Ceph Keyring best practice?

Sim0n

Sep 19, 2019
Hello,
I created a Ceph cluster about a year ago from the PVE GUI with, I think, version 19.0.x. Since then the cluster has been upgraded and is now on version 19.2.3.

From this state, in the ceph.conf, the keyrings point to different locations:
  • 'client' to /etc/pve/priv/...
  • 'client.crash' to /etc/pve/ceph/...
  • 'mds' to /var/lib/ceph/mds/...
Yesterday I wanted to create a new OSD from the GUI and that failed because the 'ceph.client.bootstrap-osd.keyring' was expected at '/etc/pve/priv/...' but it is under '/var/lib/ceph/...'.
After I copied the keyring to the expected location, the OSD creation worked again.

My question is now: were some locations changed due to upgrades? Should I fix the paths in the ceph.conf?

What is the recommended state of the keyring paths?
 
The different keyring paths in your ceph.conf are normal — they're not a misconfiguration. PVE intentionally stores keyrings in different locations depending on whether they need to be shared cluster-wide or stay node-local:

- /etc/pve/priv/ — shared across all nodes via pmxcfs (admin keyring, mon keyring)
- /etc/pve/ceph/ — also shared via pmxcfs (crash keyring)
- /var/lib/ceph/ — node-local (bootstrap keyrings, per-daemon keyrings)

These paths haven't changed between 19.0.x and 19.2.3.
Regarding the OSD creation failure — I think you may have hit a bug in pve-manager. When creating an OSD, PVE is supposed to auto-create the bootstrap-osd keyring at /var/lib/ceph/bootstrap-osd/ceph.keyring if it doesn't exist. But the code that does this has a condition that checks ceph.conf for auth_client_required:

Perl:
# PVE/API2/Ceph/OSD.pm, line 408-411
if (
    # only create the bootstrap keyring when the file is absent ...
    !-f $ceph_bootstrap_osd_keyring
    # ... and the literal ceph.conf value equals 'cephx'; an absent key
    # gives undef here, and `undef eq 'cephx'` is false
    && $ceph_conf->{global}->{auth_client_required} eq 'cephx'
) {
    # ... create the bootstrap keyring via auth get-or-create
}

The problem: if auth_client_required is not present in your ceph.conf [global] section, this check fails silently (`undef eq 'cephx'` → false), and PVE skips creating the keyring. ceph-volume then fails because the file doesn't exist.

Ceph defaults to `cephx` when this setting is absent, but PVE reads the file literally and doesn't apply the default.

Could you confirm this by checking your ceph.conf?
Bash:
grep auth_client_required /etc/pve/ceph.conf

If there's no output (the setting is missing), that's the bug. This typically happens when the `[global]` section in ceph.conf existed before pveceph init was run — pveceph init only writes the auth settings when [global] doesn't already exist.

As a workaround for the next time, you can add it explicitly:

Bash:
# Check current effective value (from mon config database)
ceph config get mon auth_client_required

# Add it to ceph.conf if missing
pveceph config set auth_client_required cephx --section global
Or simply ensure the bootstrap keyring exists:

Bash:
ls -la /var/lib/ceph/bootstrap-osd/ceph.keyring
# If missing, create it:
ceph auth get-or-create client.bootstrap-osd mon 'allow profile bootstrap-osd' \
    > /var/lib/ceph/bootstrap-osd/ceph.keyring
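
The following is an added example, not code from this thread or from pve-manager: it models the auth_client_required check described above against two constructed ceph.conf files (one with the key, one without) so the "absent key skips keyring creation" behaviour can be reproduced offline. The helper names, the sample config contents and the nonexistent keyring path are all assumptions for illustration; the defaulted variant simply applies Ceph's own default of cephx when the key is missing.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pve-manager: it models
# the auth_client_required check on two constructed ceph.conf files so the
# "missing key skips keyring creation" behaviour can be seen offline.

# Constructed sample configs (assumed content, not from a real cluster).
CONF_WITH=$(mktemp)
CONF_WITHOUT=$(mktemp)
trap 'rm -f "$CONF_WITH" "$CONF_WITHOUT"' EXIT

cat > "$CONF_WITH" <<'EOF'
[global]
    auth_client_required = cephx
    auth_cluster_required = cephx
    fsid = 00000000-0000-0000-0000-000000000000
EOF

cat > "$CONF_WITHOUT" <<'EOF'
[global]
    fsid = 00000000-0000-0000-0000-000000000000
[client]
    keyring = /etc/pve/priv/$cluster.$name.keyring
EOF

# global_value FILE KEY: print KEY's literal value from the [global] section
# only; print nothing when the key is absent (a literal read, no defaults).
global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]+/, "", s); insect = (s == "[global]"); next }
        insect && index($0, "=") > 0 {
            k = $0; sub(/^[ \t]+/, "", k); sub(/[ \t]*=.*$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# pve_literal_check KEYRING CONF: the condition as the thread describes it.
# Prints "create" only when the keyring file is missing AND the parsed value
# is literally "cephx"; an absent key therefore yields "skip".
pve_literal_check() {
    if [ ! -f "$1" ] && [ "$(global_value "$2" auth_client_required)" = cephx ]; then
        echo create
    else
        echo skip
    fi
}

# defaulted_check KEYRING CONF: the same condition, but treating an absent
# key as Ceph itself does (default cephx), so a missing key no longer skips
# keyring creation.
defaulted_check() {
    v=$(global_value "$2" auth_client_required)
    if [ ! -f "$1" ] && [ "${v:-cephx}" = cephx ]; then
        echo create
    else
        echo skip
    fi
}

# Stand-alone demonstration against a keyring path that does not exist
# (assumed path, chosen so the "file missing" branch is taken).
MISSING_KEYRING=/nonexistent/bootstrap-osd/ceph.keyring
echo "literal, key present:   $(pve_literal_check "$MISSING_KEYRING" "$CONF_WITH")"
echo "literal, key absent:    $(pve_literal_check "$MISSING_KEYRING" "$CONF_WITHOUT")"
echo "defaulted, key absent:  $(defaulted_check "$MISSING_KEYRING" "$CONF_WITHOUT")"
```

Run it as a plain sh script; the first line prints create, the second prints skip (the literal check with the key absent), and the third prints create again once the cephx default is applied. Pointing global_value at a real /etc/pve/ceph.conf gives the same literal read the grep in the post performs, with the section scoping that grep lacks.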