By adding the keyring for RBD storage or the secret for CephFS ones, it is possible to add an external Ceph cluster with only one API call.
Previously the keyring / secret file needed to be placed in /etc/pve/priv/ceph/$storeID.{keyring,secret} manually.

Signed-off-by: Aaron Lauterer <a.laute...@proxmox.com>
---
changes since v1: add check if the keyring parameter exists before deciding on whether to store or remove the file. thx @thomas for catching that

 PVE/API2/Storage/Config.pm  |  2 +-
 PVE/CLI/pvesm.pm            | 12 ++++++++++--
 PVE/Storage/CephFSPlugin.pm | 22 ++++++++++++++++------
 PVE/Storage/RBDPlugin.pm    | 26 ++++++++++++++++++++------
 4 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/PVE/API2/Storage/Config.pm b/PVE/API2/Storage/Config.pm
index ea655c5..bf38df3 100755
--- a/PVE/API2/Storage/Config.pm
+++ b/PVE/API2/Storage/Config.pm
@@ -112,7 +112,7 @@ __PACKAGE__->register_method ({
     return &$api_storage_config($cfg, $param->{storage});
 }});
 
-my $sensitive_params = [qw(password encryption-key master-pubkey)];
+my $sensitive_params = [qw(password encryption-key master-pubkey keyring)];
 
 __PACKAGE__->register_method ({
     name => 'create',
diff --git a/PVE/CLI/pvesm.pm b/PVE/CLI/pvesm.pm
index 668170a..190de91 100755
--- a/PVE/CLI/pvesm.pm
+++ b/PVE/CLI/pvesm.pm
@@ -64,13 +64,21 @@ sub param_mapping {
         }
     };
 
+    my $keyring_map = {
+        name => 'keyring',
+        desc => 'file containing the keyring to authenticate in the Ceph cluster',
+        func => sub {
+            my ($value) = @_;
+            return PVE::Tools::file_get_contents($value);
+        },
+    };
     my $mapping = {
         'cifsscan' => [ $password_map ],
         'cifs' => [ $password_map ],
         'pbs' => [ $password_map ],
-        'create' => [ $password_map, $enc_key_map, $master_key_map ],
-        'update' => [ $password_map, $enc_key_map, $master_key_map ],
+        'create' => [ $password_map, $enc_key_map, $master_key_map, $keyring_map ],
+        'update' => [ $password_map, $enc_key_map, $master_key_map, $keyring_map ],
     };
 
     return $mapping->{$name};
 }
diff --git a/PVE/Storage/CephFSPlugin.pm b/PVE/Storage/CephFSPlugin.pm
index 2aaa450..3b9a791 100644
--- a/PVE/Storage/CephFSPlugin.pm
+++ b/PVE/Storage/CephFSPlugin.pm
@@ -146,6 +146,7 @@ sub options {
         fuse => { optional => 1 },
         bwlimit => { optional => 1 },
         maxfiles => { optional => 1 },
+        keyring => { optional => 1 },
         'prune-backups' => { optional => 1 },
     };
 }
@@ -163,20 +164,29 @@ sub check_config {
 sub on_add_hook {
     my ($class, $storeid, $scfg, %param) = @_;
 
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
+    my $secret = $param{keyring} if defined $param{keyring} // undef;
+    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
 
-    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
+    return;
+}
+
+sub on_update_hook {
+    my ($class, $storeid, $scfg, %param) = @_;
+
+    if (exists($param{keyring})) {
+        if (defined($param{keyring})) {
+            PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
+        } else {
+            PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
+        }
+    }
 
     return;
 }
 
 sub on_delete_hook {
     my ($class, $storeid, $scfg) = @_;
-
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
-
     PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
-
     return;
 }
 
diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index a8d1243..4bd43d5 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -305,6 +305,10 @@ sub properties {
             description => "Always access rbd through krbd kernel module.",
             type => 'boolean',
         },
+        keyring => {
+            description => "Client keyring contents (for external clusters).",
+            type => 'string',
+        },
     };
 }
 
@@ -318,6 +322,7 @@ sub options {
         username => { optional => 1 },
         content => { optional => 1 },
         krbd => { optional => 1 },
+        keyring => { optional => 1 },
         bwlimit => { optional => 1 },
     };
 }
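Review bot: `my $secret = $param{keyring} if defined $param{keyring} // undef;` in the new on_add_hook declares a lexical under a statement modifier, which perlsyn documents as having undefined behaviour, and the `// undef` sits inside the `defined` test, so it changes nothing; the identical line is in the RBDPlugin.pm on_add_hook hunk. An absent keyring is already undef, so the two lines reduce to `PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});`. With the `return if defined($scfg->{monhost})` guard removed the hook now also runs for external clusters that are added without a keyring; whether ceph_create_keyfile copes with an undef secret in that case is outside this diff and worth confirming, and a comment such as `# keyring is only supplied for external clusters (see the RBD 'keyring' property)` would record the intent. The new on_update_hook distinguishes an absent `keyring` key from one set to undef, which requires the update endpoint in Config.pm to pass `keyring => undef` on deletion; that caller is not part of this patch.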
@@ -327,20 +332,29 @@ sub options {
 sub on_add_hook {
     my ($class, $storeid, $scfg, %param) = @_;
 
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
+    my $secret = $param{keyring} if defined $param{keyring} // undef;
+    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $secret);
 
-    PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid);
+    return;
+}
+
+sub on_update_hook {
+    my ($class, $storeid, $scfg, %param) = @_;
+
+    if (exists($param{keyring})) {
+        if (defined($param{keyring})) {
+            PVE::CephConfig::ceph_create_keyfile($scfg->{type}, $storeid, $param{keyring});
+        } else {
+            PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
+        }
+    } gg
 
     return;
 }
 
 sub on_delete_hook {
     my ($class, $storeid, $scfg) = @_;
-
-    return if defined($scfg->{monhost}); # nothing to do if not pve managed ceph
-
     PVE::CephConfig::ceph_remove_keyfile($scfg->{type}, $storeid);
-
     return;
 }
 
-- 
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
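Review bot: the added `}` that closes the `if (exists($param{keyring}))` block in RBDPlugin.pm's on_update_hook is followed by a stray `gg` before the `return;` context line; if that token is really in the patch and not an artefact of the archive rendering, it is a bareword in statement position and I expect the module to fail to compile, so the line should read plain `    }` as in the CephFSPlugin.pm hunk. Apart from that token the three hooks are copied verbatim from CephFSPlugin.pm, including the `my $secret = ... if ...` line flagged there. Both copies only call PVE::CephConfig with `$scfg->{type}` and `$storeid`, so a single shared implementation would keep the two plugins from drifting, though that is a style preference rather than a defect.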