From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 690D09370B for ; Mon, 5 Feb 2024 18:55:02 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1048B1B455 for ; Mon, 5 Feb 2024 18:54:34 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 5 Feb 2024 18:54:32 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 70AED44477 for ; Mon, 5 Feb 2024 18:54:32 +0100 (CET) From: Max Carrara To: pve-devel@lists.proxmox.com Date: Mon, 5 Feb 2024 18:54:19 +0100 Message-Id: <20240205175419.1271680-12-m.carrara@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240205175419.1271680-1-m.carrara@proxmox.com> References: <20240205175419.1271680-1-m.carrara@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.178 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH v2 pve-manager 11/11] fix #4759: debian/postinst: configure ceph-crash.service and its key X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Feb 2024 17:55:02 -0000 This commit adds the `set_ceph_crash_conf` function, which dynamically adapts the host's Ceph configuration in order to allow the Ceph crash module's daemon to run without elevated privileges. This adaptation is only performed if: * Ceph is installed * Ceph is configured ('/etc/pve/ceph.conf' exists) * Connection to RADOS is successful If the above conditions are met, the function will ensure that: * Ceph possesses a key named 'client.crash' * The key is saved to '/etc/pve/ceph/ceph.client.crash.keyring' * A section for 'client.crash' exists in '/etc/pve/ceph.conf' * The 'client.crash' section has a key named 'keyring' which references '/etc/pve/ceph/ceph.client.crash.keyring' Furthermore, if a key named 'client.crash' already exists within the cluster, it shall be reused and not regenerated. Also, the configuration is not altered if the conditions above are already met. This way the keyring file is available as read-only in '/etc/pve/ceph/' for the `www-data` group (due to how pmxcfs works). Because the `ceph` user has been made part of said `www-data` group [0], it may access the file without requiring any additional privileges. Thus, the configuration for the Ceph crash daemon is safely adapted as expected by PVE tooling and also shared via pmxcfs across one's cluster. [0]: https://git.proxmox.com/?p=ceph.git;a=commitdiff;h=f72c698a55905d93e9a0b7b95674616547deba8a Signed-off-by: Max Carrara --- Changes v1 --> v2: * fix 'keyring' key being appended to 'client.crash' section even if it already exists and configured correctly debian/postinst | 113 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) diff --git a/debian/postinst b/debian/postinst index 6138ef6d..267a62ae 100755 --- a/debian/postinst +++ b/debian/postinst @@ -110,6 +110,118 @@ migrate_apt_auth_conf() { fi } +set_ceph_crash_conf() { + PVE_CEPH_CONFFILE='/etc/pve/ceph.conf' + PVE_CEPH_CONFDIR='/etc/pve/ceph' + PVE_CEPH_CRASH_KEY="${PVE_CEPH_CONFDIR}/ceph.client.crash.keyring" + PVE_CEPH_CRASH_KEY_REF="${PVE_CEPH_CONFDIR}/\$cluster.\$name.keyring" + + # ceph isn't installed -> nothing to do + if ! which ceph > /dev/null 2>&1; then + return 0 + fi + + # ceph isn't configured -> nothing to do + if test ! -f "${PVE_CEPH_CONFFILE}"; then + return 0 + fi + + CEPH_AUTH_RES="$(ceph auth get-or-create client.crash mon 'profile crash' mgr 'profile crash' 2>&1 || true)" + + # ceph is installed and possibly configured, but no connection to RADOS + # -> assume no monitor was created, nothing to do + if echo "${CEPH_AUTH_RES}" | grep -i -q 'RADOS object not found'; then + return 0 + fi + + SECTION_RE='^\[\S+\]$' + CRASH_SECTION_RE='^\[client\.crash\]$' + + if echo "${CEPH_AUTH_RES}" | grep -q -E "${CRASH_SECTION_RE}"; then + DO_RESTART_UNIT=0 + CRASH_KEY="$(echo "${CEPH_AUTH_RES}" | grep 'key' | sed -E 's/^\s+key\s+=\s+//')" + + if test ! -d "${PVE_CEPH_CONFDIR}"; then + mkdir -p "${PVE_CEPH_CONFDIR}" + fi + + # keyring file doesn't exist or contains wrong key + if test ! -f "${PVE_CEPH_CRASH_KEY}" || ! grep -q "${CRASH_KEY}" "${PVE_CEPH_CRASH_KEY}"; then + echo "Saving key for 'client.crash' as '${PVE_CEPH_CRASH_KEY}'" + echo "${CEPH_AUTH_RES}" > "${PVE_CEPH_CRASH_KEY}" + DO_RESTART_UNIT=1 + fi + + # 'client.crash' section is in conf file + if grep -q -E "${CRASH_SECTION_RE}" "${PVE_CEPH_CONFFILE}"; then + IFS='' + NEW_PVE_CEPH_CONFFILE='' + IN_CRASH_SECTION=0 + HAS_KEYRING=0 + REPLACED_KEYRING=0 + + # look for 'keyring' key in 'client.crash' section + # -> replace it if it points to the wrong location + while read -r LINE; do + if test "${IN_CRASH_SECTION}" = "1"; then + if echo "${LINE}" | grep -q -E "${SECTION_RE}"; then + IN_CRASH_SECTION=0 + elif echo "${LINE}" | grep -q -E '\s+keyring'; then + HAS_KEYRING=1 + + if ! echo "${LINE}" | grep -q "${PVE_CEPH_CRASH_KEY_REF}"; then + echo "Replacing keyring value in section 'client.crash' of '${PVE_CEPH_CONFFILE}'" + LINE="$(printf '\t keyring = %s' "${PVE_CEPH_CRASH_KEY_REF}")" + REPLACED_KEYRING=1 + fi + fi + elif echo "${LINE}" | grep -q -E "${CRASH_SECTION_RE}"; then + IN_CRASH_SECTION=1 + fi + + NEW_PVE_CEPH_CONFFILE="${NEW_PVE_CEPH_CONFFILE}${LINE}\n" + done < "${PVE_CEPH_CONFFILE}" + + unset IFS + + if test "${HAS_KEYRING}" = "1"; then + # 'keyring' key was replaced -> write to file + if test "${REPLACED_KEYRING}" = "1"; then + echo "${NEW_PVE_CEPH_CONFFILE}" > "${PVE_CEPH_CONFFILE}" + DO_RESTART_UNIT=1 + fi + + # client.crash section exists, but contained no 'keyring' key + # -> put 'keyring' key into 'client.crash' section + else + sed -i -E "s#(${CRASH_SECTION_RE})#\1\n\t keyring = ${PVE_CEPH_CRASH_KEY_REF}#" \ + "${PVE_CEPH_CONFFILE}" + DO_RESTART_UNIT=1 + fi + + # 'client.crash' section doesn't exist -> add it + else + echo "Adding section for key in '${PVE_CEPH_CONFFILE}'" + printf '[client.crash]\n\tkeyring = %s\n\n' "${PVE_CEPH_CRASH_KEY_REF}" \ + >> "${PVE_CEPH_CONFFILE}" + DO_RESTART_UNIT=1 + fi + + if test "${DO_RESTART_UNIT}" = "1"; then + UNIT='ceph-crash.service' + + if systemctl -q is-enabled "${UNIT}"; then + echo "Restarting ceph-crash.service" + deb-systemd-invoke restart "${UNIT}" + fi + fi + + else + echo "WARNING: Ceph: Unable to retrieve key for 'client.crash' - output:" + printf '%s\n\n' "${CEPH_AUTH_RES}" + fi +} + case "$1" in triggered) # We don't print a status message here, as dpkg already said @@ -189,6 +301,7 @@ case "$1" in fi set_lvm_conf + set_ceph_crash_conf if test ! -e /proxmox_install_mode; then # modeled after code generated by dh_start -- 2.39.2