Migrate ceph keyring creation to kolla_ceph_keyring module

This way, keyring caps are updatable.

Change-Id: Idf7f222645b5073e2c72d59eecf3d47b3f1dc6ba
Jeffrey Zhang 2018-03-30 10:49:12 +08:00
parent 716a428c62
commit 3397668d10
13 changed files with 118 additions and 41 deletions


@ -46,6 +46,16 @@ ceph_client_admin_keyring_caps:
osd: "allow *"
mgr: "allow *"
ceph_client_mgr_keyring_caps:
mon: 'allow profile mgr'
osd: 'allow *'
mds: 'allow *'
ceph_client_mds_keyring_caps:
mds: 'allow '
osd: 'allow *'
mon: 'allow rwx'
partition_name_osd_bootstrap: "{{ 'KOLLA_CEPH_OSD_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_BOOTSTRAP' }}"
partition_name_cache_bootstrap: "{{ 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP' }}"
partition_name_osd_data: "{{ 'KOLLA_CEPH_BSDATA' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_DATA' }}"
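Review bot: The new `ceph_client_mds_keyring_caps` carries a trailing space inside the mds cap, `mds: 'allow '`, inherited from the old command line, and the new block uses single quotes while the context lines above use double quotes. I would write `mds: 'allow'` and pick one quoting style for the caps mappings in this file. If the cluster normalizes cap strings this is cosmetic; if it does not, a module that compares desired and current caps could see a permanent difference and rewrite them on every run, which is worth checking since caps are now updatable.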


@ -20,17 +20,20 @@
pool_pgp_num: "{{ cephfs_metadata_pool_pgp_num }}"
- name: Geting ceph mds keyring
command: docker exec ceph_mon ceph auth get-or-create mds.{{ hostvars[item]['inventory_hostname'] }} mds 'allow ' osd 'allow *' mon 'allow rwx'
kolla_ceph_keyring:
name: "mds.{{ hostvars[item]['inventory_hostname'] }}"
caps: "{{ ceph_client_mds_keyring_caps }}"
register: ceph_mds_auth
run_once: true
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: false
with_items: "{{ groups['ceph-mds'] }}"
- name: Pushing ceph mds keyring to ceph-mds
become: true
copy:
content: "{{ item.stdout }}\n"
content: |
[mds.{{ item.item }}]
key = {{ item.keyring.key }}
dest: "{{ node_config_directory }}/ceph-mds/ceph.mds.{{ inventory_hostname }}.keyring"
mode: 0600
when:
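Review bot: `changed_when: false` is kept on the new `kolla_ceph_keyring` task, so if the module reports a change when it updates caps (the point of this commit), that signal is discarded from the play output; the same line is kept in the mgr, cinder, cinder-backup, glance, gnocchi, manila and nova keyring tasks. I would drop the `changed_when: false` line on each of these tasks and let the module decide, and remove the now-stale `# TODO(SamYaple): Improve changed_when tests` comments in the cinder, glance, gnocchi and nova hunks. Since the registered result now carries the secret under `keyring.key` (as the command's stdout did before), `no_log: true` on these tasks would keep it out of verbose output. The task list starts before this hunk.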


@ -1,16 +1,19 @@
---
- name: Getting ceph mgr keyring
command: docker exec ceph_mon ceph auth get-or-create mgr.{{ item }} mon 'allow profile mgr' osd 'allow *' mds 'allow *'
kolla_ceph_keyring:
name: "mgr.{{ item }}"
caps: "{{ ceph_client_mgr_keyring_caps }}"
register: ceph_mgr_keyring
run_once: true
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: false
with_items: "{{ groups['ceph-mgr'] }}"
- name: Pushing ceph mgr keyring to ceph-mgr
become: true
copy:
content: "{{ item.stdout }}\n"
content: |
[mgr.{{ item.item }}]
key = {{ item.keyring.key }}
dest: "{{ node_config_directory }}/ceph-mgr/ceph.mgr.{{ inventory_hostname }}.keyring"
mode: 0600
when:


@ -77,6 +77,24 @@ cinder_backup_cache_mode: "{{ ceph_cinder_backup_cache_mode }}"
cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}"
cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_cinder_keyring_caps:
mon: 'allow r'
osd: >-
allow class-read object_prefix rbd_children,
allow rwx pool={{ ceph_cinder_pool_name }},
allow rwx pool={{ ceph_cinder_pool_name }}-cache,
allow rwx pool={{ ceph_nova_pool_name }},
allow rwx pool={{ ceph_nova_pool_name }}-cache,
allow rx pool={{ ceph_glance_pool_name }},
allow rx pool={{ ceph_glance_pool_name }}-cache
ceph_client_cinder_backup_keyring_caps:
mon: 'allow r'
osd: >-
allow class-read object_prefix rbd_children,
allow rwx pool={{ ceph_cinder_backup_pool_name }},
allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache
####################
# Database
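Review bot: The new `ceph_client_cinder_keyring_caps` and `ceph_client_cinder_backup_keyring_caps` defaults have no comment, yet they are now the authoritative cephx capabilities that the `kolla_ceph_keyring` task applies and, per the commit message, updates in place; the same applies to the glance, gnocchi and nova caps variables added in this change. A short header such as `# cephx caps applied to client.cinder / client.cinder-backup by kolla_ceph_keyring; editing them changes the live caps on the next run` would tell an operator what overriding these values does. It is also worth noting in that comment that cinder's osd cap references the nova and glance pool names, so those variables must resolve in this role.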


@ -54,32 +54,34 @@
pool_pgp_num: "{{ cinder_backup_pool_pgp_num }}"
pool_application: "rbd"
# TODO(SamYaple): Improve changed_when tests
- name: Pulling cephx keyring for cinder
command: docker exec ceph_mon ceph auth get-or-create client.cinder mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rx pool={{ ceph_glance_pool_name }}, allow rx pool={{ ceph_glance_pool_name }}-cache'
kolla_ceph_keyring:
name: client.cinder
caps: "{{ ceph_client_cinder_keyring_caps }}"
register: cephx_key_cinder
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
# TODO(SamYaple): Improve changed_when tests
- name: Pulling cephx keyring for cinder-backup
command: docker exec ceph_mon ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_backup_pool_name }}, allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache'
kolla_ceph_keyring:
name: client.cinder-backup
caps: "{{ ceph_client_cinder_backup_keyring_caps }}"
register: cephx_key_cinder_backup
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
- name: Pushing cephx keyring
copy:
content: "{{ item.content }}\n\r"
content: |
[client.{{ item.key_name }}]
key = {{ item.key }}
dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring"
mode: "0600"
become: true
with_items:
- { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
- { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
- { service_name: "cinder-backup", key_name: "cinder-backup", content: "{{ cephx_key_cinder_backup.stdout }}" }
- { service_name: "cinder-volume", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
- { service_name: "cinder-backup", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
- { service_name: "cinder-backup", key_name: "cinder-backup", key: "{{ cephx_key_cinder_backup.keyring.key }}" }
when:
- inventory_hostname in groups[item.service_name]
- cinder_services[item.service_name].enabled | bool


@ -47,6 +47,13 @@ glance_cache_mode: "{{ ceph_glance_cache_mode }}"
glance_pool_pg_num: "{{ ceph_pool_pg_num }}"
glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_glance_keyring_caps:
mon: 'allow r'
osd: >-
allow class-read object_prefix rbd_children,
allow rwx pool={{ ceph_glance_pool_name }},
allow rwx pool={{ ceph_glance_pool_name }}-cache
####################
# Database


@ -25,17 +25,19 @@
pool_pgp_num: "{{ glance_pool_pgp_num }}"
pool_application: "rbd"
# TODO(SamYaple): Improve changed_when tests
- name: Pulling cephx keyring
command: docker exec ceph_mon ceph auth get-or-create client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
kolla_ceph_keyring:
name: client.glance
caps: "{{ ceph_client_glance_keyring_caps }}"
register: cephx_key
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
- name: Pushing cephx keyring
copy:
content: "{{ cephx_key.stdout }}\n\r"
content: |
[client.glance]
key = {{ cephx_key.keyring.key }}
dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring"
mode: "0600"
when: inventory_hostname in groups['glance-api']


@ -48,6 +48,13 @@ gnocchi_cache_mode: "{{ ceph_gnocchi_cache_mode }}"
gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}"
gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_gnocchi_keyring_caps:
mon: 'allow r'
osd: >-
allow class-read object_prefix rbd_children,
allow rwx pool={{ ceph_gnocchi_pool_name }},
allow rwx pool={{ ceph_gnocchi_pool_name }}-cache
####################
# Database


@ -31,17 +31,19 @@
pool_pgp_num: "{{ gnocchi_pool_pgp_num }}"
pool_application: "rgw"
# TODO(SamYaple): Improve changed_when tests
- name: Pulling cephx keyring
command: docker exec ceph_mon ceph auth get-or-create client.gnocchi mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_gnocchi_pool_name }}, allow rwx pool={{ ceph_gnocchi_pool_name }}-cache'
kolla_ceph_keyring:
name: client.gnocchi
caps: "{{ ceph_client_gnocchi_keyring_caps }}"
register: cephx_key
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
- name: Pushing cephx keyring
copy:
content: "{{ cephx_key.stdout }}\n\r"
content: |
[client.gnocchi]
key = {{ cephx_key.keyring.key }}
dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring"
mode: "0600"
when: inventory_hostname in groups[item]


@ -44,6 +44,21 @@ manila_services:
- "kolla_logs:/var/log/kolla/"
#####################
## Ceph
#####################
ceph_client_manila_keyring_caps:
mon: >-
allow r,
allow command "auth del",
allow command "auth caps",
allow command "auth get",
allow command "auth get-or-create"
osd: 'allow rw'
mds: 'allow *'
#####################
## Database
#####################
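Review bot: The mon cap in the new `ceph_client_manila_keyring_caps` grants `auth del`, `auth caps`, `auth get` and `auth get-or-create`, which lets client.manila create, modify and delete other cephx entities, and nothing on the page says why. Now that this is a user-facing default rather than a string inside a task, a comment above the variable should state the reason, presumably that the CephFS driver manages per-share cephx identities (I cannot confirm that from this diff), e.g. `# mon 'auth *' commands are needed because manila creates and removes per-share cephx identities; narrow with care`. Without that, an operator trimming the caps has no way to know which commands the service actually relies on.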


@ -15,15 +15,18 @@
become: true
- name: Pulling cephx keyring for manila
command: docker exec ceph_mon ceph auth get-or-create client.manila mon 'allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"' osd 'allow rw' mds 'allow *'
kolla_ceph_keyring:
name: client.manila
caps: "{{ ceph_client_manila_keyring_caps }}"
register: cephx_key_manila
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
- name: Pushing cephx keyring
copy:
content: "{{ cephx_key_manila.stdout }}\n\r"
content: |
[client.manila]
key = {{ cephx_key_manila.keyring.key }}
dest: "{{ node_config_directory }}/manila-share/ceph.client.manila.keyring"
mode: "0600"
become: true


@ -154,6 +154,17 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
# qemu (1, 6, 0) or later. Set to "" to disable.
nova_hw_disk_discard: "unmap"
ceph_client_nova_keyring_caps:
mon: 'allow r'
osd: >-
allow class-read object_prefix rbd_children,
allow rwx pool={{ ceph_cinder_pool_name }},
allow rwx pool={{ ceph_cinder_pool_name }}-cache,
allow rwx pool={{ ceph_nova_pool_name }},
allow rwx pool={{ ceph_nova_pool_name }}-cache,
allow rwx pool={{ ceph_glance_pool_name }},
allow rwx pool={{ ceph_glance_pool_name }}-cache
####################
# Database


@ -33,20 +33,12 @@
pool_pgp_num: "{{ nova_pool_pgp_num }}"
pool_application: "rbd"
# TODO(SamYaple): Improve changed_when tests
- name: Pulling cephx keyring for nova
command: docker exec ceph_mon ceph auth get-or-create client.nova mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
register: cephx_key
kolla_ceph_keyring:
name: client.nova
caps: "{{ ceph_client_nova_keyring_caps }}"
register: nova_cephx_key
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
# TODO(SamYaple): Improve failed_when and changed_when tests
- name: Pulling nova cephx keyring for libvirt
command: docker exec ceph_mon ceph auth get-key client.nova
register: nova_cephx_raw_key
delegate_to: "{{ groups['ceph-mon'][0] }}"
changed_when: False
run_once: True
- name: Pulling cinder cephx keyring for libvirt
@ -61,7 +53,9 @@
- name: Pushing cephx keyring for nova
copy:
content: "{{ cephx_key.stdout }}\n\r"
content: |
[client.nova]
key = {{ nova_cephx_key.keyring.key }}
dest: "{{ node_config_directory }}/nova-compute/ceph.client.nova.keyring"
mode: "0600"
when: inventory_hostname in groups['compute']
@ -92,7 +86,7 @@
- item.enabled | bool
with_items:
- uuid: "{{ rbd_secret_uuid }}"
content: "{{ nova_cephx_raw_key.stdout }}"
content: "{{ nova_cephx_key.keyring.key }}"
enabled: true
- uuid: "{{ cinder_rbd_secret_uuid }}"
content: "{{ cinder_cephx_raw_key.stdout|default('') }}"
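Review bot: The libvirt secret for nova now takes its key from `nova_cephx_key.keyring.key`, while the cinder secret on the next line still uses `cinder_cephx_raw_key.stdout`, produced by the `ceph auth get-key` command task that starts in the context at `Pulling cinder cephx keyring for libvirt` and continues outside the hunk. The two keys are now obtained by different mechanisms with different failure modes, so either the cinder lookup should move to the same module (if the cinder caps variable is reachable from this role) or a comment should say why the raw command is kept, e.g. `# cinder key is read with get-key: its caps belong to the cinder role`. The register was also renamed from `cephx_key` to `nova_cephx_key`; any reference to `cephx_key` elsewhere in this file would now be undefined, which I cannot verify from the visible hunks.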