From fdd2aaa00b3753b393be5768f730f58d0a1e3b04 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Wed, 10 May 2023 14:18:36 +0100
Subject: [PATCH] Allow ceph client keyring files to have custom owner/group/mode

This is required for a future patch enabling the ceph immutable object cache.

Change-Id: Ifd78224acf389200a79aea25461b499a7c0da5d1
---
 tasks/ceph_get_keyrings_from_files.yml | 11 ++++++-----
 tasks/ceph_get_keyrings_from_mons.yml | 10 +++++-----
 vars/main.yml | 10 +++++-----
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/tasks/ceph_get_keyrings_from_files.yml b/tasks/ceph_get_keyrings_from_files.yml
index aed38d6..e015537 100644
--- a/tasks/ceph_get_keyrings_from_files.yml
+++ b/tasks/ceph_get_keyrings_from_files.yml
@@ -21,7 +21,7 @@
 {% set _keys = {} %}
 {% for client in ceph_client_filtered_clients %}
 {% set _ = _keys.update({
- client: lookup('file', ceph_keyrings_dir ~ '/' ~ client ~ '.keyring')
+ client: lookup('file', ceph_keyrings_dir ~ '/' ~ client['name'] ~ '.keyring')
 }) %}
 {% endfor %}
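Review bot: `client['name']` on the added line assumes every entry of `ceph_client_filtered_clients` is a mapping, but that list is presumably built from `ceph_extra_components` as well (vars/main.yml hunk, `ceph_extra_components: []`), which is user-supplied and, under the old schema, carries plain-string `client:` entries that would now fail with an undefined-attribute error. Either accept both shapes here, `client['name'] if client is mapping else client`, or document the new `name`/`owner`/`group`/`mode` entry format where extra components are declared and flag the change as breaking. The same assumption is made by the copy task, the mons `shell` task and the mons `template` task in the later hunks. The enclosing set_fact starts before this hunk.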
@@ -35,16 +35,17 @@
 - name: From files | Provision ceph client keyrings
 copy:
- dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item }}.keyring"
- content: "{{ ceph_client_keys[item] }}\n" # noqa 206
- group: "{{ cephkeys_access_group }}"
+ dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item['name'] }}.keyring"
+ content: "{{ ceph_client_keys[item['name']] }}\n" # noqa 206
+ owner: "{{ client['owner'] | default('root') }}"
+ group: "{{ client['group'] | default(cephkeys_access_group) }}"
 # ideally the permission will be: 0600 and the owner/group will be either
 # glance , nova or cinder. For keys that require access by different users
 # (the cinder one) we should probably create a group 'cephkeys' and add
 # nova/cinder to it.
 # If I'm correct, the use case for multiple users is on the computre nodes,
 # access needed by users libvirt-qemu and nova
- mode: 0640
+ mode: "{{ client['mode'] | default ('0640') }}"
 with_items: "{{ ceph_client_filtered_clients }}"
 notify:
 - Restart os services
diff --git a/tasks/ceph_get_keyrings_from_mons.yml b/tasks/ceph_get_keyrings_from_mons.yml
index 7730bf7..a533d51 100644
--- a/tasks/ceph_get_keyrings_from_mons.yml
+++ b/tasks/ceph_get_keyrings_from_mons.yml
@@ -20,7 +20,7 @@
 # the first get makes sure the client exists, so the second only runs when it
 # exists, the trick is the different output of both, the second has the right
 # output to put in a keyring; ceph admin should have already created the user
- shell: "ceph auth get client.{{ item }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item }} --cluster {{ ceph_cluster_name }}"
+ shell: "ceph auth get client.{{ item['name'] }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item['name'] }} --cluster {{ ceph_cluster_name }}"
 with_items: "{{ ceph_client_filtered_clients }}"
 changed_when: false
 delegate_to: '{{ ceph_mon_host }}'
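Review bot: The new `owner`, `group` and `mode` lines of the copy task read `client['owner']`, `client['group']` and `client['mode']`, but the task iterates with `with_items` and no `loop_control`, so the loop variable is `item` (as the neighbouring `dest` and `content` lines already use); unless a `client` variable is defined elsewhere in the role, which this hunk does not show, every keyring copy fails with an undefined variable, and if one did exist the per-client ownership would silently come from the wrong object. Change them to `owner: "{{ item['owner'] | default('root') }}"`, `group: "{{ item['group'] | default(cephkeys_access_group) }}"` and `mode: "{{ item['mode'] | default('0640') }}"`, which also drops the stray space in `default ('0640')` and matches the `item.item.*` form used in the mons template task. Since these three values now decide who can read a cluster credential, a short comment above `owner:` stating that the defaults keep the previous root/`cephkeys_access_group`/0640 behaviour would help reviewers of later overrides.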
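Review bot: The rewritten `shell:` line interpolates `item['name']` twice into a command string without the `quote` filter, so a client name carrying shell metacharacters would change the command that runs on the monitor host rather than just the entity name; `client.{{ item['name'] | quote }}` in both places keeps the name a single argument. The names come from role vars today, but the same hunk set makes them user-extensible through `ceph_extra_components`, so the defensive quoting is cheap insurance.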
@@ -36,18 +36,18 @@
 # ceph get-or-create ... ... -o file?
 template:
 src: ceph.client.keyring.j2
- dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item }}.keyring"
+ dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item['name'] }}.keyring"
 backup: true
- owner: root
+ owner: "{{ item.item.owner | default('root') }}" # TODO
- group: "{{ cephkeys_access_group }}"
+ group: "{{ item.item.group | default(cephkeys_access_group) }}"
 # ideally the permission will be: 0600 and the owner/group will be either
 # glance , nova or cinder. For keys that require access by different users
 # (the cinder one) we should probably create a group 'cephkeys' and add
 # nova/cinder to it.
 # If I'm correct, the use case for multiple users is on the computre nodes,
 # access needed by users libvirt-qemu and nova
- mode: 0640
+ mode: "{{ item.item.mode | default('0640') }}"
 with_items: "{{ ceph_client_keyrings.results }}"
 when:
 - not item is skipped
diff --git a/vars/main.yml b/vars/main.yml
index df34b7c..ee7d904 100644
--- a/vars/main.yml
+++ b/vars/main.yml
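Review bot: The added `owner:` line ends in a bare `# TODO` that names no outstanding work, so it will outlive whatever it meant; either drop it or state the intent, e.g. `owner: "{{ item.item.owner | default('root') }}"  # TODO: per-service owner once the immutable object cache lands`, which is what the commit message says the knobs are for. The `dest` line mixes `item.item['name']` with the dot form `item.item.owner`/`.group`/`.mode` on the following lines; picking one form keeps the task readable next to the bracket-only copy task in ceph_get_keyrings_from_files.yml. The `backup: true` setting is unchanged but now matters more: a keyring whose owner or mode is tightened later keeps a backup copy under the previous permissions, which is worth a note or a `backup: false` for credential files.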
@@ -20,27 +20,27 @@
 ceph_components:
 - component: glance_api
 package: "{{ python_ceph_packages }}"
 client:
- '{{ glance_ceph_client }}'
+ - name: '{{ glance_ceph_client }}'
 service: '{{ ceph_glance_service_names }}'
 - component: cinder_volume
 package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
 client:
- '{{ cinder_ceph_client }}'
+ - name: '{{ cinder_ceph_client }}'
 service: '{{ ceph_cinder_service_names }}'
 - component: cinder_backup
 package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
 client:
- '{{ cinder_backup_ceph_client }}'
+ - name: '{{ cinder_backup_ceph_client }}'
 service: '{{ ceph_cinder_service_names }}'
 - component: nova_compute
 package: "{{ libvirt_packages + [ 'ceph-common' ] + python_ceph_packages }}"
 client:
- '{{ nova_ceph_client }}'
+ - name: "{{ nova_ceph_client }}"
 service: '{{ ceph_nova_service_names }}'
 - component: manila_share
 package: "{{ ['ceph-common'] + python_ceph_packages }}"
 client:
- "{{ manila_ceph_client }}"
+ - name: "{{ manila_ceph_client }}"
 service: "{{ ceph_manila_service_names }}"
 ceph_extra_components: []
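Review bot: The new `client:` entries introduce a mapping schema (`name`, plus the optional `owner`, `group` and `mode` read by the task files) but nothing in vars/main.yml says which keys are accepted or what they default to, and `ceph_extra_components: []` is the place operators will copy from; a comment above `ceph_components:` listing the keys and their defaults (`owner` root, `group` the `cephkeys_access_group` value, `mode` 0640) would prevent misconfigured keyring permissions. Within the same hunk the nova entry switches to double quotes, `- name: "{{ nova_ceph_client }}"`, while the glance, cinder_volume and cinder_backup entries keep single quotes; use one quoting style for the new lines.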