From: "Max R. Carrara" <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-manager master v1 2/6] fix #6816: api: ceph: create 'client.exporter' w/ keyring
Date: Tue, 16 Sep 2025 19:20:03 +0200
Message-ID: <20250916172012.739807-3-m.carrara@proxmox.com>
In-Reply-To: <20250916172012.739807-1-m.carrara@proxmox.com>
... when creating the first MON.

Similar to `ceph-crash.service` [0], create or update the keyring for
the `ceph-exporter` daemon using a new Ceph auth entity called
`client.exporter` when creating the first MON.

Its keyring is placed at `/etc/pve/ceph/ceph.client.exporter.keyring`.

The `ceph-exporter` daemon only needs read access to MONs. Found this
out during testing; this isn't explicitly documented anywhere AFAIK.

In case the daemon requires more capabilities in the future, I
recommend updating them via a separate helper that wraps the `ceph
auth caps` command via `PVE::RADOS`. However, because all this daemon
does is expose a metrics endpoint `http://$HOST:9926/metrics`, I doubt
that it needs any additional capabilities any time soon.

[0]: https://lore.proxmox.com/pve-devel/20240402145523.683008-11-m.carrara@proxmox.com/

Fixes: #6816
Signed-off-by: Max R. Carrara <m.carrara@proxmox.com>
---
PVE/API2/Ceph/MON.pm | 9 +++++++++
PVE/Ceph/Tools.pm | 15 +++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/PVE/API2/Ceph/MON.pm b/PVE/API2/Ceph/MON.pm
index 70fc158d..422f107a 100644
--- a/PVE/API2/Ceph/MON.pm
+++ b/PVE/API2/Ceph/MON.pm
@@ -480,6 +480,15 @@ __PACKAGE__->register_method({
cfs_write_file('ceph.conf', $cfg);
};
warn "Unable to configure keyring for ceph-crash.service: $@" if $@;
+
+ print "Configuring keyring for ceph-exporter.service\n";
+ eval {
+ PVE::Ceph::Tools::create_or_update_exporter_keyring_file();
+ $cfg->{'client.exporter'}->{keyring} =
+ '/etc/pve/ceph/$cluster.$name.keyring';
+ cfs_write_file('ceph.conf', $cfg);
+ };
+ warn "Unable to configure keyring for ceph-exporter.service: $@" if $@;
}
eval { PVE::Ceph::Services::ceph_service_cmd('enable', $monsection) };
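Review bot: the call `PVE::Ceph::Tools::create_or_update_exporter_keyring_file();` inside the new `eval` passes no argument, while the sub added to `PVE/Ceph/Tools.pm` in this same patch is declared with `my ($rados) = @_;`. If a RADOS handle is already available at this point of the first-MON setup, pass it; if the underlying helper is expected to open its own connection when `$rados` is undefined, say so in a comment here. A failure is also reduced to a `warn`, so MON creation can finish while `ceph-exporter` is left without a keyring; that mirrors the `ceph-crash.service` block directly above and looks intended, but the warning text could say how the admin can redo the keyring setup afterwards.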
diff --git a/PVE/Ceph/Tools.pm b/PVE/Ceph/Tools.pm
index dce9156a..8ddce759 100644
--- a/PVE/Ceph/Tools.pm
+++ b/PVE/Ceph/Tools.pm
@@ -22,6 +22,7 @@ my $ceph_cfgpath = "$ceph_cfgdir/$ccname.conf";
my $pve_ceph_cfgdir = "/etc/pve/ceph";
my $pve_ceph_crash_key_path = "$pve_ceph_cfgdir/$ccname.client.crash.keyring";
+my $pve_ceph_exporter_key_path = "$pve_ceph_cfgdir/$ccname.client.exporter.keyring";
my $pve_mon_key_path = "/etc/pve/priv/$ccname.mon.keyring";
my $pve_ckeyring_path = "/etc/pve/priv/$ccname.client.admin.keyring";
my $ckeyring_path = "/etc/ceph/ceph.client.admin.keyring";
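Review bot: `$pve_ceph_exporter_key_path` is placed under `$pve_ceph_cfgdir` (`/etc/pve/ceph`) next to the crash keyring, not under `/etc/pve/priv` where the mon and admin keyrings in the surrounding context lines live. A one-line comment stating that this location is deliberate, and that it is acceptable because the key only carries `mon => 'allow r'`, would keep a later capability increase from quietly turning this into a more sensitive secret stored outside `priv`.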
@@ -48,6 +49,7 @@ my $config_values = {
my $config_files = {
pve_ceph_cfgpath => $pve_ceph_cfgpath,
pve_ceph_crash_key_path => $pve_ceph_crash_key_path,
+ pve_ceph_exporter_key_path => $pve_ceph_exporter_key_path,
pve_mon_key_path => $pve_mon_key_path,
pve_ckeyring_path => $pve_ckeyring_path,
ceph_bootstrap_osd_keyring => $ceph_bootstrap_osd_keyring,
@@ -568,6 +570,19 @@ sub create_or_update_crash_keyring_file {
return 0;
}
+sub create_or_update_exporter_keyring_file {
+ my ($rados) = @_;
+
+ my $entity = 'client.exporter';
+ my $caps = [
+ mon => 'allow r',
+ ];
+
+ return create_or_update_keyring_file(
+ $pve_ceph_exporter_key_path, $entity, $caps, $rados,
+ );
+}
+
# get ceph-volume managed osds
sub ceph_volume_list {
my $result = {};
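Review bot: the `$caps` list in `create_or_update_exporter_keyring_file` has no comment explaining why `mon => 'allow r'` is sufficient. The commit message says this was determined by testing and is not documented elsewhere, so that rationale belongs next to the code. It is also not visible from this hunk whether `create_or_update_keyring_file` resets the caps of an already existing `client.exporter` entity to this list or only rewrites the keyring file; a short doc comment on the sub stating which of the two happens would make the least-privilege guarantee checkable.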
--
2.47.3