rbd-mirror should use per-host user id keyring

The rbd-mirror daemon will be HA under luminous and new daemon health
features require a way to uniquely identify rbd-mirror instances.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

roles/ceph-rbd-mirror/defaults/main.yml

@@ -3,24 +3,17 @@
 # SETUP #
 #########
 
+fetch_directory: fetch/
 
-# NOTE (leseb): the rbd-mirror daemon needs a user to start
+# Even though rbd-mirror nodes should not have the admin key
-# because it has to authenticate with the local cluster.
+# at their disposal, some people might want to have it
-# By default, using the admin user is fine, so you should not
+# distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
-# need to change 'ceph_rbd_mirror_local_user' unless you have
+# will copy the admin key to the /etc/ceph/ directory. Only
-# a dedicated key available in /etc/ceph/.
+# valid for Luminous and later releases.
-# Generally Ansible will use the admin key and put it
+copy_admin_key: false
-# under /etc/ceph/. The same goes for 'ceph_rbd_mirror_remote_user'
-# there should not be any reason to change it.
-ceph_rbd_mirror_local_user: admin
-ceph_rbd_mirror_remote_user: admin
-
-# NOTE (leseb): the following variable needs the name of the remote cluster.
-# The name of this cluster must be different than your local cluster simply
-# because we need to have both keys and ceph.conf inside /etc/ceph.
-# Thus if cluster names are identical we can not have them under /etc/ceph
-ceph_rbd_mirror_remote_cluster: ""
 
+# NOTE: deprecated generic local user id for pre-Luminous releases
+ceph_rbd_mirror_local_user: "admin"
 
 #################
 # CONFIGURATION #
@@ -29,6 +22,16 @@ ceph_rbd_mirror_remote_cluster: ""
 ceph_rbd_mirror_configure: false
 ceph_rbd_mirror_pool: ""
 
+# NOTE (leseb): the following variable needs the name of the remote cluster.
+# The name of this cluster must be different than your local cluster simply
+# because we need to have both keys and ceph.conf inside /etc/ceph.
+# Thus if cluster names are identical we can not have them under /etc/ceph
+ceph_rbd_mirror_remote_cluster: ""
+
+# NOTE: the rbd-mirror daemon needs a user to authenticate with the
+# remote cluster. By default, this key should be available under
+# /etc/ceph/<remote_cluster>.client.<remote_user>.keyring
+ceph_rbd_mirror_remote_user: ""
 
 ##########
 # DOCKER #

roles/ceph-rbd-mirror/tasks/pre_requisite.yml

@@ -15,4 +15,37 @@
     owner: "ceph"
     group: "ceph"
     mode: "0600"
-  when: cephx
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous or copy_admin_key
+
+- name: copy rbd-mirror bootstrap key
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
+    dest: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: create rbd-mirror keyring
+  command: ceph --cluster {{ cluster }} --name client.bootstrap-rbd --keyring /var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring auth get-or-create client.rbd-mirror.{{ ansible_hostname }} mon 'profile rbd' osd 'profile rbd' -o /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
+  args:
+    creates: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}/keyring
+  changed_when: false
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: set rbd-mirror key permissions
+  file:
+    path: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+

roles/ceph-rbd-mirror/tasks/start_rbd_mirror.yml

@@ -23,3 +23,20 @@
     state: started
     enabled: yes
   changed_when: false
+  when: ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous
+
+- name: stop and remove the generic rbd-mirror service instance
+  service:
+    name: "ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}"
+    state: stopped
+    enabled: no
+  changed_when: false
+  when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: start and add the rbd-mirror service instance
+  service:
+    name: "ceph-rbd-mirror@rbd-mirror.{{ ansible_hostname }}"
+    state: started
+    enabled: yes
+  changed_when: false
+  when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous