Bug 1459314 - OpenStack Manila does not create the keyring file for access to the CephFS [NEEDINFO]
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-manila
10.0 (Newton)
Unspecified Unspecified
low Severity low
: ---
: 10.0 (Newton)
Assigned To: Tom Barron
Raissa Sarmento
Don Domingo
: Triaged, ZStream
Depends On:
Blocks: 1461780 1459851
Reported: 2017-06-06 15:06 EDT by rlopez
Modified: 2017-08-03 18:05 EDT
: 1459851 1461780
Last Closed: 2017-08-03 18:05:10 EDT
Type: Bug
tbarron: needinfo? (rlopez)

Description rlopez 2017-06-06 15:06:11 EDT
Description of problem:

While I'm very aware that manila is tech preview on OSP10, these are some of the things that I wanted to point out that need fixing and their workaround in case someone out there wants to use Manila on OSP10.

The below assumes that there is an existing Ceph cluster with CephFS and all that is required now is the deployment of the overcloud that includes the manila service.

Using the guide: CephFS Back End Guide for the Shared File System Service: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/cephfs_back_end_guide_for_the_shared_file_system_service/

The /home/stack/templates/manila-cephfsnative-config.yaml is missing a few parameter defaults that are required, specifically:

ManilaCephFSDataPoolName: cephfs_data
ManilaCephFSMetadataPoolName: cephfs_metadata
CephManilaClientKey: 'client_key'

The default manila-cephfsnative-config.yaml file sets the values differently than what is created by default when using an existing Ceph with CephFS cluster. The default names are cephfs_data for the data pool and cephfs_metadata for the metadata pool. 

The names of the pools can be verified within a ceph monitor node using the cmd: ceph fs ls

It should provide something like: 
# ceph fs ls
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]

The CephManilaClientKey parameter is required, as a key that has access to the data pool and metadata pool is required.

Within the OSP controllers there is no /etc/ceph/ceph.client.manila.keyring that gets created.

This is what my file looks like; I created it manually on all my controller nodes.

[client.manila]
	key = <client_key>
	caps mds = "allow *"
	caps mon = "allow r, allow command=\"auth del\", allow command=\"auth caps\", allow command=\"auth get\", allow command=\"auth get-or-create\""
	caps osd = "allow class-read object_prefix rbd_children, allow rwx pool=cephfs_data, allow rwx pool=cephfs_metadata"

Once this /etc/ceph/ceph.client.manila.keyring is created, it needs the following permissions otherwise it will not initialize:

chown manila /etc/ceph/ceph.client.manila.keyring
chmod 600 /etc/ceph/ceph.client.manila.keyring

Using pcs status, check to see where the manila-share service is hosted. On that particular controller node restart the openstack-manila-share service via:
systemctl restart openstack-manila-share

Within my Ceph monitors, I created all the options you see in the /etc/ceph/ceph.client.manila.keyring with this cmd:

ceph auth add client.manila mds 'allow *' mon 'allow r, allow command="auth del", allow command="auth caps", allow command="auth get", allow command="auth get-or-create"' osd 'allow class-read object_prefix rbd_children, allow rwx pool=cephfs_data, allow rwx pool=cephfs_metadata'
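
The following check is an added example, not part of the original report or of the Manila project: it audits a keyring file of the kind described above for mode 600, the [client.manila] section, a key line, and osd caps that name both pools reported by ceph fs ls. The function name check_manila_keyring and the sample file are hypothetical; it assumes GNU or BSD stat is available.

```shell
#!/bin/sh
# Added example: audit the CephFS keyring used by the Manila client.
# Usage: check_manila_keyring FILE DATA_POOL METADATA_POOL [OWNER]
# Returns 0 when every check passes, 1 otherwise; findings go to stderr.
check_manila_keyring() {
    f=$1; data_pool=$2; meta_pool=$3; owner=${4:-}
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f" >&2
        return 1
    fi
    # Mode must be exactly 600 (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "MODE: $f is $mode, expected 600" >&2; rc=1; }
    # Optional owner check, for example the manila service account.
    if [ -n "$owner" ]; then
        cur=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        [ "$cur" = "$owner" ] || { echo "OWNER: $f is $cur, expected $owner" >&2; rc=1; }
    fi
    # The entity section and a non-empty key line must be present.
    grep -q '^\[client\.manila\]' "$f" || { echo "SECTION: [client.manila] not found" >&2; rc=1; }
    grep -Eq '^[[:space:]]*key[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" \
        || { echo "KEY: no key line" >&2; rc=1; }
    # The osd caps must name both pools; match whole pool names only.
    osd=$(grep -E '^[[:space:]]*caps osd[[:space:]]*=' "$f" || true)
    for pool in "$data_pool" "$meta_pool"; do
        printf '%s\n' "$osd" | grep -Eq "pool=${pool}([^A-Za-z0-9_.-]|\$)" \
            || { echo "CAPS: osd caps do not cover pool=$pool" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample keyring (placeholder key, not a real secret).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[client.manila]
	key = <client_key>
	caps mds = "allow *"
	caps osd = "allow rwx pool=cephfs_data, allow rwx pool=cephfs_metadata"
EOF
chmod 600 "$demo"
check_manila_keyring "$demo" cephfs_data cephfs_metadata && echo "keyring OK"
rm -f "$demo"
```

On a controller node the same function can be pointed at /etc/ceph/ceph.client.manila.keyring with manila as the fourth argument to also verify ownership.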
Comment 13 Don Domingo 2017-06-15 06:43:02 EDT
Thanks Roger. The OSP10 docs update for the Manila+CephFS doc will be published with our changes within a few hours. I also created a clone (BZ#1461780) to track peer review for the doc to further improve it if need be.
Comment 17 Tom Barron 2017-08-03 18:05:10 EDT
Closing this one since OSP10 didn't claim to automate keyring creation and BZ#1414595 covers the valuable doc updates that rlopez supplied.
