From 3397668d10aac69e016e7c6bd72d16c625e1e0d1 Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang
Date: Fri, 30 Mar 2018 10:49:12 +0800
Subject: [PATCH] Migrate ceph keyring creation to kolla_ceph_keyring module
In this way, keyring caps is updatable.
Change-Id: Idf7f222645b5073e2c72d59eecf3d47b3f1dc6ba
---
ansible/roles/ceph/defaults/main.yml | 10 ++++++++++
ansible/roles/ceph/tasks/start_mdss.yml | 9 ++++++---
ansible/roles/ceph/tasks/start_mgrs.yml | 9 ++++++---
ansible/roles/cinder/defaults/main.yml | 18 ++++++++++++++++++
ansible/roles/cinder/tasks/ceph.yml | 22 ++++++++++++----------
ansible/roles/glance/defaults/main.yml | 7 +++++++
ansible/roles/glance/tasks/ceph.yml | 10 ++++++----
ansible/roles/gnocchi/defaults/main.yml | 7 +++++++
ansible/roles/gnocchi/tasks/ceph.yml | 10 ++++++----
ansible/roles/manila/defaults/main.yml | 15 +++++++++++++++
ansible/roles/manila/tasks/ceph.yml | 9 ++++++---
ansible/roles/nova/defaults/main.yml | 11 +++++++++++
ansible/roles/nova/tasks/ceph.yml | 22 ++++++++--------------
13 files changed, 118 insertions(+), 41 deletions(-)
diff --git a/ansible/roles/ceph/defaults/main.yml b/ansible/roles/ceph/defaults/main.yml
index 6c312da401..950a8a7b18 100644
--- a/ansible/roles/ceph/defaults/main.yml
+++ b/ansible/roles/ceph/defaults/main.yml
@@ -46,6 +46,16 @@ ceph_client_admin_keyring_caps: osd: "allow *" mgr: "allow *" +ceph_client_mgr_keyring_caps: + mon: 'allow profile mgr' + osd: 'allow *' + mds: 'allow *' + +ceph_client_mds_keyring_caps: + mds: 'allow ' + osd: 'allow *' + mon: 'allow rwx' + partition_name_osd_bootstrap: "{{ 'KOLLA_CEPH_OSD_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_BOOTSTRAP' }}" partition_name_cache_bootstrap: "{{ 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP' }}" partition_name_osd_data: "{{ 'KOLLA_CEPH_BSDATA' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_DATA' }}"
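Review bot: In ceph/defaults/main.yml the new `ceph_client_mds_keyring_caps` carries `mds: 'allow '` with a trailing space inside the quotes, which reads like a typo and will be silently "fixed" by the next editor or linter; it appears to be copied verbatim from the removed `ceph auth get-or-create ... mds 'allow '` command, so either confirm that plain `'allow'` is accepted by the Ceph releases kolla targets or keep the space and document it with a comment such as `# trailing space in 'allow ' is deliberate — carried over from the original get-or-create command; confirm before stripping`. The two new mappings also use single quotes while the adjacent `ceph_client_admin_keyring_caps` uses double quotes, so `mon: "allow profile mgr"` and friends would keep the file consistent. Since these defaults are now operator-overridable and, per the commit message, the module pushes cap changes to existing entities, a short header comment saying that editing them re-caps the live mds/mgr keys on the next deploy would be useful.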
diff --git a/ansible/roles/ceph/tasks/start_mdss.yml b/ansible/roles/ceph/tasks/start_mdss.yml
index f09481130d..1d03ffc38b 100644
--- a/ansible/roles/ceph/tasks/start_mdss.yml
+++ b/ansible/roles/ceph/tasks/start_mdss.yml
@@ -20,17 +20,20 @@ pool_pgp_num: "{{ cephfs_metadata_pool_pgp_num }}" - name: Geting ceph mds keyring - command: docker exec ceph_mon ceph auth get-or-create mds.{{ hostvars[item]['inventory_hostname'] }} mds 'allow ' osd 'allow *' mon 'allow rwx' + kolla_ceph_keyring: + name: "mds.{{ hostvars[item]['inventory_hostname'] }}" + caps: "{{ ceph_client_mds_keyring_caps }}" register: ceph_mds_auth run_once: true delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: false with_items: "{{ groups['ceph-mds'] }}" - name: Pushing ceph mds keyring to ceph-mds become: true copy: - content: "{{ item.stdout }}\n" + content: | + [mds.{{ item.item }}] + key = {{ item.keyring.key }} dest: "{{ node_config_directory }}/ceph-mds/ceph.mds.{{ inventory_hostname }}.keyring" mode: 0600 when:
diff --git a/ansible/roles/ceph/tasks/start_mgrs.yml b/ansible/roles/ceph/tasks/start_mgrs.yml
index 1e566f04fc..d4f1af1ac6 100644
--- a/ansible/roles/ceph/tasks/start_mgrs.yml
+++ b/ansible/roles/ceph/tasks/start_mgrs.yml
@@ -1,16 +1,19 @@ --- - name: Getting ceph mgr keyring - command: docker exec ceph_mon ceph auth get-or-create mgr.{{ item }} mon 'allow profile mgr' osd 'allow *' mds 'allow *' + kolla_ceph_keyring: + name: "mgr.{{ item }}" + caps: "{{ ceph_client_mgr_keyring_caps }}" register: ceph_mgr_keyring run_once: true delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: false with_items: "{{ groups['ceph-mgr'] }}" - name: Pushing ceph mgr keyring to ceph-mgr become: true copy: - content: "{{ item.stdout }}\n" + content: | + [mgr.{{ item.item }}] + key = {{ item.keyring.key }} dest: "{{ node_config_directory }}/ceph-mgr/ceph.mgr.{{ inventory_hostname }}.keyring" mode: 0600 when:
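Review bot: The registered result of the new `kolla_ceph_keyring` task in start_mdss.yml (`ceph_mds_auth`, looped over `groups['ceph-mds']`) now holds every mds secret in `keyring.key`, and a registered loop result is printed in full at `-v` and whenever someone `debug`s the variable, so the task should carry `no_log: true`; the same applies to the mgr task in start_mgrs.yml in this hunk and to the client keyring tasks in cinder, glance, gnocchi, manila and nova `tasks/ceph.yml`. The previous `command` task exposed the same material through `stdout`, so this is not a regression, but the migration is the natural point to close it. The push tasks that template `[mds.{{ item.item }}]` / `key = {{ item.keyring.key }}` via `copy: content:` will also echo the key when the play runs with `--diff`, so `no_log: true` belongs there too; their `with_items` loop over the registered results lies outside this hunk.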
diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index ce3bb926db..9725988db2 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -77,6 +77,24 @@ cinder_backup_cache_mode: "{{ ceph_cinder_backup_cache_mode }}" cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}" cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}" +ceph_client_cinder_keyring_caps: + mon: 'allow r' + osd: >- + allow class-read object_prefix rbd_children, + allow rwx pool={{ ceph_cinder_pool_name }}, + allow rwx pool={{ ceph_cinder_pool_name }}-cache, + allow rwx pool={{ ceph_nova_pool_name }}, + allow rwx pool={{ ceph_nova_pool_name }}-cache, + allow rx pool={{ ceph_glance_pool_name }}, + allow rx pool={{ ceph_glance_pool_name }}-cache + +ceph_client_cinder_backup_keyring_caps: + mon: 'allow r' + osd: >- + allow class-read object_prefix rbd_children, + allow rwx pool={{ ceph_cinder_backup_pool_name }}, + allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache + #################### # Database
diff --git a/ansible/roles/cinder/tasks/ceph.yml b/ansible/roles/cinder/tasks/ceph.yml
index 3303786d3c..71599a62b6 100644
--- a/ansible/roles/cinder/tasks/ceph.yml
+++ b/ansible/roles/cinder/tasks/ceph.yml
@@ -54,32 +54,34 @@ pool_pgp_num: "{{ cinder_backup_pool_pgp_num }}" pool_application: "rbd" -# TODO(SamYaple): Improve changed_when tests - name: Pulling cephx keyring for cinder - command: docker exec ceph_mon ceph auth get-or-create client.cinder mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rx pool={{ ceph_glance_pool_name }}, allow rx pool={{ ceph_glance_pool_name }}-cache' + kolla_ceph_keyring: + name: client.cinder + caps: "{{ ceph_client_cinder_keyring_caps }}" register: cephx_key_cinder delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True -# TODO(SamYaple): Improve changed_when tests - name: Pulling cephx keyring for cinder-backup - command: docker exec ceph_mon ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_backup_pool_name }}, allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache' + kolla_ceph_keyring: + name: client.cinder-backup + caps: "{{ ceph_client_cinder_backup_keyring_caps }}" register: cephx_key_cinder_backup delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True - name: Pushing cephx keyring copy: - content: "{{ item.content }}\n\r" + content: | + [client.{{ item.key_name }}] + key = {{ item.key }} dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring" mode: "0600" become: true with_items: - - { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" } - - { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" } - - { service_name: "cinder-backup", key_name: "cinder-backup", content: "{{ cephx_key_cinder_backup.stdout }}" } + - { service_name: "cinder-volume", key_name: "cinder", 
key: "{{ cephx_key_cinder.keyring.key }}" } + - { service_name: "cinder-backup", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" } + - { service_name: "cinder-backup", key_name: "cinder-backup", key: "{{ cephx_key_cinder_backup.keyring.key }}" } when: - inventory_hostname in groups[item.service_name] - cinder_services[item.service_name].enabled | bool
diff --git a/ansible/roles/glance/defaults/main.yml b/ansible/roles/glance/defaults/main.yml
index 662c41eff6..3559d77ab6 100644
--- a/ansible/roles/glance/defaults/main.yml
+++ b/ansible/roles/glance/defaults/main.yml
@@ -47,6 +47,13 @@ glance_cache_mode: "{{ ceph_glance_cache_mode }}" glance_pool_pg_num: "{{ ceph_pool_pg_num }}" glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}" +ceph_client_glance_keyring_caps: + mon: 'allow r' + osd: >- + allow class-read object_prefix rbd_children, + allow rwx pool={{ ceph_glance_pool_name }}, + allow rwx pool={{ ceph_glance_pool_name }}-cache + #################### # Database
diff --git a/ansible/roles/glance/tasks/ceph.yml b/ansible/roles/glance/tasks/ceph.yml
index b8c246e265..0055f19425 100644
--- a/ansible/roles/glance/tasks/ceph.yml
+++ b/ansible/roles/glance/tasks/ceph.yml
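Review bot: The `with_items` dicts for "Pushing cephx keyring" in cinder/tasks/ceph.yml now carry the raw secret in `key:`, and Ansible prints the whole loop item in the per-item result line of normal, non-verbose output, so every run writes the cinder and cinder-backup keys to the console and to any CI log that captures it. Add `no_log: true` to the task, or keep the output readable while hiding the item with `loop_control:` followed by `  label: "{{ item.service_name }}/{{ item.key_name }}"`. The old `content: "{{ cephx_key_cinder.stdout }}"` items had the same exposure, so this is carried over rather than introduced, but the same fix applies to the libvirt-secret loop in nova/tasks/ceph.yml whose items now hold `content: "{{ nova_cephx_key.keyring.key }}"`. This task begins on the previous source line; the new literal block also drops the stray `\n\r` terminator the old content had.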
@@ -25,17 +25,19 @@ pool_pgp_num: "{{ glance_pool_pgp_num }}" pool_application: "rbd" -# TODO(SamYaple): Improve changed_when tests - name: Pulling cephx keyring - command: docker exec ceph_mon ceph auth get-or-create client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache' + kolla_ceph_keyring: + name: client.glance + caps: "{{ ceph_client_glance_keyring_caps }}" register: cephx_key delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True - name: Pushing cephx keyring copy: - content: "{{ cephx_key.stdout }}\n\r" + content: | + [client.glance] + key = {{ cephx_key.keyring.key }} dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring" mode: "0600" when: inventory_hostname in groups['glance-api']
diff --git a/ansible/roles/gnocchi/defaults/main.yml b/ansible/roles/gnocchi/defaults/main.yml
index 613b91881a..a902032ee9 100644
--- a/ansible/roles/gnocchi/defaults/main.yml
+++ b/ansible/roles/gnocchi/defaults/main.yml
@@ -48,6 +48,13 @@ gnocchi_cache_mode: "{{ ceph_gnocchi_cache_mode }}" gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}" gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}" +ceph_client_gnocchi_keyring_caps: + mon: 'allow r' + osd: >- + allow class-read object_prefix rbd_children, + allow rwx pool={{ ceph_gnocchi_pool_name }}, + allow rwx pool={{ ceph_gnocchi_pool_name }}-cache + #################### # Database
diff --git a/ansible/roles/gnocchi/tasks/ceph.yml b/ansible/roles/gnocchi/tasks/ceph.yml
index 60fa152cf3..e39537b3ae 100644
--- a/ansible/roles/gnocchi/tasks/ceph.yml
+++ b/ansible/roles/gnocchi/tasks/ceph.yml
@@ -31,17 +31,19 @@ pool_pgp_num: "{{ gnocchi_pool_pgp_num }}" pool_application: "rgw" -# TODO(SamYaple): Improve changed_when tests - name: Pulling cephx keyring - command: docker exec ceph_mon ceph auth get-or-create client.gnocchi mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_gnocchi_pool_name }}, allow rwx pool={{ ceph_gnocchi_pool_name }}-cache' + kolla_ceph_keyring: + name: client.gnocchi + caps: "{{ ceph_client_gnocchi_keyring_caps }}" register: cephx_key delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True - name: Pushing cephx keyring copy: - content: "{{ cephx_key.stdout }}\n\r" + content: | + [client.gnocchi] + key = {{ cephx_key.keyring.key }} dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring" mode: "0600" when: inventory_hostname in groups[item]
diff --git a/ansible/roles/manila/defaults/main.yml b/ansible/roles/manila/defaults/main.yml
index 0d4a5d876e..c65f3b7aec 100644
--- a/ansible/roles/manila/defaults/main.yml
+++ b/ansible/roles/manila/defaults/main.yml
@@ -44,6 +44,21 @@ manila_services: - "kolla_logs:/var/log/kolla/" +##################### +## Ceph +##################### + +ceph_client_manila_keyring_caps: + mon: >- + allow r, + allow command "auth del", + allow command "auth caps", + allow command "auth get", + allow command "auth get-or-create" + osd: 'allow rw' + mds: 'allow *' + + ##################### ## Database #####################
diff --git a/ansible/roles/manila/tasks/ceph.yml b/ansible/roles/manila/tasks/ceph.yml
index 497dff917e..e0a3fe51f1 100644
--- a/ansible/roles/manila/tasks/ceph.yml
+++ b/ansible/roles/manila/tasks/ceph.yml
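Review bot: `ceph_client_manila_keyring_caps` in manila/defaults/main.yml grants the manila client `allow command "auth del"`, `"auth caps"`, `"auth get"` and `"auth get-or-create"` on the mon — the right to create, read, re-cap and delete other cephx identities — plus `mds: 'allow *'`, which is far wider than every other client cap in this patch, and there is no comment explaining why; now that it lives in a defaults file it will be read as a template for new roles and as a safe value to tune. Add a comment above the mapping along the lines of `# NOTE: the mon "auth ..." commands and mds 'allow *' appear to be needed by the manila CephFS native driver, which manages a cephx identity per share — confirm against the driver docs before widening or narrowing`. The caps themselves are unchanged from the removed command, so this is documentation only.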
@@ -15,15 +15,18 @@ become: true - name: Pulling cephx keyring for manila - command: docker exec ceph_mon ceph auth get-or-create client.manila mon 'allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"' osd 'allow rw' mds 'allow *' + kolla_ceph_keyring: + name: client.manila + caps: "{{ ceph_client_manila_keyring_caps }}" register: cephx_key_manila delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True - name: Pushing cephx keyring copy: - content: "{{ cephx_key_manila.stdout }}\n\r" + content: | + [client.manila] + key = {{ cephx_key_manila.keyring.key }} dest: "{{ node_config_directory }}/manila-share/ceph.client.manila.keyring" mode: "0600" become: true
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index 4bdd3fe0d9..8a22cbffdf 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -154,6 +154,17 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}" # qemu (1, 6, 0) or later. Set to "" to disable. nova_hw_disk_discard: "unmap" +ceph_client_nova_keyring_caps: + mon: 'allow r' + osd: >- + allow class-read object_prefix rbd_children, + allow rwx pool={{ ceph_cinder_pool_name }}, + allow rwx pool={{ ceph_cinder_pool_name }}-cache, + allow rwx pool={{ ceph_nova_pool_name }}, + allow rwx pool={{ ceph_nova_pool_name }}-cache, + allow rwx pool={{ ceph_glance_pool_name }}, + allow rwx pool={{ ceph_glance_pool_name }}-cache + #################### # Database
diff --git a/ansible/roles/nova/tasks/ceph.yml b/ansible/roles/nova/tasks/ceph.yml
index 1500f5fbde..625bc0c288 100644
--- a/ansible/roles/nova/tasks/ceph.yml
+++ b/ansible/roles/nova/tasks/ceph.yml
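Review bot: `ceph_client_nova_keyring_caps` in nova/defaults/main.yml gives client.nova `allow rwx` on `{{ ceph_glance_pool_name }}` and its `-cache` pool, whereas `ceph_client_cinder_keyring_caps` in the same patch limits cinder to `allow rx` on the glance pool, and nothing records why the two differ. If nova only needs to read and clone images, `allow rx pool={{ ceph_glance_pool_name }}` and `allow rx pool={{ ceph_glance_pool_name }}-cache` would follow least privilege and match cinder; if write access is required (the libvirt rbd driver's direct snapshot upload into the images pool is the likely reason, but I cannot confirm that from here), a one-line comment such as `# rwx on the glance pool: nova writes instance snapshots directly into it` would stop a later reviewer from "tightening" it. The caps are carried over unchanged from the removed command, so this is a documentation point, but now that the value is an overridable default it is the place such rationale belongs.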
@@ -33,20 +33,12 @@ pool_pgp_num: "{{ nova_pool_pgp_num }}" pool_application: "rbd" -# TODO(SamYaple): Improve changed_when tests - name: Pulling cephx keyring for nova - command: docker exec ceph_mon ceph auth get-or-create client.nova mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache' - register: cephx_key + kolla_ceph_keyring: + name: client.nova + caps: "{{ ceph_client_nova_keyring_caps }}" + register: nova_cephx_key delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False - run_once: True - -# TODO(SamYaple): Improve failed_when and changed_when tests -- name: Pulling nova cephx keyring for libvirt - command: docker exec ceph_mon ceph auth get-key client.nova - register: nova_cephx_raw_key - delegate_to: "{{ groups['ceph-mon'][0] }}" - changed_when: False run_once: True - name: Pulling cinder cephx keyring for libvirt
@@ -61,7 +53,9 @@ - name: Pushing cephx keyring for nova copy: - content: "{{ cephx_key.stdout }}\n\r" + content: | + [client.nova] + key = {{ nova_cephx_key.keyring.key }} dest: "{{ node_config_directory }}/nova-compute/ceph.client.nova.keyring" mode: "0600" when: inventory_hostname in groups['compute']
@@ -92,7 +86,7 @@ - item.enabled | bool with_items: - uuid: "{{ rbd_secret_uuid }}" - content: "{{ nova_cephx_raw_key.stdout }}" + content: "{{ nova_cephx_key.keyring.key }}" enabled: true - uuid: "{{ cinder_rbd_secret_uuid }}" content: "{{ cinder_cephx_raw_key.stdout|default('') }}"
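Review bot: The first hunk of nova/tasks/ceph.yml renames the registered variable from `cephx_key` to `nova_cephx_key` and removes `nova_cephx_raw_key` entirely, but only the two uses shown in the later hunks are updated; any other reference to `cephx_key` or `nova_cephx_raw_key` in this file, or in a template or handler of the role that reads them, will become an undefined-variable failure at run time rather than at lint time, so please grep the role for both names before merging. In the libvirt-secret loop, `content: "{{ nova_cephx_key.keyring.key }}"` has no `|default('')` while the sibling cinder entry uses `cinder_cephx_raw_key.stdout|default('')`; if the nova pull task can be skipped on some hosts the same guard, or an explicit `when:`, is needed — the original line had the same gap, so this is inherited. The task containing the third hunk (`- item.enabled | bool` onward) starts outside the shown lines.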