To better support diversity of use cases, we decided on a new layout for the puppet code that supports ceph rbd clients.
See https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/ceph_client_refactor for details.
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | • Bstorm | T216208 ToolsDB overload and cleanup |
| Resolved | | • Bstorm | T216441 Evaluate transferring the non-replicated tables to the new toolsdb server |
| Resolved | | fnegri | T236101 Find a way to remove non-replicated tables from ToolsDB |
| Resolved | | dcaro | T301951 toolsdb: full disk on clouddb1001 broke clouddb1002 (secondary) replication |
| Open | | None | T301967 toolsdb: evaluate storage usage by some tools |
| Open | | fnegri | T291782 Migrate largest ToolsDB users to Trove |
| Open | | None | T272395 Cloud: reduce NAT exceptions from cloud to production |
| Resolved | | Andrew | T291405 [NFS] Reduce or eliminate bare-metal NFS servers |
| Resolved | | Andrew | T292546 cloud NFS: figure out backups for cinder volumes |
| Resolved | | aborrero | T293752 cloud ceph: refactor rbd client puppet profiles |
Change 738413 had a related patch set uploaded (by David Caro; author: David Caro):
[operations/puppet@production] openstack::eqiad: Remove cinder key generation from cloudcontrols
Change 738414 had a related patch set uploaded (by David Caro; author: David Caro):
[operations/puppet@production] openstack::eqiad: enable cinder keyring generation on control nodes
Change 738411 merged by David Caro:
[operations/puppet@production] openstack: codfw1dev: remove cinder keyring
Change 738412 merged by David Caro:
[operations/puppet@production] openstack: codfw1dev: enable cinder key generation
Change 738413 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: eqiad1: Remove cinder key generation from cloudcontrols
Change 738414 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: eqiad1: enable cinder keyring generation on control nodes
Change 738903 had a related patch set uploaded (by David Caro; author: David Caro):
[operations/puppet@production] ceph::auth::keyring: allow passing the full client name
Change 738904 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: ceph: migrate admin keyring to new abstraction
Change 738908 had a related patch set uploaded (by David Caro; author: David Caro):
[operations/puppet@production] ceph::auth::keyring: Generate keyring_path if not passed
Change 738904 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: ceph: migrate admin keyring to new abstraction
Change 738963 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: ceph: auth: enable admin client
Change 738964 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hieradata: ceph: auth: add dummy keydata for the admin client
Change 738964 merged by Arturo Borrero Gonzalez:
[labs/private@master] hieradata: ceph: auth: add dummy keydata for the admin client
Change 738969 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hieradata: ceph: auth: add dummy keydata for the admin client
Change 738969 merged by Arturo Borrero Gonzalez:
[labs/private@master] hieradata: ceph: auth: add dummy keydata for the admin client
Change 738963 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: ceph: auth: enable admin client
Change 738982 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: ceph: reorder osd/auth profile declaration
Change 738982 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: ceph: reorder osd/auth profile declaration
Change 737401 abandoned by David Caro:
[operations/puppet@production] ceph:mon/osd: remove admin class
Reason:
Change 738903 merged by David Caro:
[operations/puppet@production] ceph::auth::keyring: allow passing the full client name
Change 738908 merged by David Caro:
[operations/puppet@production] ceph::auth::keyring: Generate keyring_path if not passed
Change 739127 had a related patch set uploaded (by David Caro; author: David Caro):
[operations/puppet@production] ceph::auth: require load_all when checking keyrings
Change 739127 merged by David Caro:
[operations/puppet@production] p:{osd,b_g_images,backy2}: require c::a::deploy when checking keyrings
Change 739223 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: nova: factorize libvirt secrets management
Change 739228 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: introduce datatype for configuration hash
Change 739235 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: ceph: libvirt: migrate to new ceph auth abstraction
Change 739228 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: introduce datatype for configuration hash
Change 739474 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: ceph: client: rbd_libvirt: enable ceph::auth::conf
Change 739235 abandoned by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: ceph: libvirt: migrate to new ceph auth abstraction
Reason:
trying with https://gerrit.wikimedia.org/r/c/operations/puppet/+/739474 instead
Change 739223 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: nova: factorize libvirt secrets management
Change 739474 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: ceph: client: rbd_libvirt: enable ceph::auth::conf
Change 739516 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: don't deploy cinder keyring in cloudvirts
Change 739516 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: don't deploy cinder keyring in cloudvirts
Change 739522 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: radosgw: migrate to new ceph auth abstraction
Change 739523 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hieradata: codfw: ceph: add dummy keydata for radosgw
Change 739523 merged by Arturo Borrero Gonzalez:
[labs/private@master] hieradata: codfw: ceph: add dummy keydata for radosgw
Change 739522 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: radosgw: migrate to new ceph auth abstraction
Change 742132 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: move bootstrap keyring into new auth abstraction
Change 742133 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hieradata: ceph: refresh bootstrap auth
Change 742175 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: introduce new parameter 'import_to_ceph'
Change 742176 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: migrate mon auth to the new abstraction
Change 742133 merged by Arturo Borrero Gonzalez:
[labs/private@master] hieradata: ceph: refresh bootstrap auth
Change 742132 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: move bootstrap keyring into new auth abstraction
Change 742699 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] ceph: auth: introduce keydata for mon.xxxx entries
Change 742709 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: introduce function to calculate keyring_path
Change 742699 merged by Arturo Borrero Gonzalez:
[labs/private@master] ceph: auth: introduce keydata for mon.xxxx entries
Change 742175 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: introduce new parameter 'import_to_ceph'
Change 742709 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: introduce function to calculate keyring_path
Change 742176 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: migrate mon auth to the new abstraction
Change 744784 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: mgr: fix typo in relationship
Change 744808 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: mgr: migrate keyring to new auth abstraction
Change 744784 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: mgr: fix typo in relationship
Change 745477 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hiera: ceph: add mgr keyrings placeholders
Change 745477 merged by Arturo Borrero Gonzalez:
[labs/private@master] hiera: ceph: add mgr keyrings placeholders
Change 745478 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[labs/private@master] hiera: ceph: add dummy caps for mgr auth entries
Change 745478 merged by Arturo Borrero Gonzalez:
[labs/private@master] hiera: ceph: add dummy caps for mgr auth entries
Change 744808 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: mgr: migrate keyring to new auth abstraction
Change 745767 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: load_all: fix input datatype
Change 745768 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: load_all: don't fail if only keydata is defined
Change 745767 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: load_all: fix input datatype
Change 745768 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: load_all: don't fail if only keydata is defined
Change 745779 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):
[operations/puppet@production] ceph: auth: eqiad: fix rgw client name
Change 745779 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] ceph: auth: eqiad: fix rgw client name
After two months, a deep rabbit hole to climb, some frictions within the WMCS team, more than 50 patches, and a severe sidetrack in the WMCS roadmap, I think we could consider this refactor completed.
On the other side, we are (or at least I am) wiser now, gained a lot of knowledge on how ceph works, a couple of interesting code patterns in puppet, and in general, a more robust ceph abstraction. Worth it :-)
Pretty sure there are things that can be improved, but let's do them in a future iteration. Also, the day we bootstrap a ceph cluster from scratch again we may or may not discover a few potential bugs, or race conditions with how keyrings are deployed and how soon ceph needs them in the bootstrap process.
For the future: figure out a way to clean up old unused keyrings from the ceph internal DB.
Change 737869 abandoned by David Caro:
[operations/puppet@production] p:ceph::client::rbd_cloudcontrol: remove keyring generation
Reason:
obsolete