From: Max Carrara <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v2 pve-manager 11/11] fix #4759: debian/postinst: configure ceph-crash.service and its key
Date: Mon, 5 Feb 2024 18:54:19 +0100 [thread overview]
Message-ID: <20240205175419.1271680-12-m.carrara@proxmox.com> (raw)
In-Reply-To: <20240205175419.1271680-1-m.carrara@proxmox.com>
This commit adds the `set_ceph_crash_conf` function, which dynamically
adapts the host's Ceph configuration in order to allow the Ceph crash
module's daemon to run without elevated privileges.
This adaptation is only performed if:
* Ceph is installed
* Ceph is configured ('/etc/pve/ceph.conf' exists)
* Connection to RADOS is successful
If the above conditions are met, the function will ensure that:
* Ceph possesses a key named 'client.crash'
* The key is saved to '/etc/pve/ceph/ceph.client.crash.keyring'
* A section for 'client.crash' exists in '/etc/pve/ceph.conf'
* The 'client.crash' section has a key named 'keyring' which
references '/etc/pve/ceph/ceph.client.crash.keyring'
Furthermore, if a key named 'client.crash' already exists within the
cluster, it shall be reused and not regenerated. Also, the
configuration is not altered if the conditions above are already met.
This way the keyring file is available as read-only in
'/etc/pve/ceph/' for the `www-data` group (due to how pmxcfs works).
Because the `ceph` user has been made part of said `www-data` group
[0], it may access the file without requiring any additional
privileges.
Thus, the configuration for the Ceph crash daemon is safely adapted as
expected by PVE tooling and also shared via pmxcfs across one's
cluster.
[0]: https://git.proxmox.com/?p=ceph.git;a=commitdiff;h=f72c698a55905d93e9a0b7b95674616547deba8a
Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
Changes v1 --> v2:
* fix 'keyring' key being appended to 'client.crash' section even
if it already exists and configured correctly
debian/postinst | 113 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+)
diff --git a/debian/postinst b/debian/postinst
index 6138ef6d..267a62ae 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -110,6 +110,118 @@ migrate_apt_auth_conf() {
fi
}
+set_ceph_crash_conf() {
+ PVE_CEPH_CONFFILE='/etc/pve/ceph.conf'
+ PVE_CEPH_CONFDIR='/etc/pve/ceph'
+ PVE_CEPH_CRASH_KEY="${PVE_CEPH_CONFDIR}/ceph.client.crash.keyring"
+ PVE_CEPH_CRASH_KEY_REF="${PVE_CEPH_CONFDIR}/\$cluster.\$name.keyring"
+
+ # ceph isn't installed -> nothing to do
+ if ! which ceph > /dev/null 2>&1; then
+ return 0
+ fi
+
+ # ceph isn't configured -> nothing to do
+ if test ! -f "${PVE_CEPH_CONFFILE}"; then
+ return 0
+ fi
+
+ CEPH_AUTH_RES="$(ceph auth get-or-create client.crash mon 'profile crash' mgr 'profile crash' 2>&1 || true)"
+
+ # ceph is installed and possibly configured, but no connection to RADOS
+ # -> assume no monitor was created, nothing to do
+ if echo "${CEPH_AUTH_RES}" | grep -i -q 'RADOS object not found'; then
+ return 0
+ fi
+
+ SECTION_RE='^\[\S+\]$'
+ CRASH_SECTION_RE='^\[client\.crash\]$'
+
+ if echo "${CEPH_AUTH_RES}" | grep -q -E "${CRASH_SECTION_RE}"; then
+ DO_RESTART_UNIT=0
+ CRASH_KEY="$(echo "${CEPH_AUTH_RES}" | grep 'key' | sed -E 's/^\s+key\s+=\s+//')"
+
+ if test ! -d "${PVE_CEPH_CONFDIR}"; then
+ mkdir -p "${PVE_CEPH_CONFDIR}"
+ fi
+
+ # keyring file doesn't exist or contains wrong key
+ if test ! -f "${PVE_CEPH_CRASH_KEY}" || ! grep -q "${CRASH_KEY}" "${PVE_CEPH_CRASH_KEY}"; then
+ echo "Saving key for 'client.crash' as '${PVE_CEPH_CRASH_KEY}'"
+ echo "${CEPH_AUTH_RES}" > "${PVE_CEPH_CRASH_KEY}"
+ DO_RESTART_UNIT=1
+ fi
+
+ # 'client.crash' section is in conf file
+ if grep -q -E "${CRASH_SECTION_RE}" "${PVE_CEPH_CONFFILE}"; then
+ IFS=''
+ NEW_PVE_CEPH_CONFFILE=''
+ IN_CRASH_SECTION=0
+ HAS_KEYRING=0
+ REPLACED_KEYRING=0
+
+ # look for 'keyring' key in 'client.crash' section
+ # -> replace it if it points to the wrong location
+ while read -r LINE; do
+ if test "${IN_CRASH_SECTION}" = "1"; then
+ if echo "${LINE}" | grep -q -E "${SECTION_RE}"; then
+ IN_CRASH_SECTION=0
+ elif echo "${LINE}" | grep -q -E '\s+keyring'; then
+ HAS_KEYRING=1
+
+ if ! echo "${LINE}" | grep -q "${PVE_CEPH_CRASH_KEY_REF}"; then
+ echo "Replacing keyring value in section 'client.crash' of '${PVE_CEPH_CONFFILE}'"
+ LINE="$(printf '\t keyring = %s' "${PVE_CEPH_CRASH_KEY_REF}")"
+ REPLACED_KEYRING=1
+ fi
+ fi
+ elif echo "${LINE}" | grep -q -E "${CRASH_SECTION_RE}"; then
+ IN_CRASH_SECTION=1
+ fi
+
+ NEW_PVE_CEPH_CONFFILE="${NEW_PVE_CEPH_CONFFILE}${LINE}\n"
+ done < "${PVE_CEPH_CONFFILE}"
+
+ unset IFS
+
+ if test "${HAS_KEYRING}" = "1"; then
+ # 'keyring' key was replaced -> write to file
+ if test "${REPLACED_KEYRING}" = "1"; then
+ echo "${NEW_PVE_CEPH_CONFFILE}" > "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ fi
+
+ # client.crash section exists, but contained no 'keyring' key
+ # -> put 'keyring' key into 'client.crash' section
+ else
+ sed -i -E "s#(${CRASH_SECTION_RE})#\1\n\t keyring = ${PVE_CEPH_CRASH_KEY_REF}#" \
+ "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ fi
+
+ # 'client.crash' section doesn't exist -> add it
+ else
+ echo "Adding section for key in '${PVE_CEPH_CONFFILE}'"
+ printf '[client.crash]\n\tkeyring = %s\n\n' "${PVE_CEPH_CRASH_KEY_REF}" \
+ >> "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ fi
+
+ if test "${DO_RESTART_UNIT}" = "1"; then
+ UNIT='ceph-crash.service'
+
+ if systemctl -q is-enabled "${UNIT}"; then
+ echo "Restarting ceph-crash.service"
+ deb-systemd-invoke restart "${UNIT}"
+ fi
+ fi
+
+ else
+ echo "WARNING: Ceph: Unable to retrieve key for 'client.crash' - output:"
+ printf '%s\n\n' "${CEPH_AUTH_RES}"
+ fi
+}
+
case "$1" in
triggered)
# We don't print a status message here, as dpkg already said
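Review bot: the rewrite path of the `while read` loop accumulates lines as `NEW_PVE_CEPH_CONFFILE="${NEW_PVE_CEPH_CONFFILE}${LINE}\n"` with a literal backslash-n and then relies on `echo "${NEW_PVE_CEPH_CONFFILE}" > "${PVE_CEPH_CONFFILE}"` to expand it into newlines; that only works where `echo` interprets escapes (dash does, bash does not), and it will also mangle any backslash sequence that already sits in a config line. Appending a real newline (`NL="$(printf '\n.')"; NL="${NL%.}"` and then `${LINE}${NL}`) and writing with `printf '%s' "${NEW_PVE_CEPH_CONFFILE}"` avoids both problems. Smaller points in the same hunk: `grep -q "${CRASH_KEY}" "${PVE_CEPH_CRASH_KEY}"` and `grep -q "${PVE_CEPH_CRASH_KEY_REF}"` treat a base64 key and `$cluster.$name` as regular expressions, and an empty `CRASH_KEY` (if the `sed` extraction ever fails) matches every file, so a wrong keyring would never be rewritten; `grep -qF` plus an explicit empty check would make that robust, and `grep -q -E '\s+keyring'` should be anchored (`'^\s*keyring\s*='`) so a commented-out or differently named key in the section is not taken as the real one. Finally, the `ceph auth get-or-create` call has no timeout, so a host whose monitors are unreachable would block the whole postinst; passing `--connect-timeout` would keep the upgrade from hanging there.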
@@ -189,6 +301,7 @@ case "$1" in
fi
set_lvm_conf
+ set_ceph_crash_conf
if test ! -e /proxmox_install_mode; then
# modeled after code generated by dh_start
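Review bot: `set_ceph_crash_conf` is now invoked unconditionally in the `configure` path right after `set_lvm_conf`, so every pve-manager upgrade depends on it completing; if the script runs under `set -e` (the visible lines do not show the shebang or options), an unguarded command inside it such as `mkdir -p "${PVE_CEPH_CONFDIR}"` or the write to `${PVE_CEPH_CONFFILE}` failing on a non-writable or non-quorate pmxcfs would abort the whole postinst and leave the package half-configured. Consider invoking it as `set_ceph_crash_conf || echo "WARNING: ..."` or guarding the writes inside the function, so that a Ceph-side failure degrades to a warning in the same way the key-retrieval failure already does.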
--
2.39.2