Re: [pve-devel] [PATCH master ceph, quincy-stable-8 ceph, pve-storage, pve-manager 0/8] Fix #4759: Configure Permissions for ceph-crash.service

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

On January 30, 2024 7:40 pm, Max Carrara wrote:
> Introduction
> ------------
> 
> This series fixes #4759 [0], an issue where Ceph's crash daemon is
> unable to post crash logs due to insufficient permissions, through an
> adaptation of our `pveceph` CLI as well as an accompanying Debian
> postinst hook.
> 
> In essence, this series ensures that the crash daemon can authenticate
> with its Ceph cluster without requiring elevated privileges. 
> 
> For this to work, the following conditions required:
>   1.  A key named 'client.crash' must be stored in the Ceph cluster
>       itself
>   2.  The key must be saved to a '.keyring' file which can be read by
>       the `ceph` user (in order to authenticate with the cluster)
>   3.  A reference to the '.keyring' file's location must be provided in
>       a 'client.crash' section within the '/etc/pve/ceph.conf' file

I like the general direction, it seems sensible. some comments on
individual patches as replies, and some general questions here:

- do we need to store the key on pmxcfs? would it also work to generate
  one on each host and store it locally?
- is there some way to get away without modifying the config? e.g., a
  fallback path for keyrings if there is no "client.XXX" section in the
  config?

  https://docs.ceph.com/en/reef/rados/configuration/auth-config-ref/#keys

  would seem to indicate that the answer to those questions is
  no/yes/yes, but I haven't tested it ;)

  IMHO that would simplify the handling a lot..