Fix 25 criticals, errors, and warnings from Sphinx.
Some of the changes did not change rendering but most fixed unintended
rendering, broken link etc.
Change Mon to Monitor in ceph-secrets.rst.
Signed-off-by: Ville Ojamo <git2233+ceph@ojamo.eu>
``ceph orch host add <bare-name>``.
Sudo Hardening
-=============
+==============
Cephadm supports sudo hardening to enhance security by restricting sudo privilege
escalation for non-root SSH users. When sudo hardening is enabled, cephadm uses the
privilege escalation.
Enabling Sudo Hardening
-----------------------
+-----------------------
To enable sudo hardening for the entire cluster, use the following command:
access will be used for ongoing operations.
Sudo Hardening Workflow
-----------------------
+-----------------------
When sudo hardening is enabled, the following workflow is used:
Disabling Sudo Hardening
------------------------
+------------------------
To disable sudo hardening:
(same shape as ``ceph_version_short`` in ``ceph osd metadata``).
* If the Monitors indicate to cephadm that no OSDs in the selected CRUSH bucket
are okay to upgrade, cephadm will log details and then retry the operation.
-* If the bucket parameters for a ceph ``osd ok-to-upgrade`` upgrade are not provided,
+* If the bucket parameters for a ceph ``osd ok-to-upgrade`` upgrade are not provided,
cephadm will fall back to the default ceph osd ok-to-stop gate for OSD upgrades.
* Bucket-scope upgrades apply only to OSDs. CRUSH buckets do not influence upgrades
of other daemon types, for example Monitors, Managers, and MDSes.
TODO: fsck/tooling must support scanning and migrating all mappings
between upgrades.
- //create tracker after PR merged/ready.
+
+//create tracker after PR merged/ready.
Multi-push Recovery
-------------------
compatibility with existing applications.
Read Operation Flow
-~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~
Read operations follow a simple flow:
To enable the new features, the following OSDMap pool settings are required:
-- ``allows_ec_overwrites = true`
+- ``allows_ec_overwrites = true``
- ``allows_ec_optimizations = true``
- ``supports_omap = true``
Notify the "Build Lead" that the release branch is ready.
2a. Starting the build
-=====================
+======================
We'll use a stable/regular 19.2.2 release of Squid as an example throughout this document.
prepare-host-sudo-hardening
---------------------------
+---------------------------
Prepare a host for sudo hardening by authorizing SSH keys, installing/upgrading
the cephadm package, and setting up restricted sudoers permissions::
resolve the URI at deploy time and write the token only into the daemon files
that need it.
-Secrets are stored in the Mon KV store under the ``secret_store/v1/`` prefix
+Secrets are stored in the Monitor KV store under the ``secret_store/v1/`` prefix
and are organised by namespace, scope, and name. Each secret is versioned and
carries ``created``/``updated`` timestamps. A per-namespace epoch counter
is incremented on every ``set`` and on any ``rm`` that actually removes a
.. note::
- The ``mon`` backend stores secrets in the Mon KV store, which is not an
+ The ``mon`` backend stores secrets in the Monitor KV store, which is not an
external KMS or vault. Users and MGR modules with sufficient Ceph
permissions can still reveal or resolve stored secret values. Namespaces
provide logical and storage isolation, not an authorisation boundary.
.. mgr_module:: ceph_secrets
.. confval:: secrets_backend
- :type: str
- :default: ``mon``
-
- The storage backend used for secrets. Currently only the Mon KV store
+ The storage backend used for secrets. Currently only the Monitor KV store
(``mon``) is supported. This option is reserved for future backends
(e.g. HashiCorp Vault).
them.
Restoring a multi-monitor cluster
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Each monitor has its own Paxos state (rank, accepted proposal numbers,
``last_committed``), so backups are per-monitor: a backup taken from
To view dedup status, the user must have ``dedup=read`` capability. To
control dedup operations, the user must have ``dedup=write`` capability.
-See the `Admin Guide`_ for details.
+See the :ref:`radosgw-admin-guide` for details.
Get Dedup Stats
~~~~~~~~~~~~~~~
the RGW processes' process keyring. This is subject to a global quota
and must be set in accordance with the configured cache size.
Depending on whether RGW runs as root, these quotas can be managed by adjusting:
+
- ``/proc/sys/kernel/keys/root_maxkeys`` and ``/proc/sys/kernel/keys/root_maxbytes``
- ``/proc/sys/kernel/keys/maxkeys`` and ``/proc/sys/kernel/keys/maxbytes``
internal error, and log a failure message.
Three different Cache Time-to-Live (TTL) values can be set:
+
- **Positive TTL**: How long a successfully retrieved secret remains
in the cache.
- **Negative TTL**: How long to remember that a key does not exist,
---------
The cache exports metrics under the ``kms-cache`` collection.
+
- ``hit``: Hit counter
- ``miss``: Miss counter
- ``expired``: Number of TTL expired entries
``miss``, ``expired``
In addition the ``rgw`` collection has:
+
- ``kms_fetch_lat``: Average KMS fetch latency. Also includes a
successful request counter. Each event results in a positive cache
entry.