ceph
/
ceph-ansible
mirror of https://github.com/ceph/ceph-ansible.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ceph-ansible/roles/ceph-mon/tasks/openstack_config.yml

77 lines
2.5 KiB
YAML
Raw Normal View History

Ability to populate OpenStack installation Creates pools, keys and users. Signed-off-by: Sébastien Han <sebastien.han@enovance.com>
2015-01-30 20:34:35 +08:00
---
mon: rework openstack keys creation We now allow a user to pass a key secret. Fixes: https://github.com/ceph/ceph-ansible/issues/1617 Signed-off-by: Sébastien Han <seb@redhat.com>
2017-06-23 18:35:39 +08:00
- name: create openstack pool(s)
mon: add support for pgp, pool type and rule name When creating pools, it's crucial to expose all the options available as part of the pool creation command. As explained in: http://docs.ceph.com/docs/jewel/rados/operations/pools/ Signed-off-by: Sébastien Han <seb@redhat.com>
2018-03-06 21:22:48 +08:00
command: >
mon: add support for erasure code pool You can now specify type: erasure and erasure_profile to use when declaring the pool dictionnary. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-03-06 21:26:53 +08:00
{{ docker_exec_cmd }} ceph --cluster {{ cluster }}
mon: add support for pgp, pool type and rule name When creating pools, it's crucial to expose all the options available as part of the pool creation command. As explained in: http://docs.ceph.com/docs/jewel/rados/operations/pools/ Signed-off-by: Sébastien Han <seb@redhat.com>
2018-03-06 21:22:48 +08:00
osd pool create {{ item.name }}
{{ item.pg_num }}
{{ item.pgp_num | default(item.pg_num) }}
mon: add support for erasure code pool You can now specify type: erasure and erasure_profile to use when declaring the pool dictionnary. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-03-06 21:26:53 +08:00
{{ item.rule_name | default("replicated_rule") }}
{{ item.type | default("replicated") }}
{%- if item.type | default("replicated") == 'erasure' and item.erasure_profile != '' %}
{{ item.erasure_profile }}
{%- endif %}
Refer to expected-num-ojects as expected_num_objects, not size Follow up patch to PR 2432 [1] which replaces "size" (sorry if the original bug used that term, which can be confusing) with expected_num_objects as is used in the Ceph documentation [2]. [1] https://github.com/ceph/ceph-ansible/pull/2432/files [2] http://docs.ceph.com/docs/jewel/rados/operations/pools
2018-03-26 04:36:27 +08:00
{{ item.expected_num_objects | default('') }}
add unique filter to openstack pool names could have scenario where different openstack components would use the same pool, but the logic would create the same pool more than once add unique filter to account for this
2017-01-24 03:53:43 +08:00
with_items: "{{ openstack_pools | unique }}"
Cosmetic Add more visibility for the 'when' statement. Signed-off-by: leseb <seb@redhat.com>
2015-06-26 06:26:03 +08:00
changed_when: false
Ability to populate OpenStack installation Creates pools, keys and users. Signed-off-by: Sébastien Han <sebastien.han@enovance.com>
2015-01-30 20:34:35 +08:00
Set application for OpenStack pools Since Luminous we need to set the application tag for each pool, otherwise a CEPH_WARNING is generated when the pools are in use. We should assign the OpenStack pools to their default which would be "rbd". When updating to Luminous this would happen automatically to the vms, images, backups and volumes pools, but for new deploys this is not the case.
2018-02-09 22:12:35 +08:00
- name: assign rbd application to pool(s)
command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} osd pool application enable {{ item.name }} rbd"
with_items: "{{ openstack_pools | unique }}"
changed_when: false
when:
- ceph_release_num[ceph_release] >= ceph_release_num['luminous']
ceph_key: use ceph_key in the playbook Replaced all the occurence of raw command using the 'command' module with the ceph_key module instead. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-04 22:22:36 +08:00
- name: create openstack cephx key(s)
ceph_key:
state: present
name: "{{ item.name }}"
caps: "{{ item.caps }}"
secret: "{{ item.key | default('') }}"
containerized: "{{ docker_exec_cmd | default(False) }}"
cluster: "{{ cluster }}"
Allow deployer to customize openstack pools By overriding the openstack_pools variable introduced by this commit, the deployer may choose not to create some of the openstack pools, or to add new pools which were not foreseen by ceph-ansible, e.g. for a gnocchi storage backend. For backwards compatibility, we keep the openstack_glance_pool, openstack_cinder_pool, openstack_nova_pool and openstack_cinder_backup_pool variables, although the user may now choose to specify the pools directly as dictionary literals inside the openstack_pools list.
2016-09-21 20:21:41 +08:00
with_items: "{{ openstack_keys }}"
Fix openstack config skipping Previously, creating pools was skipped if cephx was disabled; instead, we should only skip key creation if cephx is disabled, and create pools any time openstack_config is true.
2016-02-27 05:39:27 +08:00
when: cephx
mon: rework openstack keys creation We now allow a user to pass a key secret. Fixes: https://github.com/ceph/ceph-ansible/issues/1617 Signed-off-by: Sébastien Han <seb@redhat.com>
2017-06-23 18:35:39 +08:00
ceph_key: use ceph_key in the playbook Replaced all the occurence of raw command using the 'command' module with the ceph_key module instead. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-04 22:22:36 +08:00
- name: fetch openstack cephx key(s)
Mon: Copy openstack keyring files on all mons Copies all created openstack keys on all mons. Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
2017-07-19 05:11:55 +08:00
fetch:
src: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
dest: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
flat: yes
with_items: "{{ openstack_keys }}"
ceph_key: use ceph_key in the playbook Replaced all the occurence of raw command using the 'command' module with the ceph_key module instead. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-04 22:22:36 +08:00
- name: copy to other mons the openstack cephx key(s)
Mon: Copy openstack keyring files on all mons Copies all created openstack keys on all mons. Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
2017-07-19 05:11:55 +08:00
copy:
src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
dest: "/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
with_nested:
- "{{ groups[mon_group_name] }}"
- "{{ openstack_keys }}"
delegate_to: "{{ item.0 }}"
when:
- cephx
- openstack_config
- item.0 != groups[mon_group_name] | last
Allow user to define ACLs for OpenStack keys The keys and openstack_keys structure now supports an optional key called acls whose value is a list of strings one could pass to setfacl. The ansible ACL module applies the ACLs to all openstack keys with this property. Fixes: #1688
2017-07-20 06:20:18 +08:00
ceph_key: use ceph_key in the playbook Replaced all the occurence of raw command using the 'command' module with the ceph_key module instead. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-04 22:22:36 +08:00
- name: chmod openstack cephx key(s) on the other mons and this mon
Make acls and mode parameters of opentack_keys optional Only chmod or setfacl the requested keyring(s) in the opentack_keys data structure when the mode or acls keys of that data structure exist. User may specify four permission combinations for the keyring file(s): 1. only set ACL, 2. only set mode, 3. set neither mode nor ACL, 4. set mode and then ACL. Fixes: #2092
2017-10-26 07:46:02 +08:00
file:
Set permissions and ACLs of OpenStack keys on all ceph-mons If ceph-ansible deploys a Ceph cluster with "openstack_config: true" and sets the openstack_keys map to have certain ACLs or permissions, the requested ACLs or permissions are only set on one of the monitor nodes [2] when they should be set on all of them. This patch solves [3] the above issue by having the chmod and setfacl tasks iterate the list of mon nodes (including the mon node that the task was delegated to) to apply the chmod of setfacl to the keys in openstack_keys. [1] ``` openstack_keys: - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", mode: "0600", acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"] } ``` [2] ``` $ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.26 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names 192.168.1.23 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names $ ``` [3] ``` (undercloud) [stack@hci-director ceph-ansible]$ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.25 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.27 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names (undercloud) [stack@hci-director ceph-ansible]$ ```
2017-11-07 06:24:48 +08:00
path: "/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
mode: "{{ item.1.mode|default(omit) }}" # if mode not in list, uses mode from ps umask
with_nested:
- "{{ groups[mon_group_name] }}"
- "{{ openstack_keys }}"
delegate_to: "{{ item.0 }}"
Make acls and mode parameters of opentack_keys optional Only chmod or setfacl the requested keyring(s) in the opentack_keys data structure when the mode or acls keys of that data structure exist. User may specify four permission combinations for the keyring file(s): 1. only set ACL, 2. only set mode, 3. set neither mode nor ACL, 4. set mode and then ACL. Fixes: #2092
2017-10-26 07:46:02 +08:00
when:
- openstack_config
- cephx
Set permissions and ACLs of OpenStack keys on all ceph-mons If ceph-ansible deploys a Ceph cluster with "openstack_config: true" and sets the openstack_keys map to have certain ACLs or permissions, the requested ACLs or permissions are only set on one of the monitor nodes [2] when they should be set on all of them. This patch solves [3] the above issue by having the chmod and setfacl tasks iterate the list of mon nodes (including the mon node that the task was delegated to) to apply the chmod of setfacl to the keys in openstack_keys. [1] ``` openstack_keys: - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", mode: "0600", acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"] } ``` [2] ``` $ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.26 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names 192.168.1.23 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names $ ``` [3] ``` (undercloud) [stack@hci-director ceph-ansible]$ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.25 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.27 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names (undercloud) [stack@hci-director ceph-ansible]$ ```
2017-11-07 06:24:48 +08:00
ceph_key: use ceph_key in the playbook Replaced all the occurence of raw command using the 'command' module with the ceph_key module instead. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-04 22:22:36 +08:00
- name: setfacl for openstack cephx key(s) on the other mons and this mon
Set permissions and ACLs of OpenStack keys on all ceph-mons If ceph-ansible deploys a Ceph cluster with "openstack_config: true" and sets the openstack_keys map to have certain ACLs or permissions, the requested ACLs or permissions are only set on one of the monitor nodes [2] when they should be set on all of them. This patch solves [3] the above issue by having the chmod and setfacl tasks iterate the list of mon nodes (including the mon node that the task was delegated to) to apply the chmod of setfacl to the keys in openstack_keys. [1] ``` openstack_keys: - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", mode: "0600", acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"] } ``` [2] ``` $ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.26 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names 192.168.1.23 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names $ ``` [3] ``` (undercloud) [stack@hci-director ceph-ansible]$ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.25 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.27 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names (undercloud) [stack@hci-director ceph-ansible]$ ```
2017-11-07 06:24:48 +08:00
command: "setfacl -m {{ item.1.acls | join(',') }} /etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
with_nested:
- "{{ groups[mon_group_name] }}"
Allow user to define ACLs for OpenStack keys The keys and openstack_keys structure now supports an optional key called acls whose value is a list of strings one could pass to setfacl. The ansible ACL module applies the ACLs to all openstack keys with this property. Fixes: #1688
2017-07-20 06:20:18 +08:00
- "{{ openstack_keys }}"
Set permissions and ACLs of OpenStack keys on all ceph-mons If ceph-ansible deploys a Ceph cluster with "openstack_config: true" and sets the openstack_keys map to have certain ACLs or permissions, the requested ACLs or permissions are only set on one of the monitor nodes [2] when they should be set on all of them. This patch solves [3] the above issue by having the chmod and setfacl tasks iterate the list of mon nodes (including the mon node that the task was delegated to) to apply the chmod of setfacl to the keys in openstack_keys. [1] ``` openstack_keys: - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", mode: "0600", acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"] } ``` [2] ``` $ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.26 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names 192.168.1.23 | SUCCESS | rc=0 >> -rw-r--r--. 1 root root 253 Nov 3 20:30 /etc/ceph/ceph.client.openstack.keyring user::rw- group::r-- other::r--getfacl: Removing leading '/' from absolute path names $ ``` [3] ``` (undercloud) [stack@hci-director ceph-ansible]$ ansible mons -m shell -b -a "ls -l /etc/ceph/ceph.client.openstack.keyring ; getfacl /etc/ceph/ceph.client.openstack.keyring" 192.168.1.25 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.29 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names 192.168.1.27 | SUCCESS | rc=0 >> -rw-r-----+ 1 root root 253 Nov 14 01:12 /etc/ceph/ceph.client.openstack.keyring user::rw- user:glance:r-- user:nova:r-- user:cinder:r-- user:gnocchi:r-- group::--- mask::r-- other::---getfacl: Removing leading '/' from absolute path names (undercloud) [stack@hci-director ceph-ansible]$ ```
2017-11-07 06:24:48 +08:00
delegate_to: "{{ item.0 }}"
Allow user to define ACLs for OpenStack keys The keys and openstack_keys structure now supports an optional key called acls whose value is a list of strings one could pass to setfacl. The ansible ACL module applies the ACLs to all openstack keys with this property. Fixes: #1688
2017-07-20 06:20:18 +08:00
when:
Make openstack_keys param support no acls list A recent change [1] required that the openstack_keys param always containe an acls list. However, it's possible it might not contain that list. Thus, this param sets a default for that list to be empty if it is not in the structure as defined by the user. [1] d65cbaa53952269ec9a2e76fca8203ce7ad22c2b
2017-11-17 00:29:59 +08:00
- item.1.get('acls', []) | length > 0
Allow user to define ACLs for OpenStack keys The keys and openstack_keys structure now supports an optional key called acls whose value is a list of strings one could pass to setfacl. The ansible ACL module applies the ACLs to all openstack keys with this property. Fixes: #1688
2017-07-20 06:20:18 +08:00
- openstack_config
- cephx