3. Cephx认证
为了识别用户并防止中间人攻击,Ceph 提供了 cephx 身份验证系统来对用户和守护进程进行身份验证。
cephx 协议不解决传输中的数据加密(例如 SSL/TLS)或静态加密。
Cephx 使用共享密钥进行身份验证,这意味着客户端和监视器集群都拥有客户端密钥的副本。身份验证协议使得双方都能够向对方证明他们拥有密钥的副本,而无需实际透露它。这提供了相互认证,这意味着集群确信用户拥有密钥,并且用户确信集群拥有密钥的副本。
Ceph 的一个关键可扩展特性是避免使用集中式接口到 Ceph 对象存储,这意味着 Ceph 客户端必须能够直接与 OSD 交互。为了保护数据,Ceph 提供了 cephx 身份验证系统,该系统对操作 Ceph 客户端的用户进行身份验证。 cephx 协议的运行方式类似于 Kerberos。
用户/参与者调用 Ceph 客户端来联系监视器。与 Kerberos 不同的是,每个监视器都可以对用户进行身份验证并分发密钥,因此在使用 cephx 时不会出现单点故障或瓶颈。监视器返回类似于 Kerberos 票证的身份验证数据结构,其中包含用于获取 Ceph 服务的会话密钥。这个会话密钥本身是用用户的永久秘密密钥加密的,所以只有用户才能从 Ceph Monitor(s) 请求服务。然后客户端使用会话密钥从监视器请求其所需的服务,监视器为客户端提供一张票证,该票证将向实际处理数据的 OSD 验证客户端。 Ceph 监视器和 OSD 共享一个秘密,因此客户端可以将监视器提供的票证与集群中的任何 OSD 或元数据服务器一起使用。与 Kerberos 一样,cephx 票证会过期,因此攻击者无法使用已过期的票证或偷偷获取的会话密钥。这种形式的身份验证将防止有权访问通信介质的攻击者以另一个用户的身份创建虚假消息或更改另一个用户的合法消息,只要用户的密钥在其到期之前不被泄露。
3.1 授权流程
每个 mon 节点都可以对客户端进行身份认证并分发秘钥,因此多个 mon 节点就不存在单点 故障和认证性能瓶颈 mon 节点会返回用于身份认证的数据结构,其中包含获取 ceph 服务时用到的 session key, session key 通 过 客 户 端 秘 钥 进 行 加 密 , 秘 钥 是 在 客 户 端 提 前 配 置 好 的 , /etc/ceph/ceph.client.admin.keyring 客户端使用 session key 向 mon 请求所需要的服务,mon 向客户端提供一个 tiket,用于向 实际处理数据的 OSD 等服务验证客户端身份,MON 和 OSD 共享同一个 secret,因此 OSD 会信任所有 MON 发放的 tiket tiket 存在有效期。
3.2 访问流程
要使用 cephx,管理员必须先设置用户。在下图中,client.admin 用户从命令行调用 ceph auth get-or-create-key 来生成用户名和密钥。 Ceph 的 auth 子系统生成用户名和密钥,将副本与监视器一起存储,并将用户的秘密传输回 client.admin 用户。这意味着客户端和监视器共享一个密钥。
client.admin 用户必须以安全的方式向用户提供用户 ID 和密钥。
image.png
为了向监视器进行身份验证,客户端将用户名传递给监视器,监视器生成会话密钥并使用与用户名关联的密钥对其进行加密。然后,监视器将加密的票发送回客户端。然后客户端使用共享密钥解密有效负载以检索会话密钥。会话密钥标识当前会话的用户。然后,客户端代表由会话密钥签名的用户请求票证。监视器生成一张票,用用户的密钥对其进行加密,然后将其发送回客户端。客户端解密票证并使用它来签署对整个集群的 OSD 和元数据服务器的请求。
image.png
cephx 协议验证客户端机器和 Ceph 服务器之间正在进行的通信。在初始身份验证之后,客户端和服务器之间发送的每条消息都使用票证进行签名,监视器、OSD 和元数据服务器可以使用它们的共享秘密进行验证。
image.png
此身份验证提供的保护位于 Ceph 客户端和 Ceph 服务器主机之间。身份验证不会扩展到 Ceph 客户端之外。如果用户从远程主机访问 Ceph 客户端,则 Ceph 身份验证不会应用于用户主机和客户端主机之间的连接。
有关配置详细信息,请参阅 Cephx 配置指南。有关用户管理的详细信息,请参阅用户管理。
3.3 Cephx配置
1. 创建一个client.admin密钥,并为您的client保存密钥的副本
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' mgr 'allow *' osd 'allow *' -o /etc/ceph/ceph.client.admin.keyring
注: 此命令会覆盖任何存在的 /etc/ceph/client.admin.keyring 文件,如果部署工具已经完成此步骤,千万别再执行此命令。多加小心!
2. 创建monitor集群所需的密钥环、并给它们生成密钥。
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'
3. 把Monitor密钥环复制到ceph.mon.keyring文件,再把此文件复制到各monitor的mon data目录下。比如要把它复制给名为ceph集群的mon.a,用此命令:
cephadm@ceph-deploy:~/ceph-cluster$ sudo cp /tmp/ceph.mon.keyring /var/lib/ceph/mon/ceph-a/keyring
4. 为每个MGR生成密钥,{$id}是MGR编号:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create mgr.{$id} mon 'allow profile mgr' mds 'allow *' osd 'allow *' -o /var/lib/ceph/mgr/ceph-{$id}/keyring
5. 为每个OSD生成密钥,{$id}是OSD编号:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create osd.{$id} mon 'allow rwx' osd 'allow *' -o /var/lib/ceph/osd/ceph-{$id}/keyring
6. 为每个MDS生成密钥,{$id}是MDS的标识字母:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create mds.{$id} mon 'allow rwx' osd 'allow *' mds 'allow *' mgr 'allow profile mds' -o /var/lib/ceph/mds/ceph-{$id}/keyring
7. 把以下配置加入Ceph配置文件的[global]段下以启用cephx认证:
cephadm@ceph-deploy:~/ceph-cluster$ sudo auth cluster required = cephx
cephadm@ceph-deploy:~/ceph-cluster$ sudo auth service required = cephx
cephadm@ceph-deploy:~/ceph-cluster$ sudo auth client required = cephx
8. 启动或重启Ceph集群
3.4 Ceph 的用户管理
用户是指个人(ceph 管理者)或系统参与者(MON/OSD/MDS)。
通过创建用户,可以控制用户或哪个参与者能够访问 ceph 存储集群、以及可访问的存储池
及存储池中的数据。
image.png
ceph 支持多种类型的用户,但可管理的用户都属于 client 类型
区分用户类型的原因在于,MON/OSD/MDS 等系统组件特使用 cephx 协议,但是它们为非客
户端。
通过点号来分割用户类型和用户名,格式为 TYPE.ID,例如 client.admin。
cephadm@ceph-deploy:~/ceph-cluster$ cat /etc/ceph/ceph.client.admin.keyring
[client.admin]
key = AQBPJB1hZHLVNxAAIhqbu3v2WhCx+qHnIeWmlQ==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
查看用户清单与权限示例
root@ceph-node1:~# ceph auth ls
osd.0
key: AQDRLB1hG+qjLxAAD6bKt1JczVWDr+2EdLnzMw==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.1
key: AQDgLB1hcmQiDxAACxqF3xkbpH99acyN0SkfGA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.2
key: AQD0LB1hvr31MhAAjI+t/wpD2F7dfCmmK4ad5A==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.3
key: AQACLR1ht4IlHxAAt/7oQ+sEYCIIAsSiT5ZViA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.5
key: AQAgLR1h8HNUJxAADNZJUFS/kTWH3JKWnv1rAA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
client.admin
key: AQBPJB1hZHLVNxAAIhqbu3v2WhCx+qHnIeWmlQ==
caps: [mds] allow *
caps: [mgr] allow *
caps: [mon] allow *
caps: [osd] allow *
client.bootstrap-mds
key: AQBPJB1hPczVNxAAZaXZPI8r+JVS/QNlMB4qNA==
caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
key: AQBPJB1hPwHWNxAAxmjhSxNbyHMiOuRWGKvz9w==
caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
key: AQBPJB1h8y3WNxAAT2Bsj68aaixBqEwzDHREXA==
caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
key: AQBPJB1hIVrWNxAAHl823bH7IMbrwH8CEoEXeA==
caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rbd-mirror
key: AQBPJB1hO4nWNxAAQJ22cxDUjUnD74yZjBdkHw==
caps: [mon] allow profile bootstrap-rbd-mirror
client.bootstrap-rgw
key: AQBPJB1h9LXWNxAA37tJ+CbanpqZbuozYSNyzw==
caps: [mon] allow profile bootstrap-rgw
mgr.ceph-node1
key: AQB8Jh1hrCL5JRAAQ8z12m5fybY+m5crWB9B0w==
caps: [mds] allow *
caps: [mon] allow profile mgr
caps: [osd] allow *
mgr.ceph-node2
key: AQAcMx1hZNR/ExAAYxzUcQKfA50nWAt0o+O2JQ==
caps: [mds] allow *
caps: [mon] allow profile mgr
caps: [osd] allow *
installed auth entries:
授权类型
allow:在守护进程进行访问设置之前就已经具有特定权限,常见于管理员和守护进程用户。
r:授予用户读的权限,读取集群各个组件(MON/OSD/MDS/CRUSH/PG)的状态,但是不能修改。
w:授予用户写对象的权限,与 r 配合使用,修改集群的各个组件的状态,可以执行组件的各个动作指令。
x:授予用户调用类方法的能力,仅仅和 ceph auth 操作相关。
class-read:授予用户调用类读取方法的能力,是 x 的子集。
class-write:授予用户调用类写入方法的能力,是 x 的子集。
*:授予用户 rwx 权限。
profile osd:授权用户以 OSD 身份连接到其它 OSD 或 MON,使得 OSD 能够处理副本心跳和状态汇报。
profile mds:授权用户以 MDS 身份连接其它 MDS 或 MON。
profile bootstrap-osd:授权用户引导 OSD 守护进程的能力,通常授予部署工具(e.g. ceph-deploy),让它们在引导 OSD 时就有增加密钥的权限了。
profile bootstrap-mds:授权用户引导 MDS 守护进程的能力。同上。
用户管理常规操作
Ceph 用户管理指令 auth:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth --help
...
auth add <entity> [<caps>...] add auth info for <entity> from input file, or random key if no input is given, and/or any
caps specified in the command
auth caps <entity> <caps>... update caps for <name> from caps specified in the command
auth export [<entity>] write keyring for requested entity, or master keyring if none given
auth get <entity> write keyring file with requested key
auth get-key <entity> display requested key
auth get-or-create <entity> [<caps>...] add auth info for <entity> from input file, or random key if no input given, and/or any caps
specified in the command
auth get-or-create-key <entity> [<caps>...] get, or add, key for <name> from system/caps pairs specified in the command. If key already
exists, any given caps must match the existing caps for that key.
auth import auth import: read keyring file from -i <file>
auth ls list authentication state
auth print-key <entity> display requested key
auth print_key <entity> display requested key
auth rm <entity> remove all caps for <name>
Monitor能力:
包括r/w/x和profile {name}
mon 'allow {access-spec} [network {network/prefix}]'
mon 'profile {name}'
例如:mon 'allow rwx' mon 'allow profile osd'
OSD能力:
包括r、w、x、class-read、class-write(类读取))和profileosd(类写入),另外OSD能力还允许进行存储池和名称空间设置。
osd 'allowc apability' [pool=poolname] [namespace=namespace-name]
MGR能力:
mgr 'allow rwx'
MDS能力:
只需要allow或空都表示允许。
mds 'allow'
获取指定用户的权限信息:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.admin
[client.admin]
key = AQBPJB1hZHLVNxAAIhqbu3v2WhCx+qHnIeWmlQ==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
exported keyring for client.admin
可以结合使用-o 文件名选项和ceph auth list将输出保存到某个文件。
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth ls -o ceph.key
installed auth entries:
新建用户:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth add client.pop mon 'allow r' osd 'allow rwx pool=popool'
added key for client.pop
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.pop
[client.pop]
key = AQCHBylhqe18MBAAiWjVeYoNoQozvSt0g/xTgQ==
caps mon = "allow r"
caps osd = "allow rwx pool=popool"
exported keyring for client.pop
get-or-create:
ceph auth get-or-create
此命令是创建用户较为常见的方式之一,它会返回包含用户名(在方括号中)和密钥的密钥文,如果该用户已存在,此命令只以密钥文件格式返回用户名和密钥,还可以使用 -o 指定文件名选项将输出保存到某个文件。
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create client.pop1 mon 'allow r' osd 'allow rwx pool=popool'
[client.pop1]
key = AQD7BylhZgNpGxAAOD0iSKYjcIWFPA/03AN33w==
get-or-create-key:
ceph auth get-or-create-key
此命令是创建用户并仅返回用户密钥,对于只需要密钥的客户端(例如 libvirt),此命令非 常有用。如果该用户已存在,此命令只返回密钥。您可以使用 -o 文件名选项将输出保存到 某个文件。 创建客户端用户时,可以创建不具有能力的用户。不具有能力的用户可以进行身份验证,但 不能执行其他操作,此类客户端无法从监视器检索集群地图,但是,如果希望稍后再添加能 力,可以使用 ceph auth caps 命令创建一个不具有能力的用户。 典型的用户至少对 Ceph monitor 具有读取功能,并对 Ceph OSD 具有读取和写入功能。此 外,用户的 OSD 权限通常限制为只能访问特定的存储池。
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create-key client.pop1 mon 'allow r' osd 'allow rwx pool=popool'
AQD7BylhZgNpGxAAOD0iSKYjcIWFPA/03AN33w==
print-key:
ceph auth print-key
只获取单个指定用户的key信息
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth print-key client.pop1
AQD7BylhZgNpGxAAOD0iSKYjcIWFPA/03AN33w==
caps:
使用 ceph auth caps 命令可以指定用户以及更改该用户的能力,设置新能力会完全覆盖当前的能力,因此要加上之前的用户已经拥有的能和新的能力,如果看当前能力,可以运行 ceph auth get USERTYPE.USERID,如果要添加能力,使用以下格式时还需要指定现有能力:
root # ceph auth caps USERTYPE.USERID daemon 'allow [r|w|x|*|...] \ [pool=pool-name] [namespace=namespace-name]' [daemon 'allow [r|w|x|*|...] \ [pool=pool-name] [namespace=namespace-name]']
查看当前用户权限:
cephadm@ceph-deploy:~/ceph-cluster$ ceph auth get client.pop1
[client.pop1]
key = AQD7BylhZgNpGxAAOD0iSKYjcIWFPA/03AN33w==
caps mon = "allow r"
caps osd = "allow rwx pool=popool"
exported keyring for client.pop1
更新用户权限:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth caps client.pop1 mon 'allow r' osd 'allow rw pool=popool'
updated caps for client.pop1
del:
ceph auth del
要删除用户使用ceph auth del TYPE.ID,其中TYPE是client、osd、mon或mds之一,ID是用户名或守护进程的 ID。
cephadm@ceph-deploy:~/ceph-cluster$ ceph auth del client.pop1
updated
3.5 秘钥环管理
ceph 的秘钥环是一个保存了 secrets、keys、certificates 并且能够让客户端通认证访问 ceph
的 keyring file(集合文件),一个 keyring file 可以保存一个或者多个认证信息,每一个 key 都
有一个实体名称加权限,类型为:
{client、mon、mds、osd}.name
当客户端访问 ceph 集群时,ceph 会使用以下四个密钥环文件预设置密钥环设置:
/etc/ceph/<$cluster name>.<user $type>.<user $id>.keyring #保存单个用户的 keyring
/etc/ceph/cluster.keyring #保存多个用户的 keyring
/etc/ceph/keyring #未定义集群名称的多个用户的 keyring
/etc/ceph/keyring.bin #编译后的二进制文
3.5.1 通过秘钥环文件备份与恢复用户
使用 ceph auth add 等命令添加的用户还需要额外使用 ceph-authtool 命令为其创建用户秘钥
环文件。
创建 keyring 文件命令格式:
ceph-authtool --create-keyring FILE
导出用户认证信息至 keyring 文件:
1. 创建用户
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get-or-create client.user mon 'allow r' osd 'allow * pool=popool'
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
cephadm@ceph-deploy:~/ceph-cluster$ ceph auth get client.user
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
exported keyring for client.user
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool --create-keyring ceph.client.user.keyring
creating ceph.client.user.keyring
cephadm@ceph-deploy:~/ceph-cluster$ file ceph.client.user.keyring
ceph.client.user.keyring: empty
2. 导出keyring到指定文件
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.user -o ceph.client.user.keyring
exported keyring for client.user
cephadm@ceph-deploy:~/ceph-cluster$ cat ceph.client.user.keyring
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
在创建包含单个用户的密钥环时,通常建议使用ceph集群名称、用户类型和用户名及keyring来命名,并将其保存在/etc/ceph目录中。例如为client.user用户创建ceph.client.user1.keyring。
从keyring文件恢复用户认证信息:
可以使用ceph auth import -i 指定keyring文件并导入到ceph:
cephadm@ceph-deploy:~/ceph-cluster$ cat ceph.client.user.keyring
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
cephadm@ceph-deploy:~/ceph-cluster$ cat ceph.client.user.keyring
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth del client.user
updated
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.user
Error ENOENT: failed to find client.user in keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth import -i ceph.client.user.keyring
imported keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.user
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
exported keyring for client.user
密钥环文件多用户:一个keyring文件中可以包含多个不同用户的认证文件。
将多用户导出至密钥环:
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool --create-keyring ceph.client.popuser.keyring
creating ceph.client.popuser.keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool ./ceph.client.popuser.keyring --import-keyring ./ceph.client.admin.keyring
importing contents of ./ceph.client.admin.keyring into ./ceph.client.popuser.keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool -l ./ceph.client.popuser.keyring
[client.admin]
key = AQBPJB1hZHLVNxAAIhqbu3v2WhCx+qHnIeWmlQ==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool ./ceph.client.popuser.keyring --import-keyring ./ceph.client.user.keyring
importing contents of ./ceph.client.user.keyring into ./ceph.client.popuser.keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool -l ./ceph.client.popuser.keyring
[client.admin]
key = AQBPJB1hZHLVNxAAIhqbu3v2WhCx+qHnIeWmlQ==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
[client.user]
key = AQDNDilhhQpbGxAAZHhZdt8W8TIII11/po8Unw==
caps mon = "allow r"
caps osd = "allow * pool=popool"
4. 块设备RBD
RBD(RADOS Block Devices)即为块存储的一种,RBD 通过 librbd 库与 OSD 进行交互,RBD 为 KVM 等虚拟化技术和云服务(如 OpenStack 和 CloudStack)提供高性能和无限可扩展 性的存储后端,这些系统依赖于 libvirt 和 QEMU 实用程序与 RBD 进行集成,客户端基于 librbd 库即可将 RADOS 存储集群用作块设备,不过,用于 rbd 的存储池需要事先启用 rbd 功能并进行初始化。例如,下面的命令创建一个名为 poprbd1 的存储池,并在启用 rbd 功能 后对其进行初始化
image.png
4.1 创建RBD
创建一个名为poprbd1的存储池,并在启用rbd功能后对其进行初始化:
创建存储池
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool create poprbd1 64 64
pool 'poprbd1' created
开启rbd功能
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool application enable poprbd1 rbd
enabled application 'rbd' on pool 'poprbd1'
初始化
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd pool init -p poprbd1
4.2 创建img
rbd存储池不能直接用于块设备,需要事先在其中按需创建映像(image),并把映像文件作为块设备使用,rbd命令可用于创建、查看及删除块设备上在的映像(image),以及克隆映像、创建快照、将映像回滚到快照和查看快照等管理操作。
创建名为popimg1和popimg2的映像:
创建img
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd create popimg1 --size 5G --pool poprbd1
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd create popimg2 --size 3G --pool poprbd1 --image-format 2 --image-feature layering
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd ls --pool poprbd1
popimg1
popimg2
# 后续步骤会使用popimg2 ,由于centos系统内核较低无法挂载使用,因此只开启部分特性。除了layering其他特性需要高版本内核支持
查看信息
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd --image popimg1 --pool poprbd1 info
rbd image 'popimg1':
size 5 GiB in 1280 objects
order 22 (4 MiB objects)
snapshot_count: 0
id: 3742307b82eb
block_name_prefix: rbd_data.3742307b82eb
format: 2
features: layering, exclusive-lock, object-map, fast-diff, deep-flatten
op_features:
flags:
create_timestamp: Thu Aug 19 00:34:26 2021
access_timestamp: Thu Aug 19 00:34:26 2021
modify_timestamp: Thu Aug 19 00:34:26 2021
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd --image popimg2 --pool poprbd1 info
rbd image 'popimg2':
size 3 GiB in 768 objects
order 22 (4 MiB objects)
snapshot_count: 0
id: 3745f86a8d86
block_name_prefix: rbd_data.3745f86a8d86
format: 2
features: layering
op_features:
flags:
create_timestamp: Thu Aug 19 00:34:46 2021
access_timestamp: Thu Aug 19 00:34:46 2021
modify_timestamp: Thu Aug 19 00:34:46 2021
4.3 客户端使用存储
查看ceph存储状态
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph df
--- RAW STORAGE ---
CLASS SIZE AVAIL USED RAW USED %RAW USED
hdd 100 GiB 100 GiB 79 MiB 79 MiB 0.08
TOTAL 100 GiB 100 GiB 79 MiB 79 MiB 0.08
--- POOLS ---
POOL ID PGS STORED OBJECTS USED %USED MAX AVAIL
device_health_metrics 1 1 0 B 0 0 B 0 32 GiB
popool 2 32 0 B 0 0 B 0 32 GiB
poprbd1 3 64 405 B 7 48 KiB 0 32 GiB
安装client端Python2
$ sudo apt install python2.7 -y
$ sudo ln -sv /usr/bin/python2.7 /usr/bin/python2
设置yum源和ceph源
$ sudo cat <<"EOF">/etc/apt/sources.list
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
EOF
$ wget -q -O- 'https://mirrors.tuna.tsinghua.edu.cn/ceph/keys/release.asc' | sudo apt-key add -
$ sudo apt-add-repository 'deb https://mirrors.aliyun.com/ceph/debian-pacific/ bionic main'
$ sudo apt update
给ceph-client创建个用户挂载
从ceph-deploy安装ceph并同步认证信息
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy install --no-adjust-repos --nogpgcheck root@192.168.1.120
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy admin root@192.168.1.120
cephadm@ceph-deploy:~/ceph-cluster$ sudo ssh root@ceph-client 'sudo apt install acl -y && sudo setfacl -m u:ceph:rw /etc/ceph/ceph.client.admin.keyring'
客户端映射
cephadm@ceph-deploy:~/ceph-cluster$ sudo ssh root@ceph-client
root@ceph-client:~# sudo rbd -p poprbd1 map popimg2
/dev/rbd0
root@ceph-client:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 120G 0 disk
└─sda1 8:1 0 120G 0 part /
sr0 11:0 1 1024M 0 rom
rbd0 252:0 0 3G 0 disk
root@ceph-client:~# sudo fdisk -l /dev/rbd0
Disk /dev/rbd0: 3 GiB, 3221225472 bytes, 6291456 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4194304 bytes / 4194304 bytes
格式化并挂载
root@ceph-client:~# sudo mkfs.ext4 -m0 /dev/rbd0
root@ceph-client:~# sudo mkdir /data
root@ceph-client:~# sudo mount /dev/rbd0 /data/
root@ceph-client:~# sudo cp /var/log/lastlog /data
root@ceph-client:~# sudo df -h
Filesystem Size Used Avail Use% Mounted on
udev 451M 0 451M 0% /dev
tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 120G 5.6G 115G 5% /
tmpfs 482M 0 482M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 2.9G 9.1M 2.9G 1% /data
上传文件测试
root@ceph-client:~# sudo dd if=/dev/zero of=/data/ceph-test-file bs=1MB count=100
100+0 records in
100+0 records out
100000000 bytes (100 MB, 95 MiB) copied, 0.0620529 s, 1.6 GB/s
root@ceph-client:~# df -h
Filesystem Size Used Avail Use% Mounted on
udev 451M 0 451M 0% /dev
tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 120G 5.6G 115G 5% /
tmpfs 482M 0 482M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 2.9G 105M 2.8G 4% /data
root@ceph-client:~# ll -h /data/
total 96M
drwxr-xr-x 3 root root 4.0K Aug 19 01:05 ./
drwxr-xr-x 23 root root 4.0K Aug 19 01:04 ../
-rw-r--r-- 1 root root 96M Aug 19 01:05 ceph-test-file
-rw-r--r-- 1 root root 18M Aug 19 01:04 lastlog
drwx------ 2 root root 16K Aug 19 01:04 lost+found/
root@ceph-client:~# sudo ceph df
--- RAW STORAGE ---
CLASS SIZE AVAIL USED RAW USED %RAW USED
hdd 100 GiB 99 GiB 1.0 GiB 1.0 GiB 1.02
TOTAL 100 GiB 99 GiB 1.0 GiB 1.0 GiB 1.02
--- POOLS ---
POOL ID PGS STORED OBJECTS USED %USED MAX AVAIL
device_health_metrics 1 1 0 B 0 0 B 0 31 GiB
popool 2 32 0 B 0 0 B 0 31 GiB
poprbd1 3 64 161 MiB 56 483 MiB 0.50 31 GiB
4.4 客户端使用普通帐号挂载并使用rbd
4.4.1 创建普通帐号并授权
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth add client.mart mon 'allow r' osd 'allow rwx pool=poprbd1'
added key for client.mart
# 验证用户信息
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.mart
[client.mart]
key = AQBxFSlh42klJxAABcLoxydyEj/QseZyec4FgQ==
caps mon = "allow r"
caps osd = "allow rwx pool=poprbd1"
exported keyring for client.mart
# 创建用keyring文件
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool --create-keyring ceph.client.mart.keyring
creating ceph.client.mart.keyring
# 导出用户keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.mart -o ceph.client.mart.keyring
exported keyring for client.mart
# 验证指定用户的 keyring 文件
cephadm@ceph-deploy:~/ceph-cluster$ sudo cat ceph.client.mart.keyring
[client.mart]
key = AQBxFSlh42klJxAABcLoxydyEj/QseZyec4FgQ==
caps mon = "allow r"
caps osd = "allow rwx pool=poprbd1"
4.4.2 同步普通用户认证文件
cephadm@ceph-deploy:~/ceph-cluster$ sudo scp ceph.conf ceph.client.mart.keyring root@ceph-client:/etc/ceph/
root@ceph-client's password:
ceph.conf 100% 264 19.2KB/s 00:00
ceph.client.mart.keyring 100% 121 33.4KB/s 00:00
4.4.3 在客户端验证权限
root@ceph-client:~# cd /etc/ceph/
root@ceph-client:/etc/ceph# ls
ceph.client.admin.keyring ceph.client.mart.keyring ceph.conf rbdmap tmpmvGMT3
root@ceph-client:/etc/ceph# ceph --user mart -s
cluster:
id: 06d842e1-95c5-442d-b7fe-618050963147
health: HEALTH_OK
services:
mon: 3 daemons, quorum ceph-node1,ceph-node2,ceph-node3 (age 105m)
mgr: ceph-node1(active, since 104m), standbys: ceph-node2
osd: 5 osds: 5 up (since 104m), 5 in (since 9d)
data:
pools: 3 pools, 97 pgs
objects: 56 objects, 173 MiB
usage: 586 MiB used, 99 GiB / 100 GiB avail
pgs: 97 active+clean
4.4.4 映射 rbd
root@ceph-client:/etc/ceph# rbd --user mart -p poprbd1 map popimg2
/dev/rbd0
rbd: --user is deprecated, use --id
root@ceph-client:/etc/ceph# fdisk -l /dev/rbd0
Disk /dev/rbd0: 3 GiB, 3221225472 bytes, 6291456 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4194304 bytes / 4194304 bytes
4.4.5 格式化并使用 rbd 镜像
root@ceph-client:/etc/ceph# mkfs.ext4 /dev/rbd0
mke2fs 1.44.1 (24-Mar-2018)
/dev/rbd0 contains a ext4 file system
last mounted on /data on Thu Aug 19 01:04:46 2021
Proceed anyway? (y,N) y
Discarding device blocks: done
Creating filesystem with 786432 4k blocks and 196608 inodes
Filesystem UUID: 0c99e3b3-5b03-49a7-a3b6-b3ffb77fc2a9
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
root@ceph-client:/etc/ceph# mkdir /data
root@ceph-client:/etc/ceph# mount /dev/rbd0 /data/
root@ceph-client:/etc/ceph# cp /var/log/syslog /data/
root@ceph-client:/etc/ceph# ll /data/
total 6004
drwxr-xr-x 3 root root 4096 Aug 28 00:52 ./
drwxr-xr-x 23 root root 4096 Aug 19 01:04 ../
drwx------ 2 root root 16384 Aug 28 00:51 lost+found/
-rw-r----- 1 root root 6122402 Aug 28 00:52 syslog
root@ceph-client:/etc/ceph# df -Th
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 451M 0 451M 0% /dev
tmpfs tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 xfs 120G 5.6G 115G 5% /
tmpfs tmpfs 482M 0 482M 0% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 ext4 2.9G 15M 2.8G 1% /data
# 管理端验证镜像状态
root@ceph-client:/etc/ceph# rbd ls -p poprbd1 -l
NAME SIZE PARENT FMT PROT LOCK
popimg1 5 GiB 2
popimg2 3 GiB 2
4.4.6 验证 ceph 内核模块
挂载 rbd 之后系统内核会自动加载 libceph.ko 模块
root@ceph-client:/etc/ceph# lsmod |grep ceph
libceph 315392 1 rbd
libcrc32c 16384 3 xfs,raid456,libceph
root@ceph-client:/etc/ceph# modinfo libceph
filename: /lib/modules/4.15.0-130-generic/kernel/net/ceph/libceph.ko
license: GPL
description: Ceph core library
author: Patience Warnick <patience@newdream.net>
author: Yehuda Sadeh <yehuda@hq.newdream.net>
author: Sage Weil <sage@newdream.net>
srcversion: 89A5EF37D4AA2C7E073D35B
depends: libcrc32c
retpoline: Y
intree: Y
name: libceph
vermagic: 4.15.0-130-generic SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
4.4.7 拉伸rbd镜像空间
可以扩展空间,不建议缩小空间
# rbd 镜像空间拉伸命令
cephadm@ceph-deploy:~/ceph-cluster$ rbd help resize
usage: rbd resize [--pool <pool>] [--namespace <namespace>]
[--image <image>] --size <size> [--allow-shrink]
[--no-progress]
<image-spec>
# 命令操作
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd resize --pool poprbd1 --image popimg2 --size 8G
Resizing image: 100% complete...done.
cephadm@ceph-deploy:~/ceph-cluster$ rbd ls -p poprbd1 -l
NAME SIZE PARENT FMT PROT LOCK
popimg1 5 GiB 2
popimg2 8 GiB 2
4.4.8 客户端验证镜像空间
root@ceph-client:/etc/ceph# fdisk -l /dev/rbd0
Disk /dev/rbd0: 8 GiB, 8589934592 bytes, 16777216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4194304 bytes / 4194304 bytes
4.4.9 设置开机自启
root@ceph-client:~# cat /etc/rc.local
rbd --user mart -p poprbd1 map popimg2
mount /dev/rbd0 /data/
root@ceph-client:~# chmod +x /etc/rc.local
root@ceph-client:~# reboot
# 查看映射
root@ceph-client:~# rbd showmapped
id pool namespace image snap device
0 poprbd1 popimg2 - /dev/rbd0
# 验证挂载
root@ceph-client:~# df -Th
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 451M 0 451M 0% /dev
tmpfs tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 xfs 120G 5.6G 115G 5% /
tmpfs tmpfs 482M 0 482M 0% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 ext4 2.9G 15M 2.8G 1% /data
4.4.10 卸载 rbd 镜像
root@ceph-client:~# umount /data
root@ceph-client:~# rbd --user mart -p poprbd1 unmap popimg2
root@ceph-client:~# rbd showmapped
4.4.11 删除 rbd 镜像
镜像删除后数据也会被删除而且是无法恢复,因此在执行删除操作的时候要慎重。
cephadm@ceph-deploy:~/ceph-cluster$ rbd help rm
usage: rbd rm [--pool <pool>] [--namespace <namespace>] [--image <image>]
[--no-progress]
<image-spec>
# 删除存储池 poprbd1 中的 popimg2
cephadm@ceph-deploy:~/ceph-cluster$ rbd rm --pool poprbd1 --image popimg2
Removing image: 100% complete...done.
4.4.12 rbd 镜像回收站机制
删除的镜像数据无法恢复,但是还有另外一种方法可以先把镜像移动到回收站,后期确认删
除的时候再从回收站删除即可.
cephadm@ceph-deploy:~/ceph-cluster$ rbd help trash
status Show the status of this image.
trash list (trash ls) List trash images.
trash move (trash mv) Move an image to the trash.
trash purge Remove all expired images from trash.
trash purge schedule add Add trash purge schedule.
trash purge schedule list (... ls)
List trash purge schedule.
trash purge schedule remove (... rm)
Remove trash purge schedule.
trash purge schedule status Show trash purge schedule status.
trash remove (trash rm) Remove an image from trash.
trash restore Restore an image from trash.
watch Watch events on image.
# 查看镜像状态:
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd status --pool poprbd1 --image popimg1
Watchers: none
#将进行移动到回收站:
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd trash move --pool poprbd1 --image popimg1
# 查看回收站的镜像:
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd trash list --pool poprbd1
3742307b82eb popimg1
#从回收站删除镜像
如果镜像不再使用,可以直接使用 trash remove 将其从回收站删除
#还原镜像
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd trash restore --pool poprbd1 --image popimg1
--image-id 3742307b82eb
# 验证镜像
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd ls --pool poprbd1 -l
NAME SIZE PARENT FMT PROT LOCK
popimg1 5 GiB 2
4.5 镜像快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd help snap
snap create (snap add) #创建快照
snap limit clear #清除镜像的快照数量限制
snap limit set #设置一个镜像的快照上限
snap list (snap ls) #列出快照
snap protect #保护快照被删除
snap purge #删除所有未保护的快照
snap remove (snap rm) #删除一个快照
snap rename #重命名快照
snap rollback (snap revert) #还原快照
snap unprotect #允许一个快照被删除(取消快照保护)
4.5.1 客户端当前数据
root@ceph-client:~# df -Th
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 451M 0 451M 0% /dev
tmpfs tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 xfs 120G 5.6G 115G 5% /
tmpfs tmpfs 482M 0 482M 0% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 ext4 2.9G 9.0M 2.8G 1% /data
root@ceph-client:~# cp /var/log/syslog /data/
root@ceph-client:~# cp /etc/passwd /data/
root@ceph-client:~# ll /data/
total 6012
drwxr-xr-x 3 root root 4096 Aug 28 01:25 ./
drwxr-xr-x 23 root root 4096 Aug 19 01:04 ../
drwx------ 2 root root 16384 Aug 28 01:24 lost+found/
-rw-r--r-- 1 root root 1630 Aug 28 01:25 passwd
-rw-r----- 1 root root 6125585 Aug 28 01:24 syslog
4.5.2 创建并验证快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd help snap create
usage: rbd snap create [--pool <pool>] [--namespace <namespace>]
[--image <image>] [--snap <snap>] [--skip-quiesce]
[--ignore-quiesce-error] [--no-progress]
<snap-spec>
# 创建快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap create --pool poprbd1 --image popimg2 --snap img2-snap-2020828
Creating snap: 100% complete...done.
#验证快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap list --pool poprbd1 --image popimg2 SNAPID NAME SIZE PROTECTED TIMESTAMP
4 img2-snap-2020828 3 GiB Sat Aug 28 01:27:18 2021
4.5.3 :删除数据并还原快照
# 客户端删除数据
root@ceph-client:~# rm -fr /data/passwd
# 验证数据
root@ceph-client:~# ll /data/
total 6008
drwxr-xr-x 3 root root 4096 Aug 28 01:28 ./
drwxr-xr-x 23 root root 4096 Aug 19 01:04 ../
drwx------ 2 root root 16384 Aug 28 01:24 lost+found/
-rw-r----- 1 root root 6125585 Aug 28 01:24 syslog
# 卸载 rbd
root@ceph-client:~# umount /data
root@ceph-client:~# rbd unmap /dev/rbd0
# 回滚命令
cephadm@ceph-deploy:~/ceph-cluster$ rbd help snap rollback
usage: rbd snap rollback [--pool <pool>] [--namespace <namespace>]
[--image <image>] [--snap <snap>] [--no-progress]
<snap-spec>
# 回滚快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap rollback --pool poprbd1 --image popimg2 --snap img2-snap-2020828
Rolling back to snapshot: 100% complete...done.
4.5.4 客户端验证数据
客户端需要重新映射并挂载 rbd
root@ceph-client:~# umount /data
root@ceph-client:~# rbd unmap /dev/rbd0
root@ceph-client:~# rbd --user mart -p poprbd1 map popimg2
/dev/rbd0
root@ceph-client:~# mount /dev/rbd0 /data/
root@ceph-client:~# ll /data/
total 6012
drwxr-xr-x 3 root root 4096 Aug 28 01:25 ./
drwxr-xr-x 23 root root 4096 Aug 19 01:04 ../
drwx------ 2 root root 16384 Aug 28 01:24 lost+found/
-rw-r--r-- 1 root root 1630 Aug 28 01:25 passwd
-rw-r----- 1 root root 6125585 Aug 28 01:24 syslog
4.5.5 删除快照
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap remove --pool poprbd1 --image popimg2 --snap img2-snap-2020828
Removing snap: 100% complete...done.
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd list --pool poprbd1 --image popimg2
rbd: unrecognised option '--image'
4.5.6 快照数量限制
# 设置与修改快照数量限制
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap limit set --pool poprbd1 --image popimg2 --limit 30
# 清除快照数量限制
cephadm@ceph-deploy:~/ceph-cluster$ sudo rbd snap limit clear --pool poprbd1 --image popimg2
5. CephFS 文件系统
ceph FS 即 ceph filesystem,可以实现文件系统共享功能,客户端通过 ceph 协议挂载并使用
ceph 集群作为数据存储服务器。
Ceph FS 需要运行 Meta Data Services(MDS)服务,其守护进程为 ceph-mds,ceph-mds 进程管
理与 cephFS 上存储的文件相关的元数据,并协调对 ceph 存储集群的访问。
cephfs 的元数据使用的动态子树分区,把元数据划分名称空间对应到不同的 mds,写入元数据
的时候将元数据按照名称保存到不同主 mds 上,有点类似于 nginx 中的缓存目录分层一样
5.1 部署mds服务
cephadm@ceph-deploy:~/ceph-cluster$ ceph-deploy mds create ceph-node1
[ceph_deploy.conf][DEBUG ] found configuration file at: /home/cephadm/.cephdeploy.conf
[ceph_deploy.cli][INFO ] Invoked (2.0.1): /usr/bin/ceph-deploy mds create ceph-node1
[ceph_deploy.cli][INFO ] ceph-deploy options:
[ceph_deploy.cli][INFO ] username : None
[ceph_deploy.cli][INFO ] verbose : False
[ceph_deploy.cli][INFO ] overwrite_conf : False
[ceph_deploy.cli][INFO ] subcommand : create
[ceph_deploy.cli][INFO ] quiet : False
[ceph_deploy.cli][INFO ] cd_conf : <ceph_deploy.conf.cephdeploy.Conf instance at 0x7fb223105be0>
[ceph_deploy.cli][INFO ] cluster : ceph
[ceph_deploy.cli][INFO ] func : <function mds at 0x7fb2230e23d0>
[ceph_deploy.cli][INFO ] ceph_conf : None
[ceph_deploy.cli][INFO ] mds : [('ceph-node1', 'ceph-node1')]
[ceph_deploy.cli][INFO ] default_release : False
[ceph_deploy.mds][DEBUG ] Deploying mds, cluster ceph hosts ceph-node1:ceph-node1
[ceph-node1][DEBUG ] connection detected need for sudo
[ceph-node1][DEBUG ] connected to host: ceph-node1
[ceph-node1][DEBUG ] detect platform information from remote host
[ceph-node1][DEBUG ] detect machine type
[ceph_deploy.mds][INFO ] Distro info: Ubuntu 18.04 bionic
[ceph_deploy.mds][DEBUG ] remote host will use systemd
[ceph_deploy.mds][DEBUG ] deploying mds bootstrap to ceph-node1
[ceph-node1][DEBUG ] write cluster configuration to /etc/ceph/{cluster}.conf
[ceph-node1][WARNIN] mds keyring does not exist yet, creating one
[ceph-node1][DEBUG ] create a keyring file
[ceph-node1][DEBUG ] create path if it doesn't exist
[ceph-node1][INFO ] Running command: sudo ceph --cluster ceph --name client.bootstrap-mds --keyring /var/lib/ceph/bootstrap-mds/ceph.keyring auth get-or-create mds.ceph-node1 osd allow rwx mds allow mon allow profile mds -o /var/lib/ceph/mds/ceph-ceph-node1/keyring
[ceph-node1][INFO ] Running command: sudo systemctl enable ceph-mds@ceph-node1
[ceph-node1][WARNIN] Created symlink /etc/systemd/system/ceph-mds.target.wants/ceph-mds@ceph-node1.service → /lib/systemd/system/ceph-mds@.service.
[ceph-node1][INFO ] Running command: sudo systemctl start ceph-mds@ceph-node1
[ceph-node1][INFO ] Running command: sudo systemctl enable ceph.target
5.2 创建CephFS metadata和data存储池
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool create popcephfsmetadata 32 32
pool 'popcephfsmetadata' created
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool create popcephfsdata 64 64
pool 'popcephfsdata' created
cephadm@ceph-deploy:~/ceph-cluster$ ceph -s
cluster:
id: 06d842e1-95c5-442d-b7fe-618050963147
health: HEALTH_OK
services:
mon: 3 daemons, quorum ceph-node1,ceph-node2,ceph-node3 (age 2h)
mgr: ceph-node1(active, since 2h), standbys: ceph-node2
osd: 5 osds: 5 up (since 2h), 5 in (since 9d)
data:
pools: 5 pools, 193 pgs
objects: 34 objects, 83 MiB
usage: 779 MiB used, 99 GiB / 100 GiB avail
pgs: 193 active+clean
5.3 创建文件系统并验证
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool create popcephfsmetadata 32 32
pool 'popcephfsmetadata' created
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph osd pool create popcephfsdata 64 64
pool 'popcephfsdata' created
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs new popcephfs popcephfsmetadata popcephfsdata
new fs with metadata pool 4 and data pool 5
cephadm@ceph-deploy:~/ceph-cluster$ ceph fs status popcephfs
popcephfs - 0 clients
========
RANK STATE MDS ACTIVITY DNS INOS DIRS CAPS
0 active ceph-node1 Reqs: 0 /s 10 13 12 0
POOL TYPE USED AVAIL
popcephfsmetadata metadata 96.0k 31.2G
popcephfsdata data 0 31.2G
MDS version: ceph version 16.2.5 (0883bdea7337b95e4b611c768c0279868462204a) pacific (stable)
5.4 查看mds状态
cephadm@ceph-deploy:~/ceph-cluster$ ceph mds stat
ydcephfs:1 {0=ceph-node1=up:active}
5.5 创建普通帐号给客户端使用
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth add client.popfs mon 'allow r' mds 'allow rw' osd 'allow rwx pool=popcephfsdata'
added key for client.popfs
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.popfs
[client.popfs]
key = AQBZJSlhYMmEFRAARwoUYb3GC3xtwlPRsDF+zw==
caps mds = "allow rw"
caps mon = "allow r"
caps osd = "allow rwx pool=popcephfsdata"
exported keyring for client.popfs
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-authtool --create-keyring ceph.client.popfs.keyring
creating ceph.client.popfs.keyring
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth get client.popfs -o ceph.client.popfs.keyring
exported keyring for client.popfs
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph auth print-key client.popfs > popfs.key
cephadm@ceph-deploy:~/ceph-cluster$ cat ceph.client.popfs.keyring
[client.popfs]
key = AQBZJSlhYMmEFRAARwoUYb3GC3xtwlPRsDF+zw==
caps mds = "allow rw"
caps mon = "allow r"
caps osd = "allow rwx pool=popcephfsdata"
5.6 同步用户key和ceph.conf到客户端
cephadm@ceph-deploy:~/ceph-cluster$ sudo scp popfs.key ceph.client.popfs.keyring ceph.conf root@ceph-client:/etc/ceph/
root@ceph-client's password:
popfs.key 100% 40 13.3KB/s 00:00
ceph.client.popfs.keyring 100% 151 82.6KB/s 00:00
ceph.conf 100% 264 216.2KB/s 00:00
5.7 客户端验证
root@ceph-client:~# ceph --id popfs -s
cluster:
id: 06d842e1-95c5-442d-b7fe-618050963147
health: HEALTH_OK
services:
mon: 3 daemons, quorum ceph-node1,ceph-node2,ceph-node3 (age 2h)
mgr: ceph-node1(active, since 2h), standbys: ceph-node2
mds: 1/1 daemons up
osd: 5 osds: 5 up (since 2h), 5 in (since 9d)
data:
volumes: 1/1 healthy
pools: 5 pools, 193 pgs
objects: 56 objects, 83 MiB
usage: 780 MiB used, 99 GiB / 100 GiB avail
pgs: 193 active+clean
5.8 内核空间挂载
root@ceph-client:~# mount -t ceph 172.16.1.100:6789,172.16.1.101:6789,172.16.1.102:6789:/ /datafs -o name=popfs,secretfile=/etc/ceph/popfs.key
root@ceph-client:~# df -Th
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 451M 0 451M 0% /dev
tmpfs tmpfs 97M 9.3M 87M 10% /run
/dev/sda1 xfs 120G 5.6G 115G 5% /
tmpfs tmpfs 482M 0 482M 0% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs tmpfs 482M 0 482M 0% /sys/fs/cgroup
tmpfs tmpfs 97M 0 97M 0% /run/user/0
/dev/rbd0 ext4 2.9G 15M 2.8G 1% /data
172.16.1.100:6789,172.16.1.101:6789,172.16.1.102:6789:/ ceph 32G 0 32G 0% /datafs
# 测试cephfs读写
root@ceph-client:~# cp /var/log/auth.log /datafs/
root@ceph-client:~# dd if=/dev/zero of=/datafs/testfile bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.245453 s, 427 MB/s
6. MDS高可用
6.1 服务器添加
cephadm@ceph-deploy:~/ceph-cluster$ ceph-deploy mds create ceph-node2
cephadm@ceph-deploy:~/ceph-cluster$ ceph-deploy mds create ceph-node3
6.2 mds集群状态查询
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph mds stat
ydcephfs:1 {0=ceph-node1=up:active} 2 up:standby
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs status
popcephfs - 1 clients
========
RANK STATE MDS ACTIVITY DNS INOS DIRS CAPS
0 active ceph-node1 Reqs: 0 /s 12 15 12 3
POOL TYPE USED AVAIL
popcephfsmetadata metadata 156k 30.9G
popcephfsdata data 300M 30.9G
STANDBY MDS
ceph-node2
ceph-node3
MDS version: ceph version 16.2.5 (0883bdea7337b95e4b611c768c0279868462204a) pacific (stable)
6.3 查看当前文件系统状态
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs get popcephfs
Filesystem 'popcephfs' (1)
fs_name popcephfs
epoch 4
flags 12
created 2021-08-28T01:42:25.994733+0800
modified 2021-08-28T01:42:27.000780+0800
tableserver 0
root 0
session_timeout 60
session_autoclose 300
max_file_size 1099511627776
required_client_features {}
last_failure 0
last_failure_osd_epoch 0
compat compat={},rocompat={},incompat={1=base v0.20,2=client writeable ranges,3=default file layouts on dirs,4=dir inode in separate object,5=mds uses versioned encoding,6=dirfrag is stored in omap,8=no anchor table,9=file layout v2,10=snaprealm v2}
max_mds 1
in 0
up {0=24720}
failed
damaged
stopped
data_pools [5]
metadata_pool 4
inline_data disabled
balancer
standby_count_wanted 1
[mds.ceph-node1{0:24720} state up:active seq 50 addr [v2:172.16.1.100:6810/3437198129,v1:172.16.1.100:6811/3437198129]]
6.4 设置处于激活状态mds的数量
目前三个mds服务器,但是有一个主二个备,可以优化一下部署架构,设置为两主一备。
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs set popcephfs max_mds 2
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs status
popcephfs - 1 clients
========
RANK STATE MDS ACTIVITY DNS INOS DIRS CAPS
0 active ceph-node1 Reqs: 0 /s 12 15 12 3
1 active ceph-node3 Reqs: 0 /s 10 13 11 0
POOL TYPE USED AVAIL
popcephfsmetadata metadata 228k 30.9G
popcephfsdata data 300M 30.9G
STANDBY MDS
ceph-node2
MDS version: ceph version 16.2.5 (0883bdea7337b95e4b611c768c0279868462204a) pacific (stable)
6.5 高可用优化
MDS高可用优化: 目前的状态是ceph-node1和ceph-node3分别是active状态,ceph-node2处于standby状态,现在可以将ceph-node2设置为ceph-node1的standby,如果有多的机器话再增加一台mds服务将该服务器设置为ceph-node3的standby,以实现每个主都有一个固定备份角色的结构,则修改配置文件如下:
cephadm@ceph-deploy:~/ceph-cluster$ cat ceph.conf
[global]
fsid = 06d842e1-95c5-442d-b7fe-618050963147
public_network = 172.16.1.0/24
cluster_network = 192.168.1.0/24
mon_initial_members = ceph-node1
mon_host = 172.16.1.100
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[mds.ceph-node1]
mds_standby_for_name = ceph-node2
mds_standby_replay = true
[mds.ceph-nodex]
mds_standby_for_name = ceph-node3
mds_standby_replay = true
6.6 先各个节点分发配置文件
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy --overwrite-conf config push ceph-node1
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy --overwrite-conf config push ceph-node2
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy --overwrite-conf config push ceph-node3
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph-deploy --overwrite-conf config push ceph-nodex
重启服务
cephyd@ceph-deploy:~/ceph-cluster$ sudo ssh ceph-node1 'sudo systemctl restart ceph-mds@ceph-node1.service'
cephyd@ceph-deploy:~/ceph-cluster$ sudo ssh ceph-node2 'sudo systemctl restart ceph-mds@ceph-node2.service'
cephyd@ceph-deploy:~/ceph-cluster$ sudo ssh ceph-node3 'sudo systemctl restart ceph-mds@ceph-node3.service'
cephyd@ceph-deploy:~/ceph-cluster$ sudo ssh ceph-node4 'sudo systemctl restart ceph-mds@ceph-nodex.service'
6.7 查mds集群状态
cephadm@ceph-deploy:~/ceph-cluster$ sudo ceph fs status
popcephfs - 1 clients
========
RANK STATE MDS ACTIVITY DNS INOS DIRS CAPS
0 active ceph-node1 Reqs: 0 /s 12 15 12 1
1 active ceph-node2 Reqs: 0 /s 10 13 11 0
POOL TYPE USED AVAIL
popcephfsmetadata metadata 228k 30.9G
popcephfsdata data 300M 30.9G
STANDBY MDS
ceph-node3
MDS version: ceph version 16.2.5 (0883bdea7337b95e4b611c768c0279868462204a) pacific (stable)
