[pve-devel] [PATCH v2 storage 0/2] RBD/Cephfs: new keyring parameter

[pve-devel] [PATCH v2 storage 0/2] RBD/Cephfs: new keyring parameter

[Aaron Lauterer]

This new parameter allows to set the RBD keyring or CephFS secret for an
external Ceph Cluster right when creating the storage.
Up until now, they had to be manually placed in
/etc/pve/priv/ceph/$file.

In order to reuse as much code as possible, I had to adjust the
PVE::CephConfig::ceph_create_keyfile method to be able to pass the
secret in as parameter.

changes since v1: fixed checks to avoid accidentially deleting the
keyring/secret file

Aaron Lauterer (2):
  CephConfig: add optional $secret parameter
  Ceph: add keyring parameter for external clusters

 PVE/API2/Storage/Config.pm  |  2 +-
 PVE/CLI/pvesm.pm            | 12 ++++++++++--
 PVE/CephConfig.pm           | 15 +++++++++------
 PVE/Storage/CephFSPlugin.pm | 22 ++++++++++++++++------
 PVE/Storage/RBDPlugin.pm    | 26 ++++++++++++++++++++------
 5 files changed, 56 insertions(+), 21 deletions(-)

-- 
2.30.2

[pve-devel] [PATCH v2 storage 1/2] CephConfig: add optional $secret parameter

[Aaron Lauterer]

This allows us to manually pass the used RBD keyring or CephFS secret.
Useful mostly when adding external Ceph clusters where we have no other
means to fetch them.

I renamed the previous $secret to $cephfs_secret to be able to use
$secret as parameter.

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
 PVE/CephConfig.pm | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/PVE/CephConfig.pm b/PVE/CephConfig.pm
index 83d72fc..5c94a04 100644
--- a/PVE/CephConfig.pm
+++ b/PVE/CephConfig.pm
@@ -212,7 +212,7 @@ sub ceph_connect_option {
 }
 
 sub ceph_create_keyfile {
-    my ($type, $storeid) = @_;
+    my ($type, $storeid, $secret) = @_;
 
     my $extension = 'keyring';
     $extension = 'secret' if ($type eq 'cephfs');
@@ -221,17 +221,20 @@ sub ceph_create_keyfile {
     my $ceph_storage_keyring = "/etc/pve/priv/ceph/${storeid}.$extension";
 
     die "ceph authx keyring file for storage '$storeid' already exists!\n"
-	if -e $ceph_storage_keyring;
+	if -e $ceph_storage_keyring && !defined($secret);
 
-    if (-e $ceph_admin_keyring) {
+    if (-e $ceph_admin_keyring || defined($secret)) {
 	eval {
-	    if ($type eq 'rbd') {
+	    if (defined($secret)) {
+		mkdir '/etc/pve/priv/ceph';
+		PVE::Tools::file_set_contents($ceph_storage_keyring, $secret, 0400);
+	    } elsif ($type eq 'rbd') {
 		mkdir '/etc/pve/priv/ceph';
 		PVE::Tools::file_copy($ceph_admin_keyring, $ceph_storage_keyring);
 	    } elsif ($type eq 'cephfs') {
-		my $secret = $ceph_get_key->($ceph_admin_keyring, 'admin');
+		my $cephfs_secret = $ceph_get_key->($ceph_admin_keyring, 'admin');
 		mkdir '/etc/pve/priv/ceph';
-		PVE::Tools::file_set_contents($ceph_storage_keyring, $secret, 0400);
+		PVE::Tools::file_set_contents($ceph_storage_keyring, $cephfs_secret, 0400);
 	   }
 	};
 	if (my $err = $@) {
-- 
2.30.2

[pve-devel] [PATCH v2 storage 2/2] Ceph: add keyring parameter for external clusters

[Aaron Lauterer]

By adding the keyring for RBD storage or the secret for CephFS ones, it
is possible to add an external Ceph cluster with only one API call.

Previously the keyring / secret file needed to be placed in
/etc/pve/priv/ceph/$storeID.{keyring,secret} manually.

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
changes since v1: add check if the keyring parameter exists before
deciding on whether to store or remove the file.

thx @thomas for catching that

 PVE/API2/Storage/Config.pm  |  2 +-
 PVE/CLI/pvesm.pm            | 12 ++++++++++--
 PVE/Storage/CephFSPlugin.pm | 22 ++++++++++++++++------
 PVE/Storage/RBDPlugin.pm    | 26 ++++++++++++++++++++------
 4 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/PVE/API2/Storage/Config.pm b/PVE/API2/Storage/Config.pm
index ea655c5..bf38df3 100755
--- a/PVE/API2/Storage/Config.pm
+++ b/PVE/API2/Storage/Config.pm
@@ -112,7 +112,7 @@ __PACKAGE__->register_method ({
 	return &$api_storage_config($cfg, $param->{storage});
     }});
 
-my $sensitive_params = [qw(password encryption-key master-pubkey)];
+my $sensitive_params = [qw(password encryption-key master-pubkey keyring)];
 
 __PACKAGE__->register_method ({
     name => 'create',
diff --git a/PVE/CLI/pvesm.pm b/PVE/CLI/pvesm.pm
index 668170a..190de91 100755
--- a/PVE/CLI/pvesm.pm
+++ b/PVE/CLI/pvesm.pm
@@ -64,13 +64,21 @@ sub param_mapping {
 	}
     };
 
+    my $keyring_map = {
+	name => 'keyring',
+	desc => 'file containing the keyring to authenticate in the Ceph cluster',
+	func => sub {
+	    my ($value) = @_;
+	    return PVE::Tools::file_get_contents($value);
+	},
+    };
 
     my $mapping = {
 	'cifsscan' => [ $password_map ],
 	'cifs' => [ $password_map ],
 	'pbs' => [ $password_map ],
-	'create' => [ $password_map, $enc_key_map, $master_key_map ],
-	'update' => [ $password_map, $enc_key_map, $master_key_map ],
+	'create' => [ $password_map, $enc_key_map, $master_key_map, $keyring_map ],
+	'update' => [ $password_map, $enc_key_map, $master_key_map, $keyring_map ],
     };
     return $mapping->{$name};
 }
diff --git a/PVE/Storage/CephFSPlugin.pm b/PVE/Storage/CephFSPlugin.pm
index 2aaa450..3b9a791 100644
--- a/PVE/Storage/CephFSPlugin.pm
+++ b/PVE/Storage/CephFSPlugin.pm
@@ -146,6 +146,7 @@ sub options {
 	fuse => { optional => 1 },
 	bwlimit => { optional => 1 },
 	maxfiles => { optional => 1 },
+	keyring => { optional => 1 },
 	'prune-backups' => { optional => 1 },
     };
 }
@@ -163,20 +164,29 @@ sub check_config {
 sub on_add_hook {
     my ($class, $storeid, $scfg, %param) = @_;
 
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
+    my $secret = $param{keyring} if defined $param{keyring} // undef;
+    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
 
-    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
+    return;
+}
+
+sub on_update_hook {
+    my ($class, $storeid, $scfg, %param) = @_;
+
+    if (exists($param{keyring})) {
+	if (defined($param{keyring})) {
+	    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
+	} else {
+	    PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
+	}
+    }
 
     return;
 }
 
 sub on_delete_hook {
     my ($class, $storeid, $scfg) = @_;
-
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
-
     PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
-
     return;
 }
 
diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index a8d1243..4bd43d5 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -305,6 +305,10 @@ sub properties {
 	    description => "Always access rbd through krbd kernel module.",
 	    type => 'boolean',
 	},
+	keyring => {
+	    description => "Client keyring contents (for external clusters).",
+	    type => 'string',
+	},
     };
 }
 
@@ -318,6 +322,7 @@ sub options {
 	username => { optional => 1 },
 	content => { optional => 1 },
 	krbd => { optional => 1 },
+	keyring => { optional => 1 },
 	bwlimit => { optional => 1 },
     };
 }
@@ -327,20 +332,29 @@ sub options {
 sub on_add_hook {
     my ($class, $storeid, $scfg, %param) = @_;
 
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
+    my $secret = $param{keyring} if defined $param{keyring} // undef;
+    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
 
-    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
+    return;
+}
+
+sub on_update_hook {
+    my ($class, $storeid, $scfg, %param) = @_;
+
+    if (exists($param{keyring})) {
+	if (defined($param{keyring})) {
+	    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
+	} else {
+	    PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
+	}
+    }
 gg
     return;
 }
 
 sub on_delete_hook {
     my ($class, $storeid, $scfg) = @_;
-
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
-
     PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
-
     return;
 }
 
-- 
2.30.2

Re: [pve-devel] [PATCH v2 storage 2/2] Ceph: add keyring parameter for external clusters

[Thomas Lamprecht]

On 03/08/2021 13:45, Aaron Lauterer wrote:

patch does not applies..
  
> diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
> index a8d1243..4bd43d5 100644
> --- a/PVE/Storage/RBDPlugin.pm
> +++ b/PVE/Storage/RBDPlugin.pm

.. snip

> @@ -327,20 +332,29 @@ sub options {

diff # do not seem to match even with below bogus `gg` line removed

>  sub on_add_hook {
>      my ($class, $storeid, $scfg, %param) = @_;
>  
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> +    my $secret = $param{keyring} if defined $param{keyring} // undef;
> +    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
>  
> -    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
> +    return;
> +}
> +
> +sub on_update_hook {
> +    my ($class, $storeid, $scfg, %param) = @_;
> +
> +    if (exists($param{keyring})) {
> +	if (defined($param{keyring})) {
> +	    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
> +	} else {
> +	    PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> +	}
> +    }
>  gg

bogus line above, probably from a vim-go-to-top in insert mode mistake..

>      return;
>  }
>  
>  sub on_delete_hook {
>      my ($class, $storeid, $scfg) = @_;
> -
> -    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
> -
>      PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
> -
>      return;
>  }
>  
>