Commit Graph

23 Commits

Author SHA1 Message Date
Pedro Castillo 1494d9a245 Refactor cache validation for the ceph-osd NRPE check
Closes-Bug: #2019251
Closes-Bug: #2021507
Change-Id: Ib50414756165f2587f0127e572675c7ca8e31ef9
2023-11-13 07:53:37 -06:00
Nobuto Murata c4209b3965 Allow ceph device scrape-health-metrics
Ceph has a function to collect health metrics through smartctl or nvme
command out of the box. And it relies on sudo spawned from the ceph-osd
process so it needs to be considered in the apparmor policy.

[/etc/sudoers.d/ceph-smartctl in ceph-base package]
> ## allow ceph daemons (which run as user ceph) to collect device
> ## health metrics
>
> ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
> ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*

Also sync charmhelpers and mock platform info

Closes-Bug: #2031637
Change-Id: I981a5db0fd49eca83aa8a619f0cbd0d34a533842
2023-11-06 20:18:36 +01:00
alitvinov 38407abdd5 Tweak apparmor profile to access OSD volumes.
Plus add aa-profile-mode enforce option to the test bundles.

Closes-Bug: #1860801
Change-Id: I8264ad760d92da3faa384c8edca5566fc622c57d
2023-01-11 08:14:26 +00:00
Luciano Lo Giudice dbe3ee52bc Enable users to start/stop Crimson OSD's
This patchset modifies the add-disk action so that it now
can optionally start a Crimson OSD daemon.

Change-Id: I59bf4e41f1f56c6bda2352b5613289ff73113342
Depends-On: If58bde4d5445ed5de420abc007db6bf8b8e43269
2022-10-18 18:11:47 -03:00
Zuul 8b5cc65de5 Merge "Change file owner so that check_ceph_osd nrpe service can work on CIS hardened environments" 2020-11-03 12:58:30 +00:00
Ioanna Alifieraki 25b97b332f Change file owner so that check_ceph_osd nrpe service can work on CIS hardened environments
check_ceph_ods_services.py reads /var/lib/nagios file to report ceph
status back to nagios. This service runs as nagios user and the file
is owned by root. On CIS hardened servers the default mask is set to
027 making the permissions of the file 640 instead of 644.
This results in the service not being able to read the file and the
status reported to nagios is UNKNOWN even though ceph status is OK.

Closes-Bug: #1879667

Change-Id: Ib67b9a2b86a1c22658aeaf41f8e464072ab1828f
2020-09-28 12:20:14 +01:00
Frode Nordahl 0ca99c2fc3
Unpin flake8, fix lint
Change-Id: I7f47c1dac0761101980ebba3f9aab8732cb0d1ce
2020-08-26 16:29:47 +02:00
Nicolas Pochet 3b2e79a563
Fix NRPE check_osd
Move the result of the systemd service state to `/var/lib/nagios`

Change-Id: I83287590e279054973fdb28b374a49704626ed01
Closes-Bug: 1826594
2019-04-26 20:15:36 +02:00
Alex Kavanagh faefe90ce6 Fix nrpe ceph-osd status respecting permissions
The referenced bug (below) was caused because the nrpe check needed to
access the ceph owned directories, and as the nagios user, nrpe can't.
This change splits the check into a 'collect' phase that runs as root
via a cronjob each minute and writes a file to the tmp directory, and a
nrpe check phase that then reads that file and reports back to nagios.

The 'check' part deletes the 'collect' file, so that fresh information
is available for each nrpe check.  The cron task runs every minute (as
is lightweight), so the nrpe checks should not be sheduled more
frequently than 1 minute.

Change-Id: I4f4594a479eed47cc66643d0c6acece491ae854d
Closes-Bug: #1810749
2019-01-16 12:33:06 +00:00
James Page 5c1a304e0e Misc updates to apparmor profile
Minor refactoring and updates for DENIED messages seen during
'complain' testing with filestore and bluestore based OSD's
with journals, db and wal devices.

Tested with Ceph Luminous on 18.04 including data generation
using rados bench and pg resizing from 8 -> 256 during testing.

Change-Id: I705eacfe4d464b96dde25495eecb95db30423b66
2018-05-15 14:01:12 +01:00
James Page 35ad3de4f2 ceph-volume: Install charm specific udev rules
Ensure that LV's created using the LVM layout implemented
by this charm are correctly owned by the ceph user and group,
ensuring that ceph-osd processes can start correctly at all
times.

Change-Id: I23ea51e3bffe7207f75782c5f34b796e9eed2c80
Closes-Bug: 1767087
2018-05-09 12:36:00 +01:00
James Page c4473c2916 apparmor: Fix use with directory based OSD's
Ensure that directory based OSD's under /srv/ceph can hard
link when apparmor is in enforce mode. If not, then links go
missing over time and the ceph-osd daemons eventually abort.

Change-Id: I7cc25f5d436204d1f47c9a3a67a15f27c16b7505
Closes-Bug: 1748426
2018-02-09 11:21:31 +00:00
Alex Kavanagh 4e1ecd55b8 Bring ceph-osd to Python 3
* Synced version of charm-helpers
* Synced version of charms.ceph to bring in Py3 compatible library
  methods.

Change-Id: I5ac45740f48a71d9cb0c5943472fc8590a723514
2017-11-17 12:13:54 +00:00
Marian Gasparovic d18c17186b Plugin should return also a reason for warning from ceph.
Change-Id: Ic8612eb123ec8335a6a867f0775116dba3a68dce
Signed-off-by: Marian Gasparovic <marian.gasparovic@canonical.com>
2017-10-26 14:05:20 +02:00
Ante Karamatic 8fdffe7bac Allow ceph-osd to create temporary links within OSD's filesystem
AppArmor profile prevents link operation within /var/lib/ceph/osd/*.
This leads to daemon coredump. This patch ensures ceph-osd
is able to create links.

Change-Id: Ia03baac0fec7f134f53254b18e5498a87656817f
Closes-Bug: #1677470
2017-03-30 14:44:43 +08:00
James Page d332db2d52 Revert "Remove /var/lib/ceph from updatedb"
ceph and swift-storage apps may end up on the same unit
so a different approach is needed.

This reverts commit 7b38a56cf5.

Change-Id: Id74e014d856718fbc5e4d714578b233145c9c047
2017-01-23 08:38:40 +00:00
Chris MacNaughton 7b38a56cf5 Remove /var/lib/ceph from updatedb
This stops updatedb from indexing the storage locations

Change-Id: Idd77f0fc087a06af874d2865bfec8c319a0b15dd
Closes-bug: 1520226
2017-01-13 13:33:57 +02:00
Chris Holcombe 7d42f6e060 Add support for apparmor security profiles
Install apparmor profile for ceph-osd processes, and provide
associated configuration option to place any ceph-osd processes
into enforce, complain, or disable apparmor profile mode.

As this is the first release of this feature, default to disabled
and allow charm users to test and provide feedback for this
release.

Change-Id: I4524c587ac70de13aa3a0cb912033e6eb44b0403
2016-09-28 09:30:52 +01:00
James Page c32211c8e1 Re-license charm as Apache-2.0
All contributions to this charm where made under Canonical
copyright; switch to Apache-2.0 license as agreed so we
can move forward with official project status.

In order to make this change, this commit also drops the
inclusion of upstart configurations for very early versions
of Ceph (argonaut), as they are no longer required.

Change-Id: I9609dd79855b545a2c5adc12b7ac573c6f246d48
2016-06-28 12:01:05 +01:00
Brad Marshall af7fa45668 [bradm] Removed nagios check files that were moved to nrpe-external-master charm 2014-11-18 11:06:09 +10:00
Brad Marshall 34ce395984 [bradm] Check if host_context is defined before using it, add check_upstart_job 2014-11-06 17:27:21 +10:00
Brad Marshall 9eafa9985b [bradm] Added nrpe check 2014-11-04 17:05:18 +10:00
James Page 1683ffaa84 Initial ceph-osd charm 2012-10-08 15:07:16 +01:00