From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BD20391E69 for ; Wed, 31 Jan 2024 14:25:11 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9BC643AF98 for ; Wed, 31 Jan 2024 14:25:11 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 31 Jan 2024 14:25:10 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id AF61F4937F for ; Wed, 31 Jan 2024 14:25:10 +0100 (CET) Date: Wed, 31 Jan 2024 14:25:04 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20240130184041.1125674-1-m.carrara@proxmox.com> In-Reply-To: <20240130184041.1125674-1-m.carrara@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1706707145.wnmi8cojjo.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.065 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [client.xxx, ceph.com] Subject: Re: [pve-devel] [PATCH master ceph, quincy-stable-8 ceph, pve-storage, pve-manager 0/8] Fix #4759: Configure Permissions for ceph-crash.service X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jan 2024 13:25:11 -0000 On January 30, 2024 7:40 pm, Max Carrara wrote: > Introduction > ------------ >=20 > This series fixes #4759 [0], an issue where Ceph's crash daemon is > unable to post crash logs due to insufficient permissions, through an > adaptation of our `pveceph` CLI as well as an accompanying Debian > postinst hook. >=20 > In essence, this series ensures that the crash daemon can authenticate > with its Ceph cluster without requiring elevated privileges.=20 >=20 > For this to work, the following conditions required: > 1. A key named 'client.crash' must be stored in the Ceph cluster > itself > 2. The key must be saved to a '.keyring' file which can be read by > the `ceph` user (in order to authenticate with the cluster) > 3. A reference to the '.keyring' file's location must be provided in > a 'client.crash' section within the '/etc/pve/ceph.conf' file I like the general direction, it seems sensible. some comments on individual patches as replies, and some general questions here: - do we need to store the key on pmxcfs? would it also work to generate one on each host and store it locally? - is there some way to get away without modifying the config? e.g., a fallback path for keyrings if there is no "client.XXX" section in the config? https://docs.ceph.com/en/reef/rados/configuration/auth-config-ref/#keys would seem to indicate that the answer to those questions is no/yes/yes, but I haven't tested it ;) IMHO that would simplify the handling a lot..