doc/mgr/crash: explain needed crash upload permissions

Signed-off-by: Jonas Jelten <jj@sft.lol>

diff --git a/doc/mgr/crash.rst b/doc/mgr/crash.rst
index e12a8c6f83e9aa1d5bdc37b84486fe35bb38d7c5..656c7a2d4ef31c5d59d5b056170ea661dd92fcab 100644 (file)
--- a/doc/mgr/crash.rst
+++ b/doc/mgr/crash.rst
@@ -3,13 +3,6 @@ Crash Module
 The crash module collects information about daemon crashdumps and stores
 it in the Ceph cluster for later analysis.
 
-Daemon crashdumps are dumped in /var/lib/ceph/crash by default; this can
-be configured with the option 'crash dir'.  Crash directories are named by
-time and date and a randomly-generated UUID, and contain a metadata file
-'meta' and a recent log file, with a "crash_id" that is the same.
-This module allows the metadata about those dumps to be persisted in
-the monitors' storage.
-
 Enabling
 --------
 
@@ -17,6 +10,33 @@ The *crash* module is enabled with::
 
   ceph mgr module enable crash
 
+The *crash* upload key is generated with::
+
+  ceph auth get-or-create client.crash mon 'profile crash' mgr 'profile crash'
+
+On each node, you should store this key in
+``/etc/ceph/ceph.client.crash.keyring``.
+
+
+Automated collection
+--------------------
+
+Daemon crashdumps are dumped in ``/var/lib/ceph/crash`` by default; this can
+be configured with the option 'crash dir'.  Crash directories are named by
+time and date and a randomly-generated UUID, and contain a metadata file
+'meta' and a recent log file, with a "crash_id" that is the same.
+
+These crashes can be automatically submitted and persisted in the monitors'
+storage by using ``ceph-crash.service``.
+It watches the crashdump directory and uploads them with ``ceph crash post``.
+
+``ceph-crash`` tries some authentication names: ``client.crash.$hostname``,
+``client.crash`` and ``client.admin``.
+In order to successfully upload with ``ceph crash post``, these need
+the suitable permissions: ``mon profile crash`` and ``mgr profile crash``
+and a keyring needs to be in ``/etc/ceph``.
+
+
 Commands
 --------
 ::

diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
index d8695effbfbc583728624164662896cc429ab8af..2ea49a88c5358ff115af2d7cba45b8f7ab7a2692 100644 (file)
--- a/doc/rados/operations/user-management.rst
+++ b/doc/rados/operations/user-management.rst
@@ -308,11 +308,11 @@ The following entries describe valid capability profiles:
               you're doing as the security ramifications are substantial and
               pervasive.
 
-``profile crash`` (Monitor only)
+``profile crash`` (Monitor and MGR)
 
 :Description: Gives a user read-only access to monitors, used in conjunction
-              with the manager ``crash`` module when collecting daemon crash
-              dumps for later analysis.
+              with the manager ``crash`` module to upload daemon crash
+              dumps into monitor storage for later analysis.
 
 Pool
 ----