External Ceph: keys as variables

Introduce user-modifiable variables instead of fixed names
for the Ceph keyring files used by the external Ceph functionality.

Change-Id: I1a33b3f9d6eca5babf53b91187461e43aef865ce
Michal Nasiadka 2019-09-26 12:41:18 +02:00
parent 7671384919
commit 1f929336e3
14 changed files with 206 additions and 208 deletions


@ -1028,6 +1028,14 @@ ceph_mgr_host_type: "INVENTORY"
ceph_osd_host_type: "IP" ceph_osd_host_type: "IP"
ceph_mds_host_type: "INVENTORY" ceph_mds_host_type: "INVENTORY"
# External Ceph keyrings
ceph_cinder_keyring: "ceph.client.cinder.keyring"
ceph_cinder_backup_keyring: "ceph.client.cinder-backup.keyring"
ceph_glance_keyring: "ceph.client.glance.keyring"
ceph_gnocchi_keyring: "ceph.client.gnocchi.keyring"
ceph_manila_keyring: "ceph.client.manila.keyring"
ceph_nova_keyring: "{% if enable_ceph | bool %}ceph.client.nova.keyring{% else %}{{ ceph_cinder_keyring }}{% endif %}"
##################### #####################
# VMware support # VMware support
###################### ######################
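Review bot: `ceph_nova_keyring` on the last added line falls back to `ceph_cinder_keyring` whenever `enable_ceph` is false, so with external Ceph nova-compute runs under Cinder's cephx identity unless an operator overrides it; that identity usually carries write capabilities on the volumes and backups pools that an ephemeral-disk client does not need, so the comment above these variables should call this a convenience default and recommend a dedicated nova key, e.g. `# Defaults to the cinder keyring for convenience; use a dedicated, least-privilege nova key where possible.`. These variables also only change the file name kolla copies and mounts: librados still locates keyrings through its default `keyring` search path (`/etc/ceph/$cluster.$name.keyring`), so a name that does not follow `ceph.client.<rbd_user>.keyring` will need an explicit `keyring = /etc/ceph/<file>` in the per-service ceph.conf. A one-line comment here stating that constraint would save operators a puzzling auth failure after renaming.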


@ -21,12 +21,10 @@
- name: Copy over Ceph keyring files for cinder-volume - name: Copy over Ceph keyring files for cinder-volume
copy: copy:
src: "{{ item }}" src: "{{ node_custom_config }}/cinder/cinder-volume/{{ ceph_cinder_keyring }}"
dest: "{{ node_config_directory }}/cinder-volume/" dest: "{{ node_config_directory }}/cinder-volume/"
mode: "0660" mode: "0660"
become: true become: true
with_fileglob:
- "{{ node_custom_config }}/cinder/cinder-volume/ceph.client*"
when: when:
- external_ceph_cephx_enabled | bool - external_ceph_cephx_enabled | bool
- inventory_hostname in groups['cinder-volume'] - inventory_hostname in groups['cinder-volume']
@ -36,13 +34,14 @@
- name: Copy over Ceph keyring files for cinder-backup - name: Copy over Ceph keyring files for cinder-backup
copy: copy:
src: "{{ item }}" src: "{{ node_custom_config }}/cinder/{{ item }}"
dest: "{{ node_config_directory }}/cinder-backup/" dest: "{{ node_config_directory }}/cinder-backup/"
mode: "0660" mode: "0660"
become: true become: true
register: cinder_backup_ceph_keyring register: cinder_backup_ceph_keyring
with_fileglob: with_items:
- "{{ node_custom_config }}/cinder/cinder-backup/ceph.client*" - "cinder-backup/{{ ceph_cinder_keyring }}"
- "cinder-backup/{{ ceph_cinder_backup_keyring }}"
when: when:
- external_ceph_cephx_enabled | bool - external_ceph_cephx_enabled | bool
- inventory_hostname in groups['cinder-backup'] - inventory_hostname in groups['cinder-backup']
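Review bot: Both keyring copy tasks keep `mode: "0660"` on the host-side config directory while the manila task in this same change copies its keyring with `mode: "0600"`; a cephx key is a credential, so the tighter mode should be used consistently — set `mode: "0600"` in both cinder tasks. Replacing `with_fileglob` with an explicit `src` also turns a missing or mis-named keyring from a silent no-op into a hard task failure, which is the right fail-closed behaviour but deserves a sentence in the release note, since operators will now see the deploy stop rather than a broken container later. The tail of the cinder-volume task (any `notify`) lies outside the first hunk.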


@ -14,10 +14,24 @@
"perm": "0600" "perm": "0600"
}{% endif %}{% if cinder_backend_ceph | bool %}, }{% endif %}{% if cinder_backend_ceph | bool %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/ceph.conf",
"dest": "/etc/ceph/", "dest": "/etc/ceph/ceph.conf",
"owner": "cinder", "owner": "cinder",
"perm": "0700", "perm": "0600",
"optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
},
{
"source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}",
"dest": "/etc/ceph/{{ ceph_cinder_keyring }}",
"owner": "cinder",
"perm": "0600",
"optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
},
{
"source": "{{ container_config_directory }}/{{ ceph_cinder_backup_keyring }}",
"dest": "/etc/ceph/{{ ceph_cinder_backup_keyring }}",
"owner": "cinder",
"perm": "0600",
"optional": {{ (not cinder_backend_ceph | bool) | string | lower }} "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
}{% endif %} }{% endif %}
], ],
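Review bot: The `"optional": {{ (not cinder_backend_ceph | bool) | string | lower }}` value on the three new entries is evaluated inside the `{% if cinder_backend_ceph | bool %}` guard and therefore always renders as `false`, so it reads as if the files might be optional when they never are. Either drop the key — other entries in this change omit it and appear to be treated as required — or write the literal `"optional": false` so the intent, failing container start when `ceph.conf` or either keyring is absent, is explicit. The change from `0700` to `"perm": "0600"` on per-file entries is the right tightening for credential files.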


@ -8,10 +8,10 @@
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}",
"dest": "/etc/ceph/", "dest": "/etc/ceph/{{ ceph_cinder_keyring }}",
"owner": "cinder", "owner": "cinder",
"perm": "0700", "perm": "0600",
"optional": {{ (not cinder_backend_ceph | bool) | string | lower }} "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
}, },
{ {


@ -1,27 +1,29 @@
--- ---
- name: Copy over ceph files - name: Copy over ceph.conf for Glance
copy: template:
src: "{{ item }}" src: "{{ node_custom_config }}/glance/ceph.conf"
dest: "{{ node_config_directory }}/glance-api/" dest: "{{ node_config_directory }}/glance-api/ceph.conf"
mode: "0660" mode: "0660"
become: true become: true
when: when: inventory_hostname in groups['glance-api']
- glance_services['glance-api'].host_in_groups | bool notify:
- glance_services['glance-api'].enabled | bool - Restart glance-api container
with_fileglob:
- "{{ node_custom_config }}/glance/ceph*" - name: Copy over ceph Glance keyring
copy:
src: "{{ node_custom_config }}/glance/{{ ceph_glance_keyring }}"
dest: "{{ node_config_directory }}/glance-api/{{ ceph_glance_keyring }}"
mode: "0660"
become: true
when: inventory_hostname in groups['glance-api']
notify: notify:
- Restart glance-api container - Restart glance-api container
- name: Ensuring config directory has correct owner and permission - name: Ensuring config directory has correct owner and permission
file: file:
path: "{{ node_config_directory }}/{{ item }}" path: "{{ node_config_directory }}/glance-api"
recurse: yes recurse: yes
owner: "{{ config_owner_user }}" owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}" group: "{{ config_owner_group }}"
become: true become: true
when: when: inventory_hostname in groups['glance-api']
- glance_services[item].host_in_groups | bool
- glance_services[item].enabled | bool
with_items:
- "glance-api"
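Review bot: The new `when: inventory_hostname in groups['glance-api']` on both copy tasks and the ownership task drops the `glance_services['glance-api'].enabled | bool` condition the old tasks had, so the keyring and ceph.conf are now written onto every host in the glance-api group even when the service is disabled — unless this file is only included under that condition, which is not visible here; restoring `- glance_services['glance-api'].enabled | bool` next to the group check keeps the previous behaviour. Switching ceph.conf from `copy` to `template` also means Jinja in an operator-supplied ceph.conf is now rendered, which is a behaviour change worth a task comment (`# templated: kolla variables may be referenced in ceph.conf`) and a line in the release note. Finally, `mode: "0660"` on the keyring copy could be tightened to `"0600"` as the manila task in this change does.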


@ -14,10 +14,16 @@
"perm": "0600" "perm": "0600"
}{% endif %}{% if glance_backend_ceph | bool %}, }{% endif %}{% if glance_backend_ceph | bool %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/{{ ceph_glance_keyring }}",
"dest": "/etc/ceph/", "dest": "/etc/ceph/{{ ceph_glance_keyring }}",
"owner": "glance", "owner": "glance",
"perm": "0700" "perm": "0600"
},
{
"source": "{{ container_config_directory }}/ceph.conf",
"dest": "/etc/ceph/ceph.conf",
"owner": "glance",
"perm": "0600"
}{% endif %}{% if glance_backend_swift | bool %}, }{% endif %}{% if glance_backend_swift | bool %},
{ {
"source": "{{ container_config_directory }}/glance-swift.conf", "source": "{{ container_config_directory }}/glance-swift.conf",


@ -15,8 +15,8 @@
- name: Copy over ceph gnocchi keyring - name: Copy over ceph gnocchi keyring
copy: copy:
src: "{{ node_custom_config }}/gnocchi/ceph.client.gnocchi.keyring" src: "{{ node_custom_config }}/gnocchi/{{ ceph_gnocchi_keyring }}"
dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring" dest: "{{ node_config_directory }}/{{ item }}/{{ ceph_gnocchi_keyring }}"
mode: "0660" mode: "0660"
become: true become: true
when: inventory_hostname in groups[item] when: inventory_hostname in groups[item]


@ -28,8 +28,8 @@
"perm": "0600" "perm": "0600"
}, },
{ {
"source": "{{ container_config_directory }}/ceph.client.gnocchi.keyring", "source": "{{ container_config_directory }}/{{ ceph_gnocchi_keyring }}",
"dest": "/etc/ceph/ceph.client.gnocchi.keyring", "dest": "/etc/ceph/{{ ceph_gnocchi_keyring }}",
"owner": "gnocchi", "owner": "gnocchi",
"perm": "0600" "perm": "0600"
}{% endif %} }{% endif %}
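Review bot: Renaming the mounted file via `ceph_gnocchi_keyring` does not update the `ceph_keyring` option the operator sets in gnocchi.conf — the documentation hunk in this change still shows `ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring` hard-coded — so an operator who overrides the variable without also changing that path gets a gnocchi that cannot open its key at runtime. Either derive that option from the same variable in the gnocchi.conf template (not visible here) or add a note beside the variable's documentation that `ceph_keyring` must point at `/etc/ceph/<ceph_gnocchi_keyring>`. The unchanged `"perm": "0600"` is appropriate for a credential file.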


@ -12,12 +12,10 @@
- name: Copy over Ceph keyring files for manila - name: Copy over Ceph keyring files for manila
copy: copy:
src: "{{ item }}" src: "{{ node_custom_config }}/manila/{{ ceph_manila_keyring }}"
dest: "{{ node_config_directory }}/manila-share/" dest: "{{ node_config_directory }}/manila-share/{{ ceph_manila_keyring }}"
mode: "0600" mode: "0600"
become: true become: true
with_fileglob:
- "{{ node_custom_config }}/manila/ceph.client*"
when: when:
- inventory_hostname in groups['manila-share'] - inventory_hostname in groups['manila-share']
notify: notify:


@ -8,8 +8,14 @@
"perm": "0600" "perm": "0600"
}{% if enable_manila_backend_cephfs_native | bool or enable_manila_backend_cephfs_nfs | bool %}, }{% if enable_manila_backend_cephfs_native | bool or enable_manila_backend_cephfs_nfs | bool %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/ceph.conf",
"dest": "/etc/ceph/", "dest": "/etc/ceph/ceph.conf",
"owner": "manila",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/{{ ceph_manila_keyring }}",
"dest": "/etc/ceph/{{ ceph_manila_keyring }}",
"owner": "manila", "owner": "manila",
"perm": "0600" "perm": "0600"
}{% endif %}{% if manila_policy_file is defined %}, }{% endif %}{% if manila_policy_file is defined %},


@ -11,7 +11,7 @@
- name: Check nova keyring file - name: Check nova keyring file
stat: stat:
path: "{{ node_custom_config }}/nova/ceph.client.nova.keyring" path: "{{ node_custom_config }}/nova/{{ ceph_nova_keyring }}"
delegate_to: localhost delegate_to: localhost
run_once: True run_once: True
register: nova_cephx_keyring_file register: nova_cephx_keyring_file
@ -22,7 +22,7 @@
- name: Check cinder keyring file - name: Check cinder keyring file
stat: stat:
path: "{{ node_custom_config }}/nova/ceph.client.cinder.keyring" path: "{{ node_custom_config }}/nova/{{ ceph_cinder_keyring }}"
delegate_to: localhost delegate_to: localhost
run_once: True run_once: True
register: cinder_cephx_keyring_file register: cinder_cephx_keyring_file
@ -39,7 +39,6 @@
become: true become: true
with_items: with_items:
- nova-compute - nova-compute
- nova-libvirt
when: when:
- inventory_hostname in groups[nova_cell_compute_group] - inventory_hostname in groups[nova_cell_compute_group]
- nova_backend == "rbd" - nova_backend == "rbd"
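Review bot: Dropping `nova-libvirt` from the `with_items` list changes which containers receive the copied Ceph files, yet neither the commit message nor the release note mentions it; if nova-libvirt's config.json still maps `/etc/ceph` entries, that container will now start without them. A task comment stating why it is no longer needed (presumably libvirt obtains the key through its secret rather than the file) or a line in the reno would make the intent auditable. Note too that with the default `ceph_nova_keyring` both stat tasks resolve to the same file, so `nova_cephx_keyring_file` and `cinder_cephx_keyring_file` register identical results; whatever branches on them (outside this hunk) should be checked for the same-file case. The copy task whose item list is edited begins before the last hunk.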


@ -14,10 +14,16 @@
"perm": "0600" "perm": "0600"
}{% endif %}{% if nova_backend == "rbd" %}, }{% endif %}{% if nova_backend == "rbd" %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/{{ ceph_nova_keyring }}",
"dest": "/etc/ceph/", "dest": "/etc/ceph/{{ ceph_nova_keyring }}",
"owner": "nova", "owner": "nova",
"perm": "0700" "perm": "0600"
},
{
"source": "{{ container_config_directory }}/ceph.conf",
"dest": "/etc/ceph/ceph.conf",
"owner": "nova",
"perm": "0600"
}{% endif %}{% if nova_compute_virt_type == "vmware" and not vmware_vcenter_insecure | bool %}, }{% endif %}{% if nova_compute_virt_type == "vmware" and not vmware_vcenter_insecure | bool %},
{ {
"source": "{{ container_config_directory }}/vmware_ca", "source": "{{ container_config_directory }}/vmware_ca",
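Review bot: The previous `ceph.*` glob mounted every keyring present in the nova-compute config directory, including the cinder keyring the tasks still stat and copy; the new list mounts only `{{ ceph_nova_keyring }}` and `ceph.conf`, so when a separate nova key exists the cinder keyring no longer reaches `/etc/ceph` inside nova-compute. That is probably intended (volume attachments go through the libvirt secret rather than the file), but the release note in this change lists only cinder, glance-api and manila as affected by the move away from wildcards, so nova should be added there as well. The `"perm": "0600"` on both entries is the right tightening from the old `0700`.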


@ -64,15 +64,11 @@ Configuring External Ceph
Glance Glance
------ ------
Configuring Glance for Ceph includes three steps: Configuring Glance for Ceph includes the following steps:
#. Configure RBD back end in ``glance-api.conf`` #. Configure RBD back end in ``glance-api.conf``
#. Create Ceph configuration file in ``/etc/ceph/ceph.conf``
#. Create Ceph keyring file in ``/etc/ceph/ceph.client.<username>.keyring``
Step 1 is done by using Kolla's INI merge mechanism: Create a file in
``/etc/kolla/config/glance/glance-api.conf`` with the following contents:
.. path /etc/kolla/config/glance/glance-api.conf
.. code-block:: ini .. code-block:: ini
[glance_store] [glance_store]
@ -82,8 +78,7 @@ Step 1 is done by using Kolla's INI merge mechanism: Create a file in
rbd_store_user = glance rbd_store_user = glance
rbd_store_ceph_conf = /etc/ceph/ceph.conf rbd_store_ceph_conf = /etc/ceph/ceph.conf
Now put ceph.conf and the keyring file (name depends on the username created in #. Copy Ceph configuration file to ``/etc/kolla/config/glance/ceph.conf``
Ceph) into the same directory, for example:
.. path /etc/kolla/config/glance/ceph.conf .. path /etc/kolla/config/glance/ceph.conf
.. code-block:: ini .. code-block:: ini
@ -96,25 +91,20 @@ Ceph) into the same directory, for example:
auth_service_required = cephx auth_service_required = cephx
auth_client_required = cephx auth_client_required = cephx
.. code-block:: console #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
$ cat /etc/kolla/config/glance/ceph.client.glance.keyring * ``ceph_glance_keyring`` (default: ``ceph.client.glance.keyring``)
[client.glance] #. Copy Ceph keyring to ``/etc/kolla/config/glance/<ceph_glance_keyring>``
key = AQAg5YRXS0qxLRAAXe6a4R1a15AoRx7ft80DhA==
Kolla will pick up all files named ``ceph.*`` in this directory and copy them
to the ``/etc/ceph/`` directory of the container.
Cinder Cinder
------ ------
Configuring external Ceph for Cinder works very similar to Configuring Cinder for Ceph includes following steps:
Glance.
Modify ``/etc/kolla/config/cinder/cinder-volume.conf`` file according to #. Configure RBD backend in ``cinder-volume.conf`` and ``cinder-backup.conf``
the following configuration:
.. path /etc/kolla/config/cinder/cinder-volume.conf
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
@ -131,11 +121,9 @@ the following configuration:
.. note:: .. note::
``cinder_rbd_secret_uuid`` can be found in ``/etc/kolla/passwords.yml`` file. ``cinder_rbd_secret_uuid`` can be found in ``/etc/kolla/passwords.yml``.
Modify ``/etc/kolla/config/cinder/cinder-backup.conf`` file according to
the following configuration:
.. path /etc/kolla/config/cinder/cinder-backup.conf
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
@ -149,19 +137,10 @@ the following configuration:
restore_discard_excess_bytes = true restore_discard_excess_bytes = true
For more information about the Cinder backup configuration, see For more information about the Cinder backup configuration, see
:cinder-doc:`Ceph backup driver <configuration/block-storage/backup/ceph-backup-driver.html>`. :cinder-doc:`Ceph backup driver
<configuration/block-storage/backup/ceph-backup-driver.html>`.
Next, copy the ``ceph.conf`` file into ``/etc/kolla/config/cinder/``: #. Copy Ceph configuration file to ``/etc/kolla/config/cinder/ceph.conf``
.. code-block:: ini
[global]
fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3
mon_initial_members = ceph-0
mon_host = 192.168.0.56
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
Separate configuration options can be configured for Separate configuration options can be configured for
cinder-volume and cinder-backup by adding ceph.conf files to cinder-volume and cinder-backup by adding ceph.conf files to
@ -169,55 +148,44 @@ cinder-volume and cinder-backup by adding ceph.conf files to
``/etc/kolla/config/cinder/cinder-backup`` respectively. They ``/etc/kolla/config/cinder/cinder-backup`` respectively. They
will be merged with ``/etc/kolla/config/cinder/ceph.conf``. will be merged with ``/etc/kolla/config/cinder/ceph.conf``.
Ceph keyrings are deployed per service and placed into #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
``cinder-volume`` and ``cinder-backup`` directories, put the keyring files * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``)
to these directories, for example: * ``ceph_cinder_backup_keyring``
(default: ``ceph.client.cinder-backup.keyring``)
#. Copy Ceph keyring files to:
* ``/etc/kolla/config/cinder/cinder-volume/<ceph_cinder_keyring>``
* ``/etc/kolla/config/cinder/cinder-backup/<ceph_cinder_keyring>``
* ``/etc/kolla/config/cinder/cinder-backup/<ceph_cinder_backup_keyring>``
.. note:: .. note::
``cinder-backup`` requires two keyrings for accessing volumes ``cinder-backup`` requires two keyrings for accessing volumes
and backup pool. and backup pool.
.. code-block:: console
$ cat /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder.keyring
[client.cinder]
key = AQAg5YRXpChaGRAAlTSCleesthCRmCYrfQVX1w==
.. code-block:: console
$ cat /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder-backup.keyring
[client.cinder-backup]
key = AQC9wNBYrD8MOBAAwUlCdPKxWZlhkrWIDE1J/w==
.. code-block:: console
$ cat /etc/kolla/config/cinder/cinder-volume/ceph.client.cinder.keyring
[client.cinder]
key = AQAg5YRXpChaGRAAlTSCleesthCRmCYrfQVX1w==
It is important that the files are named ``ceph.client*``.
Nova Nova
---- ----
Put ceph.conf, nova client keyring file and cinder client keyring file into Configuring Nova for Ceph includes following steps:
``/etc/kolla/config/nova``:
#. Copy Ceph configuration file to ``/etc/kolla/config/nova/ceph.conf``
#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
* ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``)
* ``ceph_nova_keyring`` (by default it's the same as ceph_cinder_keyring)
#. Copy Ceph keyring file(s) to:
* ``/etc/kolla/config/nova/<ceph_cinder_keyring>``
* ``/etc/kolla/config/nova/<ceph_nova_keyring>`` (if your Ceph deployment
created one)
.. warning:: .. warning::
If you are using ceph-ansible - please copy ceph.client.cinder.keyring If you are using ceph-ansible or another deployment tool that doesn't
as /etc/kolla/config/nova/ceph.client.nova.keyring create separate key for Nova just copy the Cinder key.
.. code-block:: console #. Configure nova-compute to use Ceph as the ephemeral back end by creating
$ ls /etc/kolla/config/nova
ceph.client.cinder.keyring ceph.client.nova.keyring ceph.conf
Configure nova-compute to use Ceph as the ephemeral back end by creating
``/etc/kolla/config/nova/nova-compute.conf`` and adding the following ``/etc/kolla/config/nova/nova-compute.conf`` and adding the following
configurations: configurations:
@ -227,17 +195,21 @@ configurations:
images_rbd_pool=vms images_rbd_pool=vms
images_type=rbd images_type=rbd
images_rbd_ceph_conf=/etc/ceph/ceph.conf images_rbd_ceph_conf=/etc/ceph/ceph.conf
rbd_user=nova
.. note::
``rbd_user`` might vary depending on your environment.
Gnocchi Gnocchi
------- -------
Modify ``/etc/kolla/config/gnocchi.conf`` file according to Configuring Gnocchi for Ceph includes following steps:
the following configuration:
#. Copy Ceph configuration file to ``/etc/kolla/config/gnocchi/ceph.conf``
#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
* ``ceph_gnocchi_keyring``
(default: ``ceph.client.gnocchi.keyring``)
#. Copy Ceph keyring to ``/etc/kolla/config/gnocchi/<ceph_gnocchi_keyring>``
#. Modify ``/etc/kolla/config/gnocchi.conf`` file according to the following
configuration:
.. code-block:: ini .. code-block:: ini
@ -247,46 +219,21 @@ the following configuration:
ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring
ceph_conffile = /etc/ceph/ceph.conf ceph_conffile = /etc/ceph/ceph.conf
Put ceph.conf and gnocchi client keyring file in
``/etc/kolla/config/gnocchi``:
.. code-block:: console
$ ls /etc/kolla/config/gnocchi
ceph.client.gnocchi.keyring ceph.conf gnocchi.conf
Manila Manila
------ ------
Configuring Manila for Ceph includes four steps: Configuring Manila for Ceph includes following steps:
#. Configure CephFS backend, setting ``enable_manila_backend_cephfs_native`` #. Configure CephFS backend by setting ``enable_manila_backend_cephfs_native``
#. Create Ceph configuration file in ``/etc/ceph/ceph.conf`` to ``true``
#. Create Ceph keyring file in ``/etc/ceph/ceph.client.<username>.keyring`` #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
* ``ceph_manila_keyring`` (default: ``ceph.client.manila.keyring``)
#. Copy Ceph configuration file to ``/etc/kolla/config/manila/ceph.conf``
#. Copy Ceph keyring to ``/etc/kolla/config/manila/<ceph_manila_keyring>``
#. Setup Manila in the usual way #. Setup Manila in the usual way
Step 1 is done by using setting ``enable_manila_backend_cephfs_native=true``
Now put ceph.conf and the keyring file (name depends on the username created
in Ceph) into the same directory, for example:
.. path /etc/kolla/config/manila/ceph.conf
.. code-block:: ini
[global]
fsid = 1d89fec3-325a-4963-a950-c4afedd37fe3
mon_host = 192.168.0.56
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
.. code-block:: console
$ cat /etc/kolla/config/manila/ceph.client.manila.keyring
[client.manila]
key = AQAg5YRXS0qxLRAAXe6a4R1a15AoRx7ft80DhA==
For more details on the rest of the Manila setup, such as creating the share For more details on the rest of the Manila setup, such as creating the share
type ``default_share_type``, please see :doc:`Manila in Kolla <manila-guide>`. type ``default_share_type``, please see :doc:`Manila in Kolla <manila-guide>`.


@ -0,0 +1,13 @@
---
features:
- |
Introduce user modifiable variables instead of fixed names for Ceph
keyring files used by external Ceph functionality.
upgrade:
- |
For cinder (cinder-volume and cinder-backup), glance-api and manila
keyrings behavior has changed and kolla-ansible deployment will not copy
those keys using wildcards (ceph.*), instead will use newly introduced
variables. Your environment may render unusable after an upgrade if your
keys in /etc/kolla/config do not match default values for introduced
variables.