Add dependency on upstream ceph cookbook for better key management

The upstream ceph cookbook already hooks into chef for environment information.
This patch utilizes the client LWRP to create or add ceph keys for RBD support.
This patch also changes some default attribute names for more sane organization

Partial-Bug: #1409943

Change-Id: Ibba6c568d4e4d00153061458b71593cd28714e60

Berksfile

@@ -8,3 +8,5 @@ cookbook "openstack-identity",
   github: "stackforge/cookbook-openstack-identity"
 cookbook "openstack-common",
   github: "stackforge/cookbook-openstack-common"
+cookbook "ceph",
+  github: "ceph/ceph-cookbook", branch: "master"

CHANGELOG.md

@@ -20,6 +20,7 @@ This file is used to list changes made in each version of the openstack-block-st
 * Add support for san_password with ibm.storwize_svc.StorwizeSVCDriver
 * Add glance_api_version config option
 * Allow san_private_key to be used instead of san_login for Storwize
+* Add dependency on upstream ceph cookbook for better key management
 
 ## 10.0.0
 * Upgrading to Juno

attributes/default.rb

@@ -265,12 +265,16 @@ default['openstack']['block-storage']['volume']['iscsi_ip_address'] = node['ipad
 default['openstack']['block-storage']['volume']['iscsi_port'] = '3260'
 
 # Ceph/RADOS options
-default['openstack']['block-storage']['rbd_pool'] = 'rbd'
+default['openstack']['block-storage']['rbd']['cinder']['pool'] = 'volumes'
-default['openstack']['block-storage']['rbd_user'] = 'cinder'
+default['openstack']['block-storage']['rbd']['glance']['pool'] = 'images'
-default['openstack']['block-storage']['rbd_secret_uuid'] = nil
+default['openstack']['block-storage']['rbd']['nova']['pool'] = 'instances'
-# make this a valid uuid for when node['openstack']['developer_mode'] = true
+default['openstack']['block-storage']['rbd']['user'] = 'cinder'
-default['openstack']['block-storage']['rbd_secret_name'] = '00000000-0000-0000-0000-000000000000'
+default['openstack']['block-storage']['rbd']['secret_uuid'] = '00000000-0000-0000-0000-000000000000'
-default['openstack']['block-storage']['rbd_key_name'] = 'openstack_image_cephx_key'
+default['openstack']['block-storage']['rbd']['flatten_volume'] = false
+default['openstack']['block-storage']['rbd']['max_clone_depth'] = 5
+default['openstack']['block-storage']['rbd']['chunk_size'] = 4
+default['openstack']['block-storage']['rbd']['rados_timeout'] = '-1'
+default['openstack']['block-storage']['rbd']['conf_dir'] = '/etc/ceph/ceph.conf'
 
 # Multiple backend support
 # Allow multiple backends configured in cinder.conf

metadata.rb

@@ -24,3 +24,5 @@ depends          'openstack-identity', '~> 10.0'
 depends          'openstack-image', '~> 10.0'
 depends          'selinux', '>= 0.7.2'
 depends          'python', '>= 1.4.6'
+depends          'ceph', '>= 0.2.1'
+depends          'ceph', '< 3.0.0'

recipes/volume.rb

@@ -56,31 +56,25 @@ when 'cinder.volume.drivers.netapp.iscsi.NetAppISCSIDriver'
   node.override['openstack']['block-storage']['netapp']['dfm_password'] = get_password 'service', 'netapp'
 
 when 'cinder.volume.drivers.rbd.RBDDriver'
-  # this is used in the cinder.conf template
+  include_recipe 'ceph'
-  node.override['openstack']['block-storage']['rbd_secret_uuid'] = get_secret node['openstack']['block-storage']['rbd_secret_name']
 
-  rbd_user = node['openstack']['block-storage']['rbd_user']
+  cinder_pool = node['openstack']['block-storage']['rbd']['cinder']['pool']
-  rbd_key = get_password 'service', node['openstack']['block-storage']['rbd_key_name']
+  nova_pool = node['openstack']['block-storage']['rbd']['nova']['pool']
+  glance_pool =  node['openstack']['block-storage']['rbd']['glance']['pool']
 
-  include_recipe 'openstack-common::ceph_client'
+  caps = { 'mon' => 'allow r',
+           'osd' => "allow class-read object_prefix rbd_children, allow rwx pool=#{cinder_pool}, allow rwx pool=#{nova_pool}, allow rx pool=#{glance_pool}" }
 
-  platform_options['cinder_ceph_packages'].each do |pkg|
+  ceph_client node['openstack']['block-storage']['rbd']['user'] do
-    package pkg do
+    name node['openstack']['block-storage']['rbd']['user']
-      options platform_options['package_overrides']
+    caps caps
-      action :upgrade
+    keyname "client.#{node['openstack']['block-storage']['rbd']['user']}"
-    end
+    filename "/etc/ceph/ceph.client.#{node['openstack']['block-storage']['rbd']['user']}.keyring"
-  end
-
-  template "/etc/ceph/ceph.client.#{rbd_user}.keyring" do
-    source 'ceph.client.keyring.erb'
-    cookbook 'openstack-common'
     owner node['openstack']['block-storage']['user']
     group node['openstack']['block-storage']['group']
-    mode '0600'
+
-    variables(
+    action :add
-      name: rbd_user,
+    notifies :restart, 'service[cinder-volume]'
-      key: rbd_key
-    )
   end
 
 when 'cinder.volume.drivers.netapp.nfs.NetAppDirect7modeNfsDriver'

spec/cinder_common_spec.rb

@@ -444,11 +444,17 @@ describe 'openstack-block-storage::cinder-common' do
             node.set['openstack']['block-storage']['volume']['driver'] = 'cinder.volume.drivers.rbd.RBDDriver'
           end
 
-          %w(rbd_pool rbd_user rbd_secret_uuid).each do |attr|
+          it 'has a rbd_pool attribute' do
-            it "has a #{attr} attribute" do
+            node.set['openstack']['block-storage']['rbd']['cinder']['pool'] = 'cinder_value'
-              node.set['openstack']['block-storage'][attr] = "#{attr}_value"
+            expect(chef_run).to render_file(file.name).with_content(/^rbd_pool=cinder_value$/)
-              expect(chef_run).to render_file(file.name).with_content(/^#{attr}=#{attr}_value$/)
+          end
-            end
+          it 'has a rbd_user attribute' do
+            node.set['openstack']['block-storage']['rbd']['user'] = 'rbd_user_value'
+            expect(chef_run).to render_file(file.name).with_content(/^rbd_user=rbd_user_value$/)
+          end
+          it 'has a rbd_secret_uuid attribute' do
+            node.set['openstack']['block-storage']['rbd']['secret_uuid'] = 'rbd_secret_uuid_value'
+            expect(chef_run).to render_file(file.name).with_content(/^rbd_secret_uuid=rbd_secret_uuid_value$/)
           end
         end
 
@@ -802,7 +808,7 @@ describe 'openstack-block-storage::cinder-common' do
             }
             node.set['openstack']['block-storage']['volume']['volume_group'] = 'multi-lvm-group'
             node.set['openstack']['block-storage']['volume']['default_volume_type'] = 'some-type-name'
-            node.set['openstack']['block-storage']['rbd_pool'] = 'multi-rbd-pool'
+            node.set['openstack']['block-storage']['rbd']['cinder']['pool'] = 'multi-rbd-pool'
             node.set['openstack']['block-storage']['netapp']['dfm_login'] = 'multi-netapp-login'
             node.set['openstack']['block-storage']['netapp']['netapp_server_hostname'] = ['netapp-host-1', 'netapp-host-2']
             node.set['openstack']['block-storage']['netapp']['netapp_server_port'] = 'multi-netapp-port'

spec/volume_spec.rb

@@ -148,54 +148,13 @@ describe 'openstack-block-storage::volume' do
       let(:file) { chef_run.template('/etc/ceph/ceph.client.cinder.keyring') }
       before do
         node.set['openstack']['block-storage']['volume']['driver'] = 'cinder.volume.drivers.rbd.RBDDriver'
-        node.set['openstack']['block-storage']['rbd_secret_name'] = 'rbd_secret_uuid'
+        node.set['ceph']['config']['fsid'] = '00000000-0000-0000-0000-000000000000'
       end
 
-      it 'fetches the rbd_uuid_secret' do
+      it 'includes the ceph recipe' do
-        n = chef_run.node['openstack']['block-storage']['rbd_secret_uuid']
+        expect(chef_run).to include_recipe('ceph')
-        expect(n).to eq 'b0ff3bba-e07b-49b1-beed-09a45552b1ad'
-      end
-
-      it 'includes the ceph_client recipe' do
-        expect(chef_run).to include_recipe('openstack-common::ceph_client')
-      end
-
-      it 'upgrades the needed ceph packages by default' do
-        %w{ python-ceph ceph-common }.each do |pkg|
-          expect(chef_run).to upgrade_package(pkg)
-        end
-      end
-
-      it 'honors package option platform overrides for python-ceph' do
-        node.set['openstack']['block-storage']['rbd_secret_name'] = 'rbd_secret_uuid'
-        node.set['openstack']['block-storage']['platform']['package_overrides'] = '--override1 --override2'
-
-        %w{ python-ceph ceph-common }.each do |pkg|
-          expect(chef_run).to upgrade_package(pkg).with(options: '--override1 --override2')
-        end
-      end
-
-      it 'honors package name platform overrides for python-ceph' do
-        node.set['openstack']['block-storage']['rbd_secret_name'] = 'rbd_secret_uuid'
-        node.set['openstack']['block-storage']['platform']['cinder_ceph_packages'] = ['my-ceph', 'my-other-ceph']
-
-        %w{my-ceph my-other-ceph}.each do |pkg|
-          expect(chef_run).to upgrade_package(pkg)
-        end
-      end
-
-      it 'creates a cephx client keyring correctly' do
-        [/^\[client\.cinder\]$/,
-         /^  key = cephx-key$/].each do |content|
-          expect(chef_run).to render_file(file.name).with_content(content)
-        end
-        expect(chef_run).to create_template(file.name).with(cookbook: 'openstack-common')
-        expect(file.owner).to eq('cinder')
-        expect(file.group).to eq('cinder')
-        expect(sprintf('%o', file.mode)).to eq '600'
       end
     end
-
     context 'Storewize Driver' do
       let(:file) { chef_run.template('/etc/cinder/cinder.conf') }
       before do

templates/default/cinder.conf.erb

@@ -583,14 +583,43 @@ iscsi_port=<%= node["openstack"]["block-storage"]["volume"]["iscsi_port"] %>
 #### (IntOpt) The port that the iSCSI daemon is listening on
 
 <% if @enabled_drivers.include?("cinder.volume.drivers.rbd.RBDDriver") %>
-rbd_pool=<%= node["openstack"]["block-storage"]["rbd_pool"] %>
-#### (StrOpt) the RADOS pool in which rbd volumes are stored
 
-rbd_user=<%= node["openstack"]["block-storage"]["rbd_user"] %>
+#
-#### (StrOpt) the RADOS client name for accessing rbd volumes
+# Options defined in cinder.volume.drivers.rbd
+#
+
+# The RADOS pool where rbd volumes are stored (string value)
+rbd_pool=<%= node["openstack"]["block-storage"]["rbd"]["cinder"]["pool"] %>
+
+# The RADOS client name for accessing rbd volumes - only set
+# when using cephx authentication (string value)
+rbd_user=<%= node["openstack"]["block-storage"]["rbd"]["user"] %>
+
+# Path to the ceph configuration file (string value)
+rbd_ceph_conf=<%= node["openstack"]["block-storage"]["rbd"]["conf_dir"] %>
+
+# Flatten volumes created from snapshots to remove dependency
+# from volume to snapshot (boolean value)
+rbd_flatten_volume_from_snapshot=<%= node["openstack"]["block-storage"]["rbd"]["flatten_volume"] %>
+
+# The libvirt uuid of the secret for the rbd_user volumes
+# (string value)
+rbd_secret_uuid=<%= node["openstack"]["block-storage"]["rbd"]["secret_uuid"] %>
+
+# Maximum number of nested volume clones that are taken before
+# a flatten occurs. Set to 0 to disable cloning. (integer
+# value)
+rbd_max_clone_depth=<%= node["openstack"]["block-storage"]["rbd"]["max_clone_depth"] %>
+
+# Volumes will be chunked into objects of this size (in
+# megabytes). (integer value)
+rbd_store_chunk_size=<%= node["openstack"]["block-storage"]["rbd"]["chunk_size"] %>
+
+# Timeout value (in seconds) used when connecting to ceph
+# cluster. If value < 0, no timeout is set and default
+# librados value is used. (integer value)
+rados_connect_timeout=<%= node["openstack"]["block-storage"]["rbd"]["rados_timeout"] %>
 
-rbd_secret_uuid=<%= node["openstack"]["block-storage"]["rbd_secret_uuid"] %>
-#### (StrOpt) the libvirt uuid of the secret for the rbd_uservolumes
 <% end %>
 # volume_tmp_dir=<None>
 #### (StrOpt) where to store temporary image files if the volume driver