[Deepsea-users] Antw: Re: Antw: Re: Deepsea dependency on salt-minion?

Martin Weiss Martin.Weiss at suse.com
Thu Jan 19 04:25:04 MST 2017



> On Thu, Jan 19, 2017 at 03:40:36AM ‑0700, Martin Weiss wrote:
>>   If you make a "mistake" in targeting ‑ you end up with "killing" the
>>   master.
>>   This is also the reason why SUMA servers per default do not patch or
>>   configure "themselves"..
>>   Could you give more details why we need a minion on the salt‑master for
>>   "key management"? Is this just for the ceph‑keys or for ssh keys etc?
>>   Salt should also be able to do any file management on remote minions
>>   without requiring a minion on the master... (even getting the keys from
>>   another "remote" minion.)
> Talking about cephx keys only. What we gain is that we never leak keys to
> minions that have more privileges than the daemon on that host needs. I.e.
> the admin key is only needed on the master (and admin nodes of course) but
> not on OSDs for example.

So where are these keys created? 

Do we create them on a server that has a minion and ceph installed?
Keep in mind that customers are also not going to install ceph on their SUSE Manager server..

I would have expected that we create the keys via salt on a minion that has the ceph packages installed during initial cluster creation and then copy this to the master and use it as pillar for other minions..
Seems that is done differently..

> Otherwise one needs a privileged key on, say an OSD node to authorize the
> OSD key.

Salt has more or less "root" access - so what is the problem with using a special admin-key for ceph administration via salt?

> So it's not an issue of managing files but the way salt manages files in
> interaction with the cephx tools.

Ok - I have too little knowledge here... but I can foresee problems in SUMA environments...

>>   Martin
>>   On Thu, Jan 19, 2017 at 03:03:52AM ‑0700, Martin Weiss wrote:
>>   >   Hi *,
>>   >   I had expected that Deepsea needs to be installed on the salt‑master ‑
>>   >   but have seen that there is a dependency on salt‑minion.
>>   >   Any idea why we have this dependency?
>>   Yes DeepSea needs a minion on the master machine. This is most
>>   importantly used for key management.
>>   >   (there are customers that do not want to have the salt‑master to be a
>>   >   salt‑minion at the same point in time)
>>   Did the customer mention why they have an issue with that?
>>   >   Thanks,
>>   >   Martin
>>   >_______________________________________________
>>   >Deepsea‑users mailing list
>>   >Deepsea‑users at lists.suse.com 
>>   >[1]http://lists.suse.com/mailman/listinfo/deepsea‑users 
>>   ‑‑
>>   Jan Fajerski
>>   Engineer Enterprise Storage
>>   SUSE Linux GmbH
>>   jfajerski at suse.com 
>>
>>References
>>
>>   1. http://lists.suse.com/mailman/listinfo/deepsea‑users 
>>   2. http://lists.suse.com/mailman/listinfo/deepsea‑users 
> 
> 
> 
> ‑‑ 
> Jan Fajerski
> Engineer Enterprise Storage
> SUSE Linux GmbH
> jfajerski at suse.com 

