mgr/cephadm: add RGW support for NFS ganesha#37600
Conversation
| RGW { | ||
| cluster = "ceph"; | ||
| name = "client.{{ rgw_user }}"; | ||
| } | ||
|
|
There was a problem hiding this comment.
Instead of adding RGW block by default. It would be good to have export type option in ceph orch apply nfs or let higher level interfaces modify the ganesha conf according to export type. And we have cluster type option in volumes/nfs interface ceph nfs cluster create <type> <clusterid> [<placement>] for the purpose of modifying minimal ganesha conf according to export type. @batrick @jtlayton
There was a problem hiding this comment.
generally agree our goal is to minimize ganesha.conf into a very simple bootstrap config, but we do need to manage the keyrings (both add/remove) and also mount the keyring into each daemon container.
There was a problem hiding this comment.
I think the problem is that once defined here you can't add other options to the RGW section from another RADOS config. cephadm can setup the keys but I think it'd be better for the higher level config to write the RGW section.
There was a problem hiding this comment.
I've been able to overwrite this block from the higher level config, but the entire block is replaced, which is problematic because this would require the higher level workflow to also have knowledge of the keyring entity.
| mounts[os.path.join(data_dir, 'etc/ganesha')] = '/etc/ganesha:z' | ||
| if self.rgw: | ||
| cluster = self.rgw.get('cluster', 'ceph') | ||
| rgw_user = self.rgw.get('user', 'admin') |
There was a problem hiding this comment.
Do we do this elsewhere? I don't think we should use the admin credential as a default.
There was a problem hiding this comment.
Would a NoneType be better here? At this point, we've already generated a client keyring and the input validation should have raised an exception if no keyring was provided ...
There was a problem hiding this comment.
Would a NoneType be better here?
Yes, I think so.
| 'prefix': 'auth get-or-create', | ||
| 'entity': entity, | ||
| 'caps': ['mon', 'allow r', | ||
| 'osd', 'allow rwx'], |
There was a problem hiding this comment.
Why does NFS-Ganesha need access to the OSDs when talking to RGW?
There was a problem hiding this comment.
Do you have a more restrictive set of perms in mind?
There was a problem hiding this comment.
I think it just needs mon "allow r"? cc @cbodley @mattbenjamin
There was a problem hiding this comment.
librgw is a librados client. does that mean it needs osd caps?
There was a problem hiding this comment.
I thought librgw was just talking to the monitors and not the OSDs but maybe I misunderstood.
In any case, it should not have unlimited access to the OSDs with osd "allow rwx".
There was a problem hiding this comment.
librgw, when initialized, starts an entire radosgw absent only the HTTP front-ends and (by default) some of the background services such as lifecycle. By design, it accesses services in the Ceph cluster the same as an ordinary radosgw would. It needs the same permissions to execute--and even identifies itself with the same client string.
There was a problem hiding this comment.
I see. Thanks for explaining @mattbenjamin. How do you normally restrict rgw instances though in terms of osd caps?
There was a problem hiding this comment.
|
@mgfritch (folks), where does the ganesha.conf come from? There are options here we'd like to check. Also, potentially allow selection of rgw_nfs_fast_attrs. |
https://github.com/ceph/ceph/pull/37600/files#diff-d19145aa3232f726604da0f1f3c6bba7 We've taken to calling this the "bootstrap" config because most configuration should come from a higher layer like the volumes nfs driver. |
|
a "bootstrap" ganesha.conf is rendered from within mgr/cephadm and injected into each daemon container. The bootstrap config defines a Could we have an RGW block defined in both the bootstrap ganesha.conf and also another RGW block later defined via a RADOS conifg object. ... but I think that would require the ganesha daemon to take a union on the config values instead of the current behavior (which is replace the entire RGW block) ? |
As I said in the other comment, it does not take a union so if cephadm defines it then it cannot be overridden TMK. |
I think this was true in older versions of ganesha, but with ganesha v3.3, it does seem the that the |
Fixes: https://tracker.ceph.com/issues/43686 Signed-off-by: Michael Fritch <mfritch@suse.com>
- create an RGW keyring for NFS daemon access - generate RGW FSAL in ganesha.conf Fixes: https://tracker.ceph.com/issues/43686 Signed-off-by: Michael Fritch <mfritch@suse.com>
remove RGW keyring during NFS daemon `post_remove` Fixes: https://tracker.ceph.com/issues/43686 Signed-off-by: Michael Fritch <mfritch@suse.com>
4934879 to
219c0c3
Compare
Daniel-Pivonka
left a comment
There was a problem hiding this comment.
This functionally worked for me i was able to put files in buckets and they would show up on the nfs mount
|
@Daniel-Pivonka woot |
|
@Daniel-Pivonka @kalebskeithley @dang should we have a review of the configs that can now be generated? I'd like to ensure that our preferred configurations (incl. fast-attrs, above) can be set up. |
bk201
left a comment
There was a problem hiding this comment.
work for using Dashboard to create RGW share.
I can access files in buckets with RO mode.
jmolmo
left a comment
There was a problem hiding this comment.
I think we can go with this.
Probably we will need to improve things around how to setup the service in a more simple way. But this modifications are definitely a first and a big step. :-)
restrict the OSD keyring caps to the `rgw` application Signed-off-by: Michael Fritch <mfritch@suse.com>
PR ceph#37600 introduced support for both cephfs and rgw while using the same nfs-ganesha daemon Signed-off-by: Michael Fritch <mfritch@suse.com>
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Signed-off-by: Michael Fritch <mfritch@suse.com>
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Fixes: https://tracker.ceph.com/issues/50369 Signed-off-by: Michael Fritch <mfritch@suse.com>
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Fixes: https://tracker.ceph.com/issues/50369 Signed-off-by: Michael Fritch <mfritch@suse.com> (cherry picked from commit e9b2c38)
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Fixes: https://tracker.ceph.com/issues/50369 Signed-off-by: Michael Fritch <mfritch@suse.com> (cherry picked from commit e9b2c38)
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Fixes: https://tracker.ceph.com/issues/50369 Signed-off-by: Michael Fritch <mfritch@suse.com> (cherry picked from commit e9b2c38)
PR ceph#37600 introduced support for both `cephfs` and `rgw` exports to be configured using a single nfs-ganesha cluster Fixes: https://tracker.ceph.com/issues/50369 Signed-off-by: Michael Fritch <mfritch@suse.com> (cherry picked from commit e9b2c38) (cherry picked from commit 678ee63) Resolves: rhbz#1951969
At some point, upstream obviously changed the syntax of the "ceph nfs cluster create" command in octopus, thereby breaking "sesdev create pacific" and "sesdev create ses7". Later, this syntax change got reverted [1], but since this revert was made possible by a big feature [2], so far it has been backported only to pacific [3] [1] ceph/ceph#40411 [2] ceph/ceph#37600 [3] ceph/ceph#41005 Fixes: SUSE#611 Signed-off-by: Nathan Cutler <ncutler@suse.com>
At some point, upstream obviously changed the syntax of the "ceph nfs cluster create" command in octopus, thereby breaking "sesdev create pacific" and "sesdev create ses7". Later, this syntax change got reverted [1], but since this revert was made possible by a big feature [2], so far it has been backported only to pacific [3] [1] ceph/ceph#40411 [2] ceph/ceph#37600 [3] ceph/ceph#41005 Fixes: SUSE#611 Signed-off-by: Nathan Cutler <ncutler@suse.com>
Fixes: https://tracker.ceph.com/issues/43686
Signed-off-by: Michael Fritch mfritch@suse.com
Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume tox