ceph
/
ceph-ansible
mirror of https://github.com/ceph/ceph-ansible.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Set tighter permissions on keyrings when containerized 

During a containerized deployment, set the permissions
of ceph.client.admin.keyring and other keyrings to
chmod 600 and chown it to ceph.
pull/2211/head
John Fulton 2017-11-22 16:38:30 -05:00
parent 29d21303d7
commit ffae294288
3 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
roles/ceph-defaults/tasks/facts.yml
View File

@ -151,3 +151,17 @@
- inventory_hostname in groups.get(osd_group_name, []) - inventory_hostname in groups.get(osd_group_name, [])
- not osd_auto_discovery|default(False) - not osd_auto_discovery|default(False)
- osd_scenario != 'lvm' - osd_scenario != 'lvm'
- name: set_fact ceph_uid for Debian based system
set_fact:
ceph_uid: 64045
when:
- containerized_deployment
- ceph_docker_image_tag | match("latest") or ceph_docker_image_tag | search("ubuntu")
- name: set_fact ceph_uid for Red Hat based system
set_fact:
ceph_uid: 167
when:
- containerized_deployment
- ceph_docker_image_tag | search("centos") or ceph_docker_image | search("rhceph") or ceph_docker_image_tag | search("fedora")

20
roles/ceph-mgr/tasks/docker/copy_configs.yml
View File

@ -14,7 +14,21 @@
check_mode: no check_mode: no
register: statconfig register: statconfig
- name: try to fetch ceph config and keys - name: try to fetch ceph keys
copy:
src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
dest: "{{ item.0 }}"
owner: "{{ ceph_uid }}"
mode: 0600
changed_when: false
with_together:
- "{{ ceph_config_keys }}"
- "{{ statconfig.results }}"
when:
- item.1.stat.exists == true
- item.0 | search("keyring")
- name: try to fetch ceph config
copy: copy:
src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
dest: "{{ item.0 }}" dest: "{{ item.0 }}"
@ -25,7 +39,9 @@
with_together: with_together:
- "{{ ceph_config_keys }}" - "{{ ceph_config_keys }}"
- "{{ statconfig.results }}" - "{{ statconfig.results }}"
when: item.1.stat.exists == true when:
- item.1.stat.exists == true
- not (item.0 | search("keyring"))
- name: "copy mgr key to /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring" - name: "copy mgr key to /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
command: cp /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring command: cp /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring

17
roles/ceph-mon/tasks/docker/copy_configs.yml
View File

@ -49,7 +49,21 @@
register: statconfig register: statconfig
check_mode: no check_mode: no
- name: try to copy ceph config and keys - name: try to copy ceph keys
copy:
src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
dest: "{{ item.0 }}"
owner: "{{ ceph_uid }}"
mode: 0600
changed_when: false
with_together:
- "{{ ceph_config_keys }}"
- "{{ statconfig.results }}"
when:
- item.1.stat.exists == true
- item.0 | search("keyring")
- name: try to copy ceph config
copy: copy:
src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
dest: "{{ item.0 }}" dest: "{{ item.0 }}"
@ -62,6 +76,7 @@
- "{{ statconfig.results }}" - "{{ statconfig.results }}"
when: when:
- item.1.stat.exists == true - item.1.stat.exists == true
- not (item.0 | search("keyring"))
- name: set selinux permissions - name: set selinux permissions
shell: | shell: |