Cool stuff :). We don't need to specify an initial monitor key anymore.
A key will automatically be generated.
The default key can always be overridden with the `monitor_secret`
variable.
Signed-off-by: leseb <seb@redhat.com>
## Monitor options
#
#monitor_interface: interface
-#monitor_secret:
+#monitor_secret: "{{ ceph_mon_key.stdout }}"
#mon_osd_down_out_interval: 600
#mon_osd_min_down_reporters: 7 # number of OSDs per host + 1
#mon_clock_drift_allowed: .15
\r
# ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT\r
#fsid: "{{ cluster_uuid.stdout }}"\r
-#monitor_secret:\r
+#monitor_secret: "{{ ceph_mon_key.stdout }}"\r
#cephx: true\r
\r
# CephFS\r
not ceph_stable_rh_storage_cdn_install and
not ceph_stable_rh_storage_iso_install
-- name: make sure a monitor secret is defined
- fail: msg"monitor_secret must be defined. Go edit group_vars/all or read https://github.com/ceph/ceph-ansible/wiki"
- when: monitor_secret is not defined
-
- name: make sure journal_size configured
fail: msg="journal_size must be configured. See http://ceph.com/docs/master/rados/configuration/osd-config-ref/"
when: journal_size|int == 0
\r
# ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT\r
fsid: "{{ cluster_uuid.stdout }}"\r
-#monitor_secret:\r
+monitor_secret: "{{ ceph_mon_key.stdout }}"\r
cephx: true\r
\r
# CephFS\r
---
+- name: generate monitor initial keyring
+ local_action: >
+ shell python -c "import os ; import struct ; import time; import base64 ; key = os.urandom(16) ; header = struct.pack('<hiih',1,int(time.time()),0,len(key)) ; print base64.b64encode(header + key)' > fetch/ceph_mon_key.con"
+ creates=fetch/ceph_mon_key.conf
+ register: ceph_mon_key
+ sudo: false
+
+- name: read monitor initial keyring if it already exists
+ local_action: >
+ command cat fetch/ceph_mon_key.conf
+ removes=fetch/ceph_mon_key.conf
+ changed_when: false
+ register: ceph_mon_key
+ sudo: false
+
- name: create monitor initial keyring
command: >
- ceph-authtool /var/lib/ceph/tmp/keyring.mon.{{ ansible_hostname }} --create-keyring --name=mon. --add-key={{ monitor_secret | mandatory }} --cap mon 'allow *'
+ ceph-authtool /var/lib/ceph/tmp/keyring.mon.{{ ansible_hostname }} --create-keyring --name=mon. --add-key={{ monitor_secret }} --cap mon 'allow *'
creates=/var/lib/ceph/tmp/keyring.mon.{{ ansible_hostname }}
- name: set initial monitor key permissions
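Review bot: The `generate monitor initial keyring` task cannot create the file its `creates=` guard names, because the `python -c "` string is closed with `'` instead of `"`, which puts the redirect inside the Python source, and the target is spelled `fetch/ceph_mon_key.con` rather than `.conf`. The command should end with `print base64.b64encode(header + key)" > fetch/ceph_mon_key.conf`. The key file is written on the control host under the default umask, so prefixing the command with `umask 077 &&` would keep the monitor secret from being readable by other local users. The registered stdout of the `cat` task and the `--add-key={{ monitor_secret }}` command line both carry the secret, so `no_log: true` on those two tasks would keep it out of Ansible output and logs. With `| mandatory` dropped here and the `monitor_secret is not defined` pre-check deleted in the other tasks file, an empty or skipped `ceph_mon_key.stdout` appears to reach `ceph-authtool` unchecked; a `fail` task with `when: monitor_secret | length == 0` before `create monitor initial keyring` would restore that guard.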