auth service ticket ttl: 120
mon:
debug mon: 30
+ debug paxos: 30
debug ms: 5
+++ /dev/null
-tasks:
-- install:
--- /dev/null
+tasks:
+- install:
--- /dev/null
+tasks:
+- ceph:
+ log-ignorelist:
+ - AUTH_INSECURE_KEYS_ALLOWED
+ - AUTH_INSECURE_KEYS_CREATABLE
+ - AUTH_INSECURE_SERVICE_TICKETS
+ - AUTH_INSECURE_CLIENT_KEY_TYPE
+ - AUTH_INSECURE_SERVICE_KEY_TYPE
+ - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ conf:
+ mon:
+ mon_health_to_clog: false
+ cluster-conf:
+ mon:
+ mon auth allow insecure key: true
+ monmaptool_extra_args:
+ - '--auth-service-cipher=aes'
+ - '--auth-allowed-ciphers=aes'
+ - '--auth-preferred-cipher=aes'
+ cephx:
+ key_type: aes
+ wait-for-healthy: false
+- ceph.key_prune: ["client.bootstrap-*"]
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_CREATABLE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_TICKETS --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_KEY_TYPE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE --sticky
+- ceph.healthy:
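Review bot: Nothing in this fragment says that `mon auth allow insecure key: true`, the aes-only `monmaptool_extra_args` and `key_type: aes` are the deliberate legacy starting state that the later fragments migrate away from. A leading comment such as `# Start from the legacy aes-only state; later fragments unmute each AUTH_INSECURE_* check and move to aes256k.` would keep it from being copied as a baseline. All six AUTH_INSECURE_* checks are both placed in `log-ignorelist` and muted with `--sticky` here, so it would also help to name the fragment that lifts each mute; a sticky mute that is never lifted would presumably keep that warning out of every later `ceph.healthy`.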
--- /dev/null
+tasks:
+- full_sequential_finally:
+ - exec:
+ mon.a:
+ - sleep 1m
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+teuthology:
+ variables:
+ workload: none
--- /dev/null
+teuthology:
+ variables:
+ workload: radosbench
+
+radosbench:
+ sequential_yield:
+ - radosbench:
+ extra_args: --log-to-stderr=false --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
+ clients: [client.0]
+ time: 900
+ unique_pool: true
+
+tasks:
+ - sequential_yield:
+ - radosbench
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 1)'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes,aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_preferred_cipher aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
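Review bot: The fourth command pipes `dump-keys` into `jq 'any(...; .auth.key.type == 1)'`, which prints true or false but exits 0 either way, so this exec step passes whatever key types the cluster holds. Running it as `jq -e 'any(...; .auth.key.type == 1)'` makes the exit status follow the result (non-zero on false, null or no output). Unless the exec task already enables `pipefail`, which is not visible here, a failing `ceph` on the left of the pipe is masked as well. The same applies to every other `| jq` check on this page: the post-rotation service-key check, the `client.admin` and `clients: [all]` checks, the `auth_allowed_ciphers` comparison, both `rotating_secrets` checks, and their copies in the second suite.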
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_SERVICE_KEY_TYPE]
+- ceph.key_rotate:
+ daemons: [mon.*]
+ key_type: aes256k
+- ceph.key_rotate:
+ daemons: [mgr.*, osd.*, mds.*]
+ key_type: aes256k
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 2)'
+- ceph.healthy:
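Review bot: The check after the two `ceph.key_rotate` steps uses `any(.data.secrets[] | select(...); .auth.key.type == 2)`, which is true as soon as one selected key has type 2 and so would not notice a daemon left on the old key type. If the intent is that every selected service key was rotated, which the `mon.*`, `mgr.*`, `osd.*`, `mds.*` daemon lists suggest, `all(.data.secrets[] | select(...); .auth.key.type == 2)` states that. The `clients: [all]` fragment has the same shape with `select(.entity.type == 8)`, and both checks are repeated in the second suite.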
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_CREATABLE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_CREATABLE]
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config rm mon 'mon auth allow insecure key'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+# The default when auth_allow_ciphers inclues aes, retain default mon_auth_allow_insecure_key=true
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_CREATABLE]
+# Now setting it overrides:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon 'mon auth allow insecure key' false
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
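Review bot: The comment above the second `ceph.healthy` misspells "includes" and names `auth_allow_ciphers`, while the option set elsewhere on this page is `auth_allowed_ciphers`. If the meaning is that removing the override leaves the default in force, a clearer wording would be `# While auth_allowed_ciphers still includes aes, mon_auth_allow_insecure_key keeps its default of true after config rm.` The same comment is repeated in the second suite's copy of this fragment.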
--- /dev/null
+teuthology:
+ variables:
+ clients_all_rotated: false
+ postmerge:
+ - |
+ if yaml.teuthology.variables.workload == 'none' then
+ reject()
+ end
+
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE]
+ - ceph.key_rotate:
+ daemons: []
+ clients: [client.admin]
+ key_type: aes256k
+ - exec:
+ mon.a:
+ - |
+ ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys | \
+ jq '
+ .data.secrets[] |
+ select(
+ .entity.type_str == "client" and .entity.id == "admin"
+ ) | .auth.key.type == 2
+ '
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky
+ - ceph.healthy:
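Review bot: This fragment has no comment explaining why its `postmerge` rejects `workload == 'none'`, or why AUTH_INSECURE_CLIENT_KEY_TYPE is muted again with `--sticky` once only `client.admin` has been rotated. Its sibling carries `# N.B. we can only rotate all keys if we do not have an existing workload.`; a matching line here, for example `# A workload is running, so only client.admin is rotated and the check is re-muted for the remaining clients.`, would make the pairing clear. That reading is inferred from the sibling's comment and should be confirmed by the author.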
--- /dev/null
+# N.B. we can only rotate all keys if we do not have an existing workload.
+
+teuthology:
+ variables:
+ clients_all_rotated: true
+ postmerge:
+ - |
+ if yaml.teuthology.variables.workload ~= 'none' then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE]
+ - ceph.key_rotate:
+ daemons: []
+ clients: [all]
+ key_type: aes256k
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 8); .auth.key.type == 2)'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
--- /dev/null
+teuthology:
+ postmerge:
+ - |
+ if not yaml.teuthology.variables.clients_all_rotated then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_ALLOWED]
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes256k
+ - ceph.healthy:
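Review bot: After `mon set auth_allowed_ciphers aes256k` the fragment goes straight to `ceph.healthy` and never reads the value back, while the sibling fragment for the not-all-rotated case asserts the list with `mon dump --format=json | jq '.auth_allowed_ciphers | (map(.name) | sort) == ["aes", "aes256k"]'`. Adding the equivalent read-back here, `mon dump --format=json | jq -e '.auth_allowed_ciphers | map(.name) == ["aes256k"]'`, would confirm that aes was actually dropped rather than relying on the health check alone. The second suite's copy of this fragment has the same gap.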
--- /dev/null
+teuthology:
+ postmerge:
+ - |
+ if yaml.teuthology.variables.clients_all_rotated then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_ALLOWED]
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump --format=json | jq '.auth_allowed_ciphers | (map(.name) | sort) == ["aes", "aes256k"]'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky
+ - ceph.healthy:
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .secrets.keys | all(.expiring_key.key.type == 1) )'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_service_cipher aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+++ /dev/null
-tasks:
-- ceph:
- cluster-conf:
- global:
- auth service cipher: aes
- mon:
- mon auth allow insecure key: true
- cephx:
- key_type: aes
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+teuthology:
+ variables:
+ wipe_service_keys: false
--- /dev/null
+# Sleep for ticket refresh.
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE]
+- sleep:
+ duration: 720
+- ceph.healthy:
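Review bot: This sleep variant unmutes only AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE, whereas the wipe variant also ends with `health unmute AUTH_INSECURE_SERVICE_TICKETS`. Unless a later fragment not visible here lifts it, the sticky mute set at startup stays in place on this path and the final `ceph.healthy` cannot report insecure service tickets; consider adding the same unmute after the sleep. The `duration: 720` also has no stated relation to `auth service ticket ttl: 120`, so a comment saying how many ttl periods the sleep is meant to cover would explain the change from 500.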
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE]
+- exec:
+ mon.a:
+ - ceph auth wipe-rotating-service-keys
+ - ceph auth --format=json-pretty dump-keys
+ - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .entity.type == 32 then (.secrets.keys | all(.expiring_key.key.type == 1)) else (.secrets.keys | all(.expiring_key.key.type == 2)) end )'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_TICKETS
+- ceph.healthy:
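Review bot: The jq filter expects rotating keys of `.entity.type == 32` to remain at key type 1 after `ceph auth wipe-rotating-service-keys` while every other service must be type 2, and nothing explains that exception or the numeric codes. A comment above the step saying what entity type 32 and key types 1 and 2 stand for, and why that one entity is exempt, would make the assertion reviewable. The three `ceph auth` commands here also omit the `--log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30` options that every other command in the suite passes, which leaves the least auth debug output for the most disruptive step.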
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+overrides:
+ ceph:
+ log-ignorelist:
+ - OSD_DOWN
+ - OSD_ROOT_DOWN
+tasks:
+- sleep:
+ duration: 10
+- ceph.restart:
+ daemons: [mon.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- ceph.restart:
+ daemons: [mgr.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- ceph.restart:
+ daemons: [osd.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+ wait-for-osds-up: true
+- ceph.restart:
+ daemons: [mds.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+tasks:
+ - radosbench:
+ extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
+ clients: [client.0]
+ time: 10
+ unique_pool: true
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+++ /dev/null
-tasks:
-- full_sequential_finally:
- - exec:
- mon.a:
- - sleep 1m
-- exec:
- mon.a:
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-radosbench:
- sequential_yield:
- - radosbench:
- extra_args: --log-to-stderr=false --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
- clients: [client.0]
- time: 300
- unique_pool: true
-
-tasks:
- - sequential_yield:
- - radosbench
+++ /dev/null
-tasks:
-- ceph.key_rotate:
- daemons: [mon.*]
- key_type: aes256k
-- ceph.key_rotate:
- daemons: [mgr.*, osd.*, mds.*]
- key_type: aes256k
-- exec:
- mon.a:
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.key.type == 1 or .key.type == 2 or .key.type == 4 or .key.type == 16); .val.key.type != 2)'
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .val.secrets | all(.val.key.type == 1) )'
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set global auth_service_cipher aes256k
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-teuthology:
- variables:
- wipe_service_keys: false
+++ /dev/null
-tasks:
-- exec:
- mon.a:
- - ceph auth wipe-rotating-service-keys
- - ceph auth --format=json-pretty dump-keys
- - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .key == 32 then (.val.secrets | all(.val.key.type == 1)) else (.val.secrets | all(.val.key.type == 2)) end )'
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-# Sleep for ticket refresh.
-tasks:
-- sleep:
- duration: 500
+++ /dev/null
-overrides:
- ceph:
- log-ignorelist:
- - OSD_DOWN
- - OSD_ROOT_DOWN
-tasks:
-- sleep:
- duration: 10
-- ceph.restart:
- daemons: [mon.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [mgr.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [osd.*]
- mon-health-to-clog: false
- wait-for-healthy: true
- wait-for-osds-up: true
-- ceph.restart:
- daemons: [mds.*]
- mon-health-to-clog: false
- wait-for-healthy: true
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-tasks:
- - radosbench:
- extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
- clients: [client.0]
- time: 10
- unique_pool: true
auth service ticket ttl: 120
mon:
debug mon: 30
+ debug paxos: 30
debug ms: 5
- [mon.a, mds.a, mgr.x, osd.0, osd.1]
- [mon.b, mon.c, mds.b, mgr.y, osd.2, osd.3]
- [client.0]
-- [client.1]
+# need to handle pruning if we want a client with older binaries
+#- [client.1]
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-meta:
-- desc: |
- install ceph/reef v18.2.7
-tasks:
-- install:
- tag: v18.2.7
- exclude_packages:
- - librados3
- - ceph-mgr-dashboard
- - ceph-mgr-diskprediction-local
- - ceph-mgr-rook
- - ceph-mgr-cephadm
- - cephadm
- - ceph-volume
- extra_packages: ['librados2']
-- print: "**** done installing v18.2.7"
-- ceph:
- log-ignorelist:
- - overall HEALTH_
- - \(FS_
- - \(MDS_
- - \(OSD_
- - \(MON_DOWN\)
- - \(CACHE_POOL_
- - \(POOL_
- - \(MGR_DOWN\)
- - \(PG_
- - \(SMALLER_PGP_NUM\)
- - Monitor daemon marked osd
- - Behind on trimming
- - Manager daemon
- conf:
- global:
- mon warn on pool no app: false
-- exec:
- osd.0:
- - ceph osd set-require-min-compat-client reef
-- print: "**** done ceph"
+++ /dev/null
-meta:
-- desc: |
- install ceph/squid v19.2.2
-tasks:
-- install:
- tag: v19.2.2
- exclude_packages:
- - librados3
- - ceph-mgr-dashboard
- - ceph-mgr-diskprediction-local
- - ceph-mgr-rook
- - ceph-mgr-cephadm
- - cephadm
- - ceph-volume
- extra_packages: ['librados2']
-- print: "**** done installing squid v19.2.2"
-- ceph:
- log-ignorelist:
- - overall HEALTH_
- - \(FS_
- - \(MDS_
- - \(OSD_
- - \(MON_DOWN\)
- - \(CACHE_POOL_
- - \(POOL_
- - \(MGR_DOWN\)
- - \(PG_
- - \(SMALLER_PGP_NUM\)
- - Monitor daemon marked osd
- - Behind on trimming
- - Manager daemon
- conf:
- global:
- mon warn on pool no app: false
-- exec:
- osd.0:
- - ceph osd set-require-min-compat-client squid
-- print: "**** done ceph"
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+meta:
+- desc: |
+ install ceph/reef v18.2.7
+tasks:
+- install:
+ tag: v18.2.7
+ exclude_packages:
+ - librados3
+ - ceph-mgr-dashboard
+ - ceph-mgr-diskprediction-local
+ - ceph-mgr-rook
+ - ceph-mgr-cephadm
+ - cephadm
+ - ceph-volume
+ extra_packages: ['librados2']
+- print: "**** done installing v18.2.7"
+- ceph:
+ log-ignorelist:
+ - AUTH_INSECURE_KEYS_ALLOWED
+ - AUTH_INSECURE_KEYS_CREATABLE
+ - AUTH_INSECURE_SERVICE_TICKETS
+ - AUTH_INSECURE_CLIENT_KEY_TYPE
+ - AUTH_INSECURE_SERVICE_KEY_TYPE
+ - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ conf:
+ mon:
+ mon_health_to_clog: false
+ global:
+ mon warn on pool no app: false
+- exec:
+ osd.0:
+ - ceph osd set-require-min-compat-client reef
+- print: "**** done ceph"
--- /dev/null
+meta:
+- desc: |
+ install ceph/squid v19.2.2
+tasks:
+- install:
+ tag: v19.2.2
+ exclude_packages:
+ - librados3
+ - ceph-mgr-dashboard
+ - ceph-mgr-diskprediction-local
+ - ceph-mgr-rook
+ - ceph-mgr-cephadm
+ - cephadm
+ - ceph-volume
+ extra_packages: ['librados2']
+- print: "**** done installing squid v19.2.2"
+- ceph:
+ log-ignorelist:
+ - AUTH_INSECURE_KEYS_ALLOWED
+ - AUTH_INSECURE_KEYS_CREATABLE
+ - AUTH_INSECURE_SERVICE_TICKETS
+ - AUTH_INSECURE_CLIENT_KEY_TYPE
+ - AUTH_INSECURE_SERVICE_KEY_TYPE
+ - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ conf:
+ mon:
+ mon_health_to_clog: false
+ global:
+ mon warn on pool no app: false
+- exec:
+ osd.0:
+ - ceph osd set-require-min-compat-client squid
+- print: "**** done ceph"
--- /dev/null
+tasks:
+- full_sequential_finally:
+ - exec:
+ mon.a:
+ - sleep 1m
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+teuthology:
+ variables:
+ workload: none
--- /dev/null
+teuthology:
+ variables:
+ workload: radosbench
+
+radosbench:
+ sequential_yield:
+ - radosbench:
+ extra_args: --log-to-stderr=false --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
+ clients: [client.0]
+ time: 900
+ unique_pool: true
+
+tasks:
+ - sequential_yield:
+ - radosbench
--- /dev/null
+tasks:
+- install.upgrade:
+ mon.a:
+ mon.b:
+ client.0:
+- ceph.restart:
+ daemons: [mgr.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- ceph.restart:
+ daemons: [mon.*]
+ mon-health-to-clog: false
+ wait-for-healthy: false
+- ceph.key_prune: ["client.bootstrap-*"]
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon mon_auth_allow_insecure_key true
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_CREATABLE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_TICKETS --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_KEY_TYPE --sticky
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE --sticky
+- ceph.healthy:
+- ceph.restart:
+ daemons: [osd.*]
+ mon-health-to-clog: false
+ wait-for-osds-up: true
+ wait-for-healthy: false
+- exec:
+ mon.a:
+ - ceph versions
+ - ceph osd dump -f json-pretty
+ - ceph osd require-osd-release tentacle
+ - for f in `ceph osd pool ls` ; do ceph osd pool set $f pg_autoscale_mode off ; done
+- ceph.healthy:
+- ceph.restart:
+ daemons: [mds.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- exec:
+ mon.a:
+ - ceph versions
+ - ceph fs dump
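Review bot: The pool loop in the second `exec` block uses backticks and an unquoted `$f`, so a pool name containing whitespace or glob characters would be split or expanded before `ceph osd pool set` sees it. Reading the names line by line avoids that: `ceph osd pool ls | while read -r f; do ceph osd pool set "$f" pg_autoscale_mode off; done`. This is a style point for a test cluster whose pool names the suite controls.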
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 1)'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes,aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_preferred_cipher aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_SERVICE_KEY_TYPE]
+- ceph.key_rotate:
+ daemons: [mon.*]
+ key_type: aes256k
+- ceph.key_rotate:
+ daemons: [mgr.*, osd.*, mds.*]
+ key_type: aes256k
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 2)'
+- ceph.healthy:
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_CREATABLE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_CREATABLE]
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config rm mon 'mon auth allow insecure key'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+# The default when auth_allow_ciphers inclues aes, retain default mon_auth_allow_insecure_key=true
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_CREATABLE]
+# Now setting it overrides:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon 'mon auth allow insecure key' false
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
--- /dev/null
+teuthology:
+ variables:
+ clients_all_rotated: false
+ postmerge:
+ - |
+ if yaml.teuthology.variables.workload == 'none' then
+ reject()
+ end
+
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE]
+ - ceph.key_rotate:
+ daemons: []
+ clients: [client.admin]
+ key_type: aes256k
+ - exec:
+ mon.a:
+ - |
+ ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys | \
+ jq '
+ .data.secrets[] |
+ select(
+ .entity.type_str == "client" and .entity.id == "admin"
+ ) | .auth.key.type == 2
+ '
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky
+ - ceph.healthy:
--- /dev/null
+# N.B. we can only rotate all keys if we do not have an existing workload.
+
+teuthology:
+ variables:
+ clients_all_rotated: true
+ postmerge:
+ - |
+ if yaml.teuthology.variables.workload ~= 'none' then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE]
+ - ceph.key_rotate:
+ daemons: []
+ clients: [all]
+ key_type: aes256k
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 8); .auth.key.type == 2)'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
--- /dev/null
+teuthology:
+ postmerge:
+ - |
+ if not yaml.teuthology.variables.clients_all_rotated then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_ALLOWED]
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes256k
+ - ceph.healthy:
--- /dev/null
+teuthology:
+ postmerge:
+ - |
+ if yaml.teuthology.variables.clients_all_rotated then
+ reject()
+ end
+
+tasks:
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+ - ceph.healthy:
+ expected_checks: [AUTH_INSECURE_KEYS_ALLOWED]
+ - exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump --format=json | jq '.auth_allowed_ciphers | (map(.name) | sort) == ["aes", "aes256k"]'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky
+ - ceph.healthy:
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .secrets.keys | all(.expiring_key.key.type == 1) )'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_service_cipher aes256k
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
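Review bot: The filter `all(.expiring_key.key.type == 1)` hard-codes a numeric key type with no explanation, and the later `wipe-rotating-service-keys` file does the same with `.entity.type == 32` and key types `1` and `2`. Nothing in the YAML says which cipher each number stands for, or why the rotating keys are expected to be type 1 just before `mon set auth_service_cipher aes256k`. Add a comment above the exec list such as `# key.type 1 = aes, 2 = aes256k (confirm against the Ceph crypto type constants); rotating keys must still be aes before the service cipher is switched`. The mapping in that comment is inferred from the surrounding commands and needs checking before it is committed.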
+++ /dev/null
-tasks:
-- full_sequential_finally:
- - exec:
- mon.a:
- - sleep 1m
-- exec:
- mon.a:
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump
- - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+teuthology:
+ variables:
+ wipe_service_keys: false
--- /dev/null
+# Sleep for ticket refresh.
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE]
+- sleep:
+ duration: 720
+- ceph.healthy:
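Review bot: The `duration: 720` sleep has no stated derivation; the header comment says only "Sleep for ticket refresh". The final `ceph.healthy` presumably passes only once every old-type rotating service key has aged out, so a change to the service ticket TTL used by the suite would make this wait either flaky or needlessly long. Spell out the relation in the comment, e.g. `# Sleep for ticket refresh: 720s = N x auth service ticket ttl, enough for all rotating key generations to be replaced`, with N filled in from the configured TTL.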
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+ expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE]
+- exec:
+ mon.a:
+ - ceph auth wipe-rotating-service-keys
+ - ceph auth --format=json-pretty dump-keys
+ - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .entity.type == 32 then (.secrets.keys | all(.expiring_key.key.type == 1)) else (.secrets.keys | all(.expiring_key.key.type == 2)) end )'
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_TICKETS
+- ceph.healthy:
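Review bot: This file runs `ceph auth wipe-rotating-service-keys` without the caveat that the deleted wipe file further down the page carried: the service daemons must be restarted next, and until then they are inaccessible to new clients. If that deleted file is this one's predecessor, the note was lost in the move, and nothing here tells a maintainer that the daemon restart has to follow immediately. Restore it as a header comment, e.g. `# N.B. the service daemons must be restarted next for the wipe to take effect; until then they are inaccessible to new clients.`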
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+overrides:
+ ceph:
+ log-ignorelist:
+ - OSD_DOWN
+ - OSD_ROOT_DOWN
+tasks:
+- sleep:
+ duration: 10
+- ceph.restart:
+ daemons: [mon.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- ceph.restart:
+ daemons: [mgr.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+- ceph.restart:
+ daemons: [osd.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
+ wait-for-osds-up: true
+- ceph.restart:
+ daemons: [mds.*]
+ mon-health-to-clog: false
+ wait-for-healthy: true
--- /dev/null
+../.qa/
\ No newline at end of file
--- /dev/null
+tasks:
+ - radosbench:
+ extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
+ clients: [client.0]
+ time: 10
+ unique_pool: true
--- /dev/null
+tasks:
+- exec:
+ mon.a:
+ - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail
+- ceph.healthy:
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-# We can't set auth_exit_on_failure here because squid/reef do not understand that switch.
-#teuthology:
-# postmerge:
-# - |
-# if false and yaml.teuthology.variables.wipe_service_keys then
-# yaml.radosbench.sequential_yield[0].radosbench.auth_exit_on_failure = 99
-# yaml.radosbench.sequential_yield[0].radosbench.expected_rc = 99
-# end
-
-# N.B. because `rados bench` has sessions open with the OSDs, we do not expect
-# it to fail any auth after upgrade / rotation / session key wipe. It will only
-# fail new connections with OSDs.
-radosbench:
- sequential_yield:
- - radosbench:
- extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
- clients: [client.0]
- time: 300
- unique_pool: true
-
-tasks:
- - sequential_yield:
- - radosbench
+++ /dev/null
-tasks:
-- install.upgrade:
- mon.a:
- mon.b:
- client.0:
-- ceph.restart:
- daemons: [mgr.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [mon.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [osd.*]
- mon-health-to-clog: false
- wait-for-osds-up: true
- wait-for-healthy: false
-- exec:
- mon.a:
- - ceph versions
- - ceph osd dump -f json-pretty
- - ceph osd require-osd-release tentacle
- - for f in `ceph osd pool ls` ; do ceph osd pool set $f pg_autoscale_mode off ; done
-- ceph.restart:
- daemons: [mds.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- exec:
- mon.a:
- - ceph versions
- - ceph fs dump
+++ /dev/null
-tasks:
-- ceph.key_rotate:
- daemons: [mon.*]
- key_type: aes256k
-- ceph.key_rotate:
- daemons: [mgr.*, osd.*, mds.*]
- key_type: aes256k
-- exec:
- mon.a:
- - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls
- - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys
- - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.key.type == 1 or .key.type == 2 or .key.type == 4 or .key.type == 16); .val.key.type != 2)'
- - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .val.secrets | all(.val.key.type == 1) )'
- - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 config set global auth_service_cipher aes256k
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-teuthology:
- variables:
- wipe_service_keys: false
+++ /dev/null
-# N.B. in order to effect a service key wipe, the service daemons must be
-# restarted next. During this time, service daemons will be inaccessible to new
-# clients.
-teuthology:
- variables:
- wipe_service_keys: true
-tasks:
-- exec:
- mon.a:
- - ceph auth wipe-rotating-service-keys
- - ceph auth --format=json-pretty dump-keys
- - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .key == 32 then (.val.secrets | all(.val.key.type == 1)) else (.val.secrets | all(.val.key.type == 2)) end )'
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-overrides:
- ceph:
- log-ignorelist:
- - OSD_DOWN
- - OSD_ROOT_DOWN
-tasks:
-- sleep:
- duration: 10
-- ceph.restart:
- daemons: [mon.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [mgr.*]
- mon-health-to-clog: false
- wait-for-healthy: true
-- ceph.restart:
- daemons: [osd.*]
- mon-health-to-clog: false
- wait-for-healthy: true
- wait-for-osds-up: true
-- ceph.restart:
- daemons: [mds.*]
- mon-health-to-clog: false
- wait-for-healthy: true
+++ /dev/null
-../.qa/
\ No newline at end of file
+++ /dev/null
-tasks:
- - radosbench:
- extra_args: --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0
- clients: [client.0]
- time: 10
- unique_pool: true