[pve-devel] [PATCH pve-manager, ceph master v1 0/6] Fix #6816: Prevent ceph-exporter Daemon from Crashing on Starting

From: "Max R. Carrara" <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-manager, ceph master v1 0/6] Fix #6816: Prevent ceph-exporter Daemon from Crashing on Starting
Date: Tue, 16 Sep 2025 19:20:01 +0200	[thread overview]
Message-ID: <20250916172012.739807-1-m.carrara@proxmox.com> (raw)

Fix #6816: Prevent ceph-exporter Daemon from Crashing on Starting
=================================================================

tl;dr: Stop ceph-exporter.service from ending up in a crash loop by
handing it a custom keyring file and setting its group to `www-data`,
similar to what we did for ceph-crash.service [0] before.

Currently, the `ceph-exporter` daemon ends up in a short startup crash
loop before ultimately failing to start at all, because it tries to
access the keyring file at `/etc/pve/priv/ceph.client.admin.keyring`,
for which it doesn't have the permissions to do so.

Instead of giving it access to the admin ring, give it its own keyring
located at `/etc/pve/ceph/ceph.client.exporter.keyring`. This file and
its corresponding section in `/etc/pve/ceph.conf` is created when the
first MON is created via the API. If the cluster has already been set
up, a postinst hook creates the keyring file and adapts
`/etc/pve/ceph.conf` instead.

The core logic of all of this was already added for `ceph-crash` a while
ago [0] and is reused throughout the series, with some alterations to
the original code in order to make it a little more generic.

NOTE
----

Patch #03 adds a call to the helper in debian/postinst. The version
check there should be adapted after / while applying the series.
Right now, the version in the check is set to `9.0.11`.

Regarding Tests
---------------

I tested this quite a bit on my end, but would be nice if somebody could
smoke-test this series, just in case I missed something. The postinst
hook should trigger automatically (if the version isn't bumped while
this series is still unmerged).

The new helper can be invoked manually like this for example:

/usr/share/pve-manager/helpers/pve-ceph-keyring --init client.exporter

References
----------

[0]: https://lore.proxmox.com/pve-devel/20240402145523.683008-11-m.carrara@proxmox.com/

Summary of Changes
------------------

pve-manager:

Max R. Carrara (5):
  ceph: tools: add helper sub for creating or updating keyring files
  fix #6816: api: ceph: create 'client.exporter' w/ keyring
  fix #6816: bin: add pve-ceph-keyring helper and call it in postinst
  ceph: tools: simplify helper sub for crash keyring file
  bin: make pve-init-ceph-crash call pve-ceph-keyring

 PVE/API2/Ceph/MON.pm    |   9 ++
 PVE/Ceph/Tools.pm       | 108 ++++++++++++---
 bin/Makefile            |   1 +
 bin/pve-ceph-keyring    | 286 ++++++++++++++++++++++++++++++++++++++++
 bin/pve-init-ceph-crash | 152 +--------------------
 debian/postinst         |  24 ++++
 6 files changed, 415 insertions(+), 165 deletions(-)
 create mode 100755 bin/pve-ceph-keyring

ceph:

Max R. Carrara (1):
  fix #6816: patches: make ceph-exporter use custom keyring

 ...orter-use-custom-keyring-and-set-gro.patch | 32 +++++++++++++++++++
 patches/series                                |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 patches/0056-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch

-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel