public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters
@ 2022-01-26 10:18 Aaron Lauterer
  2022-01-26 10:18 ` [pve-devel] [PATCH v2 docs 2/3] storage: rbd: cephs: update authentication section Aaron Lauterer
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Aaron Lauterer @ 2022-01-26 10:18 UTC (permalink / raw)
  To: pve-devel

Manual switching of xtype because binding 'hidden' does not work with
pmxDisplayEditField.

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
changes: added spaces in front of `?` operator that were missed.


From previous iteration for this patch:

Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
Tested-by: Fabian Ebner <f.ebner@proxmox.com>

 www/manager6/storage/CephFSEdit.js | 39 ++++++++++++++++++++----------
 www/manager6/storage/RBDEdit.js    | 11 +++++++++
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/www/manager6/storage/CephFSEdit.js b/www/manager6/storage/CephFSEdit.js
index 92fdfe63..b851f2cc 100644
--- a/www/manager6/storage/CephFSEdit.js
+++ b/www/manager6/storage/CephFSEdit.js
@@ -101,20 +101,33 @@ Ext.define('PVE.storage.CephFSInputPanel', {
 	    },
 	];
 
-	me.columnB = [{
-	    xtype: 'proxmoxcheckbox',
-	    name: 'pveceph',
-	    reference: 'pvecephRef',
-	    bind: {
-		disabled: '{!pvecephPossible}',
-		value: '{pveceph}',
+	me.columnB = [
+	    {
+		xtype: me.isCreate ? 'textfield' : 'displayfield',
+		name: 'keyring',
+		fieldLabel: 'Secret',
+		value: me.isCreate ? '' : '***********',
+		allowBlank: false,
+		bind: {
+		    hidden: '{pveceph}',
+		    disabled: '{pveceph}',
+		},
+	    },
+	    {
+		xtype: 'proxmoxcheckbox',
+		name: 'pveceph',
+		reference: 'pvecephRef',
+		bind: {
+		    disabled: '{!pvecephPossible}',
+		    value: '{pveceph}',
+		},
+		checked: true,
+		uncheckedValue: 0,
+		submitValue: false,
+		hidden: !me.isCreate,
+		boxLabel: gettext('Use Proxmox VE managed hyper-converged cephFS'),
 	    },
-	    checked: true,
-	    uncheckedValue: 0,
-	    submitValue: false,
-	    hidden: !me.isCreate,
-	    boxLabel: gettext('Use Proxmox VE managed hyper-converged cephFS'),
-	}];
+	];
 
 	me.callParent();
     },
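Review bot: the secret is collected in a plain `textfield` in the new `keyring` entry of `columnB`, so the cephx key is shown in clear text while it is typed or pasted; as it is a single-line value here, setting `inputType: 'password'` on the create-mode field would keep it off the screen. The label is the bare string `fieldLabel: 'Secret'`, while the checkbox below it passes its `boxLabel` through `gettext(...)`, so wrap it in `gettext()` as well. On edit the field becomes a `displayfield` that still carries `name: 'keyring'` and the fixed value `'***********'`; it is worth confirming that this placeholder is never sent back as the keyring when the dialog is saved.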
diff --git a/www/manager6/storage/RBDEdit.js b/www/manager6/storage/RBDEdit.js
index 35568b98..15fc1304 100644
--- a/www/manager6/storage/RBDEdit.js
+++ b/www/manager6/storage/RBDEdit.js
@@ -201,6 +201,17 @@ Ext.define('PVE.storage.RBDInputPanel', {
 	];
 
 	me.columnB = [
+	    {
+		xtype: me.isCreate ? 'textarea' : 'displayfield',
+		name: 'keyring',
+		fieldLabel: 'Keyring',
+		value: me.isCreate ? '' : '***********',
+		allowBlank: false,
+		bind: {
+		    hidden: '{pveceph}',
+		    disabled: '{pveceph}',
+		},
+	    },
 	    {
 		xtype: 'proxmoxcheckbox',
 		name: 'pveceph',
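Review bot: on edit, `xtype: me.isCreate ? 'textarea' : 'displayfield'` leaves only the fixed `'***********'`, so the dialog neither shows whether a keyring is stored for this storage nor offers a way to replace it from the GUI, for example after the key was rotated on the external cluster; if that is intended for now, say so in the commit message or the docs. `fieldLabel: 'Keyring'` should go through `gettext()`, as the `boxLabel` in CephFSEdit.js does, and since this block is nearly identical to the one added in CephFSEdit.js, a small shared helper would keep the two from drifting apart.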
-- 
2.30.2






* [pve-devel] [PATCH v2 docs 2/3] storage: rbd: cephs: update authentication section
  2022-01-26 10:18 [pve-devel] [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Aaron Lauterer
@ 2022-01-26 10:18 ` Aaron Lauterer
  2022-01-26 10:18 ` [pve-devel] [PATCH v2 docs 3/3] update Ceph codename and docs url to octopus Aaron Lauterer
  2022-01-28 11:23 ` [pve-devel] applied-series: [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Fabian Ebner
  2 siblings, 0 replies; 5+ messages in thread
From: Aaron Lauterer @ 2022-01-26 10:18 UTC (permalink / raw)
  To: pve-devel

It is not needed anymore to place the keyring/secret file manually in
the correct location as it can be done with pvesm and the GUI/API now.

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
changes:
restructured the overall flow according to @Fabian_E's suggestions.

First CLI way, then mentioning GUI before giving the background
information where the secret/keyring is actually stored.

I also added more detailed CLI examples and changed their style.

Also rephrased a few other sentences that were rather hard to read.
Especially mentioning that this is done automatically in a
hyperconverged setup.

Fixed footnotes. There should only be one footnote regarding the Ceph
user mgmt docs now.

 pve-storage-cephfs.adoc | 47 ++++++++++++++++++++++++++++-------------
 pve-storage-rbd.adoc    | 42 +++++++++++++++++++++++++++---------
 2 files changed, 64 insertions(+), 25 deletions(-)

diff --git a/pve-storage-cephfs.adoc b/pve-storage-cephfs.adoc
index 4035617..88b92e6 100644
--- a/pve-storage-cephfs.adoc
+++ b/pve-storage-cephfs.adoc
@@ -71,32 +71,49 @@ disabled.
 Authentication
 ~~~~~~~~~~~~~~
 
-If you use `cephx` authentication, which is enabled by default, you need to copy
-the secret from your external Ceph cluster to a Proxmox VE host.
+If you use `cephx` authentication, which is enabled by default, you need to
+provide the secret from the external Ceph cluster.
 
-Create the directory `/etc/pve/priv/ceph` with
+To configure the storage via the CLI, you first need to make the file
+containing the secret available. One way is to copy the file from the external
+Ceph cluster directly to one of the {pve} nodes. The following example will
+copy it to the `/root` directory of the node on which we run it:
 
- mkdir /etc/pve/priv/ceph
+----
+# scp <external cephserver>:/etc/ceph/cephfs.secret /root/cephfs.secret
+----
+
+Then use the `pvesm` CLI tool to configure the external RBD storage, use the
+`--keyring` parameter, which needs to be a path to the secret file that you
+copied.  For example:
+
+----
+# pvesm add cephfs <name> --monhost "10.1.1.20 10.1.1.21 10.1.1.22" --content backup --keyring /root/cephfs.secret
+----
 
-Then copy the secret
+When configuring an external RBD storage via the GUI, you can copy and paste
+the secret into the appropriate field.
 
- scp cephfs.secret <proxmox>:/etc/pve/priv/ceph/<STORAGE_ID>.secret
+The secret is only the key itself, as opposed to the `rbd` backend which also
+contains a `[client.userid]` section.
 
-The secret must be renamed to match your `<STORAGE_ID>`. Copying the
-secret generally requires root privileges. The file must only contain the
-secret key itself, as opposed to the `rbd` backend which also contains a
-`[client.userid]` section.
+The secret will be stored at
+
+----
+# /etc/pve/priv/ceph/<STORAGE_ID>.secret
+----
 
 A secret can be received from the Ceph cluster (as Ceph admin) by issuing the
 command below, where `userid` is the client ID that has been configured to
 access the cluster. For further information on Ceph user management, see the
-Ceph docs footnote:[Ceph user management
-{cephdocs-url}/rados/operations/user-management/].
+Ceph docs.footnoteref:[cephusermgmt]
 
- ceph auth get-key client.userid > cephfs.secret
+----
+# ceph auth get-key client.userid > cephfs.secret
+----
 
-If Ceph is installed locally on the PVE cluster, that is, it was set up using
-`pveceph`, this is done automatically.
+If Ceph is installed locally on the {pve} cluster, this is done automatically
+when adding the storage.
 
 Storage Features
 ~~~~~~~~~~~~~~~~
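Review bot: the added CephFS text twice says RBD where it means CephFS ("configure the external RBD storage" just before the `pvesm add cephfs` example, and "When configuring an external RBD storage via the GUI"); this looks copied from pve-storage-rbd.adoc and should read CephFS. The walk-through also leaves a second copy of the secret at `/root/cephfs.secret` once the storage has been added and the secret is stored under `/etc/pve/priv/ceph/`, so add a sentence telling the reader to delete the temporary file. The "stored at" block prefixes a path with the `#` prompt, which makes it read like a command; drop the prompt or put the path inline. Finally, `footnoteref:[cephusermgmt]` carries no footnote text of its own here and relies on the definition in pve-storage-rbd.adoc, so check that it resolves when this file is built on its own.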
diff --git a/pve-storage-rbd.adoc b/pve-storage-rbd.adoc
index 917926d..4002fd3 100644
--- a/pve-storage-rbd.adoc
+++ b/pve-storage-rbd.adoc
@@ -1,3 +1,4 @@
+:fn-ceph-user-mgmt: footnote:cephusermgmt[Ceph user management {cephdocs-url}/rados/operations/user-management/]
 [[ceph_rados_block_devices]]
 Ceph RADOS Block Devices (RBD)
 ------------------------------
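Review bot: the `:fn-ceph-user-mgmt:` attribute defined on the new first line is not referenced by any line in this series; both files use `footnoteref:[cephusermgmt...]` directly. Either use `{fn-ceph-user-mgmt}` at the places that cite the Ceph user management docs or drop the definition, so that the footnote text has a single source.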
@@ -69,22 +70,43 @@ TIP: You can use the `rbd` utility to do low-level management tasks.
 Authentication
 ~~~~~~~~~~~~~~
 
-If you use `cephx` authentication, you need to copy the keyfile from your
-external Ceph cluster to a Proxmox VE host.
+If you use `cephx` authentication, which is enabled by default, you need to
+provide the keyring from the external Ceph cluster.
 
-Create the directory `/etc/pve/priv/ceph` with
+To configure the storage via the CLI, you first need to make the file
+containing the keyring available. One way is to copy the file from the external
+Ceph cluster directly to one of the {pve} nodes. The following example will
+copy it to the `/root` directory of the node on which we run it:
 
- mkdir /etc/pve/priv/ceph
+----
+# scp <external cephserver>:/etc/ceph/ceph.client.admin.keyring /root/rbd.keyring
+----
+
+Then use the `pvesm` CLI tool to configure the external RBD storage, use the
+`--keyring` parameter, which needs to be a path to the keyring file that you
+copied.  For example:
+
+----
+# pvesm add rbd <name> --monhost "10.1.1.20 10.1.1.21 10.1.1.22" --content images --keyring /root/rbd.keyring
+----
+
+When configuring an external RBD storage via the GUI, you can copy and paste
+the keyring into the appropriate field.
+
+The keyring will be stored at
+
+----
+# /etc/pve/priv/ceph/<STORAGE_ID>.keyring
+----
 
-Then copy the keyring
+If Ceph is installed locally on the {pve} cluster, this is done automatically
+when adding the storage.
 
- scp <cephserver>:/etc/ceph/ceph.client.admin.keyring /etc/pve/priv/ceph/<STORAGE_ID>.keyring
+TIP: Creating a keyring with only the needed capabilities is recommend when
+connecting to an external cluster. For further information on Ceph user
+management, see the Ceph docs.footnoteref:[cephusermgmt,{cephdocs-url}/rados/operations/user-management/[Ceph User Management]]
 
-The keyring must be named to match your `<STORAGE_ID>`. Copying the
-keyring generally requires root privileges.
 
-If Ceph is installed locally on the PVE cluster, this is done automatically by
-'pveceph' or in the GUI.
 
 Storage Features
 ~~~~~~~~~~~~~~~~
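Review bot: the `scp` example copies `ceph.client.admin.keyring`, the admin keyring of the external cluster, while the TIP added further down recommends a keyring with only the needed capabilities; readers tend to paste the example as is, so it should use a dedicated client keyring, and the TIP belongs next to the example rather than at the end of the section. The copy at `/root/rbd.keyring` also stays behind after `pvesm add rbd`, so mention removing it. Smaller points: "is recommend" should be "is recommended", the path in the "stored at" block should not carry the `#` prompt, and the removed paragraphs leave three blank lines in a row before "Storage Features".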
-- 
2.30.2






* [pve-devel] [PATCH v2 docs 3/3] update Ceph codename and docs url to octopus
  2022-01-26 10:18 [pve-devel] [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Aaron Lauterer
  2022-01-26 10:18 ` [pve-devel] [PATCH v2 docs 2/3] storage: rbd: cephs: update authentication section Aaron Lauterer
@ 2022-01-26 10:18 ` Aaron Lauterer
  2022-01-28 11:23 ` [pve-devel] applied-series: [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Fabian Ebner
  2 siblings, 0 replies; 5+ messages in thread
From: Aaron Lauterer @ 2022-01-26 10:18 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
I set it to octopus for the lower bound version Ceph in PVE 7

 asciidoc/asciidoc-pve.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/asciidoc/asciidoc-pve.conf b/asciidoc/asciidoc-pve.conf
index 5faac0c..31b8de6 100644
--- a/asciidoc/asciidoc-pve.conf
+++ b/asciidoc/asciidoc-pve.conf
@@ -15,6 +15,6 @@ author=Proxmox Server Solutions GmbH
 email=support@proxmox.com
 endif::docinfo1[]
 ceph=http://ceph.com[Ceph]
-ceph_codename=nautilus
-cephdocs-url=https://docs.ceph.com/en/nautilus
+ceph_codename=octopus
+cephdocs-url=https://docs.ceph.com/en/octopus
 
-- 
2.30.2






* [pve-devel] applied-series: [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters
  2022-01-26 10:18 [pve-devel] [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Aaron Lauterer
  2022-01-26 10:18 ` [pve-devel] [PATCH v2 docs 2/3] storage: rbd: cephs: update authentication section Aaron Lauterer
  2022-01-26 10:18 ` [pve-devel] [PATCH v2 docs 3/3] update Ceph codename and docs url to octopus Aaron Lauterer
@ 2022-01-28 11:23 ` Fabian Ebner
  2022-01-28 11:24   ` Aaron Lauterer
  2 siblings, 1 reply; 5+ messages in thread
From: Fabian Ebner @ 2022-01-28 11:23 UTC (permalink / raw)
  To: Aaron Lauterer, pve-devel

On 26.01.22 at 11:18, Aaron Lauterer wrote:
> Manual switching of xtype because binding 'hidden' does not work with
> pmxDisplayEditField.
> 
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> changes: added spaces in front of `?` operator that were missed.
> 
> 
> From previous iteration for this patch:
> 
> Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
> Tested-by: Fabian Ebner <f.ebner@proxmox.com>
> 
>  www/manager6/storage/CephFSEdit.js | 39 ++++++++++++++++++++----------
>  www/manager6/storage/RBDEdit.js    | 11 +++++++++
>  2 files changed, 37 insertions(+), 13 deletions(-)
>

thanks! Added two small followups after a brief discussion with Thomas,
namely using gettext('Secret Key') for the field label for CephFS and
making the "is done automatically for local cluster" more obvious in the
docs. Also added the missing f in the second commit title again ;)







* Re: [pve-devel] applied-series: [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters
  2022-01-28 11:23 ` [pve-devel] applied-series: [PATCH v2 manager 1/3] ui: rbd: cephfs: add keyring/secret field for external clusters Fabian Ebner
@ 2022-01-28 11:24   ` Aaron Lauterer
  0 siblings, 0 replies; 5+ messages in thread
From: Aaron Lauterer @ 2022-01-28 11:24 UTC (permalink / raw)
  To: Fabian Ebner, pve-devel



On 1/28/22 12:23, Fabian Ebner wrote:
> On 26.01.22 at 11:18, Aaron Lauterer wrote:
>> Manual switching of xtype because binding 'hidden' does not work with
>> pmxDisplayEditField.
>>
>> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
>> ---
>> changes: added spaces in front of `?` operator that were missed.
>>
>>
>>  From previous iteration for this patch:
>>
>> Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
>> Tested-by: Fabian Ebner <f.ebner@proxmox.com>
>>
>>   www/manager6/storage/CephFSEdit.js | 39 ++++++++++++++++++++----------
>>   www/manager6/storage/RBDEdit.js    | 11 +++++++++
>>   2 files changed, 37 insertions(+), 13 deletions(-)
>>
> 
> thanks! Added two small followups after a brief discussion with Thomas,
> namely using gettext('Secret Key') for the field label for CephFS and
> making the "is done automatically for local cluster" more obvious in the
> docs. Also added the missing f in the second commit title again ;)

thanks for that... :D git commit --amend and not seeing it...
> 
> 




