rbd-mirror should use per-host user id keyring

The rbd-mirror daemon will be HA under luminous and new daemon health
features require a way to uniquely identify rbd-mirror instances.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
pull/1625/head
Jason Dillaman 2017-06-23 14:54:50 -04:00
parent 70c2b934ca
commit b70d54ac80
3 changed files with 73 additions and 20 deletions


@ -3,24 +3,17 @@
# SETUP #
#########
fetch_directory: fetch/
# NOTE (leseb): the rbd-mirror daemon needs a user to start
# because it has to authenticate with the local cluster.
# By default, using the admin user is fine, so you should not
# need to change 'ceph_rbd_mirror_local_user' unless you have
# a dedicated key available in /etc/ceph/.
# Generally Ansible will use the admin key and put it
# under /etc/ceph/. The same goes for 'ceph_rbd_mirror_remote_user'
# there should not be any reason to change it.
ceph_rbd_mirror_local_user: admin
ceph_rbd_mirror_remote_user: admin
# NOTE (leseb): the following variable needs the name of the remote cluster.
# The name of this cluster must be different than your local cluster simply
# because we need to have both keys and ceph.conf inside /etc/ceph.
# Thus if cluster names are identical we can not have them under /etc/ceph
ceph_rbd_mirror_remote_cluster: ""
# Even though rbd-mirror nodes should not have the admin key
# at their disposal, some people might want to have it
# distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
# will copy the admin key to the /etc/ceph/ directory. Only
# valid for Luminous and later releases.
copy_admin_key: false
# NOTE: deprecated generic local user id for pre-Luminous releases
ceph_rbd_mirror_local_user: "admin"
#################
# CONFIGURATION #
@ -29,6 +22,16 @@ ceph_rbd_mirror_remote_cluster: ""
ceph_rbd_mirror_configure: false
ceph_rbd_mirror_pool: ""
# NOTE (leseb): the following variable needs the name of the remote cluster.
# The name of this cluster must be different than your local cluster simply
# because we need to have both keys and ceph.conf inside /etc/ceph.
# Thus if cluster names are identical we can not have them under /etc/ceph
ceph_rbd_mirror_remote_cluster: ""
# NOTE: the rbd-mirror daemon needs a user to authenticate with the
# remote cluster. By default, this key should be available under
# /etc/ceph/<remote_cluster>.client.<remote_user>.keyring
ceph_rbd_mirror_remote_user: ""
##########
# DOCKER #
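Review bot: The new default `ceph_rbd_mirror_remote_user: ""` has no comment saying it must be set, and nothing in the visible hunks checks it, so with `ceph_rbd_mirror_configure: true` and the default left in place the documented keyring path would presumably resolve to `<remote_cluster>.client..keyring`. The tasks that consume the variable are outside this section, so whether they fail cleanly on an empty value cannot be confirmed here. I would extend the NOTE above the variable with `# Required when ceph_rbd_mirror_configure is true; use a dedicated rbd-mirror user on the remote cluster rather than admin.` so the move away from the old `admin` default is explicit.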


@ -15,4 +15,37 @@
owner: "ceph"
group: "ceph"
mode: "0600"
when: cephx
when:
- cephx
- ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous or copy_admin_key
- name: copy rbd-mirror bootstrap key
copy:
src: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
dest: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
owner: "ceph"
group: "ceph"
mode: "0600"
when:
- cephx
- ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
- name: create rbd-mirror keyring
command: ceph --cluster {{ cluster }} --name client.bootstrap-rbd --keyring /var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring auth get-or-create client.rbd-mirror.{{ ansible_hostname }} mon 'profile rbd' osd 'profile rbd' -o /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
args:
creates: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}/keyring
changed_when: false
when:
- cephx
- ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
- name: set rbd-mirror key permissions
file:
path: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
owner: "ceph"
group: "ceph"
mode: "0600"
when:
- cephx
- ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
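Review bot: The `creates:` path on the "create rbd-mirror keyring" task ends in `/keyring`, while the command writes its output to `...{{ ansible_hostname }}.keyring` via `-o`, so the guard never matches and `auth get-or-create` runs again on every play; `changed_when: false` keeps that out of the recap. It should read `creates: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring`. Separately, the keyring file is created by the command and only set to `0600` and `ceph:ceph` by the following task, so its mode in between depends on the umask the command runs under. It is worth confirming that the per-host key is never briefly readable by other local users.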


@ -23,3 +23,20 @@
state: started
enabled: yes
changed_when: false
when: ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous
- name: stop and remove the generic rbd-mirror service instance
service:
name: "ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}"
state: stopped
enabled: no
changed_when: false
when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
- name: start and add the rbd-mirror service instance
service:
name: "ceph-rbd-mirror@rbd-mirror.{{ ansible_hostname }}"
state: started
enabled: yes
changed_when: false
when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
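Review bot: The "stop and remove the generic rbd-mirror service instance" task retires the `ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}` unit, but nothing in the visible hunks removes the admin keyring that earlier runs copied into /etc/ceph. A host upgraded to Luminous therefore presumably keeps the admin key even with `copy_admin_key: false`, which undercuts the per-host `profile rbd` key this commit introduces. A cleanup task beside this one, sketched below, would close that gap. The destination of the admin key copy is outside the hunk, so the path is a placeholder, and hosts that share other Ceph roles may still need the key. `changed_when: false` on both new service tasks also hides the stop and start from the play recap.

```yaml
# … unchanged: stop and remove the generic rbd-mirror service instance …
- name: remove the admin keyring left by earlier runs
  file:
    path: "<ADMIN_KEYRING_DEST>"  # placeholder: dest of the admin key copy task
    state: absent
  when:
    - cephx
    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
    - not copy_admin_key
```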