From: Sébastien Han Date: Tue, 12 May 2015 09:18:12 +0000 (+0200) Subject: Ability to secure cluster pools X-Git-Tag: v1.0.0~220^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F259%2Fhead;p=ceph-ansible.git Ability to secure cluster pools We set several flags to keep the cluster secure: * nodelete * nopgchange * nosizechange Signed-off-by: Sébastien Han
---
diff --git a/group_vars/mons b/group_vars/mons
index a2c003468..9f956de6a 100644
--- a/group_vars/mons
+++ b/group_vars/mons
@@ -1,12 +1,67 @@
----
-# Variables here are applicable to all host groups NOT roles
-
-# Dummy variable to avoid error because ansible does not recognize the file as a good configuration file when no variable in it.
-dummy:
-
-# Monitor options
-#monitor_secret: # /!\ GENERATE ONE WITH 'ceph-authtool --gen-print-key' /!\
-#cephx: true
-
-# Rados Gateway options
-#radosgw: false
+---
+# You can override vars by using host or group vars
+# Variables here are applicable to all host groups NOT roles
+
+# Dummy variable to avoid error because ansible does not recognize the file as a good configuration file when no variable in it.
+dummy:
+
+###########
+# GENERAL #
+###########
+
+# ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
+#fsid: "{{ cluster_uuid.stdout }}"
+# monitor_secret:
+#cephx: true
+
+# Rados Gateway options
+# referenced in common role too.
+#radosgw: false
+
+# CephFS
+#pool_default_pg_num: 128
+#cephfs_data: cephfs_data
+#cephfs_metadata: cephfs_metadata
+#cephfs: cephfs
+
+# Ceph REST API
+# referenced in common role too.
+#restapi: false
+
+# Secure your cluster
+# This will set the following flags on all the pools:
+# * nosizechange
+# * nopgchange
+# * nodelete
+
+#secure_cluster: false
+#secure_cluster_flags:
+# - nopgchange
+# - nodelete
+# - nosizechange
+#
+
+#############
+# OPENSTACK #
+#############
+
+#openstack_config: false
+#openstack_glance_pool: images
+#openstack_cinder_pool: volumes
+#openstack_nova_pool: vms
+#openstack_cinder_backup_pool: backups
+#
+#openstack_keys:
+# - { name: client.glance, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool }}'" }
+# - { name: client.cinder, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool }}, allow rwx pool={{ openstack_nova_pool }}, allow rx pool={{ openstack_glance_pool }}'" }
+# - { name: client.cinder-backup, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool }}'" }
+
+
+##########
+# DOCKER #
+##########
+
+#ceph_containerized_deployment: false
+#ceph_mon_docker_interface: eth0
+#ceph_mon_docker_username: ceph
+#ceph_mon_docker_imagename: "mon:latest"
diff --git a/roles/ceph-mon/defaults/main.yml b/roles/ceph-mon/defaults/main.yml
index d4fc7e83d..ad48166fe 100644
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
@@ -24,6 +24,18 @@ cephfs: cephfs
 # referenced in common role too.
 restapi: false
+# Secure your cluster
+# This will set the following flags on all the pools:
+# * nosizechange
+# * nopgchange
+# * nodelete
+
+secure_cluster: false
+secure_cluster_flags:
+ - nopgchange
+ - nodelete
+ - nosizechange
+
 #############
 # OPENSTACK #
diff --git a/roles/ceph-mon/tasks/main.yml b/roles/ceph-mon/tasks/main.yml
index 0f544efd1..576f3fb51 100644
--- a/roles/ceph-mon/tasks/main.yml
+++ b/roles/ceph-mon/tasks/main.yml
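Review bot: The new `# monitor_secret:` line in group_vars/mons silently drops the key-generation hint that the removed `#monitor_secret: # /!\ GENERATE ONE WITH 'ceph-authtool --gen-print-key' /!\` line carried, so an operator following the "ACTIVATE BOTH FSID AND MONITOR_SECRET" instruction no longer sees how to produce a proper secret and may paste a weak or hand-typed one. The extra space after `#` also makes it the only commented-out variable in the file that does not uncomment cleanly — deleting the `#` leaves ` monitor_secret:` indented by one space at top level, which YAML will reject or mis-nest. Suggest restoring the original form, `#monitor_secret: # /!\ GENERATE ONE WITH 'ceph-authtool --gen-print-key' /!\`, so the hint and the `#var:` convention used by every neighbouring line are kept.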
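Review bot: The `# Secure your cluster` header in defaults/main.yml overstates what `secure_cluster` buys: `nodelete`, `nopgchange` and `nosizechange` are per-pool guardrails against accidental pool deletion and pg_num/size changes, not an authorization boundary — any client whose cephx caps allow `ceph osd pool set` (client.admin included) can clear them with the same command, and they say nothing about who can read or write the pool's objects. Operators reading "secure" here may skip real hardening (cephx caps, `monitor_secret`, network exposure), so the comment should say what it actually does; something like `# Guardrails against accidental pool deletion and pg_num/size changes.` followed by `# Not access control: any client allowed to run 'ceph osd pool set' can unset these flags.` The "on all the pools" wording is also worth qualifying, since the task file that applies the flags only walks the pools that exist when the role runs.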
@@ -11,5 +11,9 @@
 - include: create_mds_filesystems.yml
 when: not ceph_containerized_deployment and not {{ ceph_version.stdout | version_compare('0.84', '<') }} and mds
+- include: secure_cluster.yml
+ when: secure_cluster and {{ ceph_version.stdout | version_compare('0.94', '>=') }}
+ tags: secure_cluster
+
 - include: docker.yml
 when: ceph_containerized_deployment
diff --git a/roles/ceph-mon/tasks/secure_cluster.yml b/roles/ceph-mon/tasks/secure_cluster.yml
new file mode 100644
index 000000000..4ce5ec2b8
--- /dev/null
+++ b/roles/ceph-mon/tasks/secure_cluster.yml
@@ -0,0 +1,10 @@
+---
+- name: collect all the pool
+ command: rados lspools
+ register: ceph_pools
+
+- name: secure the cluster
+ command: ceph osd pool set {{ item[0] }} {{ item[1] }} true
+ with_nested:
+ - ceph_pools.stdout_lines
+ - secure_cluster_flags
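Review bot: The new include's `when:` wraps the version test in `{{ }}` inside a condition that Ansible already evaluates as Jinja, which newer releases warn about ("when statements should not include jinja2 templating delimiters"); it copies the style of the `create_mds_filesystems.yml` line above, but a new line need not inherit it — `when: secure_cluster and ceph_version.stdout | version_compare('0.94', '>=')` is equivalent. Separately, when `secure_cluster` is true on a cluster older than 0.94 the include is skipped with no signal, so the operator believes the flags are set when nothing happened; a `debug`/`fail` task guarded by the inverse condition, or a note in the defaults comment that the feature needs Hammer or later, would close that gap. The surrounding task list continues outside this hunk.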
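Review bot: In `secure the cluster`, each pool name from `rados lspools` is interpolated bare into the `command:` string; the `command` module does not invoke a shell (so there is no shell injection), but it splits the line on whitespace, so a pool whose name contains a space would be split into several arguments and the flag would land on the wrong target or fail mid-loop — quoting the name, `command: ceph osd pool set '{{ item[0] }}' {{ item[1] }} true`, keeps a name as one argument. The `collect all the pool` task is a read-only query but has no `changed_when: false`, so every run reports a change, and because the include is evaluated on every host in the mons group the same `ceph osd pool set` calls are reissued once per monitor; `changed_when: false` on the first task and `run_once: true` on the second (keeping the registered result in scope, which is worth verifying on the Ansible version in use) would make the play idempotent in its reporting and cut the redundant calls. Note also that only pools present at the moment this runs receive the flags — anything created afterwards (for example the `openstack_*_pool` pools or pools RGW creates on first use, if that ordering applies here) is left unprotected, which the task name and the defaults comment do not make clear.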