bad569460401e122de8f Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 26 Sep 2019 12:41:18 +0200 Subject: [PATCH] External Ceph: keys as variables Introduce user modifiable variables instead of fixed-names of Ceph keyring files for external Ceph functionality. Change-Id: I1a33b3f9d6eca5babf53b91187461e43aef865ce --- ansible/group_vars/all.yml | 8 + ansible/roles/cinder/tasks/external_ceph.yml | 11 +- .../cinder/templates/cinder-backup.json.j2 | 20 +- .../cinder/templates/cinder-volume.json.j2 | 6 +- ansible/roles/glance/tasks/external_ceph.yml | 32 ++- .../roles/glance/templates/glance-api.json.j2 | 12 +- ansible/roles/gnocchi/tasks/external_ceph.yml | 4 +- .../gnocchi/templates/gnocchi-api.json.j2 | 4 +- ansible/roles/manila/tasks/external_ceph.yml | 6 +- .../manila/templates/manila-share.json.j2 | 10 +- .../roles/nova-cell/tasks/external_ceph.yml | 5 +- .../nova-cell/templates/nova-compute.json.j2 | 12 +- .../reference/storage/external-ceph-guide.rst | 271 +++++++----------- .../ceph-keys-vars-6857d19d291c401d.yaml | 13 + 14 files changed, 206 insertions(+), 208 deletions(-) create mode 100644 releasenotes/notes/ceph-keys-vars-6857d19d291c401d.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index fecbaa9cf4..0d995983fc 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -1028,6 +1028,14 @@ ceph_mgr_host_type: "INVENTORY" ceph_osd_host_type: "IP" ceph_mds_host_type: "INVENTORY" +# External Ceph keyrings +ceph_cinder_keyring: "ceph.client.cinder.keyring" +ceph_cinder_backup_keyring: "ceph.client.cinder-backup.keyring" +ceph_glance_keyring: "ceph.client.glance.keyring" +ceph_gnocchi_keyring: "ceph.client.gnocchi.keyring" +ceph_manila_keyring: "ceph.client.manila.keyring" +ceph_nova_keyring: "{% if enable_ceph | bool %}ceph.client.nova.keyring{% else %}{{ ceph_cinder_keyring }}{% endif %}" + ##################### # VMware support ###################### 
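Review bot: The six `ceph_*_keyring` variables added to `ansible/group_vars/all.yml` carry only the comment `# External Ceph keyrings`, although the roles splice each value into `src` and `dest` paths, so a value with a directory component would read or write outside the per-service config directory. I would document the contract above them, for example `# File names only, no directory part; each file is read from the service's directory under node_custom_config`. The `ceph_nova_keyring` default deserves its own line as well: when `enable_ceph` is false it resolves to `ceph_cinder_keyring`, so nova-compute is handed the Cinder cephx key and whatever capabilities that key carries unless a separate Nova key is configured.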
diff --git a/ansible/roles/cinder/tasks/external_ceph.yml b/ansible/roles/cinder/tasks/external_ceph.yml index 48663935ce..03a7a7fe8d 100644 --- a/ansible/roles/cinder/tasks/external_ceph.yml +++ b/ansible/roles/cinder/tasks/external_ceph.yml @@ -21,12 +21,10 @@ - name: Copy over Ceph keyring files for cinder-volume copy: - src: "{{ item }}" + src: "{{ node_custom_config }}/cinder/cinder-volume/{{ ceph_cinder_keyring }}" dest: "{{ node_config_directory }}/cinder-volume/" mode: "0660" become: true - with_fileglob: - - "{{ node_custom_config }}/cinder/cinder-volume/ceph.client*" when: - external_ceph_cephx_enabled | bool - inventory_hostname in groups['cinder-volume'] @@ -36,13 +34,14 @@ - name: Copy over Ceph keyring files for cinder-backup copy: - src: "{{ item }}" + src: "{{ node_custom_config }}/cinder/{{ item }}" dest: "{{ node_config_directory }}/cinder-backup/" mode: "0660" become: true register: cinder_backup_ceph_keyring - with_fileglob: - - "{{ node_custom_config }}/cinder/cinder-backup/ceph.client*" + with_items: + - "cinder-backup/{{ ceph_cinder_keyring }}" + - "cinder-backup/{{ ceph_cinder_backup_keyring }}" when: - external_ceph_cephx_enabled | bool - inventory_hostname in groups['cinder-backup'] diff --git a/ansible/roles/cinder/templates/cinder-backup.json.j2 b/ansible/roles/cinder/templates/cinder-backup.json.j2 index 897e185a2f..c5d8dc15a9 100644 --- a/ansible/roles/cinder/templates/cinder-backup.json.j2 +++ b/ansible/roles/cinder/templates/cinder-backup.json.j2 
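Review bot: Both keyring copy tasks in `ansible/roles/cinder/tasks/external_ceph.yml` still write the cephx keys with `mode: "0660"` (an unchanged context line in each hunk), which leaves the secret group-readable and group-writable on the host while the same commit tightens the in-container `perm` to `0600`. The manila task in this patch already uses `mode: "0600"`; assuming nothing depends on group access to these files, the cinder tasks, the new glance keyring task and the gnocchi keyring task could use `mode: "0600"` too. Separately, in the second hunk the `cinder-backup/` prefix is repeated in every item; `src: "{{ node_custom_config }}/cinder/cinder-backup/{{ item }}"` with the two variables as the items reads more directly.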
@@ -14,10 +14,24 @@ "perm": "0600" }{% endif %}{% if cinder_backend_ceph | bool %}, { - "source": "{{ container_config_directory }}/ceph.*", - "dest": "/etc/ceph/", + "source": "{{ container_config_directory }}/ceph.conf", + "dest": "/etc/ceph/ceph.conf", "owner": "cinder", - "perm": "0700", + "perm": "0600", + "optional": {{ (not cinder_backend_ceph | bool) | string | lower }} + }, + { + "source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}", + "dest": "/etc/ceph/{{ ceph_cinder_keyring }}", + "owner": "cinder", + "perm": "0600", + "optional": {{ (not cinder_backend_ceph | bool) | string | lower }} + }, + { + "source": "{{ container_config_directory }}/{{ ceph_cinder_backup_keyring }}", + "dest": "/etc/ceph/{{ ceph_cinder_backup_keyring }}", + "owner": "cinder", + "perm": "0600", "optional": {{ (not cinder_backend_ceph | bool) | string | lower }} }{% endif %} ], diff --git a/ansible/roles/cinder/templates/cinder-volume.json.j2 b/ansible/roles/cinder/templates/cinder-volume.json.j2 index a787ae0045..6bd55850a9 100644 --- a/ansible/roles/cinder/templates/cinder-volume.json.j2 +++ b/ansible/roles/cinder/templates/cinder-volume.json.j2 @@ -8,10 +8,10 @@ "perm": "0600" }, { - "source": "{{ container_config_directory }}/ceph.*", - "dest": "/etc/ceph/", + "source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}", + "dest": "/etc/ceph/{{ ceph_cinder_keyring }}", "owner": "cinder", - "perm": "0700", + "perm": "0600", "optional": {{ (not cinder_backend_ceph | bool) | string | lower }} }, { diff --git a/ansible/roles/glance/tasks/external_ceph.yml b/ansible/roles/glance/tasks/external_ceph.yml index 62c977bd49..8f35332259 100644 --- a/ansible/roles/glance/tasks/external_ceph.yml +++ b/ansible/roles/glance/tasks/external_ceph.yml 
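Review bot: In `cinder-backup.json.j2` the three new entries sit inside `{% if cinder_backend_ceph | bool %}`, so `"optional": {{ (not cinder_backend_ceph | bool) | string | lower }}` can only ever render `false` there. Writing `"optional": false` would make it obvious that `ceph.conf` and both keyrings are now mandatory for this container. That matters on upgrade: a `ceph_cinder_keyring` or `ceph_cinder_backup_keyring` value with no matching file in the config directory presumably fails the config copy instead of being skipped as it was under the old `ceph.*` glob. The enclosing array starts and ends outside the hunk.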
@@ -1,27 +1,29 @@ --- -- name: Copy over ceph files - copy: - src: "{{ item }}" - dest: "{{ node_config_directory }}/glance-api/" +- name: Copy over ceph.conf for Glance + template: + src: "{{ node_custom_config }}/glance/ceph.conf" + dest: "{{ node_config_directory }}/glance-api/ceph.conf" mode: "0660" become: true - when: - - glance_services['glance-api'].host_in_groups | bool - - glance_services['glance-api'].enabled | bool - with_fileglob: - - "{{ node_custom_config }}/glance/ceph*" + when: inventory_hostname in groups['glance-api'] + notify: + - Restart glance-api container + +- name: Copy over ceph Glance keyring + copy: + src: "{{ node_custom_config }}/glance/{{ ceph_glance_keyring }}" + dest: "{{ node_config_directory }}/glance-api/{{ ceph_glance_keyring }}" + mode: "0660" + become: true + when: inventory_hostname in groups['glance-api'] notify: - Restart glance-api container - name: Ensuring config directory has correct owner and permission file: - path: "{{ node_config_directory }}/{{ item }}" + path: "{{ node_config_directory }}/glance-api" recurse: yes owner: "{{ config_owner_user }}" group: "{{ config_owner_group }}" become: true - when: - - glance_services[item].host_in_groups | bool - - glance_services[item].enabled | bool - with_items: - - "glance-api" + when: inventory_hostname in groups['glance-api'] diff --git a/ansible/roles/glance/templates/glance-api.json.j2 b/ansible/roles/glance/templates/glance-api.json.j2 index fd2bd70d62..bfe9cbe989 100644 --- a/ansible/roles/glance/templates/glance-api.json.j2 +++ b/ansible/roles/glance/templates/glance-api.json.j2 
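Review bot: The rewritten `when:` in `ansible/roles/glance/tasks/external_ceph.yml` keeps only `inventory_hostname in groups['glance-api']` and drops the old `glance_services['glance-api'].enabled | bool` test, so unless the include of this file is already gated (not visible here) the Glance keyring is now copied to group members even when the service is disabled. If that is not intended, keep the check, e.g. `- glance_services['glance-api'].enabled | bool` next to the group test. The ceph.conf task also switches from `copy` to `template` without a mention in the commit message, which means an operator-supplied `ceph.conf` is now rendered as Jinja2; a short comment saying this is deliberate would help.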
@@ -14,10 +14,16 @@ "perm": "0600" }{% endif %}{% if glance_backend_ceph | bool %}, { - "source": "{{ container_config_directory }}/ceph.*", - "dest": "/etc/ceph/", + "source": "{{ container_config_directory }}/{{ ceph_glance_keyring }}", + "dest": "/etc/ceph/{{ ceph_glance_keyring }}", "owner": "glance", - "perm": "0700" + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/ceph.conf", + "dest": "/etc/ceph/ceph.conf", + "owner": "glance", + "perm": "0600" }{% endif %}{% if glance_backend_swift | bool %}, { "source": "{{ container_config_directory }}/glance-swift.conf", diff --git a/ansible/roles/gnocchi/tasks/external_ceph.yml b/ansible/roles/gnocchi/tasks/external_ceph.yml index e75c1ac269..780f8ce584 100644 --- a/ansible/roles/gnocchi/tasks/external_ceph.yml +++ b/ansible/roles/gnocchi/tasks/external_ceph.yml @@ -15,8 +15,8 @@ - name: Copy over ceph gnocchi keyring copy: - src: "{{ node_custom_config }}/gnocchi/ceph.client.gnocchi.keyring" - dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring" + src: "{{ node_custom_config }}/gnocchi/{{ ceph_gnocchi_keyring }}" + dest: "{{ node_config_directory }}/{{ item }}/{{ ceph_gnocchi_keyring }}" mode: "0660" become: true when: inventory_hostname in groups[item] diff --git a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 index 9fb1179d6c..53b27b353a 100644 --- a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 +++ b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 @@ -28,8 +28,8 @@ "perm": "0600" }, { - "source": "{{ container_config_directory }}/ceph.client.gnocchi.keyring", - "dest": "/etc/ceph/ceph.client.gnocchi.keyring", + "source": "{{ container_config_directory }}/{{ ceph_gnocchi_keyring }}", + "dest": "/etc/ceph/{{ ceph_gnocchi_keyring }}", "owner": "gnocchi", "perm": "0600" }{% endif %} 
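Review bot: In `gnocchi-api.json.j2` the keyring now lands at `/etc/ceph/{{ ceph_gnocchi_keyring }}`, but the guide updated later in this patch still shows `ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring` in the `gnocchi.conf` sample, so overriding the variable leaves the service pointing at a file that is no longer there. A sentence in the guide or next to the variable stating that the service-side keyring path has to be changed to match would cover it. The same caveat likely applies to the other services in this patch, whose Ceph clients presumably locate the keyring by its default name unless told otherwise.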
diff --git a/ansible/roles/manila/tasks/external_ceph.yml b/ansible/roles/manila/tasks/external_ceph.yml index 2ffb04c038..c6f3bac771 100644 --- a/ansible/roles/manila/tasks/external_ceph.yml +++ b/ansible/roles/manila/tasks/external_ceph.yml @@ -12,12 +12,10 @@ - name: Copy over Ceph keyring files for manila copy: - src: "{{ item }}" - dest: "{{ node_config_directory }}/manila-share/" + src: "{{ node_custom_config }}/manila/{{ ceph_manila_keyring }}" + dest: "{{ node_config_directory }}/manila-share/{{ ceph_manila_keyring }}" mode: "0600" become: true - with_fileglob: - - "{{ node_custom_config }}/manila/ceph.client*" when: - inventory_hostname in groups['manila-share'] notify: diff --git a/ansible/roles/manila/templates/manila-share.json.j2 b/ansible/roles/manila/templates/manila-share.json.j2 index 00e7db8348..50e0456a08 100644 --- a/ansible/roles/manila/templates/manila-share.json.j2 +++ b/ansible/roles/manila/templates/manila-share.json.j2 @@ -8,8 +8,14 @@ "perm": "0600" }{% if enable_manila_backend_cephfs_native | bool or enable_manila_backend_cephfs_nfs | bool %}, { - "source": "{{ container_config_directory }}/ceph.*", - "dest": "/etc/ceph/", + "source": "{{ container_config_directory }}/ceph.conf", + "dest": "/etc/ceph/ceph.conf", + "owner": "manila", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/{{ ceph_manila_keyring }}", + "dest": "/etc/ceph/{{ ceph_manila_keyring }}", "owner": "manila", "perm": "0600" }{% endif %}{% if manila_policy_file is defined %}, diff --git a/ansible/roles/nova-cell/tasks/external_ceph.yml b/ansible/roles/nova-cell/tasks/external_ceph.yml index 1ad2ab123c..dc08748968 100644 --- a/ansible/roles/nova-cell/tasks/external_ceph.yml +++ b/ansible/roles/nova-cell/tasks/external_ceph.yml 
@@ -11,7 +11,7 @@ - name: Check nova keyring file stat: - path: "{{ node_custom_config }}/nova/ceph.client.nova.keyring" + path: "{{ node_custom_config }}/nova/{{ ceph_nova_keyring }}" delegate_to: localhost run_once: True register: nova_cephx_keyring_file @@ -22,7 +22,7 @@ - name: Check cinder keyring file stat: - path: "{{ node_custom_config }}/nova/ceph.client.cinder.keyring" + path: "{{ node_custom_config }}/nova/{{ ceph_cinder_keyring }}" delegate_to: localhost run_once: True register: cinder_cephx_keyring_file @@ -39,7 +39,6 @@ become: true with_items: - nova-compute - - nova-libvirt when: - inventory_hostname in groups[nova_cell_compute_group] - nova_backend == "rbd" diff --git a/ansible/roles/nova-cell/templates/nova-compute.json.j2 b/ansible/roles/nova-cell/templates/nova-compute.json.j2 index 22dd0c843f..2a762ae2b2 100644 --- a/ansible/roles/nova-cell/templates/nova-compute.json.j2 +++ b/ansible/roles/nova-cell/templates/nova-compute.json.j2 @@ -14,10 +14,16 @@ "perm": "0600" }{% endif %}{% if nova_backend == "rbd" %}, { - "source": "{{ container_config_directory }}/ceph.*", - "dest": "/etc/ceph/", + "source": "{{ container_config_directory }}/{{ ceph_nova_keyring }}", + "dest": "/etc/ceph/{{ ceph_nova_keyring }}", "owner": "nova", - "perm": "0700" + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/ceph.conf", + "dest": "/etc/ceph/ceph.conf", + "owner": "nova", + "perm": "0600" }{% endif %}{% if nova_compute_virt_type == "vmware" and not vmware_vcenter_insecure | bool %}, { "source": "{{ container_config_directory }}/vmware_ca", diff --git a/doc/source/reference/storage/external-ceph-guide.rst b/doc/source/reference/storage/external-ceph-guide.rst index 792d521875..6cbb1fedef 100644 --- a/doc/source/reference/storage/external-ceph-guide.rst +++ b/doc/source/reference/storage/external-ceph-guide.rst 
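Review bot: The third hunk of `ansible/roles/nova-cell/tasks/external_ceph.yml` removes `nova-libvirt` from a `with_items` list, which the commit message (keyring names as variables) does not explain, and the task it belongs to starts outside the hunk. If that task distributes `ceph.conf` or a keyring, the nova-libvirt config directory stops receiving it; please confirm libvirt no longer needs the file and record the reason in the commit message or in a comment on the task. With the external-Ceph default, `ceph_nova_keyring` equals `ceph_cinder_keyring`, so the two `stat` tasks in the first two hunks end up checking the same path.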
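Review bot: `nova-compute.json.j2` also stops using the `ceph.*` glob, yet the upgrade release note added at the end of this patch lists only cinder, glance-api and manila as affected. After this hunk only `{{ ceph_nova_keyring }}` and `ceph.conf` are copied into `/etc/ceph/`, so a deployment that relied on both the nova and the cinder keyring being picked up from the config directory will see one of them disappear from the container. Fewer keys in the container is a reasonable outcome, but nova should be named in the upgrade note, e.g. `For cinder (cinder-volume and cinder-backup), glance-api, manila and nova-compute keyrings behavior has changed`.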
@@ -64,229 +64,176 @@ Configuring External Ceph Glance ------ -Configuring Glance for Ceph includes three steps: +Configuring Glance for Ceph includes the following steps: #. Configure RBD back end in ``glance-api.conf`` -#. Create Ceph configuration file in ``/etc/ceph/ceph.conf`` -#. Create Ceph keyring file in ``/etc/ceph/ceph.client..keyring`` -Step 1 is done by using Kolla's INI merge mechanism: Create a file in -``/etc/kolla/config/glance/glance-api.conf`` with the following contents: + .. path /etc/kolla/config/glance/glance-api.conf + .. code-block:: ini -.. code-block:: ini + [glance_store] + stores = rbd + default_store = rbd + rbd_store_pool = images + rbd_store_user = glance + rbd_store_ceph_conf = /etc/ceph/ceph.conf - [glance_store] - stores = rbd - default_store = rbd - rbd_store_pool = images - rbd_store_user = glance - rbd_store_ceph_conf = /etc/ceph/ceph.conf +#. Copy Ceph configuration file to ``/etc/kolla/config/glance/ceph.conf`` -Now put ceph.conf and the keyring file (name depends on the username created in -Ceph) into the same directory, for example: + .. path /etc/kolla/config/glance/ceph.conf + .. code-block:: ini -.. path /etc/kolla/config/glance/ceph.conf -.. code-block:: ini + [global] + fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3 + mon_initial_members = ceph-0 + mon_host = 192.168.0.56 + auth_cluster_required = cephx + auth_service_required = cephx + auth_client_required = cephx - [global] - fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3 - mon_initial_members = ceph-0 - mon_host = 192.168.0.56 - auth_cluster_required = cephx - auth_service_required = cephx - auth_client_required = cephx +#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``: -.. 
code-block:: console + * ``ceph_glance_keyring`` (default: ``ceph.client.glance.keyring``) - $ cat /etc/kolla/config/glance/ceph.client.glance.keyring - - [client.glance] - key = AQAg5YRXS0qxLRAAXe6a4R1a15AoRx7ft80DhA== - -Kolla will pick up all files named ``ceph.*`` in this directory and copy them -to the ``/etc/ceph/`` directory of the container. +#. Copy Ceph keyring to ``/etc/kolla/config/glance/`` Cinder ------ -Configuring external Ceph for Cinder works very similar to -Glance. +Configuring Cinder for Ceph includes following steps: -Modify ``/etc/kolla/config/cinder/cinder-volume.conf`` file according to -the following configuration: +#. Configure RBD backend in ``cinder-volume.conf`` and ``cinder-backup.conf`` -.. code-block:: ini + .. path /etc/kolla/config/cinder/cinder-volume.conf + .. code-block:: ini - [DEFAULT] - enabled_backends=rbd-1 + [DEFAULT] + enabled_backends=rbd-1 - [rbd-1] - rbd_ceph_conf=/etc/ceph/ceph.conf - rbd_user=cinder - backend_host=rbd:volumes - rbd_pool=volumes - volume_backend_name=rbd-1 - volume_driver=cinder.volume.drivers.rbd.RBDDriver - rbd_secret_uuid = {{ cinder_rbd_secret_uuid }} + [rbd-1] + rbd_ceph_conf=/etc/ceph/ceph.conf + rbd_user=cinder + backend_host=rbd:volumes + rbd_pool=volumes + volume_backend_name=rbd-1 + volume_driver=cinder.volume.drivers.rbd.RBDDriver + rbd_secret_uuid = {{ cinder_rbd_secret_uuid }} -.. note:: + .. note:: - ``cinder_rbd_secret_uuid`` can be found in ``/etc/kolla/passwords.yml`` file. + ``cinder_rbd_secret_uuid`` can be found in ``/etc/kolla/passwords.yml``. -Modify ``/etc/kolla/config/cinder/cinder-backup.conf`` file according to -the following configuration: + .. path /etc/kolla/config/cinder/cinder-backup.conf + .. code-block:: ini -.. 
code-block:: ini + [DEFAULT] + backup_ceph_conf=/etc/ceph/ceph.conf + backup_ceph_user=cinder-backup + backup_ceph_chunk_size = 134217728 + backup_ceph_pool=backups + backup_driver = cinder.backup.drivers.ceph.CephBackupDriver + backup_ceph_stripe_unit = 0 + backup_ceph_stripe_count = 0 + restore_discard_excess_bytes = true - [DEFAULT] - backup_ceph_conf=/etc/ceph/ceph.conf - backup_ceph_user=cinder-backup - backup_ceph_chunk_size = 134217728 - backup_ceph_pool=backups - backup_driver = cinder.backup.drivers.ceph.CephBackupDriver - backup_ceph_stripe_unit = 0 - backup_ceph_stripe_count = 0 - restore_discard_excess_bytes = true + For more information about the Cinder backup configuration, see + :cinder-doc:`Ceph backup driver + `. -For more information about the Cinder backup configuration, see -:cinder-doc:`Ceph backup driver `. +#. Copy Ceph configuration file to ``/etc/kolla/config/cinder/ceph.conf`` -Next, copy the ``ceph.conf`` file into ``/etc/kolla/config/cinder/``: + Separate configuration options can be configured for + cinder-volume and cinder-backup by adding ceph.conf files to + ``/etc/kolla/config/cinder/cinder-volume`` and + ``/etc/kolla/config/cinder/cinder-backup`` respectively. They + will be merged with ``/etc/kolla/config/cinder/ceph.conf``. -.. code-block:: ini +#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``: + * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``) + * ``ceph_cinder_backup_keyring`` + (default: ``ceph.client.cinder-backup.keyring``) - [global] - fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3 - mon_initial_members = ceph-0 - mon_host = 192.168.0.56 - auth_cluster_required = cephx - auth_service_required = cephx - auth_client_required = cephx - -Separate configuration options can be configured for -cinder-volume and cinder-backup by adding ceph.conf files to -``/etc/kolla/config/cinder/cinder-volume`` and -``/etc/kolla/config/cinder/cinder-backup`` respectively. 
They -will be merged with ``/etc/kolla/config/cinder/ceph.conf``. - -Ceph keyrings are deployed per service and placed into -``cinder-volume`` and ``cinder-backup`` directories, put the keyring files -to these directories, for example: +#. Copy Ceph keyring files to: + * ``/etc/kolla/config/cinder/cinder-volume/`` + * ``/etc/kolla/config/cinder/cinder-backup/`` + * ``/etc/kolla/config/cinder/cinder-backup/`` .. note:: ``cinder-backup`` requires two keyrings for accessing volumes and backup pool. -.. code-block:: console - - $ cat /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder.keyring - - [client.cinder] - key = AQAg5YRXpChaGRAAlTSCleesthCRmCYrfQVX1w== - -.. code-block:: console - - $ cat /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder-backup.keyring - - [client.cinder-backup] - key = AQC9wNBYrD8MOBAAwUlCdPKxWZlhkrWIDE1J/w== - -.. code-block:: console - - $ cat /etc/kolla/config/cinder/cinder-volume/ceph.client.cinder.keyring - - [client.cinder] - key = AQAg5YRXpChaGRAAlTSCleesthCRmCYrfQVX1w== - -It is important that the files are named ``ceph.client*``. - Nova ---- -Put ceph.conf, nova client keyring file and cinder client keyring file into -``/etc/kolla/config/nova``: +Configuring Nova for Ceph includes following steps: -.. warning:: +#. Copy Ceph configuration file to ``/etc/kolla/config/nova/ceph.conf`` +#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``: - If you are using ceph-ansible - please copy ceph.client.cinder.keyring - as /etc/kolla/config/nova/ceph.client.nova.keyring + * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``) + * ``ceph_nova_keyring`` (by default it's the same as ceph_cinder_keyring) -.. code-block:: console +#. 
Copy Ceph keyring file(s) to: - $ ls /etc/kolla/config/nova - ceph.client.cinder.keyring ceph.client.nova.keyring ceph.conf + * ``/etc/kolla/config/nova/`` + * ``/etc/kolla/config/nova/`` (if your Ceph deployment + created one) -Configure nova-compute to use Ceph as the ephemeral back end by creating -``/etc/kolla/config/nova/nova-compute.conf`` and adding the following -configurations: + .. warning:: -.. code-block:: ini + If you are using ceph-ansible or another deployment tool that doesn't + create separate key for Nova just copy the Cinder key. - [libvirt] - images_rbd_pool=vms - images_type=rbd - images_rbd_ceph_conf=/etc/ceph/ceph.conf - rbd_user=nova +#. Configure nova-compute to use Ceph as the ephemeral back end by creating + ``/etc/kolla/config/nova/nova-compute.conf`` and adding the following + configurations: -.. note:: + .. code-block:: ini - ``rbd_user`` might vary depending on your environment. + [libvirt] + images_rbd_pool=vms + images_type=rbd + images_rbd_ceph_conf=/etc/ceph/ceph.conf Gnocchi ------- -Modify ``/etc/kolla/config/gnocchi.conf`` file according to -the following configuration: +Configuring Gnocchi for Ceph includes following steps: -.. code-block:: ini +#. Copy Ceph configuration file to ``/etc/kolla/config/gnocchi/ceph.conf`` +#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``: - [storage] - driver = ceph - ceph_username = gnocchi - ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring - ceph_conffile = /etc/ceph/ceph.conf + * ``ceph_gnocchi_keyring`` + (default: ``ceph.client.gnocchi.keyring``) -Put ceph.conf and gnocchi client keyring file in -``/etc/kolla/config/gnocchi``: +#. Copy Ceph keyring to ``/etc/kolla/config/gnocchi/`` +#. Modify ``/etc/kolla/config/gnocchi.conf`` file according to the following + configuration: -.. code-block:: console + .. 
code-block:: ini - $ ls /etc/kolla/config/gnocchi - ceph.client.gnocchi.keyring ceph.conf gnocchi.conf + [storage] + driver = ceph + ceph_username = gnocchi + ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring + ceph_conffile = /etc/ceph/ceph.conf Manila ------ -Configuring Manila for Ceph includes four steps: +Configuring Manila for Ceph includes following steps: -#. Configure CephFS backend, setting ``enable_manila_backend_cephfs_native`` -#. Create Ceph configuration file in ``/etc/ceph/ceph.conf`` -#. Create Ceph keyring file in ``/etc/ceph/ceph.client..keyring`` +#. Configure CephFS backend by setting ``enable_manila_backend_cephfs_native`` + to ``true`` +#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``: + + * ``ceph_manila_keyring`` (default: ``ceph.client.manila.keyring``) + +#. Copy Ceph configuration file to ``/etc/kolla/config/manila/ceph.conf`` +#. Copy Ceph keyring to ``/etc/kolla/config/manila/`` #. Setup Manila in the usual way -Step 1 is done by using setting ``enable_manila_backend_cephfs_native=true`` - -Now put ceph.conf and the keyring file (name depends on the username created -in Ceph) into the same directory, for example: - -.. path /etc/kolla/config/manila/ceph.conf -.. code-block:: ini - - [global] - fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3 - mon_host = 192.168.0.56 - auth_cluster_required = cephx - auth_service_required = cephx - auth_client_required = cephx - -.. code-block:: console - - $ cat /etc/kolla/config/manila/ceph.client.manila.keyring - - [client.manila] - key = AQAg5YRXS0qxLRAAXe6a4R1a15AoRx7ft80DhA== - For more details on the rest of the Manila setup, such as creating the share type ``default_share_type``, please see :doc:`Manila in Kolla `. diff --git a/releasenotes/notes/ceph-keys-vars-6857d19d291c401d.yaml b/releasenotes/notes/ceph-keys-vars-6857d19d291c401d.yaml new file mode 100644 index 0000000000..eb715d3ba5 --- /dev/null +++ b/releasenotes/notes/ceph-keys-vars-6857d19d291c401d.yaml 
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Introduce user modifiable variables instead of fixed names for Ceph
+ keyring files used by external Ceph functionality.
+upgrade:
+ - |
+ For cinder (cinder-volume and cinder-backup), glance-api and manila
+ keyrings behavior has changed and kolla-ansible deployment will not copy
+ those keys using wildcards (ceph.*), instead will use newly introduced
+ variables. Your environment may render unusable after an upgrade if your
+ keys in /etc/kolla/config do not match default values for introduced
+ variables.