Ceph » devops

https://github.com/ceph/ceph/pull/9871

backport tickets and PRs:

jewel:
http://tracker.ceph.com/issues/16441
https://github.com/ceph/ceph/pull/9872

hammer:
http://tracker.ceph.com/issues/16442
https://github.com/ceph/ceph/pull/9873

@Vladimir: If any changes are made to https://github.com/ceph/ceph/pull/9871 these will have to be manually reflected in the backport PRs you have open. That's why we usually wait until the master PR has been merged before staging backports.

@Nathan Weinberg, okay, no problem, I'll wait until merge and update backport PRs.

Need backports:
hammer
jewel
kraken

Backport to kraken: http://tracker.ceph.com/issues/16652

@Vladislav: Kraken backporting has not started yet. The "master" and "kraken" branches are currently in lock-step. See http://docs.ceph.com/docs/master/dev/#what-is-merged-where-and-when for general info on this topic.

More issue description.

My initial problem was connected with hammer radosgw on el7. I couldn't run radosgw under non-privileged user without shell (/sbin/nologin), because you can't ask su or sudo or runuser to start process from user without shell - these binaries do need shell. But daemon() from /etc/init.d/functions or start_daemon() from /lib/lsb/init-functions don't need it and are written for this special usage.

I decided to write 2 patches: for init-ceph and for init-radosgw to keep start of these daemons with initscripts in the same style.

The problem:

~]# getent passwd radosgw
radosgw:x:1003:1003::/var/lib/ceph/radosgw/:/sbin/nologin
~]# /bin/su radosgw -c '/bin/radosgw -n client.radosgw.i-c5ef3fa1'
This account is currently not available.
~]# ps aux | grep rados
root     11402  0.0  0.0 112648   968 pts/0    S+   11:32   0:00 grep --color=auto rados

Right way (if we don't use systemd-units on el7 hammer):

~]# . /etc/init.d/functions
~]# daemon --user="radosgw" "/bin/radosgw -n client.radosgw.i-c5ef3fa1" 
~]#                                       [  OK  ]
~]# ps aux | grep rados
radosgw  11757  1.0  0.2 2151224 9468 ?        Ssl  11:34   0:00 /bin/radosgw -n client.radosgw.i-c5ef3fa1
root     11893  0.0  0.0 112648   968 pts/0    S+   11:34   0:00 grep --color=auto rados

Anyway, even if you don't use systemd-run, you can work through systemctl:

~]# systemctl status ceph-radosgw
● ceph-radosgw.service - LSB: radosgw RESTful rados gateway
   Loaded: loaded (/etc/rc.d/init.d/ceph-radosgw)
   Active: active (running) since Fri 2016-06-24 11:44:04 MSK; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 8023 ExecStop=/etc/rc.d/init.d/ceph-radosgw stop (code=exited, status=0/SUCCESS)
  Process: 20117 ExecReload=/etc/rc.d/init.d/ceph-radosgw reload (code=exited, status=0/SUCCESS)
  Process: 13781 ExecStart=/etc/rc.d/init.d/ceph-radosgw start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ceph-radosgw.service
           └─13805 /bin/radosgw -n client.radosgw.i-c5ef3fa1

Jun 24 11:44:04 i-c5ef3fa1 systemd[1]: Starting LSB: radosgw RESTful rados gateway...
Jun 24 11:44:04 i-c5ef3fa1 ceph-radosgw[13781]: Starting client.radosgw.i-c5ef3fa1...
Jun 24 11:44:04 i-c5ef3fa1 runuser[13801]: pam_unix(runuser:session): session opened for user radosgw by (uid=0)
Jun 24 11:44:04 i-c5ef3fa1 systemd[1]: Started LSB: radosgw RESTful rados gateway.
Jun 24 11:44:04 i-c5ef3fa1 ceph-radosgw[13781]: [  OK  ]

About backports:
It's very needed in EL7 hammer. There is no ability to start daemon under non-privileged user. Since el7 hammer doesn't provide packaged systemd units, and changing packaging is not a good idea in minor release, because it can break the automation and other aspects for users.
I think these changes should be in all supported branches (hammer, jewel) to keep these scripts in unified style - but this is already not a technical issue.