From aca86f3a64272c6f5d42aa42d41fc882d806b134 Mon Sep 17 00:00:00 2001 From: Patrick Donnelly Date: Mon, 7 Jul 2025 15:10:31 -0400 Subject: [PATCH] qa: check health warnings in cephx upgrade Signed-off-by: Patrick Donnelly --- qa/suites/rados/upgrade/cephx/X/conf.yaml | 1 + .../tasks/{0-install.yaml => 00-install.yaml} | 0 .../rados/upgrade/cephx/X/tasks/01-ceph.yaml | 32 ++++++++++++++ .../1-debug.yaml => X/tasks/02-debug.yaml} | 2 + .../X/tasks/{3-workload => 03-workload}/.qa | 0 .../cephx/X/tasks/03-workload/none.yaml | 3 ++ .../radosbench.yaml | 6 ++- .../cephx/X/tasks/04-allow-aes256k.yaml | 10 +++++ ...upgrade.yaml => 05-service-auth-keys.yaml} | 12 +++-- .../cephx/X/tasks/06-insecure-create.yaml | 25 +++++++++++ .../X/tasks/07-client-auth-keys/admin.yaml | 34 ++++++++++++++ .../X/tasks/07-client-auth-keys/all.yaml | 28 ++++++++++++ .../X/tasks/08-allowed-ciphers/aes256k.yaml | 19 ++++++++ .../X/tasks/08-allowed-ciphers/insecure.yaml | 19 ++++++++ .../X/tasks/09-cephx-service-upgrade.yaml | 10 +++++ .../rados/upgrade/cephx/X/tasks/1-ceph.yaml | 9 ---- .../.qa | 0 .../no.yaml | 0 .../X/tasks/10-wipe-service-keys/sleep.yaml | 11 +++++ .../X/tasks/10-wipe-service-keys/yes.yaml | 14 ++++++ .../.qa | 0 .../no.yaml | 0 .../yes.yaml | 0 .../.qa | 0 .../radosbench.yaml | 0 .../upgrade/cephx/X/tasks/13-healthy.yaml | 5 +++ .../X/tasks/5-wipe-service-keys/yes.yaml | 6 --- .../cephx/X/tasks/6-daemon-restart/sleep.yaml | 4 -- .../rados/upgrade/cephx/release-X/conf.yaml | 1 + .../rados/upgrade/cephx/release-X/roles.yaml | 3 +- .../release-X/tasks/{0-from => 00-from}/.qa | 0 .../tasks/{0-from => 00-from}/v18.2.7.yaml | 21 ++++----- .../tasks/{0-from => 00-from}/v19.2.2.yaml | 21 ++++----- .../tasks/01-debug.yaml} | 2 +- .../tasks/{2-workload => 02-workload}/.qa | 0 .../release-X/tasks/02-workload/none.yaml | 3 ++ .../tasks/02-workload/radosbench.yaml | 15 +++++++ .../cephx/release-X/tasks/03-upgrade.yaml | 44 +++++++++++++++++++ .../release-X/tasks/04-allow-aes256k.yaml | 10 +++++ .../release-X/tasks/05-service-auth-keys.yaml | 20 +++++++++ .../release-X/tasks/06-insecure-create.yaml | 25 +++++++++++ .../tasks/07-client-auth-keys/admin.yaml | 34 ++++++++++++++ .../tasks/07-client-auth-keys/all.yaml | 28 ++++++++++++ .../tasks/08-allowed-ciphers/aes256k.yaml | 19 ++++++++ .../tasks/08-allowed-ciphers/insecure.yaml | 19 ++++++++ .../tasks/09-cephx-service-upgrade.yaml | 10 +++++ .../.qa | 0 .../no.yaml | 0 .../tasks/10-wipe-service-keys/sleep.yaml | 11 +++++ .../tasks/10-wipe-service-keys/yes.yaml | 14 ++++++ .../.qa | 0 .../no.yaml | 0 .../yes.yaml | 0 .../.qa | 0 .../12-workload-after-rotate/radosbench.yaml | 6 +++ .../cephx/release-X/tasks/13-healthy.yaml | 5 +++ .../tasks/2-workload/radosbench.yaml | 23 ---------- .../cephx/release-X/tasks/3-upgrade.yaml | 32 -------------- .../tasks/4-cephx-service-upgrade.yaml | 14 ------ .../tasks/5-wipe-service-keys/yes.yaml | 12 ----- .../7-workload-after-rotate/radosbench.yaml | 6 --- 61 files changed, 510 insertions(+), 138 deletions(-) rename qa/suites/rados/upgrade/cephx/X/tasks/{0-install.yaml => 00-install.yaml} (100%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/01-ceph.yaml rename qa/suites/rados/upgrade/cephx/{release-X/tasks/1-debug.yaml => X/tasks/02-debug.yaml} (73%) rename qa/suites/rados/upgrade/cephx/X/tasks/{3-workload => 03-workload}/.qa (100%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/03-workload/none.yaml rename qa/suites/rados/upgrade/cephx/X/tasks/{3-workload => 03-workload}/radosbench.yaml (80%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/04-allow-aes256k.yaml rename qa/suites/rados/upgrade/cephx/X/tasks/{4-cephx-service-upgrade.yaml => 05-service-auth-keys.yaml} (57%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/06-insecure-create.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/admin.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/all.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/aes256k.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/insecure.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/09-cephx-service-upgrade.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/1-ceph.yaml rename qa/suites/rados/upgrade/cephx/X/tasks/{5-wipe-service-keys => 10-wipe-service-keys}/.qa (100%) rename qa/suites/rados/upgrade/cephx/X/tasks/{5-wipe-service-keys => 10-wipe-service-keys}/no.yaml (100%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/sleep.yaml create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/yes.yaml rename qa/suites/rados/upgrade/cephx/X/tasks/{6-daemon-restart => 11-daemon-restart}/.qa (100%) rename qa/suites/rados/upgrade/cephx/X/tasks/{6-daemon-restart => 11-daemon-restart}/no.yaml (100%) rename qa/suites/rados/upgrade/cephx/X/tasks/{6-daemon-restart => 11-daemon-restart}/yes.yaml (100%) rename qa/suites/rados/upgrade/cephx/X/tasks/{7-workload-after-rotate => 12-workload-after-rotate}/.qa (100%) rename qa/suites/rados/upgrade/cephx/X/tasks/{7-workload-after-rotate => 12-workload-after-rotate}/radosbench.yaml (100%) create mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/13-healthy.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/yes.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/sleep.yaml rename qa/suites/rados/upgrade/cephx/release-X/tasks/{0-from => 00-from}/.qa (100%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{0-from => 00-from}/v18.2.7.yaml (65%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{0-from => 00-from}/v19.2.2.yaml (65%) rename qa/suites/rados/upgrade/cephx/{X/tasks/2-debug.yaml => release-X/tasks/01-debug.yaml} (92%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{2-workload => 02-workload}/.qa (100%) create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/none.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/radosbench.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/03-upgrade.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/04-allow-aes256k.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/05-service-auth-keys.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/06-insecure-create.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/admin.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/all.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/aes256k.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/insecure.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/09-cephx-service-upgrade.yaml rename qa/suites/rados/upgrade/cephx/release-X/tasks/{5-wipe-service-keys => 10-wipe-service-keys}/.qa (100%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{5-wipe-service-keys => 10-wipe-service-keys}/no.yaml (100%) create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/sleep.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/yes.yaml rename qa/suites/rados/upgrade/cephx/release-X/tasks/{6-daemon-restart => 11-daemon-restart}/.qa (100%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{6-daemon-restart => 11-daemon-restart}/no.yaml (100%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{6-daemon-restart => 11-daemon-restart}/yes.yaml (100%) rename qa/suites/rados/upgrade/cephx/release-X/tasks/{7-workload-after-rotate => 12-workload-after-rotate}/.qa (100%) create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/radosbench.yaml create mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/13-healthy.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/radosbench.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/3-upgrade.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/4-cephx-service-upgrade.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/yes.yaml delete mode 100644 qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/radosbench.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/conf.yaml b/qa/suites/rados/upgrade/cephx/X/conf.yaml index cdae1643007..895c6b1ee91 100644 --- a/qa/suites/rados/upgrade/cephx/X/conf.yaml +++ b/qa/suites/rados/upgrade/cephx/X/conf.yaml @@ -10,4 +10,5 @@ overrides: auth service ticket ttl: 120 mon: debug mon: 30 + debug paxos: 30 debug ms: 5 diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/0-install.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/00-install.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/0-install.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/00-install.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/01-ceph.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/01-ceph.yaml new file mode 100644 index 00000000000..8ba1c32583e --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/01-ceph.yaml @@ -0,0 +1,32 @@ +tasks: +- ceph: + log-ignorelist: + - AUTH_INSECURE_KEYS_ALLOWED + - AUTH_INSECURE_KEYS_CREATABLE + - AUTH_INSECURE_SERVICE_TICKETS + - AUTH_INSECURE_CLIENT_KEY_TYPE + - AUTH_INSECURE_SERVICE_KEY_TYPE + - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE + conf: + mon: + mon_health_to_clog: false + cluster-conf: + mon: + mon auth allow insecure key: true + monmaptool_extra_args: + - '--auth-service-cipher=aes' + - '--auth-allowed-ciphers=aes' + - '--auth-preferred-cipher=aes' + cephx: + key_type: aes + wait-for-healthy: false +- ceph.key_prune: ["client.bootstrap-*"] +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_CREATABLE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_TICKETS --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_KEY_TYPE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE --sticky +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/1-debug.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/02-debug.yaml similarity index 73% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/1-debug.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/02-debug.yaml index 233edca93e3..bc8afd83766 100644 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/1-debug.yaml +++ b/qa/suites/rados/upgrade/cephx/X/tasks/02-debug.yaml @@ -8,5 +8,7 @@ tasks: - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/3-workload/.qa b/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/3-workload/.qa rename to qa/suites/rados/upgrade/cephx/X/tasks/03-workload/.qa diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/none.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/none.yaml new file mode 100644 index 00000000000..a4cbcfefe39 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/none.yaml @@ -0,0 +1,3 @@ +teuthology: + variables: + workload: none diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/3-workload/radosbench.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/radosbench.yaml similarity index 80% rename from qa/suites/rados/upgrade/cephx/X/tasks/3-workload/radosbench.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/03-workload/radosbench.yaml index cc18fab3789..f75bc0979e4 100644 --- a/qa/suites/rados/upgrade/cephx/X/tasks/3-workload/radosbench.yaml +++ b/qa/suites/rados/upgrade/cephx/X/tasks/03-workload/radosbench.yaml @@ -1,9 +1,13 @@ +teuthology: + variables: + workload: radosbench + radosbench: sequential_yield: - radosbench: extra_args: --log-to-stderr=false --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0 clients: [client.0] - time: 300 + time: 900 unique_pool: true tasks: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/04-allow-aes256k.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/04-allow-aes256k.yaml new file mode 100644 index 00000000000..fe4f9a7c91e --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/04-allow-aes256k.yaml @@ -0,0 +1,10 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 1)' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes,aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_preferred_cipher aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/4-cephx-service-upgrade.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/05-service-auth-keys.yaml similarity index 57% rename from qa/suites/rados/upgrade/cephx/X/tasks/4-cephx-service-upgrade.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/05-service-auth-keys.yaml index c193a55f628..94e5bb5364e 100644 --- a/qa/suites/rados/upgrade/cephx/X/tasks/4-cephx-service-upgrade.yaml +++ b/qa/suites/rados/upgrade/cephx/X/tasks/05-service-auth-keys.yaml @@ -1,4 +1,10 @@ tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_SERVICE_KEY_TYPE] - ceph.key_rotate: daemons: [mon.*] key_type: aes256k @@ -7,8 +13,8 @@ tasks: key_type: aes256k - exec: mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys - - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.key.type == 1 or .key.type == 2 or .key.type == 4 or .key.type == 16); .val.key.type != 2)' - - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .val.secrets | all(.val.key.type == 1) )' - - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set global auth_service_cipher aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 2)' +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/06-insecure-create.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/06-insecure-create.yaml new file mode 100644 index 00000000000..48386c2c65f --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/06-insecure-create.yaml @@ -0,0 +1,25 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_CREATABLE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_CREATABLE] +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config rm mon 'mon auth allow insecure key' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff +# The default when auth_allow_ciphers inclues aes, retain default mon_auth_allow_insecure_key=true +- ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_CREATABLE] +# Now setting it overrides: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon 'mon auth allow insecure key' false + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/admin.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/admin.yaml new file mode 100644 index 00000000000..2372afc59cb --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/admin.yaml @@ -0,0 +1,34 @@ +teuthology: + variables: + clients_all_rotated: false + postmerge: + - | + if yaml.teuthology.variables.workload == 'none' then + reject() + end + + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE] + - ceph.key_rotate: + daemons: [] + clients: [client.admin] + key_type: aes256k + - exec: + mon.a: + - | + ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys | \ + jq ' + .data.secrets[] | + select( + .entity.type_str == "client" and .entity.id == "admin" + ) | .auth.key.type == 2 + ' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/all.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/all.yaml new file mode 100644 index 00000000000..91a450afb03 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/07-client-auth-keys/all.yaml @@ -0,0 +1,28 @@ +# N.B. we can only rotate all keys if we do not have an existing workload. + +teuthology: + variables: + clients_all_rotated: true + postmerge: + - | + if yaml.teuthology.variables.workload ~= 'none' then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE] + - ceph.key_rotate: + daemons: [] + clients: [all] + key_type: aes256k + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 8); .auth.key.type == 2)' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/aes256k.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/aes256k.yaml new file mode 100644 index 00000000000..fb24438a9cc --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/aes256k.yaml @@ -0,0 +1,19 @@ +teuthology: + postmerge: + - | + if not yaml.teuthology.variables.clients_all_rotated then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_ALLOWED] + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes256k + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/insecure.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/insecure.yaml new file mode 100644 index 00000000000..05bc48f0945 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/08-allowed-ciphers/insecure.yaml @@ -0,0 +1,19 @@ +teuthology: + postmerge: + - | + if yaml.teuthology.variables.clients_all_rotated then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_ALLOWED] + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump --format=json | jq '.auth_allowed_ciphers | (map(.name) | sort) == ["aes", "aes256k"]' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/09-cephx-service-upgrade.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/09-cephx-service-upgrade.yaml new file mode 100644 index 00000000000..dafc6d78522 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/09-cephx-service-upgrade.yaml @@ -0,0 +1,10 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .secrets.keys | all(.expiring_key.key.type == 1) )' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_service_cipher aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/1-ceph.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/1-ceph.yaml deleted file mode 100644 index da3d0fc0f55..00000000000 --- a/qa/suites/rados/upgrade/cephx/X/tasks/1-ceph.yaml +++ /dev/null @@ -1,9 +0,0 @@ -tasks: -- ceph: - cluster-conf: - global: - auth service cipher: aes - mon: - mon auth allow insecure key: true - cephx: - key_type: aes diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/.qa b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/.qa rename to qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/.qa diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/no.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/no.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/no.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/no.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/sleep.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/sleep.yaml new file mode 100644 index 00000000000..d6956ca670f --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/sleep.yaml @@ -0,0 +1,11 @@ +# Sleep for ticket refresh. +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE] +- sleep: + duration: 720 +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/yes.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/yes.yaml new file mode 100644 index 00000000000..001a6d17840 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/10-wipe-service-keys/yes.yaml @@ -0,0 +1,14 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE] +- exec: + mon.a: + - ceph auth wipe-rotating-service-keys + - ceph auth --format=json-pretty dump-keys + - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .entity.type == 32 then (.secrets.keys | all(.expiring_key.key.type == 1)) else (.secrets.keys | all(.expiring_key.key.type == 2)) end )' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_TICKETS +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/.qa b/qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/.qa rename to qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/.qa diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/no.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/no.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/no.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/no.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/yes.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/yes.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/yes.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/11-daemon-restart/yes.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/7-workload-after-rotate/.qa b/qa/suites/rados/upgrade/cephx/X/tasks/12-workload-after-rotate/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/7-workload-after-rotate/.qa rename to qa/suites/rados/upgrade/cephx/X/tasks/12-workload-after-rotate/.qa diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/7-workload-after-rotate/radosbench.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/12-workload-after-rotate/radosbench.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/X/tasks/7-workload-after-rotate/radosbench.yaml rename to qa/suites/rados/upgrade/cephx/X/tasks/12-workload-after-rotate/radosbench.yaml diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/13-healthy.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/13-healthy.yaml new file mode 100644 index 00000000000..bc386049c14 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/X/tasks/13-healthy.yaml @@ -0,0 +1,5 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/yes.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/yes.yaml deleted file mode 100644 index b7660744d10..00000000000 --- a/qa/suites/rados/upgrade/cephx/X/tasks/5-wipe-service-keys/yes.yaml +++ /dev/null @@ -1,6 +0,0 @@ -tasks: -- exec: - mon.a: - - ceph auth wipe-rotating-service-keys - - ceph auth --format=json-pretty dump-keys - - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .key == 32 then (.val.secrets | all(.val.key.type == 1)) else (.val.secrets | all(.val.key.type == 2)) end )' diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/sleep.yaml b/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/sleep.yaml deleted file mode 100644 index 398439f1ced..00000000000 --- a/qa/suites/rados/upgrade/cephx/X/tasks/6-daemon-restart/sleep.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# Sleep for ticket refresh. -tasks: -- sleep: - duration: 500 diff --git a/qa/suites/rados/upgrade/cephx/release-X/conf.yaml b/qa/suites/rados/upgrade/cephx/release-X/conf.yaml index cdae1643007..895c6b1ee91 100644 --- a/qa/suites/rados/upgrade/cephx/release-X/conf.yaml +++ b/qa/suites/rados/upgrade/cephx/release-X/conf.yaml @@ -10,4 +10,5 @@ overrides: auth service ticket ttl: 120 mon: debug mon: 30 + debug paxos: 30 debug ms: 5 diff --git a/qa/suites/rados/upgrade/cephx/release-X/roles.yaml b/qa/suites/rados/upgrade/cephx/release-X/roles.yaml index 5baa2657abc..428a9b54253 100644 --- a/qa/suites/rados/upgrade/cephx/release-X/roles.yaml +++ b/qa/suites/rados/upgrade/cephx/release-X/roles.yaml @@ -2,4 +2,5 @@ roles: - [mon.a, mds.a, mgr.x, osd.0, osd.1] - [mon.b, mon.c, mds.b, mgr.y, osd.2, osd.3] - [client.0] -- [client.1] +# need to handle pruning if we want a client with older binaries +#- [client.1] diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/.qa b/qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/.qa rename to qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/.qa diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v18.2.7.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v18.2.7.yaml similarity index 65% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v18.2.7.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v18.2.7.yaml index dac4fb18e7f..40d798a3fe8 100644 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v18.2.7.yaml +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v18.2.7.yaml @@ -16,20 +16,15 @@ tasks: - print: "**** done installing v18.2.7" - ceph: log-ignorelist: - - overall HEALTH_ - - \(FS_ - - \(MDS_ - - \(OSD_ - - \(MON_DOWN\) - - \(CACHE_POOL_ - - \(POOL_ - - \(MGR_DOWN\) - - \(PG_ - - \(SMALLER_PGP_NUM\) - - Monitor daemon marked osd - - Behind on trimming - - Manager daemon + - AUTH_INSECURE_KEYS_ALLOWED + - AUTH_INSECURE_KEYS_CREATABLE + - AUTH_INSECURE_SERVICE_TICKETS + - AUTH_INSECURE_CLIENT_KEY_TYPE + - AUTH_INSECURE_SERVICE_KEY_TYPE + - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE conf: + mon: + mon_health_to_clog: false global: mon warn on pool no app: false - exec: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v19.2.2.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v19.2.2.yaml similarity index 65% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v19.2.2.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v19.2.2.yaml index 651f8d3ccde..1757d1b77ce 100644 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/0-from/v19.2.2.yaml +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/00-from/v19.2.2.yaml @@ -16,20 +16,15 @@ tasks: - print: "**** done installing squid v19.2.2" - ceph: log-ignorelist: - - overall HEALTH_ - - \(FS_ - - \(MDS_ - - \(OSD_ - - \(MON_DOWN\) - - \(CACHE_POOL_ - - \(POOL_ - - \(MGR_DOWN\) - - \(PG_ - - \(SMALLER_PGP_NUM\) - - Monitor daemon marked osd - - Behind on trimming - - Manager daemon + - AUTH_INSECURE_KEYS_ALLOWED + - AUTH_INSECURE_KEYS_CREATABLE + - AUTH_INSECURE_SERVICE_TICKETS + - AUTH_INSECURE_CLIENT_KEY_TYPE + - AUTH_INSECURE_SERVICE_KEY_TYPE + - AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE conf: + mon: + mon_health_to_clog: false global: mon warn on pool no app: false - exec: diff --git a/qa/suites/rados/upgrade/cephx/X/tasks/2-debug.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/01-debug.yaml similarity index 92% rename from qa/suites/rados/upgrade/cephx/X/tasks/2-debug.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/01-debug.yaml index f0352e61805..17811fdaf05 100644 --- a/qa/suites/rados/upgrade/cephx/X/tasks/2-debug.yaml +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/01-debug.yaml @@ -8,6 +8,6 @@ tasks: - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config dump - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls - - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/.qa b/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/.qa rename to qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/.qa diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/none.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/none.yaml new file mode 100644 index 00000000000..a4cbcfefe39 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/none.yaml @@ -0,0 +1,3 @@ +teuthology: + variables: + workload: none diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/radosbench.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/radosbench.yaml new file mode 100644 index 00000000000..f75bc0979e4 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/02-workload/radosbench.yaml @@ -0,0 +1,15 @@ +teuthology: + variables: + workload: radosbench + +radosbench: + sequential_yield: + - radosbench: + extra_args: --log-to-stderr=false --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0 + clients: [client.0] + time: 900 + unique_pool: true + +tasks: + - sequential_yield: + - radosbench diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/03-upgrade.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/03-upgrade.yaml new file mode 100644 index 00000000000..9d886875785 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/03-upgrade.yaml @@ -0,0 +1,44 @@ +tasks: +- install.upgrade: + mon.a: + mon.b: + client.0: +- ceph.restart: + daemons: [mgr.*] + mon-health-to-clog: false + wait-for-healthy: true +- ceph.restart: + daemons: [mon.*] + mon-health-to-clog: false + wait-for-healthy: false +- ceph.key_prune: ["client.bootstrap-*"] +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon mon_auth_allow_insecure_key true + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_CREATABLE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_TICKETS --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_SERVICE_KEY_TYPE --sticky + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE --sticky +- ceph.healthy: +- ceph.restart: + daemons: [osd.*] + mon-health-to-clog: false + wait-for-osds-up: true + wait-for-healthy: false +- exec: + mon.a: + - ceph versions + - ceph osd dump -f json-pretty + - ceph osd require-osd-release tentacle + - for f in `ceph osd pool ls` ; do ceph osd pool set $f pg_autoscale_mode off ; done +- ceph.healthy: +- ceph.restart: + daemons: [mds.*] + mon-health-to-clog: false + wait-for-healthy: true +- exec: + mon.a: + - ceph versions + - ceph fs dump diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/04-allow-aes256k.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/04-allow-aes256k.yaml new file mode 100644 index 00000000000..fe4f9a7c91e --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/04-allow-aes256k.yaml @@ -0,0 +1,10 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 1)' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes,aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_preferred_cipher aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/05-service-auth-keys.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/05-service-auth-keys.yaml new file mode 100644 index 00000000000..94e5bb5364e --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/05-service-auth-keys.yaml @@ -0,0 +1,20 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_SERVICE_KEY_TYPE] +- ceph.key_rotate: + daemons: [mon.*] + key_type: aes256k +- ceph.key_rotate: + daemons: [mgr.*, osd.*, mds.*] + key_type: aes256k +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 1 or .entity.type == 2 or .entity.type == 4 or .entity.type == 16); .auth.key.type == 2)' +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/06-insecure-create.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/06-insecure-create.yaml new file mode 100644 index 00000000000..48386c2c65f --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/06-insecure-create.yaml @@ -0,0 +1,25 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_CREATABLE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_CREATABLE] +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config rm mon 'mon auth allow insecure key' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff +# The default when auth_allow_ciphers inclues aes, retain default mon_auth_allow_insecure_key=true +- ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_CREATABLE] +# Now setting it overrides: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 config set mon 'mon auth allow insecure key' false + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.a config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.b config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 tell mon.c config diff + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/admin.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/admin.yaml new file mode 100644 index 00000000000..2372afc59cb --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/admin.yaml @@ -0,0 +1,34 @@ +teuthology: + variables: + clients_all_rotated: false + postmerge: + - | + if yaml.teuthology.variables.workload == 'none' then + reject() + end + + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE] + - ceph.key_rotate: + daemons: [] + clients: [client.admin] + key_type: aes256k + - exec: + mon.a: + - | + ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys | \ + jq ' + .data.secrets[] | + select( + .entity.type_str == "client" and .entity.id == "admin" + ) | .auth.key.type == 2 + ' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_CLIENT_KEY_TYPE --sticky + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/all.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/all.yaml new file mode 100644 index 00000000000..91a450afb03 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/07-client-auth-keys/all.yaml @@ -0,0 +1,28 @@ +# N.B. we can only rotate all keys if we do not have an existing workload. + +teuthology: + variables: + clients_all_rotated: true + postmerge: + - | + if yaml.teuthology.variables.workload ~= 'none' then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_CLIENT_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_CLIENT_KEY_TYPE] + - ceph.key_rotate: + daemons: [] + clients: [all] + key_type: aes256k + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.entity.type == 8); .auth.key.type == 2)' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/aes256k.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/aes256k.yaml new file mode 100644 index 00000000000..fb24438a9cc --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/aes256k.yaml @@ -0,0 +1,19 @@ +teuthology: + postmerge: + - | + if not yaml.teuthology.variables.clients_all_rotated then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_ALLOWED] + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_allowed_ciphers aes256k + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/insecure.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/insecure.yaml new file mode 100644 index 00000000000..05bc48f0945 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/08-allowed-ciphers/insecure.yaml @@ -0,0 +1,19 @@ +teuthology: + postmerge: + - | + if yaml.teuthology.variables.clients_all_rotated then + reject() + end + +tasks: + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_KEYS_ALLOWED + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail + - ceph.healthy: + expected_checks: [AUTH_INSECURE_KEYS_ALLOWED] + - exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump --format=json | jq '.auth_allowed_ciphers | (map(.name) | sort) == ["aes", "aes256k"]' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health mute AUTH_INSECURE_KEYS_ALLOWED --sticky + - ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/09-cephx-service-upgrade.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/09-cephx-service-upgrade.yaml new file mode 100644 index 00000000000..dafc6d78522 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/09-cephx-service-upgrade.yaml @@ -0,0 +1,10 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .secrets.keys | all(.expiring_key.key.type == 1) )' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon set auth_service_cipher aes256k + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 mon dump + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/.qa b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/.qa rename to qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/.qa diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/no.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/no.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/no.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/no.yaml diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/sleep.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/sleep.yaml new file mode 100644 index 00000000000..d6956ca670f --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/sleep.yaml @@ -0,0 +1,11 @@ +# Sleep for ticket refresh. +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE] +- sleep: + duration: 720 +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/yes.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/yes.yaml new file mode 100644 index 00000000000..001a6d17840 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/10-wipe-service-keys/yes.yaml @@ -0,0 +1,14 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: + expected_checks: [AUTH_INSECURE_ROTATING_SERVICE_KEY_TYPE] +- exec: + mon.a: + - ceph auth wipe-rotating-service-keys + - ceph auth --format=json-pretty dump-keys + - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .entity.type == 32 then (.secrets.keys | all(.expiring_key.key.type == 1)) else (.secrets.keys | all(.expiring_key.key.type == 2)) end )' + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health unmute AUTH_INSECURE_SERVICE_TICKETS +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/.qa b/qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/.qa rename to qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/.qa diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/no.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/no.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/no.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/no.yaml diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/yes.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/yes.yaml similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/6-daemon-restart/yes.yaml rename to qa/suites/rados/upgrade/cephx/release-X/tasks/11-daemon-restart/yes.yaml diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/.qa b/qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/.qa similarity index 100% rename from qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/.qa rename to qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/.qa diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/radosbench.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/radosbench.yaml new file mode 100644 index 00000000000..55bd3780f5f --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/12-workload-after-rotate/radosbench.yaml @@ -0,0 +1,6 @@ +tasks: + - radosbench: + extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0 + clients: [client.0] + time: 10 + unique_pool: true diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/13-healthy.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/13-healthy.yaml new file mode 100644 index 00000000000..bc386049c14 --- /dev/null +++ b/qa/suites/rados/upgrade/cephx/release-X/tasks/13-healthy.yaml @@ -0,0 +1,5 @@ +tasks: +- exec: + mon.a: + - ceph --log-to-stderr=true --log_to_file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 health detail +- ceph.healthy: diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/radosbench.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/radosbench.yaml deleted file mode 100644 index 4320ec624e4..00000000000 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/2-workload/radosbench.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# We can't set auth_exit_on_failure here because squid/reef do not understand that switch. -#teuthology: -# postmerge: -# - | -# if false and yaml.teuthology.variables.wipe_service_keys then -# yaml.radosbench.sequential_yield[0].radosbench.auth_exit_on_failure = 99 -# yaml.radosbench.sequential_yield[0].radosbench.expected_rc = 99 -# end - -# N.B. because `rados bench` has sessions open with the OSDs, we do not expect -# it to fail any auth after upgrade / rotation / session key wipe. It will only -# fail new connections with OSDs. -radosbench: - sequential_yield: - - radosbench: - extra_args: --log-to-stderr=false --log-to-file=true --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0 - clients: [client.0] - time: 300 - unique_pool: true - -tasks: - - sequential_yield: - - radosbench diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/3-upgrade.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/3-upgrade.yaml deleted file mode 100644 index a327fd1d8cf..00000000000 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/3-upgrade.yaml +++ /dev/null @@ -1,32 +0,0 @@ -tasks: -- install.upgrade: - mon.a: - mon.b: - client.0: -- ceph.restart: - daemons: [mgr.*] - mon-health-to-clog: false - wait-for-healthy: true -- ceph.restart: - daemons: [mon.*] - mon-health-to-clog: false - wait-for-healthy: true -- ceph.restart: - daemons: [osd.*] - mon-health-to-clog: false - wait-for-osds-up: true - wait-for-healthy: false -- exec: - mon.a: - - ceph versions - - ceph osd dump -f json-pretty - - ceph osd require-osd-release tentacle - - for f in `ceph osd pool ls` ; do ceph osd pool set $f pg_autoscale_mode off ; done -- ceph.restart: - daemons: [mds.*] - mon-health-to-clog: false - wait-for-healthy: true -- exec: - mon.a: - - ceph versions - - ceph fs dump diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/4-cephx-service-upgrade.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/4-cephx-service-upgrade.yaml deleted file mode 100644 index 44f1ab2877b..00000000000 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/4-cephx-service-upgrade.yaml +++ /dev/null @@ -1,14 +0,0 @@ -tasks: -- ceph.key_rotate: - daemons: [mon.*] - key_type: aes256k -- ceph.key_rotate: - daemons: [mgr.*, osd.*, mds.*] - key_type: aes256k -- exec: - mon.a: - - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth ls - - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json-pretty dump-keys - - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq 'any(.data.secrets[] | select(.key.type == 1 or .key.type == 2 or .key.type == 4 or .key.type == 16); .val.key.type != 2)' - - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 auth --format=json dump-keys | jq '.data.rotating_secrets | all( .val.secrets | all(.val.key.type == 1) )' - - ceph --debug_ms=5 --debug_auth=30 --debug_monc=30 config set global auth_service_cipher aes256k diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/yes.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/yes.yaml deleted file mode 100644 index e4ee1a4ec58..00000000000 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/5-wipe-service-keys/yes.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# N.B. in order to effect a service key wipe, the service daemons must be -# restarted next. During this time, service daemons will be inaccessible to new -# clients. -teuthology: - variables: - wipe_service_keys: true -tasks: -- exec: - mon.a: - - ceph auth wipe-rotating-service-keys - - ceph auth --format=json-pretty dump-keys - - ceph auth --format=json dump-keys | jq '.data.rotating_secrets | all( if .key == 32 then (.val.secrets | all(.val.key.type == 1)) else (.val.secrets | all(.val.key.type == 2)) end )' diff --git a/qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/radosbench.yaml b/qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/radosbench.yaml deleted file mode 100644 index 1678f632d79..00000000000 --- a/qa/suites/rados/upgrade/cephx/release-X/tasks/7-workload-after-rotate/radosbench.yaml +++ /dev/null @@ -1,6 +0,0 @@ -tasks: - - radosbench: - extra_args: --debug_ms=5 --debug_auth=30 --debug_monc=30 --mon_client_target_rank=0 - clients: [client.0] - time: 10 - unique_pool: true -- 2.47.3