smb: add remote control server by phlogistonjohn · Pull Request #64372 · ceph/ceph

phlogistonjohn · 2025-07-07T13:46:20Z

Depends on #64142

Add support for an optional remote-control sidecar server. This server is provided by the sambacc project and creates a gRPC interface that allows systems outside the ceph cluster to get realtime-ish connection information and make changes like disconnecting a client or share.

This server uses mTLS for simple auth{n,z} if a server cert, server key and ca cert are provided. The server can also be deployed in an insecure mode (no TLS) and or non-authenticating mode (no CA Cert). However, these modes are read-only and are mainly just for testing.

To support TLS credentials, a new top-level resource type ceph.smb.tls.credential is added. This type is somewhat similar to the the ceph.smb.join.auth type in behavior. See the updated doc for more information.

Contribution Guidelines

To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

Tracker (select at least one)
- References tracker ticket
- Very recent bug; references commit where it was introduced
- New feature (ticket optional)
- Doc update (no ticket needed)
- Code cleanup (no ticket needed)
Component impact
- Affects Dashboard, opened tracker ticket
- Affects Orchestrator, opened tracker ticket
- No impact that needs to be tracked
Documentation (select at least one)
- Updates relevant documentation
- No doc update is appropriate
Tests (select at least one)
- Includes unit test(s)
- Includes integration test(s)
- Includes bug reproducer
- No tests

Show available Jenkins commands

jenkins test classic perf Jenkins Job | Jenkins Job Definition
jenkins test crimson perf Jenkins Job | Jenkins Job Definition
jenkins test signed Jenkins Job | Jenkins Job Definition
jenkins test make check Jenkins Job | Jenkins Job Definition
jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
jenkins test submodules Jenkins Job | Jenkins Job Definition
jenkins test dashboard Jenkins Job | Jenkins Job Definition
jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
jenkins test api Jenkins Job | Jenkins Job Definition
jenkins test docs ReadTheDocs | Github Workflow Definition
jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
jenkins test windows Jenkins Job | Jenkins Job Definition
jenkins test rook e2e Jenkins Job | Jenkins Job Definition

github-actions · 2025-07-09T16:00:37Z

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

github-actions · 2025-07-10T17:30:23Z

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

phlogistonjohn · 2025-07-28T17:38:11Z

jenkins test make check

phlogistonjohn · 2025-07-28T17:38:47Z

jenkins test windows

github-actions · 2025-07-30T17:10:26Z

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

phlogistonjohn · 2025-07-31T14:32:50Z

jenkins test make check

Use the new tls credential resource and remote control cluster field to configure the tls creds for the remote control sidecar in the service spec. Signed-off-by: John Mulligan <jmulligan@redhat.com>

Update the handler code needed to make tls credential types work corrently for `ceph smb show` commands. Signed-off-by: John Mulligan <jmulligan@redhat.com>

Support populating the cert data sent to the cephadm binary using special `URI:` prefixed strings instead of putting the cert data itself in the smb service spec. This avoids having an extra copy of the cert floating around but still matches the behavior of other services where cephadm writes the certs into files. In the future we may be able to avoid even putting the data in here as sambacc can use rados apis - but for simplicity and matching other services we will send the data this way for now. Signed-off-by: John Mulligan <jmulligan@redhat.com>

Signed-off-by: John Mulligan <jmulligan@redhat.com>

anoopcs9

Looks OK at a very high level.

src/pybind/mgr/smb/resources.py

doc/mgr/smb.rst

It covers the remote control configuration object and the tls credential resource and source object created to support it and future tls needs. Signed-off-by: John Mulligan <jmulligan@redhat.com>

When not referring to a code object or field value or module name, try to spell ID and SMB in all caps everywhere in the document. Signed-off-by: John Mulligan <jmulligan@redhat.com>

adk3798 · 2025-08-12T23:19:29Z

jenkins test make check

adk3798 · 2025-08-13T03:57:37Z

jenkins test make check

adk3798 · 2025-08-13T05:31:20Z

jenkins test make check

anoopcs9 · 2025-08-13T05:45:37Z