rbd-mirror should use per-host user id keyring

The rbd-mirror daemon will be HA under luminous and new daemon health
features require a way to uniquely identify rbd-mirror instances.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

diff --git a/roles/ceph-rbd-mirror/defaults/main.yml b/roles/ceph-rbd-mirror/defaults/main.yml
index 59bc05d29bc5ef105d828f9a59d09acf89ee1da5..b343a205856f2fa419a4f2890a92c43ea8df35a7 100644 (file)
--- a/roles/ceph-rbd-mirror/defaults/main.yml
+++ b/roles/ceph-rbd-mirror/defaults/main.yml
@@ -3,24 +3,17 @@
 # SETUP #
 #########
 
+fetch_directory: fetch/
 
-# NOTE (leseb): the rbd-mirror daemon needs a user to start
-# because it has to authenticate with the local cluster.
-# By default, using the admin user is fine, so you should not
-# need to change 'ceph_rbd_mirror_local_user' unless you have
-# a dedicated key available in /etc/ceph/.
-# Generally Ansible will use the admin key and put it
-# under /etc/ceph/. The same goes for 'ceph_rbd_mirror_remote_user'
-# there should not be any reason to change it.
-ceph_rbd_mirror_local_user: admin
-ceph_rbd_mirror_remote_user: admin
-
-# NOTE (leseb): the following variable needs the name of the remote cluster.
-# The name of this cluster must be different than your local cluster simply
-# because we need to have both keys and ceph.conf inside /etc/ceph.
-# Thus if cluster names are identical we can not have them under /etc/ceph
-ceph_rbd_mirror_remote_cluster: ""
+# Even though rbd-mirror nodes should not have the admin key
+# at their disposal, some people might want to have it
+# distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
+# will copy the admin key to the /etc/ceph/ directory. Only
+# valid for Luminous and later releases.
+copy_admin_key: false
 
+# NOTE: deprecated generic local user id for pre-Luminous releases
+ceph_rbd_mirror_local_user: "admin"
 
 #################
 # CONFIGURATION #
@@ -29,6 +22,16 @@ ceph_rbd_mirror_remote_cluster: ""
 ceph_rbd_mirror_configure: false
 ceph_rbd_mirror_pool: ""
 
+# NOTE (leseb): the following variable needs the name of the remote cluster.
+# The name of this cluster must be different than your local cluster simply
+# because we need to have both keys and ceph.conf inside /etc/ceph.
+# Thus if cluster names are identical we can not have them under /etc/ceph
+ceph_rbd_mirror_remote_cluster: ""
+
+# NOTE: the rbd-mirror daemon needs a user to authenticate with the
+# remote cluster. By default, this key should be available under
+# /etc/ceph/<remote_cluster>.client.<remote_user>.keyring
+ceph_rbd_mirror_remote_user: ""
 
 ##########
 # DOCKER #

diff --git a/roles/ceph-rbd-mirror/tasks/pre_requisite.yml b/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
index 378c1c8f7e270d7cf86022f9ee9bf047ad38a344..0d960c557d08689b809311ebc61d7f040311d140 100644 (file)
--- a/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
+++ b/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
@@ -15,4 +15,37 @@
     owner: "ceph"
     group: "ceph"
     mode: "0600"
-  when: cephx
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous or copy_admin_key
+
+- name: copy rbd-mirror bootstrap key
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
+    dest: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: create rbd-mirror keyring
+  command: ceph --cluster {{ cluster }} --name client.bootstrap-rbd --keyring /var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring auth get-or-create client.rbd-mirror.{{ ansible_hostname }} mon 'profile rbd' osd 'profile rbd' -o /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
+  args:
+    creates: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}/keyring
+  changed_when: false
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: set rbd-mirror key permissions
+  file:
+    path: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+  when:
+    - cephx
+    - ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+

diff --git a/roles/ceph-rbd-mirror/tasks/start_rbd_mirror.yml b/roles/ceph-rbd-mirror/tasks/start_rbd_mirror.yml
index e48149b4699c734cda5570e72cc7ce65f427c07f..a6fdbdb9dfe7a0152249f5f89c6322257b7c0d2c 100644 (file)
--- a/roles/ceph-rbd-mirror/tasks/start_rbd_mirror.yml
+++ b/roles/ceph-rbd-mirror/tasks/start_rbd_mirror.yml
@@ -19,7 +19,24 @@
 
 - name: start and add that the rbd mirror service to the init sequence
   service:
-      name: "ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}"
-      state: started
-      enabled: yes
+    name: "ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}"
+    state: started
+    enabled: yes
   changed_when: false
+  when: ceph_release_num.{{ ceph_release }} < ceph_release_num.luminous
+
+- name: stop and remove the generic rbd-mirror service instance
+  service:
+    name: "ceph-rbd-mirror@{{ ceph_rbd_mirror_local_user }}"
+    state: stopped
+    enabled: no
+  changed_when: false
+  when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: start and add the rbd-mirror service instance
+  service:
+    name: "ceph-rbd-mirror@rbd-mirror.{{ ansible_hostname }}"
+    state: started
+    enabled: yes
+  changed_when: false
+  when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous