Epidemiology & Technology

Ceph Keyring Locations on Proxmox

Reference CephFS documentation


Ceph FS architecture
CephFS Structure

Standard CephFS commands

ceph fs ls
ceph mds stat

ceph health
ceph df
ceph auth ls


To restrict clients to only mount and work within a certain directory, use path-based MDS authentication capabilities.

For example, to restrict the MDS daemon to write metadata only to a particular directory, specify that directory while creating the client capabilities.

The following example command restricts the MDS to write metadata only to the /home/cephfs/ directory. It also restricts the CephFS client 'user1' to read and write operations within the cephfs pool:

ceph auth get client.admin

ceph auth get-or-create client.user1 mon 'allow r' mds 'allow r, allow rw path=/mnt/pve/cephfs' osd 'allow rw pool=cephfs'
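
To check which client entities actually carry scoped capabilities, the keyring-format text printed by `ceph auth get` can be audited. This is an added example, not part of the original post; the function names, the `client.backup` entity and the sample keyring are constructed for illustration, and the check is a coarse per-cap string match.

```shell
# Flag client.* entities whose caps are wildcard or lack a path/pool scope.
# Input: keyring-format text (the format `ceph auth get` prints).
audit_client_caps() {
    awk '
    /^\[/ { entity = substr($0, 2, index($0, "]") - 2); next }
    entity ~ /^client\./ && $1 == "caps" {
        svc = $2
        val = $0
        sub(/^[^"]*"/, "", val)      # drop everything up to the opening quote
        sub(/"[^"]*$/, "", val)      # drop the closing quote
        why = ""
        if (val ~ /allow \*/)
            why = "wildcard"
        else if (svc == "mds" && val ~ /rw/ && val !~ /path=/)
            why = "rw without path="
        else if (svc == "osd" && val ~ /rw/ && val !~ /pool=|tag /)
            why = "rw without pool/tag scope"
        if (why != "") printf "%s %s: %s\n", entity, svc, why
    }' "$1"
}

# Constructed sample; keys are placeholders, not real cephx keys.
sample_keyring() {
    cat <<'EOF'
[client.admin]
    key = CONSTRUCTED-PLACEHOLDER-KEY==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[client.user1]
    caps mds = "allow r, allow rw path=/mnt/pve/cephfs"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs"
[client.backup]
    caps mds = "allow rw"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs"
[mds.hp0XXXX]
    caps mds = "allow"
    caps osd = "allow rwx"
EOF
}

tmp=$(mktemp)
sample_keyring > "$tmp"
audit_client_caps "$tmp"
rm -f "$tmp"
```

Daemon entities such as `mds.*` are skipped on purpose; only `client.*` sections are reported.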

Location of cephfs folder

MDS1,MDS2,MDS3,MDS4:/  360G     0  360G   0% /mnt/pve/cephfs

root@hp0XXXX:~# mkdir /mnt/pve/cephfs/phy_backups

root@hp0XXXX:~# tree /mnt/pve/cephfs/
├── dump
├── phy_backups
└── template
    ├── cache
    └── iso

Set a file size limit on the shared folder


Note – If you want to set user quotas on a directory, use ceph-fuse when mounting. So far it's the only way I've been able to get quotas to work.

setfattr -n ceph.quota.max_bytes -v 107300000000 /mnt/pve/cephfs/phy_backups

Location of keyring Files in Proxmox

root@hp0XXXX:~# cat /etc/pve/ceph.conf 
         auth_client_required = cephx
         auth_cluster_required = cephx
         auth_service_required = cephx
         cluster_network = 192.168.yy.xx/24
         fsid = 09fc106c-xxxx-xxxx-xxx-xxxxxxxxxxxxxxxxx
         mon_allow_pool_delete = true
         mon_host = 192.168.yy.xx1 192.168.yy.xx2 192.168.yy.xx3 192.168.yy.xx4
         osd_pool_default_min_size = 2
         osd_pool_default_size = 3
         public_network = 192.168.yy.zz/24

         keyring = /etc/pve/priv/$cluster.$name.keyring

         keyring = /var/lib/ceph/mds/ceph-$id/keyring

         host = dell04
         mds_standby_for_name = pve

         host = hp0105blade07duplicate
         mds standby for name = pve

         host = dell07
         mds_standby_for_name = pve

root@hp0XXXX:~#  tree /etc/pve/priv/
├── authkey.key
├── authorized_keys
├── ceph
│   ├── cephfs.secret
│   └── cephpool1.keyring
├── ceph.client.admin.keyring
├── ceph.mon.keyring
├── known_hosts
├── lock
│   ├── ha_agent_dellXXXX01_lock
│   ├── ha_agent_dellXXXX02_lock
│   ├── ha_agent_dellXXXX04_lock
│   ├── ha_agent_delXXXX10_lock
│   ├── ha_agent_hp0XXXX_lock
│   └── ha_manager_lock
├── pve-root-ca.key
├── pve-root-ca.srl
└── shadow.cfg

root@hp0XXXX:~# tree /var/lib/ceph/
├── bootstrap-mds
├── bootstrap-mgr
├── bootstrap-osd
│   └── ceph.keyring
├── bootstrap-rbd
├── bootstrap-rbd-mirror
├── bootstrap-rgw
├── crash
│   └── posted
├── mds
│   └── ceph-hp0XXXX
│       └── keyring
├── mgr
│   └── ceph-hp0XXXX
│       └── keyring
├── mon
│   └── ceph-hp0XXXX
│       ├── keyring
│       ├── kv_backend
│       ├── min_mon_release
│       └── store.db
│           ├── 078850.log
│           ├── 078852.sst
│           ├── CURRENT
│           ├── IDENTITY
│           ├── LOCK
│           ├── MANIFEST-072471
│           ├── OPTIONS-039000
│           └── OPTIONS-072474
├── osd
│   └── ceph-3
│       ├── block -> /dev/ceph-6a2068a6-XXXX-4461-9bb2-XXXXXX/osd-block-XXXXXXXfd55-XXXX-XXXXXX
│       ├── ceph_fsid
│       ├── fsid
│       ├── keyring
│       ├── ready
│       ├── type
│       └── whoami
└── tmp

Copying the Keyring file for admin

cat /etc/pve/priv/ceph.client.admin.keyring 
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"

Mount CephFS on client [https://www.suse.com/media/report/Discover_CephFS_Technical_Report.pdf]

On client Computer

sudo apt install ceph-common ceph-fuse

scp root@192.168.yy.yyy:/etc/pve/priv/ceph.client.admin.keyring .
sudo mkdir /etc/ceph
sudo touch /etc/ceph/admin.secret
# paste only the key value from the copied keyring into this file
sudo nano /etc/ceph/admin.secret

sudo mkdir /mnt/ceph_fs1

sudo mount -t ceph ceph_monitor1:6789:/ /mnt/ceph_fs1 -o name=admin,secretfile=/etc/ceph/admin.secret
# where /mnt/ceph_fs1 is the mount point, ceph_monitor1 is a monitor host for the Ceph cluster, admin is the user, and /etc/ceph/admin.secret is the secret key file.

sudo df -hT
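
The secret file used by `secretfile=` holds only the key value from a keyring. The following added example (not from the original post) extracts that value for one entity and writes it with owner-only permissions instead of using touch and an editor; the function names, file paths and sample keyring are constructed, and it assumes a keyring for the restricted `client.user1` created earlier.

```shell
# Write one entity's key from a keyring into a mount secret file (mode 600).
keyring_to_secret() {
    # usage: keyring_to_secret KEYRING ENTITY OUTFILE
    keyring=$1; entity=$2; out=$3
    key=$(awk -v want="[$entity]" '
        /^\[/ { in_sec = ($1 == want); next }
        in_sec && $1 == "key" && $2 == "=" { print $3; exit }
    ' "$keyring") || return 1
    if [ -z "$key" ]; then
        echo "no key for $entity in $keyring" >&2
        return 1
    fi
    # Create the file owner-only from the start, then tighten it again
    # in case OUTFILE already existed with wider permission bits.
    ( umask 077 && printf '%s\n' "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# Constructed sample keyring; keys are placeholders, not real cephx keys.
sample_keyring() {
    cat <<'EOF'
[client.admin]
    key = CONSTRUCTED-ADMIN-KEY==
    caps mds = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[client.user1]
    key = CONSTRUCTED-USER1-KEY==
    caps mds = "allow r, allow rw path=/mnt/pve/cephfs"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs"
EOF
}

demo_dir=$(mktemp -d)
sample_keyring > "$demo_dir/sample.keyring"
keyring_to_secret "$demo_dir/sample.keyring" client.user1 "$demo_dir/user1.secret"
ls -l "$demo_dir/user1.secret"
rm -rf "$demo_dir"
```

The mount command then takes `name=user1` and `secretfile=` pointing at the generated file.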

The monitor host is a system that holds a map of the underlying cluster. The CephFS client will obtain the CRUSH map from the monitor host and thus obtain the information necessary to interface with the cluster. The Ceph monitor host listens on port 6789 by default.

If your Ceph cluster has more than one monitor host, you can specify multiple monitors in the mount command. Use a comma-separated

sudo mount -t ceph ceph_monitor1,ceph_monitor2,ceph_monitor3:6789:/ /mnt/ceph_fs1 -o name=admin,secretfile=/etc/ceph/admin.secret


Specifying multiple monitors provides failover in case one monitor system is down.

Linux views CephFS as a regular filesystem, so you can use all the standard mounting techniques used with other Linux filesystems. For instance, you can add your CephFS filesystem to the /etc/fstab file to mount the filesystem at system startup.

CephFS comes with a collection of command-line tools for configuring and managing CephFS filesystems.

The ceph fs command is a general-purpose configuration tool with several options for managing file layout and location.
