To get the dashboard up and running quickly, you can generate and install a
self-signed certificate:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard create-self-signed-cert
For example, a key pair can be generated with a command similar to:
-.. prompt:: bash $
+.. prompt:: bash #
openssl req -new -nodes -x509 \
-subj "/O=IT/CN=ceph-mgr-dashboard" -days 3650 \
The ``dashboard.crt`` file should then be signed by a CA. Once that is done, you
can enable it for Ceph manager instances by running the following commands:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-ssl-certificate -i dashboard.crt
ceph dashboard set-ssl-certificate-key -i dashboard.key
the name of the instance can be included as follows (where ``$name`` is the name
of the ``ceph-mgr`` instance, usually the hostname):
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-ssl-certificate $name -i dashboard.crt
ceph dashboard set-ssl-certificate-key $name -i dashboard.key
SSL can also be disabled by setting this configuration value:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/ssl false
fail mgr`` or by disabling and re-enabling the dashboard module (which also
triggers the manager to respawn itself):
- .. prompt:: bash $
+ .. prompt:: bash #
ceph mgr module disable dashboard
ceph mgr module enable dashboard
These defaults can be changed via the configuration key facility on a
cluster-wide level (so they apply to all manager instances) as follows:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/server_addr $IP
ceph config set mgr mgr/dashboard/server_port $PORT
necessary to configure them separately. The IP address and port for a specific
manager instance can be changed with the following commands:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/$name/server_addr $IP
ceph config set mgr mgr/dashboard/$name/server_port $PORT
To create a user with the administrator role you can use the following
commands:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard ac-user-create <username> -i <file-containing-password> administrator
attacks. The user can get or set the default number of lock-out attempts using
these commands respectively:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard get-account-lockout-attempts
ceph dashboard set-account-lockout-attempts <value:int>
However, by disabling this feature, the account is more vulnerable to brute-force or
dictionary based attacks. This can be disabled by:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-account-lockout-attempts 0
it needs to be manually enabled by the administrator. This can be done by the following
command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard ac-user-enable <username>
dashboard will be automatically configured. You can also manually force the
credentials to be set up with:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-rgw-credentials
If you've configured a custom 'admin' resource in your RGW admin API, you should set it here also:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-rgw-api-admin-resource <admin_resource>
connections, e.g. caused by certificates signed by unknown CA or not matching
the host name:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-rgw-api-ssl-verify False
+To set a custom hostname or address for an RGW gateway, set the value of ``RGW_HOSTNAME_PER_DAEMON``
+accordingly:
+
+.. prompt:: bash #
+
+ ceph dashboard set-rgw-hostname <gateway_name> <hostname>
+
+The setting can be unset using:
+
+.. prompt:: bash #
+
+ ceph dashboard unset-rgw-hostname <gateway_name>
+
If the Object Gateway takes too long to process requests and the dashboard runs
into timeouts, you can set the timeout value to your needs:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-rest-requests-timeout <seconds>
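Review bot: the added paragraph before ``set-rgw-hostname`` tells the reader to set the value of ``RGW_HOSTNAME_PER_DAEMON``, but neither command shown uses that name, and ``<gateway_name>`` is never defined. Suggest describing the setting in terms of the command arguments and saying where the gateway name can be looked up. The paragraph just above handles certificates "not matching the host name" with ``set-rgw-api-ssl-verify False``, so it is also worth stating whether setting a hostname that matches the certificate is the preferred fix over turning verification off.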
To disable API SSL verification run the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-iscsi-api-ssl-verification false
The available iSCSI gateways must be defined using the following commands:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard iscsi-gateway-list
# Gateway URL format for a new gateway: <scheme>://<username>:<password>@<host>[:port]
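Review bot: with the prompt for the ``iscsi-gateway-list`` block switched to ``#``, the following line ``# Gateway URL format for a new gateway: ...`` starts with the same character as the root prompt, so a reader cannot tell the comment from a command line. Suggest moving the URL format sentence out of the prompt block into the paragraph above it.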
#. Enable the Ceph Exporter which comes as Ceph Manager module by running:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph mgr module enable prometheus
#. Install the `vonage-status-panel and grafana-piechart-panel` plugins using:
- .. prompt:: bash $
+ .. prompt:: bash #
grafana-cli plugins install vonage-status-panel
grafana-cli plugins install grafana-piechart-panel
Dashboards can be added to Grafana by importing dashboard JSON files.
Use the following command to download the JSON files:
- .. prompt:: bash $
+ .. prompt:: bash #
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/<Dashboard-name>.json
For Example, for ceph-cluster overview you can use:
- .. prompt:: bash $
+ .. prompt:: bash #
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/ceph-cluster.json
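Review bot: the two ``wget`` downloads of dashboard JSON (the ``<Dashboard-name>.json`` template and this ``ceph-cluster.json`` example) do not need root, yet the ``#`` prompt now documents fetching files from the network as root. Suggest keeping ``$`` for these two blocks, or stating why root is required.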
You need to tell the dashboard on which URL the Grafana instance is
running/deployed:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-grafana-api-url <grafana-server-url> # default: ''
which can be a result of certificates signed by an unknown CA or that do not
match the host name:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-grafana-api-ssl-verify False
Ceph Dashboard configuration information can also be unset. For example, to
clear the Grafana API URL we configured above:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard reset-grafana-api-url
To change the URL that is returned to the frontend issue the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-grafana-frontend-api-url <grafana-server-url>
To configure SSO on Ceph Dashboard, you should use the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard sso setup saml2 <ceph_dashboard_base_url> <idp_metadata> {<idp_username_attribute>} {<idp_entity_id>} {<sp_x_509_cert>} {<sp_private_key>}
To display the current SAML 2.0 configuration, use the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard sso show saml2
To disable SSO:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard sso disable
To check if SSO is enabled:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard sso status
To enable SSO:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard sso enable saml2
To use it, specify the host and port of the Alertmanager server:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-alertmanager-api-host <alertmanager-host:port> # default: ''
For example:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-alertmanager-api-host 'http://localhost:9093'
that a new silence will match a corresponding alert.
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-prometheus-api-host <prometheus-host:port> # default: ''
For example:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-prometheus-api-host 'http://localhost:9090'
- For Prometheus:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-prometheus-api-ssl-verify False
- For Alertmanager:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-alertmanager-api-ssl-verify False
The password policy feature can be switched on or off completely:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-pwd-policy-enabled <true|false>
The following individual checks can also be switched on or off:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-pwd-policy-check-length-enabled <true|false>
ceph dashboard set-pwd-policy-check-oldpwd-enabled <true|false>
- Minimum password length (defaults to 8):
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-pwd-policy-min-length <N>
- Minimum password complexity (defaults to 10):
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-pwd-policy-min-complexity <N>
- A list of comma separated words that are not allowed to be used in a
password:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard set-pwd-policy-exclusion-list <word>[,...]
- *Show User(s)*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-show [<username>]
- *Create User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-create [--enabled] [--force-password] [--pwd_update_required] <username> -i <file-containing-password> [<rolename>] [<name>] [<email>] [<pwd_expiration_date>]
- *Delete User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-delete <username>
- *Change Password*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-set-password [--force-password] <username> -i <file-containing-password>
- *Change Password Hash*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-set-password-hash <username> -i <file-containing-password-hash>
- *Modify User (name, and email)*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-set-info <username> <name> <email>
- *Disable User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-disable <username>
- *Enable User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-enable <username>
The list of available roles can be retrieved with the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard ac-role-show [<rolename>]
- *Create Role*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-role-create <rolename> [<description>]
- *Delete Role*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-role-delete <rolename>
- *Add Scope Permissions to Role*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-role-add-scope-perms <rolename> <scopename> <permission> [<permission>...]
- *Delete Scope Permission from Role*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-role-del-scope-perms <rolename> <scopename>
- *Set User Roles*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-set-roles <username> <rolename> [<rolename>...]
- *Add Roles To User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-add-roles <username> <rolename> [<rolename>...]
- *Delete Roles from User*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-del-roles <username> <rolename> [<rolename>...]
1. *Create the user*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-create bob -i <file-containing-password>
2. *Create role and specify scope permissions*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-role-create rbd/pool-manager
ceph dashboard ac-role-add-scope-perms rbd/pool-manager rbd-image read create update delete
3. *Associate roles to user*:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-set-roles bob rbd/pool-manager read-only
to use hyperlinks that include your prefix, you can set the
``url_prefix`` setting:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/url_prefix $PREFIX
following command to get the dashboard to respond with an HTTP error (500 by default)
instead of redirecting to the active dashboard:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/standby_behaviour "error"
To reset the setting to default redirection, use the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/standby_behaviour "redirect"
When redirection is disabled, you may want to customize the HTTP status
code of standby dashboards. To do so you need to run the command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/standby_error_status_code 503
To activate redirection from standby dashboards to active dashboards via the
manager's hostname, run the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph config set mgr mgr/dashboard/redirect_resolve_ip_addr True
audit log. This feature is disabled by default, but can be enabled with the
following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-audit-api-enabled <true|false>
The logging of the request payload (the arguments and their values) is enabled
by default. Execute the following command to disable this behaviour:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard set-audit-api-log-payload <true|false>
If you are unsure of the location of the Ceph Dashboard, run the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph mgr services | jq .dashboard
#. Verify the Ceph Dashboard module is enabled:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph mgr module ls | jq .enabled_modules
#. If it is not listed, activate the module with the following command:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph mgr module enable dashboard
* Check if ``ceph-mgr`` log messages are written to a file by:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config get mgr log_to_file
* Get the location of the log file (it's ``/var/log/ceph/<cluster-name>-<daemon-name>.log``
by default):
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config get mgr log_file
* Check if the SSL/TLS support is enabled:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config get mgr mgr/dashboard/ssl
* If the command returns ``true``, verify a certificate exists by:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config-key get mgr/dashboard/crt
and:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config-key get mgr/dashboard/key
certificate or follow the instructions outlined in
:ref:`dashboard-ssl-tls-support`:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard create-self-signed-cert
#. If your user credentials are correct, but you are experiencing the same
error, check that the user account exists:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-show <username>
#. Check if the user is enabled:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-show <username> | jq .enabled
Check if ``enabled`` is set to ``true`` for your user. If not the user is
not enabled, run:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph dashboard ac-user-enable <username>
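Review bot: the context sentence above this block, "If not the user is not enabled, run:", is garbled. Since the block is being touched anyway, suggest "If the user is not enabled, run:".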
To enable it via the CLI, run the following command:
-.. prompt:: bash $
+.. prompt:: bash #
ceph dashboard debug enable
#. Increase the logging level of manager daemons:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph tell mgr config set debug_mgr 20
and click the edit button. Modify the ``log_level`` configuration.
* To adjust it via the CLI, run the following command:
- .. prompt:: bash $
+ .. prompt:: bash #
bin/ceph config set mgr mgr/dashboard/log_level debug
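Review bot: this is the only block visible in the patch that calls ``bin/ceph`` rather than ``ceph``, and a relative path under a root prompt only works from one particular working directory. Suggest ``ceph config set mgr mgr/dashboard/log_level debug`` to match the rest of the page.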
or a week in the future to revert this temporary logging increase. This looks
something like this:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config log
--- 11 --- 2020-11-07 11:11:11.960659 --- mgr.x/dashboard/log_level = debug ---
...
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config reset 11
3. To see debug-level messages as well as info-level events, run the following command via CLI:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config set mgr mgr/cephadm/log_to_cluster_level debug
4. To enable logging to files, run the following commands via CLI:
- .. prompt:: bash $
+ .. prompt:: bash #
ceph config set global log_to_file true
ceph config set global mon_cluster_log_to_file true
the user can see their API access key. This key is used for authentication
when creating a new issue. To store the Ceph API access key, in the CLI run:
-.. prompt:: bash $
+.. prompt:: bash #
``ceph dashboard set-issue-tracker-api-key -i <file-containing-key>``
Then on successful update, you can create an issue using:
-.. prompt:: bash $
+.. prompt:: bash #
``ceph dashboard create issue <project> <tracker_type> <subject> <description>``
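Review bot: in the two issue-tracker blocks (``set-issue-tracker-api-key`` and ``create issue``), the command lines under ``.. prompt:: bash #`` are still wrapped in double backticks. Directive content is taken literally, so the backticks show up in the rendered command and in anything copied to a shell. Suggest dropping the inline-literal markup from both command lines in this change.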