Page MenuHomePhabricator
Create Task
Maniphest T332987

Review and fix any bugs found in the automated bootstrap process for a ceph mon/mgr server
Closed, ResolvedPublic
Actions

Description

Overview

We have recently bootstrapped a new ceph cluster in T330149

Doing so highlighted a couple of problems about the way that puppet behaves when bootstrapping monitor nodes.
This ticket exists in order to record any activity on investigating and fixing these problems.

It will be useful to carry out this work on the new ceph cluster, before it goes into production.
However, we must be mindful that the ceph module is also in use by the cloudceph clusters that are in production and are managed by the cloud-services-team.

Whilst the puppet module is shared, the cloudceph cluster currently uses its own puppet profiles and a different version of Ceph (15 vs 17)
Any one or more of these factors might have an impact on how the behaviour of bootstrapping a cluster, a monitor daemon, and a manager daemon, might differ between the two cases.

Observations

1: Bootstrapping a new monitor fails with a named monitor key

When bootstrapping a monitor server, whether this is for a new cluster or an existing cluster, puppet runs the following command on each monitor

/usr/bin/ceph-mon --mkfs -i ${::hostname} --fsid ${fsid} --keyring ${temp_keyring}

This exec is defined here.

Note that we are using the method of expanding-with-initial-members defined here, since we already have an /etc/ceph/ceph.conf present, which contains the mon initial members option.

The $temp_keyring contains two keys, concatenated into one text file: /var/lib/ceph/tmp/ceph.mon.keyring

  • The contents of the monitor authentcation key: mon.${::hostname}
  • The contents of the client admin key

The following screenshot shows this temporary file, with keydata redacted. It also highlights the named section of the monitor key.

image.png (217×605 px, 39 KB)

When this command is executed on a mon node running ceph quincy, the result is that the file /var/lib/ceph/mon/ceph-$hostname/keyring is not created. Attempting to start the mon service results in errors as shown.

auth: error reading file: /var/lib/ceph/mon/ceph-cephosd1001/keyring: can't open /var/lib/ceph/mon/ceph-cephosd1001/keyring: (2) No such file or directory
mon.cephosd1001@-1(???) e0 unable to load initial keyring /var/lib/ceph/mon/ceph-cephosd1001/keyring

The documents (https://docs.ceph.com/en/quincy/dev/mon-bootstrap/#secret-keys) refer to a secret key named mon. instead of a key named mon.$hostname

The mon. secret key is stored a keyring file in the mon data directory.

In order to bootstrap the cluster, I manually modified /var/lib/ceph/tmp/ceph.mon.keyring on each of the servers, removing the hostname from the monitor key, leaving [mon.] in its place. I then executed the command manually.

Upon doing so, the keyring was created in the correct location and the mon process started successfully.

2: Timeouts running puppet (ceph auth) before the cluster is bootstrapped

TODO explain observation

3: The mgr keys were created instead of being imported so the keydata did not match

TODO explain observation

Details

SubjectRepoBranchLines +/-
Test a fix for the bootstrapping of mon daemons on cephosd*operations/puppetproduction+17 -1
Add dummy keydata for a wildcard ceph monitorlabs/privatemaster+2 -0
Customize query in gerrit

Related Objects

Event Timeline

BTullis created this task.Mar 24 2023, 12:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2023, 12:45 PM
taavi edited projects, added cloud-services-team; removed Cloud-Services.Mar 24 2023, 12:56 PM
taavi updated the task description. (Show Details)
BTullis mentioned this in T330149: Deploy ceph mon and mgr processes to data-engineering cluster.Mar 24 2023, 5:27 PM
JArguello-WMF moved this task from Backlog to Ops Week on the Data-Engineering-Planning board.Jun 29 2023, 9:39 PM
JArguello-WMF edited projects, added Data-Platform-SRE; removed Data-Engineering-Planning.Jun 29 2023, 9:53 PM
BTullis triaged this task as Low priority.Jul 3 2023, 11:37 AM
Gehel moved this task from Incoming to Misc on the Data-Platform-SRE board.Dec 7 2023, 2:16 PM
BTullis removed BTullis as the assignee of this task.Mar 15 2024, 5:59 PM
BTullis mentioned this in T362993: Update cephosd100[1-5] with the most recent stable version of Ceph.Apr 25 2024, 11:10 AM
BTullis claimed this task.Apr 30 2024, 10:29 AM
BTullis raised the priority of this task from Low to Medium.
BTullis edited projects, added Data-Platform-SRE (2024.04.15 - 2024.05.05); removed Data-Platform-SRE.

I am going to work on this ticket at the moment, since I am reimaging the cephosd cluster now.

I intend to test any changes on the Data-Platform team's cluster only, by excluding the cloudceph servers from any change, since these are in production use.
If the results are positive, then we can look to apply the changes to the cloudceph servers as well.

gerritbot added a comment.Apr 30 2024, 11:05 AM

Change #1025724 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Test a fix for the bootstrapping of mon daemons on cephosd*

https://gerrit.wikimedia.org/r/1025724

gerritbot added a project: Patch-For-Review.Apr 30 2024, 11:05 AM
gerritbot added a comment.Apr 30 2024, 11:16 AM

Change #1025728 had a related patch set uploaded (by Btullis; author: Btullis):

[labs/private@master] Add dummy keydata for a wildcard ceph monitor

https://gerrit.wikimedia.org/r/1025728

gerritbot added a comment.Apr 30 2024, 11:27 AM

Change #1025728 merged by Btullis:

[labs/private@master] Add dummy keydata for a wildcard ceph monitor

https://gerrit.wikimedia.org/r/1025728

BTullis mentioned this in rLPRI10232fe16d1f: Add dummy keydata for a wildcard ceph monitor.Apr 30 2024, 11:29 AM
ops-monitoring-bot added a comment.Apr 30 2024, 11:37 AM

Host rebooted by btullis@cumin1002 with reason: Troubleshooting T332987

gerritbot added a comment.Apr 30 2024, 2:10 PM

Change #1025724 merged by Btullis:

[operations/puppet@production] Test a fix for the bootstrapping of mon daemons on cephosd*

https://gerrit.wikimedia.org/r/1025724

Maintenance_bot removed a project: Patch-For-Review.Apr 30 2024, 2:31 PM
BTullis moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.04.15 - 2024.05.05) board.Apr 30 2024, 2:59 PM
BTullis added a comment.Apr 30 2024, 8:45 PM

The test worked, so the automated bootstrapping of a new mon server is now OK.

I have two more hosts to reimage on this round, so I can check that this wasn't a fluke.
The next round of reimages will hopefully be using a reuse-parts recipe, so that we keep /var/lib/ceph intact and do not need to run the bootstrap process.

As @dcaro pointed out, there is a clear opportunity for a refactor in the ceph-auth code but I didn't feel that I could spend the time on it today.
I will make a note and probably tackle it as part of T328010: ceph: introduce puppet logic to purge stale keyfiles in the near future.

BTullis closed this task as Resolved.Apr 30 2024, 8:46 PM
BTullis moved this task from In Progress to Done on the Data-Platform-SRE (2024.04.15 - 2024.05.05) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits