*** rlandy|bbl is now known as rlandy|out | 01:17 | |
*** queria is now known as Guest809 | 02:25 | |
*** queria is now known as Guest811 | 02:31 | |
*** soniya29 is now known as soniya29|rover | 04:19 | |
ironfoot | jamesbenson: do you mean like this? https://docs.openstack.org/kolla-ansible/latest/reference/storage/external-ceph-guide.html#radosgw | 08:24 |
ironfoot | note the "ceph_rgw_swift_compatibility" option if you want full swift API compatibility | 08:26 |
*** soniya29|rover is now known as soniya29|rover|lunch | 10:08 | |
*** rlandy|out is now known as rlandy | 10:25 | |
*** soniya29|rover|lunch is now known as soniya29|rover | 10:27 | |
*** soniya29|rover is now known as soniya29|rover|afk | 11:18 | |
*** soniya29 is now known as soniya29|rover | 12:07 | |
jamesbenson | @ironfoot, yes, but I'm trying to figure out what needs to be done on ceph side as well. I've enabled that option, specified my ceph_rgw_internal/external_fqdn, and ceph_rgw_port but swift still doesn't connect properly. I'm wondering if there are other configs I need either in kolla or in ceph. | 12:52 |
ironfoot | oh, yes, you need to configure your rgw clients | 13:58 |
ironfoot | jamesbenson: this in your ceph.conf : https://paste.openstack.org/show/bDHUimGO6oCKtRqgVwW3/ | 13:59 |
ironfoot | jamesbenson: the [client] header would work, but better if it's replaced with the client name (in my case for example [client.rgw.openstack-ceph1] ) | 14:01 |
ironfoot | if you have multiple clients (rgw running in multiple nodes) you need to add one block like that for each | 14:01 |
jamesbenson | @ironfoot. Okay, those configs are different than what I used: https://paste.ubuntu.com/p/y5jyW7QBqy/ (this was a test environment, destroyed nightly so not worried about passwords, etc) | 14:13 |
ironfoot | oh, you used ceph_rgw_keystone_password ? I went with keystone_admin_password and it worked. I don't know which one is right though | 14:15 |
ironfoot | I assume you saw this: https://docs.ceph.com/en/latest/radosgw/keystone/ | 14:16 |
jamesbenson | yes, should I use the [client] header or [client.radosgw.gateway] in the ceph.conf | 14:17 |
ironfoot | the full name is better, but using [client] is handy to get things working | 14:17 |
jamesbenson | I used the latter, yours had the former | 14:18 |
jamesbenson | okay, so maybe it was just the password that was breaking things. | 14:18 |
ironfoot | yes, this is a copy from when I was testing things recently | 14:18 |
ironfoot | can you, from the ceph node that has radosgw running, run `curl https://192.168.1.63:35357` ? | 14:19 |
ironfoot | I bet the answer is no, cause I don't think you can do https on an IP | 14:20 |
jamesbenson | And you update the ceph.conf with `sudo ceph config assimilate-conf -i /etc/ceph/ceph.conf -o /tmp/bad.conf` | 14:21 |
jamesbenson | curl: (60) SSL certificate problem: unable to get local issuer certificate | 14:22 |
ironfoot | so, that's the problem. Have you configured your cloud with "kolla_enable_tls_internal" or "kolla_enable_tls_external" ? | 14:24 |
ironfoot | if not, then you could try to run `curl http://192.168.1.63:35357` | 14:25 |
ironfoot | and if that works, then just replace https with http in your configuration | 14:25 |
ironfoot | then restart the radosgw service, and check the logs :) | 14:25 |
jamesbenson | kolla_enable_tls_internal kolla_enable_tls_external kolla_enable_tls_backend rabbitmq_enable_tls all yes. | 14:25 |
ironfoot | are they self-signed certificates? | 14:28 |
ironfoot | you need to use the fqdn then, should be set in `kolla_external_fqdn` | 14:29 |
ironfoot | but if it's self-signed it will be more complicated, you will need to install the CA certificate generated | 14:29 |
jamesbenson | yes, self signed :-( | 14:30 |
jamesbenson | I do have kolla_copy_ca_into_containers enabled | 14:31 |
ironfoot | well, yes, but that won't copy the CA into your ceph cluster | 14:32 |
ironfoot | in summary, you need to be able to run `curl` agains the url you set in "rgw keystone url" | 14:32 |
ironfoot | against* | 14:32 |
jamesbenson | I do have `ceph config set mgr mgr/dashboard/ssl false` | 14:33 |
ironfoot | but this is about your ceph nodes being able to talk to keystone | 14:34 |
jamesbenson | true | 14:34 |
ironfoot | with the current configuration, it can't, and we can see that by using `curl` | 14:34 |
jamesbenson | yeah, would we need to do something like this? https://documentation.suse.com/ses/7/html/ses-all/dashboard-initial-configuration.html#cert-sign-CA | 14:36 |
ironfoot | no | 14:38 |
ironfoot | you need to take your CA certificate (normally called ca.crt), and install it on your ceph nodes | 14:38 |
ironfoot | not in ceph, but in the node OS | 14:38 |
jamesbenson | it's a hyperconverged case here, ceph lives on all of my compute/controller nodes | 14:39 |
ironfoot | then easier | 14:39 |
ironfoot | how did you generate these certificates | 14:39 |
jamesbenson | kolla | 14:39 |
ironfoot | right, can you locate them? | 14:39 |
ironfoot | and I assume you run debian? | 14:39 |
jamesbenson | yeah, default locations. I'm using ubuntu as host os, and cent for kolla images | 14:40 |
ironfoot | something like `sudo cp ca.crt /usr/local/share/ca-certificates` | 14:41 |
ironfoot | and then `sudo update-ca-certificates` | 14:41 |
ironfoot | as explained here: https://ubuntu.com/server/docs/security-trust-store | 14:41 |
ironfoot | (you may need to do that on multiple nodes, of course) | 14:42 |
ironfoot | once that's done, you should be able to `curl http://{{ kolla_external_fqdn }}:35357` | 14:43 |
jamesbenson | cool | 14:44 |
jamesbenson | I'm thinking it'll be the external.crt? https://pasteboard.co/PZrJK3kLNPvF.png | 14:48 |
jamesbenson | or maybe copy all of them on ^_^ | 14:50 |
jamesbenson | it curls! Thank you for the help! | 14:54 |
ironfoot | cool! | 15:00 |
ironfoot | now you are one step closer | 15:00 |
jamesbenson | @ironfoot, how do you update the ceph cluster once everything has been updated? | 16:05 |
ironfoot | after ceph.conf has been modified? | 16:06 |
ironfoot | you only need to restart the radosgw services | 16:06 |
jamesbenson | ok | 16:08 |
*** rlandy is now known as rlandy|rover | 16:09 | |
jamesbenson | @ironfoot, what's your timezone? I'm UTC/GMT -5 hours (CST) | 16:56 |
rezabojnordi | Hi guys, I have a question | 19:10 |
rezabojnordi | Hi guys, I have a question? | 19:10 |
*** rlandy|rover is now known as rlandy|out | 23:08 |