ceph/doc/mgr/ansible.rst
Juan Miguel Olmo Martínez 4c6a1c6c68
mgr/ansible: TLS Mutual Authentication
- Changes needed to allow Ansible Orchestrator to use the new authentication strategy used in Ansible Runner Service
- Changes to propagate Ansible playbook errors to the completion result

Addressed changes suggested by the team

- Certificate and key are stored now in the mon KV store
- Option server_url is now server_location
- Using manager Options to have a better mgmt of MODULE_OPTIONS
- Added verbosity to status command to show problems connecting with external orchestrator
- lint problems fixed

Addressed changes suggested by @sebastian-philipp

- Improved messages and documentation

Fix error in documentation

- Fix error in ansible documentation
- Added examples in orchestrator-cli documentation

Signed-off-by: Juan Miguel Olmo Martínez <jolmomar@redhat.com>
2019-05-29 16:54:56 +02:00


.. _ansible-module:

====================
Ansible Orchestrator
====================

This module is a :ref:`Ceph orchestrator <orchestrator-modules>` module that uses the `Ansible Runner Service <https://github.com/ansible/ansible-runner-service>`_ (a RESTful API server) to execute Ansible playbooks in order to carry out the operations it supports.

These operations basically (and for the moment) are:

- Get an inventory of the Ceph cluster nodes and all the storage devices present in each node
- Hosts management
- Create/remove OSDs
- ...

Usage
=====

Enable the module:

::

    # ceph mgr module enable ansible

Disable the module:

::

    # ceph mgr module disable ansible

Enable the Ansible orchestrator module and use it with the :ref:`CLI <orchestrator-cli-module>`:

::

    ceph mgr module enable ansible
    ceph orchestrator set backend ansible

Configuration
=============

The external Ansible Runner Service uses TLS mutual authentication: it only accepts API calls from clients that present a client certificate it trusts.
The administrator of the Ansible Runner Service must therefore provide a client certificate and its private key for the manager nodes, either one pair shared by all managers or one pair per manager host.
The commands below read both files with ``-i`` and store their contents in the monitor key/value store, so the files only need to be present, and readable by the user running the commands, on the node where you run them.
Treat the private key as a credential: keep it readable by its owner only and remove the copy once it has been loaded.

Configuration must be set once the module has been enabled for the first time.
This can be done from one monitor node via the configuration key facility at
cluster-wide level (so the settings apply to all manager instances) as follows:

First, load the Ansible Runner Service client certificate and key.
If the provided client certificate is usable for all manager servers, apply it using:

::

    # ceph ansible set-ssl-certificate -i <location_of_the_crt_file>
    # ceph ansible set-ssl-certificate-key -i <location_of_the_key_file>

If the client certificate provided is for a specific manager server, name that server:

::

    # ceph ansible set-ssl-certificate <server> -i <location_of_the_crt_file>
    # ceph ansible set-ssl-certificate-key <server> -i <location_of_the_key_file>

After setting the client certificate and key, finish the configuration as follows:

::

    # ceph config set mgr mgr/ansible/server_location <ip_address/server_name>:<port>
    # ceph config set mgr mgr/ansible/verify_server <verify_server_value>
    # ceph config set mgr mgr/ansible/ca_bundle <path_to_ca_bundle_file>

Where:

* <ip_address/server_name>: the IP address or hostname of the server where the Ansible Runner Service is available.
* <port>: the port number on which the Ansible Runner Service is listening.
* <verify_server_value>: ``True`` or ``False``; controls whether the Ansible Runner Service server's TLS certificate is verified. Defaults to ``True``. With ``False`` the manager accepts any server certificate and hands its client certificate to whoever answers at ``server_location``, so use it only for testing. If the server certificate is issued by a private CA, keep verification enabled and point ``ca_bundle`` at that CA instead.
* <path_to_ca_bundle_file>: path to a PEM CA bundle used to verify the server certificate. It is read by the active manager, so the file must exist at that path on every manager node.

In order to check that everything is OK, use the "status" orchestrator command:

::

    # ceph orchestrator status
    Backend: ansible
    Available: True

Any kind of problem connecting with the external Ansible Runner Service (for example a server certificate that does not verify against the CA bundle, or a client certificate the server does not trust) will be reported by this command.
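
A mismatched client key, an expired certificate or a CA bundle that does not cover the server certificate only surfaces later as an opaque connection failure in ``ceph orchestrator status``, so it pays to check the material before loading it. The following shell script is an added example and is not part of Ceph or of the Ansible Runner Service; the functions ``check_client_identity``, ``check_ca_bundle`` and ``probe_runner_service`` are this example's own names, and the script assumes only the ``openssl`` command line tool and a Linux ``ls -l`` layout.

```shell
#!/bin/sh
# Pre-flight checks for the TLS material used by mgr/ansible.
# Added example, not Ceph code; all function names are this example's own.

# check_client_identity CRT KEY
# Succeeds when the certificate and private key belong together, the
# certificate is currently valid and the key is readable by its owner only.
# Prints the reason for a failure on stdout.
check_client_identity() {
    crt=$1
    key=$2

    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "not a PEM certificate: $crt"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "not a PEM private key: $key"; return 1; }

    # The public key inside the certificate must be the one derived from the
    # private key; otherwise the TLS handshake fails before any API call.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and key do not match"; return 1; }

    # An expired client certificate is rejected by the server.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate is expired: $crt"; return 1; }

    # The private key is a credential: group and other must have no access.
    # Characters 5-10 of "ls -l" are the group and other permission bits.
    others=$(ls -l "$key" | cut -c5-10)
    [ "$others" = "------" ] \
        || { echo "key $key is accessible to others (ls -l shows $others)"; return 1; }
    return 0
}

# check_ca_bundle BUNDLE SERVER_CRT
# Succeeds when the Runner Service's certificate chains to BUNDLE, i.e. when
# verify_server=True will accept it. A failure here is fixed by supplying the
# right bundle, not by setting verify_server to False.
check_ca_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# probe_runner_service HOST:PORT CRT KEY BUNDLE
# Performs the mutually authenticated handshake against a live Runner Service
# with the same material the manager will use; -verify_return_error makes a
# server certificate that does not verify against BUNDLE a hard failure.
# Needs the service to be reachable, so it is not exercised offline.
probe_runner_service() {
    openssl s_client -connect "$1" -cert "$2" -key "$3" -CAfile "$4" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check_runner_tls.sh <client.crt> <client.key> [<ca_bundle> <server.crt>]
if [ $# -ge 2 ]; then
    check_client_identity "$1" "$2" && echo "client identity OK"
    if [ $# -ge 4 ]; then
        check_ca_bundle "$3" "$4" && echo "server certificate chains to $3"
    fi
fi
```

Run ``check_client_identity`` on the node where you execute ``ceph ansible set-ssl-certificate -i`` and ``set-ssl-certificate-key -i``, and ``check_ca_bundle`` on each manager node against the path you intend to store in ``mgr/ansible/ca_bundle``; the server certificate can be fetched beforehand with ``openssl s_client -showcerts``.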
Debugging
=========

Any kind of incident with this orchestrator module can be debugged using the Ceph manager logs.

Set the right log level in order to debug properly. Remember that the Python log levels debug, info, warn and err are mapped to the Ceph severities 20, 4, 1 and 0 respectively.
Run the commands on the "active" manager node (``ceph -s`` on a monitor node tells you which one it is):

* Check the current debug level::

    [mgr0 ~]# ceph daemon mgr.mgr0 config show | grep debug_mgr
        "debug_mgr": "1/5",
        "debug_mgrc": "1/5",

* Change the log level to "debug"::

    [mgr0 ~]# ceph daemon mgr.mgr0 config set debug_mgr 20/5
    {
        "success": ""
    }

* Restore the default log level (which logs warnings and errors only)::

    [mgr0 ~]# ceph daemon mgr.mgr0 config set debug_mgr 1/5
    {
        "success": ""
    }

Operations
==========

To see the complete list of operations, use the :ref:`CLI <orchestrator-cli-module>`.