This commit adds the `set_ceph_crash_conf` function, which dynamically
adapts the host's Ceph configuration in order to allow the Ceph crash
module's daemon to run without elevated privileges.
This adaptation is only performed if:
* Ceph is installed
* Ceph is configured ('/etc/pve/ceph.conf' exists)
* Connection to RADOS is successful
If the above conditions are met, the function will ensure that:
* Ceph possesses a key named 'client.crash'
* The key is saved to '/etc/pve/ceph/ceph.client.crash.keyring'
* A section for 'client.crash' exists in '/etc/pve/ceph.conf'
* The 'client.crash' section has a key named 'keyring' which
references '/etc/pve/ceph/ceph.client.crash.keyring'
Furthermore, if a key named 'client.crash' already exists within the
cluster, it shall be reused and not regenerated. Also, the
configuration is not altered if the conditions above are already met.
This way the keyring file is available as read-only in
'/etc/pve/ceph/' for the `www-data` group (due to how pmxcfs works).
Because the `ceph` user has been made part of said `www-data` group
[0], it may access the file without requiring any additional
privileges.
Thus, the configuration for the Ceph crash daemon is safely adapted as
expected by PVE tooling and also shared via pmxcfs across one's
cluster.
[0]:
https://git.proxmox.com/?p=ceph.git;a=commitdiff;h=f72c698a55905d93e9a0b7b95674616547deba8a
Signed-off-by: Max Carrara <m.carr...@proxmox.com>
---
debian/postinst | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
diff --git a/debian/postinst b/debian/postinst
index 00d5f2cc..8d2a8c4b 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -110,6 +110,114 @@ migrate_apt_auth_conf() {
fi
}
+set_ceph_crash_conf() {
+ PVE_CEPH_CONFFILE='/etc/pve/ceph.conf'
+ PVE_CEPH_CONFDIR='/etc/pve/ceph'
+ PVE_CEPH_CRASH_KEY="${PVE_CEPH_CONFDIR}/ceph.client.crash.keyring"
+ PVE_CEPH_CRASH_KEY_REF="${PVE_CEPH_CONFDIR}/\$cluster.\$name.keyring"
+
+ # ceph isn't installed -> nothing to do
+ if ! which ceph > /dev/null 2>&1; then
+ return 0
+ fi
+
+ # ceph isn't configured -> nothing to do
+ if test ! -f "${PVE_CEPH_CONFFILE}"; then
+ return 0
+ fi
+
+ CEPH_AUTH_RES="$(ceph auth get-or-create client.crash mon 'profile crash'
mgr 'profile crash' 2>&1 || true)"
+
+ # ceph is installed and possibly configured, but no connection to RADOS
+ # -> assume no monitor was created, nothing to do
+ if echo "${CEPH_AUTH_RES}" | grep -i -q 'RADOS object not found'; then
+ return 0
+ fi
+
+ SECTION_RE='^\[\S+\]$'
+ CRASH_SECTION_RE='^\[client\.crash\]$'
+
+ if echo "${CEPH_AUTH_RES}" | grep -q -E "${CRASH_SECTION_RE}"; then
+ DO_RESTART_UNIT=0
+ CRASH_KEY="$(echo "${CEPH_AUTH_RES}" | grep 'key' | sed -E
's/^\s+key\s+=\s+//')"
+
+ if test ! -d "${PVE_CEPH_CONFDIR}"; then
+ mkdir -p "${PVE_CEPH_CONFDIR}"
+ fi
+
+ # keyring file doesn't exist or contains wrong key
+ if test ! -f "${PVE_CEPH_CRASH_KEY}" || ! grep -q "${CRASH_KEY}"
"${PVE_CEPH_CRASH_KEY}"; then
+ echo "Saving key for 'client.crash' as '${PVE_CEPH_CRASH_KEY}'"
+ echo "${CEPH_AUTH_RES}" > "${PVE_CEPH_CRASH_KEY}"
+ DO_RESTART_UNIT=1
+ fi
+
+ # 'client.crash' section is in conf file
+ if grep -q -E "${CRASH_SECTION_RE}" "${PVE_CEPH_CONFFILE}"; then
+ IFS=''
+ NEW_PVE_CEPH_CONFFILE=''
+ IN_CRASH_SECTION=0
+ WAS_IN_CRASH_SECTION=0
+ REPLACED_KEYRING=0
+
+ # look for 'keyring' key in 'client.crash' section
+ # -> replace it if it points to the wrong location
+ while read -r LINE; do
+ if test "${IN_CRASH_SECTION}" = "1"; then
+ if echo "${LINE}" | grep -q -E "${SECTION_RE}"; then
+ IN_CRASH_SECTION=0
+ elif echo "${LINE}" | grep -q -E '\s+keyring'; then
+ if ! echo "${LINE}" | grep -q
"${PVE_CEPH_CRASH_KEY_REF}"; then
+ echo "Replacing keyring value in section
'client.crash' of '${PVE_CEPH_CONFFILE}'"
+ LINE="$(printf '\t keyring = %s'
"${PVE_CEPH_CRASH_KEY_REF}")"
+ REPLACED_KEYRING=1
+ fi
+ fi
+ elif echo "${LINE}" | grep -q -E "${CRASH_SECTION_RE}"; then
+ IN_CRASH_SECTION=1
+ WAS_IN_CRASH_SECTION=1
+ fi
+
+ NEW_PVE_CEPH_CONFFILE="${NEW_PVE_CEPH_CONFFILE}${LINE}\n"
+ done < "${PVE_CEPH_CONFFILE}"
+
+ unset IFS
+
+ # 'keyring' key was replaced -> write to file
+ if test "${REPLACED_KEYRING}" = "1"; then
+ echo "${NEW_PVE_CEPH_CONFFILE}" > "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ # client.crash section exists, but contained no 'keyring' key
+ # -> put 'keyring' key into 'client.crash' section
+ elif test "${WAS_IN_CRASH_SECTION}" = "1"; then
+ sed -i -E "s#(${CRASH_SECTION_RE})#\1\n\t keyring =
${PVE_CEPH_CRASH_KEY_REF}#" \
+ "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ fi
+
+ # 'client.crash' section doesn't exist -> add it
+ else
+ echo "Adding section for key in '${PVE_CEPH_CONFFILE}'"
+ printf '[client.crash]\n\t keyring = %s\n\n'
"${PVE_CEPH_CRASH_KEY_REF}" \
+ >> "${PVE_CEPH_CONFFILE}"
+ DO_RESTART_UNIT=1
+ fi
+
+ if test "${DO_RESTART_UNIT}" = "1"; then
+ UNIT='ceph-crash.service'
+
+ if systemctl -q is-enabled "${UNIT}"; then
+ echo "Restarting ceph-crash.service"
+ deb-systemd-invoke restart "${UNIT}"
+ fi
+ fi
+
+ else
+ echo "WARNING: Ceph: Unable to retrieve key for 'client.crash' -
output:"
+ printf '%s\n\n' "${CEPH_AUTH_RES}"
+ fi
+}
+
case "$1" in
triggered)
# We don't print a status message here, as dpkg already said
@@ -189,6 +297,7 @@ case "$1" in
fi
set_lvm_conf
+ set_ceph_crash_conf
if test ! -e /proxmox_install_mode; then
# modeled after code generated by dh_start
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
