Red Hat Bugzilla – Bug 1459314
OpenStack Manila does not create the keyring file for access to the CephFS
Last modified: 2017-08-03 18:05:10 EDT
Description of problem:
While I'm very aware that manila is tech preview on OSP10, these are some of the things that I wanted to point out that need fixing and their workaround in case someone out there wants to use Manila on OSP10.
The below assumes that there is an existing Ceph cluster with CephFS and all that is required now is the deployment of the overcloud that includes the manila service.
Using the guide "CephFS Back End Guide for the Shared File System Service": https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/cephfs_back_end_guide_for_the_shared_file_system_service/
The /home/stack/templates/manila-cephfsnative-config.yaml is missing a few parameter defaults that are required specifically:
The default manila-cephfsnative-config.yaml file sets the values differently than what is created by default when using an existing Ceph with CephFS cluster. The default names are cephfs_data for the data pool and cephfs_metadata for the metadata pool.
The names of the pools can be verified within a ceph monitor node using the cmd: ceph fs ls
It should provide something like:
# ceph fs ls
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
The CephManilaClientKey parameter is required, as a key that has access to the data pool and metadata pool is required.
Within the OSP controllers there is no /etc/ceph/ceph.client.manila.keyring that gets created.
This is what my file looks like; I created it manually on all my controller nodes.
[client.manila]
key = <client_key>
caps mds = "allow *"
caps mon = "allow r, allow command=\"auth del\", allow command=\"auth caps\", allow command=\"auth get\", allow command=\"auth get-or-create\""
caps osd = "allow class-read object_prefix rbd_children, allow rwx pool=cephfs_data, allow rwx pool=cephfs_metadata"
Once this /etc/ceph/ceph.client.manila.keyring is created, it needs the following permissions otherwise it will not initialize:
chmod 600 /etc/ceph/ceph.client.manila.keyring
Using pcs status , check to see where the manila-share service is hosted. On that particular controller node restart the openstack-manila-share service via:
systemctl restart openstack-manila-share
Within my Ceph monitors, I created all the options you see in the /etc/ceph/ceph.client.manila.keyring with this cmd:
ceph auth add client.manila mds 'allow *' mon 'allow r, allow command="auth del", allow command="auth caps", allow command="auth get", allow command="auth get-or-create"' osd 'allow class-read object_prefix rbd_children, allow rwx pool=cephfs_data, allow rwx pool=cephfs_metadata'
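The manual steps in the description can be audited after the fact. The following is an added example, not part of the bug report or of any Red Hat tooling: a shell check that the keyring exists, has mode 600, carries a `[client.manila]` section (the standard Ceph keyring layout) with a key, and that its osd caps name the pools reported by `ceph fs ls`. The function names and the fallback sample line are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a hand-made Manila keyring on a controller node.
# fs_pools and check_keyring are hypothetical helper names.

# `ceph fs ls` line as quoted in the report; used when no second argument is given.
FS_LS_SAMPLE='name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]'

# Print the metadata and data pool names found in one `ceph fs ls` line.
fs_pools() {
    printf '%s\n' "$1" |
        sed -n 's/.*metadata pool: \([^,]*\), data pools: \[\([^]]*\)\].*/\1 \2/p' |
        xargs
}

# check_keyring <keyring-path> <ceph-fs-ls-line>
# Prints one finding per line; returns 0 only when nothing is wrong.
check_keyring() {
    file="$1"; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file")    # GNU stat
    [ "$mode" = 600 ] || { echo "mode is $mode, expected 600"; rc=1; }
    grep -q '^\[client\.manila\]' "$file" ||
        { echo "no [client.manila] section"; rc=1; }
    grep -Eq '^[[:space:]]*key[[:space:]]*=[[:space:]]*[^[:space:]]' "$file" ||
        { echo "no key entry"; rc=1; }
    # Only the osd caps line grants access to the CephFS pools.
    osd_caps=$(grep -E '^[[:space:]]*caps osd' "$file" || true)
    for pool in $(fs_pools "$2"); do
        # Require an exact pool name, so pool=cephfs_data_old does not count.
        printf '%s\n' "$osd_caps" |
            grep -Eq "pool=${pool}([^A-Za-z0-9_.-]|\$)" ||
            { echo "osd caps do not cover pool=$pool"; rc=1; }
    done
    return "$rc"
}

# Usage: sh check.sh /etc/ceph/ceph.client.manila.keyring "<ceph fs ls line>"
if [ $# -ge 1 ]; then
    check_keyring "$1" "${2:-$FS_LS_SAMPLE}"
fi
```

A non-zero exit with findings on stdout makes this usable as a pre-check before restarting the share service.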
Thanks Roger. The OSP10 docs update for the Manila+CephFS doc will be published with our changes within a few hours. I also created a clone (BZ#1461780) to track peer review for the doc to further improve it if need be.
Closing this one since OSP10 didn't claim to automate keyring creation and BZ#1414595 covers the valuable doc updates that rlopez supplied.