[pve-devel] [PATCH manager 08/14] ceph: mon create: refactor and improve auth key creation
Dominik Csapak
d.csapak at proxmox.com
Tue Jun 18 15:42:52 CEST 2019
it makes no sense to have the mon key inside the client.admin.keyring
also the order and operations did not make much sense
also create the client admin keyring when creating the config
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
PVE/API2/Ceph.pm | 1 +
PVE/API2/Ceph/MON.pm | 26 +++++++-------------------
PVE/Ceph/Tools.pm | 18 ++++++++++++++++++
3 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm
index be56caff..1ce74378 100644
--- a/PVE/API2/Ceph.pm
+++ b/PVE/API2/Ceph.pm
@@ -349,6 +349,7 @@ __PACKAGE__->register_method ({
cfs_write_file('ceph.conf', $cfg);
+ PVE::Ceph::Tools::get_or_create_admin_keyring();
PVE::Ceph::Tools::setup_pve_symlinks();
});
diff --git a/PVE/API2/Ceph/MON.pm b/PVE/API2/Ceph/MON.pm
index 75c28039..a0980886 100644
--- a/PVE/API2/Ceph/MON.pm
+++ b/PVE/API2/Ceph/MON.pm
@@ -199,28 +199,16 @@ __PACKAGE__->register_method ({
my $worker = sub {
my $upid = shift;
- my $pve_ckeyring_path = PVE::Ceph::Tools::get_config('pve_ckeyring_path');
- if (! -f $pve_ckeyring_path) {
- run_command("ceph-authtool $pve_ckeyring_path --create-keyring " .
- "--gen-key -n client.admin");
- }
+ my $client_keyring = PVE::Ceph::Tools::get_or_create_admin_keyring();
+ my $mon_keyring = PVE::Ceph::Tools::get_config('pve_mon_key_path');
- my $pve_mon_key_path = PVE::Ceph::Tools::get_config('pve_mon_key_path');
- if (! -f $pve_mon_key_path) {
- run_command("cp $pve_ckeyring_path $pve_mon_key_path.tmp");
- run_command("ceph-authtool $pve_mon_key_path.tmp -n client.admin " .
- "--cap mds 'allow' " .
- "--cap osd 'allow *' " .
- "--cap mgr 'allow *' " .
- "--cap mon 'allow *'");
- run_command("cp $pve_mon_key_path.tmp /etc/ceph/ceph.client.admin.keyring");
- run_command("chown ceph:ceph /etc/ceph/ceph.client.admin.keyring");
- run_command("ceph-authtool $pve_mon_key_path.tmp --gen-key -n mon. --cap mon 'allow *'");
- run_command("mv $pve_mon_key_path.tmp $pve_mon_key_path");
+ if (! -f $mon_keyring) {
+ run_command("ceph-authtool --create-keyring $mon_keyring ".
+ " --gen-key -n mon. --cap mon 'allow *'");
+ run_command("ceph-authtool $mon_keyring --import-keyring $client_keyring");
}
my $ccname = PVE::Ceph::Tools::get_config('ccname');
-
my $mondir = "/var/lib/ceph/mon/$ccname-$monid";
-d $mondir && die "monitor filesystem '$mondir' already exist\n";
@@ -239,7 +227,7 @@ __PACKAGE__->register_method ({
run_command("monmaptool --create --clobber --add $monid $monaddr --print $monmap");
}
- run_command("ceph-mon --mkfs -i $monid --monmap $monmap --keyring $pve_mon_key_path");
+ run_command("ceph-mon --mkfs -i $monid --monmap $monmap --keyring $mon_keyring");
run_command("chown ceph:ceph -R $mondir");
};
my $err = $@;
diff --git a/PVE/Ceph/Tools.pm b/PVE/Ceph/Tools.pm
index 65fc8c72..2e7ee2cc 100644
--- a/PVE/Ceph/Tools.pm
+++ b/PVE/Ceph/Tools.pm
@@ -19,6 +19,7 @@ my $ceph_cfgpath = "$ceph_cfgdir/$ccname.conf";
my $pve_mon_key_path = "/etc/pve/priv/$ccname.mon.keyring";
my $pve_ckeyring_path = "/etc/pve/priv/$ccname.client.admin.keyring";
+my $ckeyring_path = "/etc/ceph/ceph.client.admin.keyrign";
my $ceph_bootstrap_osd_keyring = "/var/lib/ceph/bootstrap-osd/$ccname.keyring";
my $ceph_bootstrap_mds_keyring = "/var/lib/ceph/bootstrap-mds/$ccname.keyring";
my $ceph_mds_data_dir = '/var/lib/ceph/mds';
@@ -220,6 +221,23 @@ sub setup_pve_symlinks {
}
}
+sub get_or_create_admin_keyring {
+ if (! -f $pve_ckeyring_path) {
+ run_command("ceph-authtool --create-keyring $pve_ckeyring_path " .
+ "--gen-key -n client.admin " .
+ "--cap mon 'allow *' " .
+ "--cap osd 'allow *' " .
+ "--cap mds 'allow *' " .
+ "--cap mgr 'allow *' ");
+ # we do not want to overwrite it
+ if (! -f $ckeyring_path) {
+ run_command("cp $pve_ckeyring_path $ckeyring_path");
+ run_command("chown ceph:ceph /etc/ceph/ceph.client.admin.keyring");
+ }
+ }
+ return $pve_ckeyring_path;
+}
+
# wipe the first 200 MB to clear off leftovers from previous use, otherwise a
# create OSD fails.
sub wipe_disks {
--
2.11.0
More information about the pve-devel
mailing list