Documentation #58449

Document cephadm set-priv-key command

Added by Kyle Bader 2 months ago. Updated about 1 month ago.

In Progress
Target version:
% Done:


Affected Versions:
Pull request ID:


I inadvertently ran, note the missing '-i' for the first command.

ceph config-key set mgr/cephadm/ssh_identity_key /root/.ssh/id_rsa
ceph config-key set mgr/cephadm/ssh_identity_pub -i /root/.ssh/

The result was an error when adding hosts

[ceph: root@kb-1 ~]# ceph orch host add kb-2
Error EINVAL: Failed to connect to kb-2 (kb-2): KeyImportError('Invalid private key',)
[ceph: root@kb-1 ~]#

It might be helpful to see if the key looks like something that is a path, or perhaps use the private key to sign something and attempt to validate it with the public key, if it fails, then print a warning about the keys not matching as a health warning.


#1 Updated by Adam King about 2 months ago

  • Tracker changed from Bug to Documentation
  • Subject changed from Add validation or checking of pub/priv ssh keys to Document cephadm set-priv-key command
  • Assignee set to Adam King

We actually have validation built in if the key is set using the "ceph cephadm set-priv-key" command rather than directly setting the config-key option (which we can't control really). I think we just need to better document the set-priv-key command. There's nothing else we can do to stop users from setting certain values in the config-key store I think.

#2 Updated by Adam King about 2 months ago

Turns out set-priv-key and set-pub-key are actually broken and probably have been since we moved to asyncssh. Going to also need to fix them up, and will address this documentation as part of that.

#3 Updated by Adam King about 1 month ago

  • Pull request ID set to 49952

#4 Updated by Adam King about 1 month ago

  • Status changed from New to In Progress

Also available in: Atom PDF