On January 30, 2024 7:40 pm, Max Carrara wrote:
> Introduction
> ------------
>
> This series fixes #4759 [0], an issue where Ceph's crash daemon is
> unable to post crash logs due to insufficient permissions, through an
> adaptation of our `pveceph` CLI as well as an accompanying Debian
> postinst hook.
>
> In essence, this series ensures that the crash daemon can authenticate
> with its Ceph cluster without requiring elevated privileges.
>
> For this to work, the following conditions are required:
> 1. A key named 'client.crash' must be stored in the Ceph cluster
>    itself
> 2. The key must be saved to a '.keyring' file which can be read by
>    the `ceph` user (in order to authenticate with the cluster)
> 3. A reference to the '.keyring' file's location must be provided in
>    a 'client.crash' section within the '/etc/pve/ceph.conf' file

I like the general direction, it seems sensible. some comments on
individual patches as replies, and some general questions here:

- do we need to store the key on pmxcfs? would it also work to generate
  one on each host and store it locally?
- is there some way to get away without modifying the config? e.g., a
  fallback path for keyrings if there is no "client.XXX" section in the
  config?

https://docs.ceph.com/en/reef/rados/configuration/auth-config-ref/#keys
would seem to indicate that the answer to those questions is no/yes/yes,
but I haven't tested it ;)

IMHO that would simplify the handling a lot..
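
A local check for conditions 2 and 3 of the quoted cover letter, as an added example that is not part of this thread or of the patch series: it reads the `keyring` option from a 'client.crash' section and audits the referenced file's owner and mode. The helper names, the daemon uid passed by the caller, the "no access for other users" policy and the temporary file paths are assumptions of this example; condition 1 (the key existing in the cluster) is not checked.

```python
import configparser
import os
import stat
import tempfile

SECTION = "client.crash"  # section name taken from the cover letter


def find_keyring(conf_text):
    """Return the keyring path set in [client.crash], or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return None
    return cp.get(SECTION, "keyring", fallback=None)


def audit_keyring(path, uid):
    """Return findings for the keyring file; an empty list means it passes."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat keyring: {exc.strerror}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != uid or not st.st_mode & stat.S_IRUSR:
        findings.append("not owner-readable by the daemon user")
    # Assumed policy of this example: nobody outside owner/group may touch it.
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("accessible to other users")
    return findings


def demo():
    """Run both checks on a constructed config and a constructed keyring."""
    with tempfile.TemporaryDirectory() as tmp:
        keyring = os.path.join(tmp, "crash.keyring")  # constructed path
        with open(keyring, "w") as fh:
            fh.write("[client.crash]\nkey = CONSTRUCTED-PLACEHOLDER\n")
        conf = f"[global]\nfsid = constructed\n\n[{SECTION}]\nkeyring = {keyring}\n"
        path = find_keyring(conf)
        os.chmod(keyring, 0o644)  # world-readable: should be flagged
        loose = audit_keyring(path, os.getuid())
        os.chmod(keyring, 0o600)  # owner-only: should pass
        return path, keyring, loose, audit_keyring(path, os.getuid())


if __name__ == "__main__":
    print(demo())
```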