Commit Graph

36 Commits

Author SHA1 Message Date
Andrew Bonney 5351a2a96d Add AppArmor configuration for ceph read/write caching
When Ceph read/write caching uses paths which aren't already
covered by the libvirt/qemu apparmor rules then additional
configuration is required to ensure VMs don't fail to boot.

Change-Id: I2dff4bf54191b763e25625aa7a10bceaa1f6e595
2023-10-09 12:54:20 +01:00
Dmitriy Rabotyagov 94a58e398b Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: Idb2dd6cd4bbf815e4b32c9bfbe9a66f33e1c4b97
2023-07-13 11:44:20 +00:00
Jonathan Rosser e819854b0f Fix permissions for ceph cache directories
These directories need very specific permissions to match up with the user
and group membership.

Change-Id: I711b32a5951357b726c4b4b64e534bcd72e6c4f4
2023-06-19 13:08:38 +01:00
Jonathan Rosser 496cc94cc7 Add config and documentation for ceph persistent write log cache
Change-Id: I7024e52c4750d4fd7b205cc2376d73bde7b4c11b
2023-05-18 12:26:18 +01:00
Jonathan Rosser 9ee3bb24f6 Add ceph client and configuration for immutable object cache
See [1] for details of this ceph component. Optionally deployed
on nova-compute nodes to accelerate access to read-only data
for volumes created from snapshots.

[1] https://docs.ceph.com/en/latest/rbd/rbd-persistent-read-only-cache/

Change-Id: I34f2f403d03cc95f593f21c717609b9858b8d989
2023-05-18 10:20:12 +00:00
Dmitriy Rabotyagov 7a70556e15 Unify EPEL gpg key and repo provisioning
At the moment we do install EPEL repo in multiple other roles, like
lxc_hosts or systemd_mount. We're trying to be consistent in ways
of adding them, while ceph_client was slightly different, by carrying on
GPG keys in-repo instead of fetching them from `centos_epel_key` url.

With this patch we unify approach with other roles and reduce
maintenance costs of the repo when adding new distributions

Change-Id: I407256dc6eee3365c4f8c191a1f50717f0b35fa8
Related-Bug: #2013276
2023-03-30 21:16:28 +02:00
Dmitriy Rabotyagov b3e7560e80 Provide opportunity to define cluster_name
In some cases, like AZ scenarios, deployments may interact with
several clusters at a time, while they will be distinguished by
the cluster_name. However, ceph_client role now assumes that
cluster name is `ceph` without any way to override such assumption.

Change-Id: I9dcad1e1c63294f4f59a1755507904808acb785e
2022-08-10 07:07:16 +02:00
Zuul e094ff467b Merge "Drop default nova client_uuid" 2022-05-23 11:13:35 +00:00
Dmitriy Rabotyagov 6fbe1ab3c0 Use global package_state
We missed updating ceph_client_package_state to use package_state
for default value, as other roles do.
So we're fixing it not to update ceph client packages every time, which
can lead to interesting consequences depending on the destination.

Change-Id: I0d6014649307bb6556cdc189cf8d749e1ec9b20a
2022-05-18 20:45:30 +02:00
Dmitriy Rabotyagov e271e3e9b9 Drop default nova client_uuid
We have an override in user_secrets and we should not have default uuid.

Change-Id: I62846bc8df7558f9407e6c1b06a7a96e91e8e177
2022-05-18 13:20:05 +02:00
Dmitriy Rabotyagov 0db3d2e7b9 Update ceph clients release to pacific
Change-Id: Id76fec88219da18f496f7fae2481eb2aa097bb5d
2021-12-01 11:41:16 +02:00
Dmitriy Rabotyagov 78ffeb5547 Install octopus ceph client
We disable aio build to resolve circular conflict

Needed-By: https://review.opendev.org/#/c/729331/
Change-Id: Ib03e003bb43896b323f58fec3ecbb61d565bd32f
2020-05-20 10:06:49 +00:00
Zuul ec77f7a895 Merge "Importing keyrings from files rather than from mons" 2019-12-02 23:34:11 +00:00
Mikael Loaec db3e9536d4 Importing keyrings from files rather than from mons
This change permits users to specify a directory where the keyrings are
located.
It is useful when openstack-ansible has no ssh access to the ceph
cluster.

Change-Id: I6693a7f9d0bc7fe1e20eee53a96de8df8985e148
2019-11-28 17:30:07 +01:00
Zuul b2fc0bebc6 Merge "Change group to ceph from cephkeys" 2019-11-21 15:52:47 +00:00
Dmitriy Rabotyagov b9b1275917 Add ceph.conf override option
This commit implements option to partially override ceph.conf with regular
config_template action plugin.

Change-Id: I60cc9d3a4dde0483aa92714a521675a26ad9cd78
2019-11-20 17:39:13 +00:00
Dmitriy Rabotyagov cffa6b5d10 Change group to ceph from cephkeys
When ceph-ansible is used, it tends to use `ceph` group for ceph.conf[1]
This makes problems for libvirt and cinder/ceph
as their users are not in ceph group, so don't have access to configs.

This also updates ceph_stable_release to nautilus

[1] bc701860d5/roles/ceph-config/tasks/main.yml (L66-L94)

Change-Id: I120a6e66351db62bbd6e270495f455a5e34b4a2b
2019-11-20 19:26:04 +02:00
Jesse Pretorius 706f3b6245 Remove the uca option for ceph_pkg_source
Having 'uca' as a valid value for ceph_pkg_source means that we
have to maintain the UCA parameters in another repo other than
the openstack_hosts role, and it has not been maintained well.
This is evidenced by the fact that the current value is set to
'pike', which is very old.

To reduce this maintenance burden, we simply remove this option.

Change-Id: I78bfd1585804c0261645a8e008a7acef66b5795a
2019-04-19 09:53:12 +01:00
cloudnull 4be4113648 Add manila as a configured component
Manila can be used with openstack and when deployed in a venv the ceph
client role will need to link the appropriate libs into the venv for
this to work. This change adds manila into the default component list so
that should manila be deployed it'll be automatically configured without
needing to provide an override.

Change-Id: I732066e3a3aea77c2c7e43398c833bba1664fde0
Signed-off-by: cloudnull <kevin@cloudnull.com>
2019-03-25 15:38:00 +00:00
Marc Gariepy cdee58123d Fix apt pinning for ceph
Ceph apt pinning needs to pin to ceph.com instead of RedHat.
apt policy :

1001 http://download.ceph.com/debian-luminous xenial/main amd64 Packages
     release o=ceph.com,a=stable,n=xenial,c=main,b=amd64
     origin download.ceph.com

Change-Id: Ib95e96130a06d3dd92aa237080a04f762995a729
2018-09-26 09:55:03 -04:00
Dmitriy Rabotjagov 27d5b8d0bb Revert "Added possibility to specify ssh username and port for ceph mons."
These changes are causing integrated build failures due to undefined
variables. Reverting them to work out a better solution.

This reverts commit 8ec0e6c793
This reverts commit 58ac4da336.
Change-Id: I4964625b6513eb062a6ce0513bd01b17922b8188
2018-08-20 14:49:01 +00:00
Dmitriy R 58ac4da336 Added possibility to specify ssh username and port for ceph mons.
Now SSH port relies on ansible_port variable. In case of using
non-standard SSH ports on all infrastructure, only this role fails on
connection to CEPH monitors.
Added ceph_mon_user variable to defaults. This may be useful, as ceph
recommends to do all actions with non-root users, so ability to override
user is pretty useful.


Change-Id: I01f42287f50dbeb2c6a7f8912e08d21aca2d24b9
Related-Bug: 1773925
2018-08-17 12:26:30 +00:00
Logan V aaad1b3af6 Bump the Ceph stable release to Luminous
Change-Id: I76766865a03495e982fe71fc1c5f068f1d453954
2017-09-13 16:17:24 -05:00
Logan V 20d00997a1 Use Jewel as default Ceph release
Jewel has been the latest stable release for almost a year now and
Hammer was scheduled for EOL in 11/2016.

Reference the following for more information:
http://docs.ceph.com/docs/master/releases/
https://www.spinics.net/lists/ceph-devel/msg34028.html

Change-Id: Id030688c2203cc11ac68a2c988c95b6850217b9f
2017-01-09 13:12:31 -06:00
Major Hayden 5aea478fc3 Set correct release for ceph pin
This patch sets the correct release name for Ceph packages. It was
originally `Inktank` but it has now changed to `RedHat`.

The `ceph_pin_pref.j2` file was removed since it isn't used by any
of the tasks in the role.

Closes-Bug: 1646855
Change-Id: If45055cdcaebbc47e6091bac84adf8bec00f8bec
2017-01-04 10:04:12 -06:00
Michael Gugino f3eeb2fa15 Deploy files for multiple ceph clusters
Deploy necessary configs and keyrings for multiple
ceph clusters.  Specifically, the intent is to enable
multiple backends for cinder that can be accessed by
compute nodes.

This change will allow automatic retrieval of
ceph.conf and client keyrings from multiple ceph clusters.
Additionally, libvirt ceph client secrets will be created
to support attaching volumes to instances from multiple
ceph clusters.

Change-Id: Icee061b35f374955154a3dd703444b94da0117da
2016-09-30 13:34:58 -04:00
Paulo Matias 5733209bc4 Add support for the Ceph storage driver in Gnocchi
This commit adds support for the ceph_client role to be run on the
Gnocchi containers. The role will only setup the Ceph client in these
containers when `gnocchi_storage_driver` is set to `ceph`.

Change-Id: I7cd717c81ec4e9e0db6d74e645c83b426d3503cf
2016-09-21 21:24:19 -03:00
Jesse Pretorius e0a928c9a9 Add ability to change apt/yum package state for the ceph_client role
The current method of installing the distribution packages required is
set in the tasks and cannot be changed by a deployer.

Currently the apt task always installs the latest package. This results
in unexpected binary changes when a deployer may simply be trying to
execute a configuration change.

This patch adds the ability for a deployer to change the desired state
so that the results are predictable.

Change-Id: I80e58182b5c115f2128780a44d549c5b61beb1fc
2016-08-13 08:36:24 +00:00
Jesse Pretorius 045cfe56e1 Move UCA repo URL var to role defaults
In order to expose the var in role documentation and to allow the use
of dynamically set facts to override the value in CI environments the
variable is moved from the role vars to the role defaults.

The uca_openstack_release var is also changed for Ubuntu 16.04 to
'newton' in order to match the current cycle appropriately. A note is
added to the Ubuntu 14.04 vars to make it clear that there will never
be a Newton UCA release for Trusty.

A small correction to the task description which sets the URL for the
AIO build in OpenStack-CI is also made to be more accurate.

Change-Id: I35b8e99e6e3f127ca507907d6480542b91a4107d
2016-07-23 10:39:48 +00:00
Samuel Matzek bd18d8e8f3 Refactor ceph_client for multi-OS and ceph
This patch refactors the ceph_client role to add support for multiple
operating system distros and multiple sources for Ceph packages.

The support of multiple sources for the Ceph packages  is important
to organizations that must get packages from Canonical for service and
support. The current Ceph repo setup goes to upstream ceph.com
repositories and does not work with the UCA.

The use of UCA is also important when running OpenStack on the ppc64le
architecture because ceph.com does not have Debian packages available
for this architecture and the default trusty and trusty-updates repos
only have Ceph Giant, whereas the user can get later releases such as
Ceph Jewel from UCA.

The multiple operating system support for Trusty and Xenial also plays
into this since Xenial has Ceph Jewel by default.  For Xenial OSA
deployments users may want to use the modern ceph client already
available for the distro.

The choice of which Ceph source to use is simple for deployers. They
simply set it with the ceph_pkg_source variable but have additional
variables they can tweak to pick specific Ceph versions from the
sources:

The ceph_pkg_source variable controls the install source for the
Ceph packages.
Valid values include:
  * ceph This option installs Ceph from a ceph.com repo.  Additional
         variables to adjust items such as Ceph release and regional
         download mirror can be found in vars/*.yml

  * uca  This option installs Ceph from the Ubuntu Cloud Archive.
         Additional variables to adjust items such as the
         OpenStack/Ceph release can be found in vars/*.yml.

  * distro This option installs Ceph from the operating system's
           default repository and unlike the other options does not
           attempt to manage package keys or add additional package
           repositories.

Change-Id: Ib21b3f76ccf4556548180c8694786d43fa0a024f
2016-05-13 10:44:54 +00:00
Jean-Philippe Evrard a66aff2535 Only update apt cache if necessary
Working around the upstream ansible apt module bug
documented here:
https://github.com/ansible/ansible-modules-core/pull/1517

For the next versions of ansible we'll be using, we should
check if the apt bug is fixed. When it's fixed, we could
abandon this change and use the standard apt module
with correct cache handling.

Change-Id: I2aaf00da175f31d0157bbc4ae30a4e176b055078
2016-02-09 16:46:22 +01:00
Ice Yao c171e67de1 Update ceph repo
Ceph repo has been moved to download.ceph.org[0].
And actually "http://www.ceph.com/debian-hammer" returns http 301 code now.

[0] http://docs.ceph.com/docs/master/install/get-packages/#add-ceph

TrivialFix

Change-Id: I74d6ecf97fcc991509850db55c357f4105587af0
2016-01-21 21:47:57 +08:00
Matt Thompson 14daf3972f Update ceph key hash
Ceph packages are currently failing to install due to [1].  This commit
updates ceph_client/defaults/main.yml to use the latest Ceph signing
key.  Additionally, we add a new variable ceph_revoked_gpg_keys and
task to ensure revoked keys get removed.

[1] http://ceph.com/releases/important-security-notice-regarding-signing-key-and-binary-downloads-of-ceph/

Change-Id: I3c3f69c0eb471982c314816ae90a69458e48ded6
2015-10-01 19:39:52 +00:00
Kevin Carter 7e6f832255 Rename everything for the osad to osa name change
This change updates all of the names that we were using to the post
openstack migration name for openstack-ansible.

Change-Id: I6524af53ed02e19a0f56908e42a65d2dae8b71e3
2015-09-12 02:31:21 +01:00
Matt Thompson 75fccbdfa1 Allow cinder-backup to use ceph
This change updates ceph_client and os_cinder roles to allow
cinder-backup to use ceph.  We also create a new group called
'cinder_backup' which allows us to only retrieve the cinder backup key
if cinder-backup is actually in use.

To use, you would simply need to set cinder_service_backup_driver to
cinder.backup.drivers.ceph in your user_variables.yml file.

NOTE: You will need to update your
      /etc/openstack_deploy/env.d/cinder.yml in order for this change
      to execute successfully.

Change-Id: Ib94effa40208bbc8de0f78c5487316be007adcf1
Closes-Bug: #1481787
Implements: blueprint ceph-block-devices
DocImpact
2015-09-03 07:37:21 +00:00
Serge van Ginderachter c703195f67 Add Ceph/RBD support to playbooks
Currently the playbooks do not allow Ceph to be configured as a backend
for Cinder, Glance or Nova. This commit adds a new role called
ceph_client to do the required configuration of the hosts and updates
the service roles to include the required configuration file changes.
This commit requires that a Ceph cluster already exists and does not
make any changes to that cluster.

ceph_client role, run on the OpenStack service hosts
  - configures the Ceph apt repo
  - installs any required Ceph dependencies
  - copies the ceph.conf file and appropriate keyring file to /etc/ceph
  - creates the necessary libvirt secrets

os_glance role
glance-api.conf will set the following variables for Ceph:
  - [DEFAULT]/show_image_direct_url
  - [glance_store]/stores
  - [glance_store]/rbd_store_pool
  - [glance_store]/rbd_store_user
  - [glance_store]/rbd_store_ceph_conf
  - [glance_store]/rbd_store_chunk_size

os_nova role
nova.conf will set the following variables for Ceph:
  - [libvirt]/rbd_user
  - [libvirt]/rbd_secret_uuid
  - [libvirt]/images_type
  - [libvirt]/images_rbd_pool
  - [libvirt]/images_rbd_ceph_conf
  - [libvirt]/inject_password
  - [libvirt]/inject_key
  - [libvirt]/inject_partition
  - [libvirt]/live_migration_flag

os_cinder is not updated because ceph is defined as a backend and that
is generated from a dictionary of the config, for an example backend
config, see etc/openstack_deploy/openstack_user_config.yml.example

pw-token-gen.py is updated so that variables ending in uuid are assigned
a UUID.

DocImpact
Implements: blueprint ceph-block-devices
Closes-Bug: #1455238
Change-Id: Ie484ce0bbb93adc53c30be32f291aa5058b20028
2015-08-01 19:49:00 +01:00