<html><body><div style="font-family: trebuchet ms,sans-serif; font-size: 10pt; color: #000000"><div>So would like to share my experiences with the support of the new CephX authentication support in 4.4, and have a few questions for the development team.</div><div><br></div><div>In short, it works, but the documentation is not very clear on what needs to be done to make it work, so here's what I did (and I'm certain this is the intent of development currently):</div><div><br></div><div><ul><li>A secret needs to be defined within Libvirt on ALL hypervisor nodes that you utilize with Ceph. This needs to be done manually prior to deploying any virtual instances within the cluster.</li><li>Looks like development used the guideline set forth by the Ceph documentation. In this, it is required to create a <b>client.libvirt </b>user, as shown in the example in the Ceph documentation. Otherwise, that user is not validated via Ceph and will be unable to access RBDs in the cluster.</li><li>The UUID can be specified or generated, however the secret.xml file must be defined: See my example here: <a href="http://dev.opennebula.org/issues/1796" data-mce-href="http://dev.opennebula.org/issues/1796">http://dev.opennebula.org/issues/1796</a> and reference the Ceph documentation for defining the secret.xml within Libvirt.</li><li>You must copy the key for the client.libvirt user and define the secret</li><ul><li>'ceph auth list' will list the users and their appropriate keys. Copy the key for placement in the definition string. See the link to the opennebula issue 1796 above for an example:</li></ul></ul><div><br></div><div>Now my questions for the OpenNebula devs:</div><div><br></div><div><ul><li>Since the Ceph_Secret UUID can be defined within a secret.xml file, can that UUID be automatically generated as part of the Ceph Datastore definition? </li><ul><li>I see why it's not based on the source, checking to see if the UUID variable exists to ensure the deployment file has the appropriate information</li><li>Can there be an option for Ceph Datastore creation for whether or not you utilize CephX authentication on the Datastore (like a checkbox or YES/NO)? If so, then a UUID can be generated and the CEPH_SECRET attribute can be defined automatically. Otherwise, no CEPH_SECRET defined automatically.</li></ul><li><span style="font-size: 10pt;">I think the UUID generation would be the most difficult part. The manual process for the administrator would need to be to define the KEY for injection into Libvirt on each hypervisor. I would imagine this key could be defined as a datastore attribute like CEPH_KEY or something?</span></li><li><span style="font-size: 10pt;">At that point, all other operations could be handled by the Transfer Manager</span></li><ul><li>Check to see if the UUID currently exists in the Libvirt secret list on the deployment host ("virsh secret-list | grep -c $CEPH_SECRET" should be an appropriate validation)</li><li>If not, then generate the secret.xml file, injecting the CEPH_SECRET attribute</li><li>Then define the secret and apply the CEPH_KEY value to the secret</li><li>Continue with VM deployment.</li></ul></ul><div>Thoughts on the above?</div></div></div><div><br></div><div><span name="x"></span><style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:0;
mso-generic-font-family:roman;
mso-font-pitch:variable;
mso-font-signature:-536870145 1107305727 0 0 415 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:-536870145 1073786111 1 0 415 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-size:11.0pt;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<div class="WordSection1">
<div class="MsoNormal" align="center" style="text-align:center"><span style="mso-fareast-font-family:"Times New Roman"">
<hr size="2" width="100%" align="center">
</span></div>
<div><span size="2" face="trebuchet ms, sans-serif"><span size="2" face="trebuchet ms, sans-serif">
<p class="MsoNormal"><b><span style="font-size:10.0pt;mso-fareast-font-family:
"Times New Roman"">Bill Campbell</span></b><span style="font-size:10.0pt;
mso-fareast-font-family:"Times New Roman""><br>
Infrastructure Architect<br style="mso-special-character:line-break">
<br style="mso-special-character:line-break">
</span><span style="mso-fareast-font-family:"Times New Roman""></span></p>
</span></span></div>
<div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;mso-fareast-font-family:"Times New Roman""><span size="2" face="trebuchet ms, sans-serif">Axcess Financial Services, Inc.<br>
7755 Montgomery Rd., Suite 400<br>
Cincinnati, OH 45236</span></span></p>
</div><span name="x"></span><br></div></div>
<br><html><body><b>NOTICE: Protect the information in this message in accordance with the company's security policies. If you received this message in error, immediately notify the sender and destroy all copies.</b></body></html>
<br></body></html>