Enable granular distribution of Ceph keys

Enable granular distribution of Ceph keys¶

Note

This feature is available starting from the MCP 2019.2.14 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

This section describes how to enable granular distribution of Ceph keys on an existing deployment to avoid keeping the Ceph keys for the services that do not belong to a particular node.

To enable granular distribution of Ceph keys:

Open your Git project repository with the Reclass model on the cluster level.
Create a new ceph/keyrings folder.
Open the ceph/common.yml file for editing.

Move the configuration for each component from the parameters:ceph:common:keyrings section to a corresponding file in the newly created folder. For example, the following configuration must be split to four different files.

ceph:
 common:
   keyring:
     glance:
       name: ${_param:glance_storage_user}
       caps:
         mon: 'allow r, allow command "osd blacklist"'
         osd: "profile rbd pool=images"
     cinder:
       name: ${_param:cinder_storage_user}
       caps:
         mon: 'allow r, allow command "osd blacklist"'
         osd: "profile rbd pool=volumes, profile rbd-read-only pool=images, profile rbd pool=${_param:cinder_ceph_backup_pool}"
     nova:
       name: ${_param:nova_storage_user}
       caps:
         mon: 'allow r, allow command "osd blacklist"'
         osd: "profile rbd pool=vms, profile rbd-read-only pool=images"
     gnocchi:
       name: ${_param:gnocchi_storage_user}
       caps:
         mon: 'allow r, allow command "osd blacklist"'
         osd: "profile rbd pool=${_param:gnocchi_storage_pool}"

In this case, each file must have its own component keyring. For example:

In ceph/keyrings/nova.yml, add:

parameters:
  ceph:
    common:
      keyring:
        nova:
          name: ${_param:nova_storage_user}
          caps:
            mon: 'allow r, allow command "osd blacklist"'
            osd: "profile rbd pool=vms, profile rbd-read-only pool=images"

In ceph/keyrings/cinder.yml, add:

parameters:
  ceph:
    common:
      keyring:
        cinder:
          name: ${_param:cinder_storage_user}
          caps:
            mon: 'allow r, allow command "osd blacklist"'
            osd: "profile rbd pool=volumes, profile rbd-read-only pool=images, profile rbd pool=${_param:cinder_ceph_backup_pool}"

In ceph/keyrings/glance.yml, add:

parameters:
  ceph:
    common:
      keyring:
        glance:
          name: ${_param:glance_storage_user}
          caps:
            mon: 'allow r, allow command "osd blacklist"'
            osd: "profile rbd pool=images"

In ceph/keyrings/gnocchi.yml, add:

parameters:
  ceph:
    common:
      keyring:
        gnocchi:
          name: ${_param:gnocchi_storage_user}
          caps:
            mon: 'allow r, allow command "osd blacklist"'
            osd: "profile rbd pool=${_param:gnocchi_storage_pool}"

In the same ceph/keyrings folder, create an init.yml file and add the newly created keyrings:

classes:
- cluster.<cluster_name>.ceph.keyrings.glance
- cluster.<cluster_name>.ceph.keyrings.cinder
- cluster.<cluster_name>.ceph.keyrings.nova
- cluster.<cluster_name>.ceph.keyrings.gnocchi

Note

If Telemetry is disabled, Gnocchi may not be present in your deployment.

In openstack/compute/init.yml, add the Cinder and Nova keyrings after class cluster.<cluster_name>.ceph.common:
```
- cluster.<cluster_name>.ceph.keyrings.cinder
- cluster.<cluster_name>.ceph.keyrings.nova
```
In openstack/control.yml, add the following line after cluster.<cluster_name>.ceph.common:
```
- cluster.<cluster_name>.ceph.keyrings
```
In openstack/telemetry.yml add the Gnocchi keyring after class cluster.<cluster_name>.ceph.common:
```
- cluster.<cluster_name>.ceph.keyrings.gnocchi
```
Log in to the Salt Master node.

Synchronize the Salt modules and update mines:

salt "*" saltutil.sync_all
salt "*" mine.update

Drop the redundant keyrings from the corresponding nodes and verify that the keyrings will not change with the new Salt run:

Note

If ceph:common:manage_keyring is enabled, modify the last state for each component using the following template:

salt "<target>" state.sls ceph.common,ceph.setup.keyring,ceph.setup.managed_keyring test=true

For the OpenStack compute nodes, run:

salt "cmp*" cmd.run "rm /etc/ceph/ceph.client.glance.keyring"
salt "cmp*" cmd.run "rm /etc/ceph/ceph.client.gnocchi.keyring"
salt "cmp*" state.sls ceph.common,ceph.setup.keyring test=true

For the Ceph Monitor nodes, run:

salt "cmn*" cmd.run "rm /etc/ceph/ceph.client.glance.keyring"
salt "cmn*" cmd.run "rm /etc/ceph/ceph.client.gnocchi.keyring"
salt "cmn*" cmd.run "rm /etc/ceph/ceph.client.nova.keyring"
salt "cmn*" cmd.run "rm /etc/ceph/ceph.client.cinder.keyring"
salt "cmn*" state.sls ceph.common,ceph.setup.keyring test=true

For the RADOS Gateway nodes, run:

salt "rgw*" cmd.run "rm /etc/ceph/ceph.client.glance.keyring"
salt "rgw*" cmd.run "rm /etc/ceph/ceph.client.gnocchi.keyring"
salt "rgw*" cmd.run "rm /etc/ceph/ceph.client.nova.keyring"
salt "rgw*" cmd.run "rm /etc/ceph/ceph.client.cinder.keyring"
salt "rgw*" state.sls ceph.common,ceph.setup.keyring test=true

For the Telemetry nodes, run:

salt "mdb*" cmd.run "rm /etc/ceph/ceph.client.glance.keyring"
salt "mdb*" cmd.run "rm /etc/ceph/ceph.client.nova.keyring"
salt "mdb*" cmd.run "rm /etc/ceph/ceph.client.cinder.keyring"
salt "mdb*" state.sls ceph.common,ceph.setup.keyring test=true

Apply the changes for all components one by one:

If ceph:common:manage_keyring is disabled:

salt "<target>" state.sls ceph.common,ceph.setup.keyring

If ceph:common:manage_keyring is enabled:

salt "<target>" state.sls ceph.common,ceph.setup.keyring,ceph.setup.managed_keyring

updated: 2024-01-04 11:47

Enable RBD monitoring

View Previous Section

Glance operations