public inbox for pve-devel@lists.proxmox.com
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Aaron Lauterer <a.lauterer@proxmox.com>
Subject: Re: [pve-devel] [PATCH storage 2/2] Ceph: add keyring parameter for external clusters
Date: Fri, 30 Jul 2021 15:35:23 +0200	[thread overview]
Message-ID: <71228b54-f525-283b-a773-f90929643e5c@proxmox.com> (raw)
In-Reply-To: <20210721151326.391244-3-a.lauterer@proxmox.com>

On 21/07/2021 17:13, Aaron Lauterer wrote:
> By adding the keyring for RBD storage or the secret for CephFS ones, it
> is possible to add an external Ceph cluster with only one API call.
> 
> Previously the keyring / secret file needed to be placed in
> /etc/pve/priv/ceph/$storeID.{keyring,secret} manually.
> 
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
>  PVE/API2/Storage/Config.pm  |  2 +-
>  PVE/CLI/pvesm.pm            | 12 ++++++++++--
>  PVE/Storage/CephFSPlugin.pm | 20 ++++++++++++++------
>  PVE/Storage/RBDPlugin.pm    | 24 ++++++++++++++++++------
>  4 files changed, 43 insertions(+), 15 deletions(-)
> 

> diff --git a/PVE/Storage/CephFSPlugin.pm b/PVE/Storage/CephFSPlugin.pm
> index 2aaa450..ae02cb8 100644
> --- a/PVE/Storage/CephFSPlugin.pm
> +++ b/PVE/Storage/CephFSPlugin.pm

> @@ -163,20 +164,27 @@ sub check_config {
>  sub on_add_hook {
>      my ($class, $storeid, $scfg, %param) = @_;
>  
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> +    my $secret = $param{keyring} if defined $param{keyring} // undef;
> +    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
>  
> -    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
> +    return;
> +}
> +
> +sub on_update_hook {
> +    my ($class, $storeid, $scfg, %param) = @_;
> +
> +    if (defined($param{keyring})) {
> +	PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
> +    } else {
> +	PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> +    }
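Review bot: the `my $secret = $param{keyring} if defined $param{keyring} // undef;` line in on_add_hook combines `my` with a statement modifier, which Perl documents as undefined behaviour, and the `// undef` is dead code because `defined` binds tighter than `//` and always yields a defined value; `my $secret = $param{keyring};` expresses the same thing, since ceph_create_keyfile takes an optional $secret as of patch 1/2. In on_update_hook, `defined($param{keyring})` cannot tell "keyring not part of this update" from "keyring explicitly cleared", so the else branch removes the keyfile on every unrelated update; wrap the whole block in `if (exists($param{keyring})) { ... }` so that only an explicit undef triggers ceph_remove_keyfile.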

this is dangerous, you will always delete the key on any update that did not
provide a new one.

Please look in other plugins about how one must handle this, e.g., PBS

if (exists($param{password})) {
    if (defined($param{password})) {
        pbs_set_password($scfg, $storeid, $param{password});
    } else {
        pbs_delete_password($scfg, $storeid);
    }
}

iow, first check if the param is set and only then you can deduce that undefined
means "must be deleted".


> @@ -327,20 +332,27 @@ sub options {
>  sub on_add_hook {
>      my ($class, $storeid, $scfg, %param) = @_;
>  
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> +    my $secret = $param{keyring} if defined $param{keyring} // undef;
> +    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
> +
> +    return;
> +}
> +
> +sub on_update_hook {
> +    my ($class, $storeid, $scfg, %param) = @_;
>  
> -    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
> +    if (defined($param{keyring})) {
> +	PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
> +    } else {
> +	PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> +    }
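Review bot: this hunk repeats the `my $secret = ... if defined $param{keyring} // undef;` construct in on_add_hook (undefined behaviour for `my` with a statement modifier, and a `// undef` that never applies), and its on_update_hook again removes the keyfile whenever `keyring` is simply absent from %param; the two plugins need the same `exists($param{keyring})` guard, so consider factoring the add/update keyring handling into one helper in PVE::CephConfig rather than keeping two copies that must be fixed in lockstep.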

same here.
Thread overview:
2021-07-21 15:13 [pve-devel] [PATCH storage 0/2] RBD/Cephfs: new keyring parameter Aaron Lauterer
2021-07-21 15:13 ` [pve-devel] [PATCH storage 1/2] CephConfig: add optional $secret parameter Aaron Lauterer
2021-07-21 15:13 ` [pve-devel] [PATCH storage 2/2] Ceph: add keyring parameter for external clusters Aaron Lauterer
2021-07-30 13:35   ` Thomas Lamprecht [this message]