Chapter 9. Creating a Ceph key for external access
External access to Ceph storage is access to Ceph from any site that is not local. Ceph storage at the central location is external for edge (DCN) sites, just as Ceph storage at the edge is external for the central location.
When you deploy the central or DCN sites with Ceph storage, you have the option of using the default openstack keyring for both local and external access. Alternatively, you can create a separate key for access by non-local sites.
If you decide to use additional Ceph keys for access to your external sites, each key must have the same name. The key name is external in the examples that follow.
If you use a separate key for access by non-local sites, you have the additional security benefit of being able to revoke and re-issue the external key in response to a security event without interrupting local access. However, using a separate key for external access will result in the loss of access to some features, such as cross availability zone backups and offline volume migration. You must balance the needs of your security posture against the desired feature set.
By default, the keys for the central and all DCN sites will be shared.
9.1. Creating a Ceph key for external access
Complete the following steps to create an external key for non-local access.
1. Create a Ceph key for external access. This key is sensitive. You can generate the key using the following:

```shell
python3 -c 'import os,struct,time,base64; key = os.urandom(16) ; \
header = struct.pack("<hiih", 1, int(time.time()), 0, len(key)) ; \
print(base64.b64encode(header + key).decode())'
```
2. In the directory of the stack you are deploying, create a ceph_keys.yaml environment file with contents like the following, using the output from the previous command for the key:

```yaml
parameter_defaults:
  CephExtraKeys:
    - name: "client.external"
      caps:
        mgr: "allow *"
        mon: "profile rbd"
        osd: "profile rbd pool=vms, profile rbd pool=volumes, profile rbd pool=images"
      key: "AQD29WteAAAAABAAphgOjFD7nyjdYe8Lz0mQ5Q=="
      mode: "0600"
```
3. Include the ceph_keys.yaml environment file in the deployment of the site. For example, to deploy the central site with the ceph_keys.yaml environment file, run a command like the following:

```shell
openstack overcloud deploy \
  --stack central \
  --templates /usr/share/openstack-tripleo-heat-templates/ \
  ….
  -e ~/central/ceph_keys.yaml
```
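The one-liner above produces a cephx key blob: a 12-byte little-endian header (key type, creation time in seconds and nanoseconds, secret length) followed by the 16 raw AES secret bytes. The following Python script is an added example, not part of the original documentation or of any Red Hat tooling; it generates a key the same way, decodes and validates a key string before it goes into a keyring, and renders the ceph_keys.yaml shown above. The `secret` and `created` parameters exist only to make the generation reproducible for testing; the header field names in the comments are assumptions based on the struct format the page uses.

```python
import base64
import os
import struct
import time

# Layout of the blob the page's python3 one-liner produces: a 12-byte
# little-endian header in front of the 16 raw secret bytes.
#   int16  key type             (1 = AES)
#   int32  created, seconds     (int(time.time()))
#   int32  created, nanoseconds (the page's command writes 0)
#   int16  secret length        (16)
HEADER_FMT = "<hiih"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
AES_KEY_TYPE = 1
SECRET_LEN = 16


def generate_cephx_key(secret=None, created=None):
    """Return a base64 cephx key built exactly like the page's one-liner.

    `secret` and `created` are only for reproducible tests; in real use leave
    both as None so the secret comes from os.urandom and the time is now.
    """
    secret = os.urandom(SECRET_LEN) if secret is None else secret
    created = int(time.time()) if created is None else created
    if len(secret) != SECRET_LEN:
        raise ValueError("cephx AES secret must be %d bytes" % SECRET_LEN)
    header = struct.pack(HEADER_FMT, AES_KEY_TYPE, created, 0, len(secret))
    return base64.b64encode(header + secret).decode()


def parse_cephx_key(b64key):
    """Decode and validate a cephx key string before placing it in a keyring.

    Raises ValueError for anything that is not a well-formed 16-byte AES key,
    so a pasted or truncated key is rejected before a deploy uses it.
    """
    try:
        blob = base64.b64decode(b64key, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("key is not valid base64: %s" % exc)
    if len(blob) < HEADER_LEN:
        raise ValueError("key blob shorter than the %d-byte header" % HEADER_LEN)
    ktype, sec, nsec, length = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    secret = blob[HEADER_LEN:]
    if ktype != AES_KEY_TYPE:
        raise ValueError("unexpected key type %d (expected %d)" % (ktype, AES_KEY_TYPE))
    if length != SECRET_LEN or len(secret) != length:
        raise ValueError("secret length %d (header) / %d (actual) is not %d bytes"
                         % (length, len(secret), SECRET_LEN))
    return {"type": ktype, "created": sec, "created_nsec": nsec, "secret": secret}


def render_ceph_keys_yaml(b64key, name="client.external"):
    """Render the ceph_keys.yaml content from the page for a validated key."""
    parse_cephx_key(b64key)  # refuse to write a malformed key into the environment file
    return (
        "parameter_defaults:\n"
        "  CephExtraKeys:\n"
        '    - name: "%s"\n'
        "      caps:\n"
        '        mgr: "allow *"\n'
        '        mon: "profile rbd"\n'
        '        osd: "profile rbd pool=vms, profile rbd pool=volumes, profile rbd pool=images"\n'
        '      key: "%s"\n'
        '      mode: "0600"\n'
    ) % (name, b64key)


if __name__ == "__main__":
    new_key = generate_cephx_key()
    print(parse_cephx_key(new_key))
    print(render_ceph_keys_yaml(new_key))
```

Running the script prints the decoded header of a freshly generated key and the environment file to paste into the stack directory; the key string is sensitive, so treat the rendered file like the keyring itself (the page's `mode: "0600"` reflects that).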
9.2. Using external Ceph keys
You can only use keys that have already been deployed. For information on deploying a site with an external key, see Section 9.1, “Creating a Ceph key for external access”. This should be done for both central and edge sites.
When you deploy an edge site that will use an external key provided by central, complete the following:
1. Create the dcn_ceph_external.yaml environment file for the edge site. You must include the cephx-key-client-name option to specify the deployed key to include.

```shell
sudo -E openstack overcloud export ceph \
  --stack central \
  --config-download-dir /var/lib/mistral \
  --cephx-key-client-name external \
  --output-file ~/dcn-common/dcn_ceph_external.yaml
```
2. Include the dcn_ceph_external.yaml file so that the edge site can access the Ceph cluster at the central site. Include the ceph_keys.yaml file to deploy an external key for the Ceph cluster at the edge site.
3. When you update the central location after deploying your edge sites, ensure the central location to use the dcn
a. Ensure that the CephClientUserName parameter matches the key being exported. If you are using the name external as shown in these examples, create glance_update.yaml to be similar to the following:

```yaml
parameter_defaults:
  GlanceEnabledImportMethods: web-download,copy-image
  GlanceBackend: rbd
  GlanceStoreDescription: 'central rbd glance store'
  CephClusterName: central
  GlanceBackendID: central
  GlanceMultistoreConfig:
    dcn0:
      GlanceBackend: rbd
      GlanceStoreDescription: 'dcn0 rbd glance store'
      CephClientUserName: 'external'
      CephClusterName: dcn0
      GlanceBackendID: dcn0
    dcn1:
      GlanceBackend: rbd
      GlanceStoreDescription: 'dcn1 rbd glance store'
      CephClientUserName: 'external'
      CephClusterName: dcn1
      GlanceBackendID: dcn1
```
b. Use the openstack overcloud export ceph command to include the external keys for DCN edge access from the central location. To do this you must provide a comma-delimited list of stacks for the --stack argument, and include the cephx-key-client-name option:

```shell
sudo -E openstack overcloud export ceph \
  --stack dcn0,dcn1,dcn2 \
  --config-download-dir /var/lib/mistral \
  --cephx-key-client-name external \
  --output-file ~/central/dcn_ceph_external.yaml
```
c. Redeploy the central site using the original templates and include the newly created dcn_ceph_external.yaml file:

```shell
openstack overcloud deploy \
  --stack central \
  --templates /usr/share/openstack-tripleo-heat-templates/ \
  -r ~/central/central_roles.yaml \
  ...
  -e /usr/share/openstack-tripleo-heat-templates/environments/ceph-ansible/ceph-ansible.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/nova-az-config.yaml \
  -e ~/central/central-images-env.yaml \
  -e ~/central/role-counts.yaml \
  -e ~/central/site-name.yaml \
  -e ~/central/ceph.yaml \
  -e ~/central/ceph_keys.yaml \
  -e ~/central/glance.yaml \
  -e ~/central/dcn_ceph_external.yaml
```
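Steps a and b above have to agree with each other: the name passed to --cephx-key-client-name is the client each DCN store in glance_update.yaml must reference through CephClientUserName, and every cluster those stores use must appear in the --stack list. A mismatch only shows up at runtime as Glance failing to reach an edge cluster. The following check is an added example, not part of the original documentation or of the TripleO tooling; it assumes glance_update.yaml has already been parsed into a dict (the constructed dict below mirrors the page's file, with dcn1 deliberately set to a wrong client name for illustration) so that no YAML library is needed.

```python
# Values from the export command on the page:
#   --cephx-key-client-name external
#   --stack dcn0,dcn1,dcn2
EXPORT_CLIENT_NAME = "external"
EXPORT_STACKS = ["dcn0", "dcn1", "dcn2"]

# Constructed sample: glance_update.yaml from the page as a dict, with dcn1
# deliberately pointed at the wrong client name so the check has something
# to report.
GLANCE_UPDATE = {
    "parameter_defaults": {
        "GlanceBackend": "rbd",
        "CephClusterName": "central",
        "GlanceBackendID": "central",
        "GlanceMultistoreConfig": {
            "dcn0": {"GlanceBackend": "rbd", "CephClientUserName": "external",
                     "CephClusterName": "dcn0", "GlanceBackendID": "dcn0"},
            "dcn1": {"GlanceBackend": "rbd", "CephClientUserName": "openstack",
                     "CephClusterName": "dcn1", "GlanceBackendID": "dcn1"},
        },
    }
}


def check_external_key_config(glance_update, client_name, exported_stacks):
    """Compare the Glance multistore config against the exported Ceph key.

    Returns {"errors": [...], "notes": [...]}. Errors are configurations that
    will not work (wrong client name, cluster not exported); notes are
    harmless but worth knowing (a stack exported that no store uses yet).
    """
    errors, notes = [], []
    stores = glance_update["parameter_defaults"].get("GlanceMultistoreConfig", {})
    clusters_in_use = set()
    for store, cfg in stores.items():
        if cfg.get("GlanceBackend") != "rbd":
            continue  # only rbd stores authenticate with a cephx client
        user = cfg.get("CephClientUserName")
        cluster = cfg.get("CephClusterName", store)
        clusters_in_use.add(cluster)
        if user != client_name:
            errors.append("store %s uses CephClientUserName %r but the exported key is %r"
                          % (store, user, client_name))
        if cluster not in exported_stacks:
            errors.append("store %s needs cluster %s, which is not in --stack %s"
                          % (store, cluster, ",".join(exported_stacks)))
    for stack in exported_stacks:
        if stack not in clusters_in_use:
            notes.append("stack %s is exported but no Glance store uses it yet" % stack)
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    report = check_external_key_config(GLANCE_UPDATE, EXPORT_CLIENT_NAME, EXPORT_STACKS)
    for line in report["errors"]:
        print("ERROR:", line)
    for line in report["notes"]:
        print("note:", line)
```

Run it before step c; an empty `errors` list means the client name and stack list are consistent with glance_update.yaml, and the dcn2 note reproduces the page's own situation where a stack is exported ahead of a store being configured for it.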