From 4f98499bfa66bb168aa40873dea5151d1c2c3851 Mon Sep 17 00:00:00 2001 From: Jonas Jelten Date: Tue, 9 Mar 2021 14:10:52 +0100 Subject: [PATCH] doc/mgr/crash: explain needed crash upload permissions Signed-off-by: Jonas Jelten --- doc/mgr/crash.rst | 34 +++++++++++++++++++----- doc/rados/operations/user-management.rst | 6 ++--- 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/doc/mgr/crash.rst b/doc/mgr/crash.rst index e12a8c6f83e9a..656c7a2d4ef31 100644 --- a/doc/mgr/crash.rst +++ b/doc/mgr/crash.rst @@ -3,13 +3,6 @@ Crash Module The crash module collects information about daemon crashdumps and stores it in the Ceph cluster for later analysis. -Daemon crashdumps are dumped in /var/lib/ceph/crash by default; this can -be configured with the option 'crash dir'. Crash directories are named by -time and date and a randomly-generated UUID, and contain a metadata file -'meta' and a recent log file, with a "crash_id" that is the same. -This module allows the metadata about those dumps to be persisted in -the monitors' storage. - Enabling -------- 
@@ -17,6 +10,33 @@ The *crash* module is enabled with:: ceph mgr module enable crash +The *crash* upload key is generated with:: + + ceph auth get-or-create client.crash mon 'profile crash' mgr 'profile crash' + +On each node, you should store this key in +``/etc/ceph/ceph.client.crash.keyring``. + + +Automated collection +-------------------- + +Daemon crashdumps are dumped in ``/var/lib/ceph/crash`` by default; this can +be configured with the option 'crash dir'. Crash directories are named by +time and date and a randomly-generated UUID, and contain a metadata file +'meta' and a recent log file, with a "crash_id" that is the same. + +These crashes can be automatically submitted and persisted in the monitors' +storage by using ``ceph-crash.service``. +It watches the crashdump directory and uploads them with ``ceph crash post``. + +``ceph-crash`` tries some authentication names: ``client.crash.$hostname``, +``client.crash`` and ``client.admin``. +In order to successfully upload with ``ceph crash post``, these need +the suitable permissions: ``mon profile crash`` and ``mgr profile crash`` +and a keyring needs to be in ``/etc/ceph``. + + Commands -------- :: diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index d8695effbfbc5..2ea49a88c5358 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -308,11 +308,11 @@ The following entries describe valid capability profiles: you're doing as the security ramifications are substantial and pervasive. -``profile crash`` (Monitor only) +``profile crash`` (Monitor and MGR) :Description: Gives a user read-only access to monitors, used in conjunction - with the manager ``crash`` module when collecting daemon crash - dumps for later analysis. + with the manager ``crash`` module to upload daemon crash + dumps into monitor storage for later analysis. Pool ---- -- 2.39.5
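Review bot: In the second doc/mgr/crash.rst hunk, under "Automated collection", the sentence "In order to successfully upload with ``ceph crash post``, these need the suitable permissions" reads as if all three names (``client.crash.$hostname``, ``client.crash`` and ``client.admin``) must be given the crash profiles. Please state whether the names are tried in the listed order and that only the one actually used needs ``mon 'profile crash'`` and ``mgr 'profile crash'``. Since ``client.admin`` is listed as a fallback, it would help to recommend the dedicated ``client.crash`` key generated under "Enabling", so that readers do not distribute an admin keyring to every node just for crash uploads. The line "On each node, you should store this key in ``/etc/ceph/ceph.client.crash.keyring``" should also say what ownership and file mode the keyring is expected to have. Style: the path now uses literal markup but 'crash dir', 'meta' and "crash_id" in the moved paragraph are still plain-quoted; converting them to double backticks in the same change would keep the section consistent.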
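Review bot: In the doc/rados/operations/user-management.rst hunk, the heading becomes "``profile crash`` (Monitor and MGR)" but the Description still begins "Gives a user read-only access to monitors" and never says what the profile grants on the manager side. The new wording "to upload daemon crash dumps into monitor storage" also sits awkwardly next to "read-only access"; a reader deciding whether this capability is safe to hand out cannot tell from this entry what it allows to be written. Suggest describing the monitor and manager parts of the profile separately and stating explicitly what the upload permission covers. Minor: the heading uses "MGR" while the description says "manager"; pick one spelling.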