From e1d06f498cbd239dbe415ffa26824eaf9116161f Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux
Date: Mon, 23 Sep 2019 13:30:05 +0200
Subject: [PATCH] global: remove fetch_directory dependency
This commit drops the fetch_directory dependency.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1622688
Signed-off-by: Guillaume Abrioux
(cherry picked from commit ab370b6ad823e551cfc324fd9c264633a34b72b5)
---
 group_vars/iscsigws.yml.sample | 2 +
 group_vars/rbdmirrors.yml.sample | 2 -
 roles/ceph-iscsi-gw/defaults/main.yml | 2 +
 roles/ceph-iscsi-gw/tasks/common.yml | 25 +++--
 roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml | 102 +++++++++++-------
 roles/ceph-mds/tasks/common.yml | 25 +++--
 roles/ceph-mds/tasks/containerized.yml | 40 -------
 roles/ceph-mgr/tasks/common.yml | 43 ++++----
 roles/ceph-mon/tasks/ceph_keys.yml | 41 +++----
 .../tasks/pre_requisite_container.yml | 57 ++++------
 .../tasks/pre_requisite_non_container.yml | 31 ++++--
 roles/ceph-osd/tasks/common.yml | 27 +++--
 roles/ceph-osd/tasks/openstack_config.yml | 62 ++++++-----
 roles/ceph-rbd-mirror/defaults/main.yml | 2 -
 roles/ceph-rbd-mirror/tasks/common.yml | 28 +++--
 roles/ceph-rgw/tasks/common.yml | 27 +++--
 16 files changed, 263 insertions(+), 253 deletions(-)
diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample
index 3f2814d27..8fcfdfbb0 100644
--- a/group_vars/iscsigws.yml.sample
+++ b/group_vars/iscsigws.yml.sample
@@ -19,6 +19,8 @@ dummy:
 #iscsi_pool_name: rbd
 #iscsi_pool_size: "{{ osd_pool_default_size }}"
+#copy_admin_key: True
+
 ##################
 # RBD-TARGET-API #
 ##################
diff --git a/group_vars/rbdmirrors.yml.sample b/group_vars/rbdmirrors.yml.sample
index 862574b77..2c565fe01 100644
--- a/group_vars/rbdmirrors.yml.sample
+++ b/group_vars/rbdmirrors.yml.sample
@@ -11,8 +11,6 @@ dummy:
 # SETUP #
 #########
-#fetch_directory: fetch/
-
 # Even though rbd-mirror nodes should not have the admin key
 # at their disposal, some people might want to have it
 # distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml
index 3d5432483..50d8c9766 100644
--- a/roles/ceph-iscsi-gw/defaults/main.yml
+++ b/roles/ceph-iscsi-gw/defaults/main.yml
@@ -11,6 +11,8 @@ iscsi_conf_overrides: {}
 iscsi_pool_name: rbd
 iscsi_pool_size: "{{ osd_pool_default_size }}"
+copy_admin_key: True
+
 ##################
 # RBD-TARGET-API #
 ##################
diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml
index c21ccb66b..d792ed902 100644
--- a/roles/ceph-iscsi-gw/tasks/common.yml
+++ b/roles/ceph-iscsi-gw/tasks/common.yml
@@ -1,12 +1,25 @@
 ---
-- name: copy admin key
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _iscsi_keys
+ with_items:
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
- owner: "root"
- group: "root"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 mode: "{{ ceph_keyring_permissions }}"
- when: cephx | bool
+ with_items: "{{ _iscsi_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
 - name: deploy gateway settings, used by the ceph_iscsi_config modules
 config_template:
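Review bot: `copy_admin_key: True` in roles/ceph-iscsi-gw/defaults/main.yml should be spelled `copy_admin_key: true`; every other boolean this patch adds (`copy_key: true`) is lowercase, and `True` is a YAML 1.1 spelling that yamllint's truthy rule rejects. The default also means each iSCSI gateway receives the cluster admin keyring unless the operator opts out; that matches the unconditional copy this patch removes from tasks/common.yml, but a short comment stating it, like the one the rbd-mirror defaults carry above `copy_admin_key`, would make the choice visible to operators (group_vars/iscsigws.yml.sample mirrors the same value and would pick the comment up when regenerated).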
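Review bot: `get keys from monitors` registers the complete output of `ceph auth get` — the keyring including its secret — in `_iscsi_keys`, and `copy ceph key(s) if needed` then loops over those results, so any run with `-v` or a callback that prints results writes the key material to the Ansible log and stdout, which the removed `copy` with `src:` never did. Add `no_log: true` to both tasks. The same applies to the `get keys from monitors`/`copy ceph key(s) if needed` pairs in roles/ceph-mds/tasks/common.yml, roles/ceph-mgr/tasks/common.yml, both roles/ceph-nfs pre_requisite files, roles/ceph-osd/tasks/common.yml and openstack_config.yml, roles/ceph-rbd-mirror/tasks/common.yml and roles/ceph-rgw/tasks/common.yml, and to the `config get`/`config-key put` tasks in deploy_ssl_keys.yml, whose stdout and command line carry the gateway's TLS private key.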
diff --git a/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml b/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
index f4ebd1bc5..cd98ff13a 100644
--- a/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
+++ b/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml
@@ -1,4 +1,11 @@
 ---
+- name: create a temporary directory
+ tempfile:
+ state: directory
+ register: iscsi_ssl_tmp_dir
+ delegate_to: localhost
+ run_once: true
+
 - name: set_fact crt_files
 set_fact:
 crt_files:
@@ -7,54 +14,75 @@
 - "iscsi-gateway.pem"
 - "iscsi-gateway-pub.key"
-- name: stat for crt file(s)
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
+- name: check for existing crt file(s) in monitor key/value store
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config get iscsi/ssl/{{ item }}"
 with_items: "{{ crt_files }}"
 changed_when: false
 failed_when: false
- check_mode: no
+ run_once: true
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
 register: crt_files_exist
-- name: create ssl crt/key files
- command: >
- openssl req -newkey rsa:2048 -nodes -keyout {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key
- -x509 -days 365 -out {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
- -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
- delegate_to: localhost
- become: False
- run_once: True
- with_items: "{{ crt_files_exist.results }}"
- when: not item.stat.exists
+- name: set_fact crt_files_missing
+ set_fact:
+ crt_files_missing: "{{ crt_files_exist.results | selectattr('rc', 'equalto', 0) | map(attribute='rc') | list | length != crt_files | length }}"
-- name: create pem
- shell: >
- cat {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
- {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
- delegate_to: localhost
- become: False
- run_once: True
- register: pem
- with_items: "{{ crt_files_exist.results }}"
- when: not item.stat.exists
+- name: generate ssl crt/key files
+ block:
+ - name: create ssl crt/key files
+ command: >
+ openssl req -newkey rsa:2048 -nodes -keyout {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key
+ -x509 -days 365 -out {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
+ -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
+ delegate_to: localhost
+ run_once: True
+ with_items: "{{ crt_files_exist.results }}"
-- name: create public key from pem
- shell: >
- openssl x509 -inform pem -in {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
- -pubkey -noout > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway-pub.key
- delegate_to: localhost
- become: False
- run_once: True
- when: pem.changed
- tags: skip_ansible_lint
+ - name: create pem
+ shell: >
+ cat {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
+ {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
+ delegate_to: localhost
+ run_once: True
+ register: pem
+ with_items: "{{ crt_files_exist.results }}"
+
+ - name: create public key from pem
+ shell: >
+ openssl x509 -inform pem -in {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
+ -pubkey -noout > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway-pub.key
+ delegate_to: localhost
+ run_once: True
+ when: pem.changed
+ tags: skip_ansible_lint
+
+ - name: slurp ssl crt/key files
+ slurp:
+ src: "{{ iscsi_ssl_tmp_dir.path }}/{{ item }}"
+ register: iscsi_ssl_files_content
+ with_items: "{{ crt_files }}"
+ run_once: true
+ delegate_to: localhost
+
+ - name: store ssl crt/key files
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config-key put iscsi/ssl/{{ item.item }} {{ item.content }}"
+ run_once: true
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ with_items: "{{ iscsi_ssl_files_content.results }}"
+ when: crt_files_missing
 - name: copy crt file(s) to gateway nodes
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- dest: "/etc/ceph/{{ item }}"
+ content: "{{ item.stdout | b64decode }}"
+ dest: "/etc/ceph/{{ item.item }}"
 owner: root
 group: root
 mode: 0400
 changed_when: false
- with_items: "{{ crt_files }}"
+ with_items: "{{ crt_files_exist.results if not crt_files_missing else iscsi_ssl_files_content.results }}"
+ when: not crt_files_missing
+
+- name: clean temporary directory
+ file:
+ path: "{{ iscsi_ssl_tmp_dir.path }}"
+ state: absent
\ No newline at end of file
diff --git a/roles/ceph-mds/tasks/common.yml b/roles/ceph-mds/tasks/common.yml
index e32595d8d..af30d59b9 100644
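Review bot: `check for existing crt file(s) in monitor key/value store` runs `ceph config get iscsi/ssl/{{ item }}`, but the values are written with `config-key put`, which is a different store; unless `config get` accepts that key form, every check returns a non-zero rc, `crt_files_missing` is always true and a fresh certificate is generated on each run. Even in the freshly-generated case `copy crt file(s) to gateway nodes` is skipped by `when: not crt_files_missing`, and its `else` loop source consists of slurp results that expose `content` rather than the `stdout` the task reads, so on a first deployment the gateways never receive the certificate. `clean temporary directory` is neither delegated to localhost nor `run_once`, so it attempts the removal on each gateway while the directory holding `iscsi-gateway.key` remains on the controller. The `set_fact crt_files` task whose list items open this hunk starts before it.
```yaml
- name: check for existing crt file(s) in monitor key/value store
  command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config-key get iscsi/ssl/{{ item }}"
  # … unchanged: with_items/changed_when/failed_when/run_once/delegate_to/register …

# … unchanged: set_fact crt_files_missing, generate ssl crt/key files block …

- name: copy crt file(s) to gateway nodes
  copy:
    content: "{{ (item.content if crt_files_missing else item.stdout) | b64decode }}"
    dest: "/etc/ceph/{{ item.item }}"
    # … unchanged: owner/group/mode …
  changed_when: false
  with_items: "{{ crt_files_exist.results if not crt_files_missing else iscsi_ssl_files_content.results }}"

- name: clean temporary directory
  file:
    path: "{{ iscsi_ssl_tmp_dir.path }}"
    state: absent
  delegate_to: localhost
  run_once: true
```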
--- a/roles/ceph-mds/tasks/common.yml
+++ b/roles/ceph-mds/tasks/common.yml
@@ -10,16 +10,25 @@
 - /var/lib/ceph/bootstrap-mds/
 - /var/lib/ceph/mds/{{ cluster }}-{{ mds_name }}
-- name: copy ceph keyring(s) if needed
+- name: get keys from monitors
+ command: "{{ hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _mds_keys
+ with_items:
+ - { name: "client.bootstrap-mds", path: "/var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
 owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ with_items: "{{ _mds_keys.results }}"
 when:
- - cephx
- - item.copy_key|bool
+ - cephx | bool
+ - item.item.copy_key | bool
\ No newline at end of file
diff --git a/roles/ceph-mds/tasks/containerized.yml b/roles/ceph-mds/tasks/containerized.yml
index 2b22bc3f3..c4e64402f 100644
--- a/roles/ceph-mds/tasks/containerized.yml
+++ b/roles/ceph-mds/tasks/containerized.yml
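Review bot: `get keys from monitors` resolves the exec prefix as `hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('')`, whereas the same task in roles/ceph-osd, ceph-rgw, ceph-rbd-mirror, ceph-iscsi-gw and ceph-nfs/pre_requisite_non_container.yml uses the bare `{{ container_exec_cmd }}`; presumably the lookup is needed here because this role sets its own `container_exec_cmd` to the mds container (see the set_fact kept as context in containerized.yml below), but a one-line comment saying so would stop the next reader from "fixing" the inconsistency. The `default('')` fallback also silently runs a bare `ceph` on the monitor when the fact is missing, which in a containerized deployment is a confusing failure mode; consider dropping the default so the missing fact fails loudly. The file now ends without a trailing newline.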
@@ -3,46 +3,6 @@
 set_fact:
 container_exec_cmd: "{{ container_binary }} exec ceph-mds-{{ ansible_hostname }}"
-- name: set_fact admin_keyring
- set_fact:
- admin_keyring:
- - "/etc/ceph/{{ cluster }}.client.admin.keyring"
- when: copy_admin_key
-
-- name: set_fact ceph_config_keys
- set_fact:
- ceph_config_keys:
- - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
-
-- name: merge ceph_config_keys and admin_keyring
- set_fact:
- ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}"
- when: copy_admin_key
-
-- name: stat for ceph config and keys
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
- with_items: "{{ ceph_config_keys }}"
- changed_when: false
- become: false
- failed_when: false
- check_mode: no
- register: statconfig
-
-- name: try to fetch ceph config and keys
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
- dest: "{{ item.0 }}"
- owner: root
- group: root
- mode: 0644
- changed_when: false
- with_together:
- - "{{ ceph_config_keys }}"
- - "{{ statconfig.results }}"
- when: item.1.stat.exists
-
 - name: generate systemd unit file
 become: true
 template:
diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml
index 068caf509..717a33297 100644
--- a/roles/ceph-mgr/tasks/common.yml
+++ b/roles/ceph-mgr/tasks/common.yml
@@ -49,34 +49,33 @@
 run_once: True
 delegate_to: "{{ groups[mon_group_name][0] }}"
- - name: copy ceph mgr key(s) from mon node to the ansible server
- fetch:
- src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- flat: yes
+ - name: set_fact _mgr_keys
+ set_fact:
+ _mgr_keys: "{{ _mgr_keys | default([{ 'name': 'client.admin', 'path': '/etc/ceph/' + cluster + '.client.admin.keyring', 'copy_key': copy_admin_key, 'hostname': hostvars[item]['ansible_hostname'] }]) + [{ 'name': 'mgr.' + hostvars[item]['ansible_hostname'], 'path': '/var/lib/ceph/mgr/' + cluster + '-' + hostvars[item]['ansible_hostname'] + '/keyring', 'copy_key': true, 'hostname': hostvars[item]['ansible_hostname'] }] }}"
 with_items: "{{ groups.get(mgr_group_name, []) }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
- - name: copy ceph keyring(s) to mgr node
+ - name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _mgr_keys
+ with_items: "{{ _mgr_keys }}"
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+ - name: copy ceph key(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"
- dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
 owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 mode: "{{ ceph_keyring_permissions }}"
- when: cephx | bool
-
-- name: copy ceph keyring(s) if needed
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
- when:
- - cephx | bool
- - groups.get(mgr_group_name, []) | length > 0
- - copy_admin_key | bool
+ with_items: "{{ _mgr_keys.results }}"
+ delegate_to: "{{ item.item.hostname }}"
+ run_once: true
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
 - name: set mgr key permissions
 file:
diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml
index eaa5dd95e..e78df7320 100644
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
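Review bot: `set_fact _mgr_keys` adds the `client.admin` entry only through the `default(...)` on the first loop iteration, with `hostname` taken from that first manager, so with `copy_admin_key` true the admin keyring reaches one mgr node and the others never get it; the removed top-level `copy ceph keyring(s) if needed` task was not delegated and therefore ran on every host applying the role. `delegate_to: "{{ item.item.hostname }}"` also delegates by `ansible_hostname`, which only resolves when inventory names equal the hosts' short hostnames; carrying the inventory name (`item` in the first loop) is robust. Registering the command results under the same name `_mgr_keys` replaces the list with a dict, which works once but makes the `default([...])` guard wrong on any re-entry, so a separate name is clearer. The enclosing block, whose `run_once`/`delegate_to` lines appear as context at the top, starts before this hunk.
```yaml
  - name: set_fact _mgr_keys
    set_fact:
      _mgr_keys: "{{ _mgr_keys | default([]) + [{ 'name': 'client.admin', 'path': '/etc/ceph/' + cluster + '.client.admin.keyring', 'copy_key': copy_admin_key, 'host': item }, { 'name': 'mgr.' + hostvars[item]['ansible_hostname'], 'path': '/var/lib/ceph/mgr/' + cluster + '-' + hostvars[item]['ansible_hostname'] + '/keyring', 'copy_key': true, 'host': item }] }}"
    with_items: "{{ groups.get(mgr_group_name, []) }}"

  - name: get keys from monitors
    command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
    register: _mgr_keys_results
    # … unchanged: with_items/delegate_to/when …

  - name: copy ceph key(s) if needed
    # … unchanged: copy module args …
    with_items: "{{ _mgr_keys_results.results }}"
    delegate_to: "{{ item.item.host }}"
    # … unchanged: run_once/when …
```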
@@ -16,31 +16,16 @@
 delay: "{{ handler_health_mon_check_delay }}"
 changed_when: false
-- name: tasks for MONs when cephx is enabled
- when: cephx | bool
- block:
- - name: fetch ceph initial keys
- ceph_key:
- state: fetch_initial_keys
- cluster: "{{ cluster }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "0400"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
-
- - name: copy keys to the ansible server
- fetch:
- src: "{{ item }}"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- flat: yes
- with_items:
- - /var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring
- - /etc/ceph/{{ cluster }}.client.admin.keyring
- when: inventory_hostname == groups[mon_group_name] | last
+- name: fetch ceph initial keys
+ ceph_key:
+ state: fetch_initial_keys
+ cluster: "{{ cluster }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "0400"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
+ when:
+ - cephx | bool
diff --git a/roles/ceph-nfs/tasks/pre_requisite_container.yml b/roles/ceph-nfs/tasks/pre_requisite_container.yml
index 0aa1ed75c..15d3f421c 100644
--- a/roles/ceph-nfs/tasks/pre_requisite_container.yml
+++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml
@@ -1,45 +1,28 @@
 ---
 - name: keyring related tasks
 block:
- - name: set_fact admin_keyring
- set_fact:
- admin_keyring:
- - "/etc/ceph/{{ cluster }}.client.admin.keyring"
- when: copy_admin_key | bool
+ - name: get keys from monitors
+ command: "{{ hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
+ with_items:
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
- - name: set_fact ceph_config_keys
- set_fact:
- ceph_config_keys:
- - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
-
- - name: merge ceph_config_keys and admin_keyring
- set_fact:
- ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}"
- when: copy_admin_key | bool
-
- - name: stat for config and keys
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
- with_items: "{{ ceph_config_keys }}"
- changed_when: false
- become: false
- failed_when: false
- check_mode: no
- register: statconfig
-
- - name: try to fetch config and keys
+ - name: copy ceph key(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
- dest: "{{ item.0 }}"
- owner: "64045"
- group: "64045"
- mode: 0644
- changed_when: false
- with_together:
- - "{{ ceph_config_keys }}"
- - "{{ statconfig.results }}"
- when: item.1.stat.exists
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _rgw_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
 when: groups.get(mon_group_name, []) | length > 0
 - name: dbus related tasks
diff --git a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml
index ae7e9129f..b0c86392a 100644
--- a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml
+++ b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml
@@ -46,17 +46,28 @@
 - cephx | bool
 - groups.get(mon_group_name, []) | length > 0
 block:
- - name: copy bootstrap cephx keys
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
- owner: "ceph"
- group: "ceph"
- mode: "0600"
+ - name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
 with_items:
- - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: "{{ nfs_obj_gw }}" }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
- when: item.copy_key | bool
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+ - name: copy ceph key(s) if needed
+ copy:
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _rgw_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
 - name: nfs object gateway related tasks
 when: nfs_obj_gw | bool
diff --git a/roles/ceph-osd/tasks/common.yml b/roles/ceph-osd/tasks/common.yml
index 644c60ccc..c5d86736d 100644
--- a/roles/ceph-osd/tasks/common.yml
+++ b/roles/ceph-osd/tasks/common.yml
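Review bot: `copy ceph key(s) if needed` in pre_requisite_container.yml changes the keyring owner from the fixed `"64045"` and mode `0644` of the removed task to `ceph_uid` and `ceph_keyring_permissions`; if the containerized nfs-ganesha process runs as uid 64045, which the old hard-coded value suggests, the tighter mode leaves the keyring unreadable inside the container, so this should be confirmed against the image before merging. The registered name `_rgw_keys` is also the one used in roles/ceph-rgw/tasks/common.yml; a role-specific name such as `_nfs_keys` keeps the facts distinguishable in debug output.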
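Review bot: `get keys from monitors` in pre_requisite_non_container.yml sets `copy_key: true` for `client.bootstrap-rgw`, whereas the removed task gated it with `copy_key: "{{ nfs_obj_gw }}"`, so NFS nodes that run no object gateway now receive an RGW bootstrap key they have no use for. Restoring `copy_key: "{{ nfs_obj_gw }}"` on that entry keeps the key off hosts that do not need it; the commit message does not mention this widening, so it looks unintentional. The enclosing block and its `when` list start before this hunk.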
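Review bot: `get keys from monitors` in pre_requisite_non_container.yml sets `copy_key: true` for `client.bootstrap-rgw`, whereas the removed task gated it with `copy_key: "{{ nfs_obj_gw }}"`, so NFS nodes that run no object gateway now receive an RGW bootstrap key they have no use for. Restoring `copy_key: "{{ nfs_obj_gw }}"` on that entry keeps the key off hosts that do not need it; the commit message does not mention this widening, so it looks unintentional. The enclosing block and its `when` list start before this hunk.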
@@ -11,16 +11,25 @@
 - /var/lib/ceph/bootstrap-osd/
 - /var/lib/ceph/osd/
-- name: copy ceph key(s) if needed
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _osd_keys
 with_items:
- - { name: "/var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ - { name: "client.bootstrap-osd", path: "/var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
 when:
 - cephx | bool
 - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
+ copy:
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _osd_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
diff --git a/roles/ceph-osd/tasks/openstack_config.yml b/roles/ceph-osd/tasks/openstack_config.yml
index 205e723bc..2fcc8349b 100644
--- a/roles/ceph-osd/tasks/openstack_config.yml
+++ b/roles/ceph-osd/tasks/openstack_config.yml
@@ -67,40 +67,38 @@
 when: item.application is defined
 - name: create openstack cephx key(s)
- ceph_key:
- state: present
- name: "{{ item.name }}"
- caps: "{{ item.caps }}"
- secret: "{{ item.key | default('') }}"
- cluster: "{{ cluster }}"
- mode: "{{ item.mode|default(omit) }}"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- with_items: "{{ openstack_keys }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
- when: cephx | bool
+ block:
+ - name: generate keys
+ ceph_key:
+ state: present
+ name: "{{ item.name }}"
+ caps: "{{ item.caps }}"
+ secret: "{{ item.key | default('') }}"
+ cluster: "{{ cluster }}"
+ mode: "{{ item.mode|default(omit) }}"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ with_items: "{{ openstack_keys }}"
+ delegate_to: "{{ groups[mon_group_name][0] }}"
-- name: fetch openstack cephx key(s)
- fetch:
- src: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
- flat: yes
- delegate_to: "{{ gro```yaml
  - name: set_fact _mgr_keys
    set_fact:
      _mgr_keys: "{{ _mgr_keys | default([]) + [{ 'name': 'client.admin', 'path': '/etc/ceph/' + cluster + '.client.admin.keyring', 'copy_key': copy_admin_key, 'host': item }, { 'name': 'mgr.' + hostvars[item]['ansible_hostname'], 'path': '/var/lib/ceph/mgr/' + cluster + '-' + hostvars[item]['ansible_hostname'] + '/keyring', 'copy_key': true, 'host': item }] }}"
    with_items: "{{ groups.get(mgr_group_name, []) }}"

  - name: get keys from monitors
    command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
    register: _mgr_keys_results
    # … unchanged: with_items/delegate_to/when …

  - name: copy ceph key(s) if needed
    # … unchanged: copy module args …
    with_items: "{{ _mgr_keys_results.results }}"
    delegate_to: "{{ item.item.host }}"
    # … unchanged: run_once/when …
```
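Review bot: `copy ceph key(s) if needed` in openstack_config.yml uses `mode: "{{ item.0.item.mode }}"`, while the removed copy task and the `generate keys` task above it both use `item.mode|default(omit)`; an `openstack_keys` entry without a `mode` now fails this task with an undefined-variable error instead of falling back to the module default. Use `mode: "{{ item.0.item.mode | default(omit) }}"`. The task is also not `run_once`, so every OSD host applying the role rewrites every key on every monitor; that was already true of the removed task, but a `run_once: true` on the nested loop would reduce it to a single pass.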
@@ -1,20 +1,26 @@
 ---
-- name: copy rbd-mirror bootstrap key
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring"
- dest: "/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rbd_mirror_keys
+ with_items:
+ - { name: "client.bootstrap-rbd-mirror", path: "/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
-- name: copy ceph admin keyring if needed
+- name: copy ceph key(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
 owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 mode: "{{ ceph_keyring_permissions }}"
- when: copy_admin_key | bool
+ with_items: "{{ _rbd_mirror_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
 - name: create rbd-mirror keyring
 command: >
diff --git a/roles/ceph-rgw/tasks/common.yml b/roles/ceph-rgw/tasks/common.yml
index 33dc14448..105b89189 100644
--- a/roles/ceph-rgw/tasks/common.yml
+++ b/roles/ceph-rgw/tasks/common.yml
@@ -18,16 +18,25 @@
 with_items: "{{ rgw_instances }}"
 when: rgw_instances is defined
-- name: copy ceph keyring(s) if needed
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
 with_items:
- - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
 when:
 - cephx | bool
 - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
+ copy:
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _rgw_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool