mirror of
https://git.proxmox.com/git/pve-manager
synced 2025-07-24 20:20:13 +00:00
11edd5d88d
Due to Ceph dropping privileges when running the 'ceph-crash' daemon
[0], it is necessary to allow the daemon to authenticate with its
cluster in a safe manner.
In order to avoid exposing sensitive keyrings or somehow escalating
its privileges again, 'ceph-crash' is therefore provided with its own
keyring in the '/etc/pve/ceph' directory. This directory, due to being
on 'pmxcfs', may be read by members of the 'www-data' group, which
'ceph-crash' is made part of [1].
Expected Configuration
----------------------
1. A keyring file named '/etc/pve/ceph/ceph.client.crash.keyring'
exists
2. A section named 'client.crash' exists in '/etc/pve/ceph.conf'
3. The 'client.crash' section has a key named 'keyring' which
references the keyring file as '/etc/pve/ceph/$cluster.$name.keyring'
4. The 'client.crash' section has *no* key named 'key'
New Clusters
------------
The keyring file is created and the conf file is updated after the first
monitor has been created (when calling `pveceph mon create`).
Existing Clusters
-----------------
A new helper script creates and configures the 'client.crash' keyring in
`postinst`, if:
* Ceph is installed
* Ceph is initialized ('/etc/pve/ceph.conf' and '/etc/pve/ceph' exist)
* Connection to RADOS is successful
If the above conditions are met, the helper script ensures that the
existing configuration matches the expected configuration mentioned
above.
The configuration is not changed if it is already as expected.
The helper script may be called again manually if the `postinst` hook
fails. It is installed to '/usr/share/pve-manager/helpers/pve-init-ceph-crash'.
Existing `client.crash` Key
---------------------------
If a key named 'client.crash' already exists within the cluster, it is
reused and not regenerated.
[0]: https://github.com/ceph/ceph/pull/48713
[1]: https://git.proxmox.com/?p=ceph.git;a=commitdiff;h=f72c698a55905d93e9a0b7b95674616547deba8a
Signed-off-by: Max Carrara <m.carrara@proxmox.com>
Tested-by: Friedrich Weber <f.weber@proxmox.com>
|
||
|---|---|---|
| .. | ||
| Ceph | ||
| Cluster | ||
| Hardware | ||
| ACME.pm | ||
| ACMEAccount.pm | ||
| ACMEPlugin.pm | ||
| APT.pm | ||
| Backup.pm | ||
| Capabilities.pm | ||
| Ceph.pm | ||
| Certificates.pm | ||
| Cluster.pm | ||
| HAConfig.pm | ||
| Hardware.pm | ||
| Makefile | ||
| Network.pm | ||
| NodeConfig.pm | ||
| Nodes.pm | ||
| Pool.pm | ||
| Replication.pm | ||
| ReplicationConfig.pm | ||
| Services.pm | ||
| Subscription.pm | ||
| Tasks.pm | ||
| VZDump.pm | ||