[pve-devel] [PATCH storage 2/2] Ceph: add keyring parameter for external clusters

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Jul 30 15:35:23 CEST 2021


On 21/07/2021 17:13, Aaron Lauterer wrote:
> By adding the keyring for RBD storage or the secret for CephFS ones, it
> is possible to add an external Ceph cluster with only one API call.
> 
> Previously the keyring / secret file needed to be placed in
> /etc/pve/priv/ceph/$storeID.{keyring,secret} manually.
> 
> Signed-off-by: Aaron Lauterer <a.lauterer at proxmox.com>
> ---
>  PVE/API2/Storage/Config.pm  |  2 +-
>  PVE/CLI/pvesm.pm            | 12 ++++++++++--
>  PVE/Storage/CephFSPlugin.pm | 20 ++++++++++++++------
>  PVE/Storage/RBDPlugin.pm    | 24 ++++++++++++++++++------
>  4 files changed, 43 insertions(+), 15 deletions(-)
> 

> diff --git a/PVE/Storage/CephFSPlugin.pm b/PVE/Storage/CephFSPlugin.pm
> index 2aaa450..ae02cb8 100644
> --- a/PVE/Storage/CephFSPlugin.pm
> +++ b/PVE/Storage/CephFSPlugin.pm

> @@ -163,20 +164,27 @@ sub check_config {
>  sub on_add_hook {
>      my ($class, $storeid, $scfg, %param) = @_;
>  
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> +    my $secret = $param{keyring} if defined $param{keyring} // undef;
> +    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
>  
> -    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
> +    return;
> +}
> +
> +sub on_update_hook {
> +    my ($class, $storeid, $scfg, %param) = @_;
> +
> +    if (defined($param{keyring})) {
> +	PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
> +    } else {
> +	PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> +    }
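Review bot: `my $secret = $param{keyring} if defined $param{keyring} // undef;` in on_add_hook should be simplified to `my $secret = $param{keyring};`: a `my` declaration under a statement-modifier `if` has undefined behaviour per perlsyn, and `defined $param{keyring} // undef` parses as `(defined $param{keyring}) // undef`, so the `// undef` never takes effect, while a missing hash key already yields undef. Removing the `return if defined($scfg->{monhost})` guard also means ceph_create_keyfile is now reached for external clusters with an undef secret whenever no keyring is passed; please confirm that the function handles that case as intended rather than failing or touching a key that was placed manually.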

this is dangerous, you will always delete the key on any update that did not
provide a new one.

Please look in other plugins about how one must handle this, e.g., PBS

if (exists($param{password})) {
    if (defined($param{password})) {
        pbs_set_password($scfg, $storeid, $param{password});
    } else {
        pbs_delete_password($scfg, $storeid);
    }
}

iow, first check if the param is set and only then you can deduce that undefined
means "must be deleted".


> @@ -327,20 +332,27 @@ sub options {
>  sub on_add_hook {
>      my ($class, $storeid, $scfg, %param) = @_;
>  
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> +    my $secret = $param{keyring} if defined $param{keyring} // undef;
> +    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
> +
> +    return;
> +}
> +
> +sub on_update_hook {
> +    my ($class, $storeid, $scfg, %param) = @_;
>  
> -    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
> +    if (defined($param{keyring})) {
> +	PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
> +    } else {
> +	PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> +    }
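Review bot: the RBD on_update_hook dispatches on `defined($param{keyring})` alone, so an update that does not mention the keyring at all lands in the ceph_remove_keyfile branch; wrap the block in `if (exists($param{keyring})) { ... }` first, as the PBS plugin does, and only then treat undef as "delete". The on_add_hook line `my $secret = $param{keyring} if defined $param{keyring} // undef;` has the same issues as in the CephFS hunk (`my` with a statement modifier is undefined behaviour, `// undef` is redundant) and reduces to `my $secret = $param{keyring};`.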

same here.
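The three cases the review distinguishes (keyring parameter absent, passed as undef, passed with a value), run through both the submitted `defined`-only hook and the `exists`-then-`defined` pattern from the PBS plugin, as an added example that is not part of the patch or this thread; the keyfile functions are constructed stand-ins for PVE::CephConfig, and the storage id and secret are made up.

```perl
use strict;
use warnings;

# Constructed stand-ins for PVE::CephConfig::ceph_create_keyfile and
# ceph_remove_keyfile: they only record what an update would have done.
my @actions;
sub fake_create_keyfile { my ($type, $storeid, $secret) = @_; push @actions, "create key for $storeid"; }
sub fake_remove_keyfile { my ($type, $storeid) = @_; push @actions, "remove key for $storeid"; }

# The hook as submitted: 'defined' alone cannot distinguish "parameter not
# passed at all" from "parameter passed as undef", so both hit the remove branch.
sub update_hook_defined_only {
    my ($storeid, $scfg, %param) = @_;
    if (defined($param{keyring})) {
        fake_create_keyfile($scfg->{type}, $storeid, $param{keyring});
    } else {
        fake_remove_keyfile($scfg->{type}, $storeid);
    }
}

# The PBS-plugin pattern quoted in the review: test 'exists' first, so an
# update that never mentions the keyring leaves the stored key untouched.
sub update_hook_exists_then_defined {
    my ($storeid, $scfg, %param) = @_;
    if (exists($param{keyring})) {
        if (defined($param{keyring})) {
            fake_create_keyfile($scfg->{type}, $storeid, $param{keyring});
        } else {
            fake_remove_keyfile($scfg->{type}, $storeid);
        }
    }
}

my $scfg = { type => 'rbd' };    # constructed storage config
my @cases = (
    [ 'unrelated update, no keyring param' => [] ],
    [ 'keyring => undef (explicit delete)'  => [ keyring => undef ] ],
    [ 'new keyring supplied'                => [ keyring => 'constructed-secret' ] ],
);
my @impls = ([ 'defined only' => \&update_hook_defined_only ],
             [ 'exists, then defined' => \&update_hook_exists_then_defined ]);

for my $case (@cases) {
    for my $impl (@impls) {
        @actions = ();
        $impl->[1]->('ext-ceph', $scfg, @{ $case->[1] });
        printf "%-36s | %-20s -> %s\n", $case->[0], $impl->[0], @actions ? join(', ', @actions) : 'no change';
    }
}
```

Only the first case differs between the two hooks: the `defined`-only version removes the key on an update that never mentioned it, which is the behaviour objected to above.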
