On Mon, May 20, 2019 at 8:56 AM Rainer Krienke <krienke@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> on a ceph Nautilus cluster (14.2.1) running on Ubuntu 18.04 I try to set
> up rbd images with namespaces in order to allow different clients to
> access only their "own" rbd images in different namespaces in just one
> pool. The rbd image data are in an erasure encoded pool named "ecpool"
> and the metadata in the default "rbd" pool.
>
> With this setup I am experiencing trouble when I try to access a rbd
> image in a namespace from a (OpenSuSE Leap 15.0 with Ceph 14.2.1) client
> and I do not understand what I am doing wrong. Hope someone can see the
> problem and give me a hint:
>
> # On one of the ceph servers
>
> $ rbd namespace create --namespace testnamespace
> $ rbd namespace ls
> NAME
> testnamespace
>
> $ ceph auth caps client.rainer mon 'profile rbd' osd 'profile rbd pool=rbd namespace=testnamespace'
>
> $ ceph auth get client.rainer
> [client.rainer]
>         key = AQCcVt5cHC+WJhBBoRPKhErEYzxGuU8U/GA0xA++
>         caps mon = "profile rbd"
>         caps osd = "profile rbd pool=rbd namespace=testnamespace"
>
> $ rbd create rbd/rbdtestns --namespace testnamespace --size 50G --data-pool=rbd-ecpool
>
> $ rbd --namespace testnamespace ls -l
> NAME      SIZE   PARENT FMT PROT LOCK
> rbdtestns 50 GiB        2
>
> On the openSuSE Client:
>
> $ rbd --namespace=testnamespace map rbd/rbdtestns --name client.rainer --keyring=/etc/ceph/ceph.keyring
> rbd: sysfs write failed
> rbd: error opening image rbdtestns: (1) Operation not permitted
> In some cases useful info is found in syslog - try "dmesg | tail".
> 2019-05-20 08:18:29.187 7f42ab7fe700 -1 librbd::image::RefreshRequest: failed to retrieve pool metadata: (1) Operation not permitted
> 2019-05-20 08:18:29.187 7f42aaffd700 -1 librbd::image::OpenRequest: failed to refresh image: (1) Operation not permitted
> 2019-05-20 08:18:29.187 7f42aaffd700 -1 librbd::ImageState: 0x561792408860 failed to open image: (1) Operation not permitted
> rbd: map failed: (22) Invalid argument

Hmm, it looks like we overlooked updating the 'rbd' profile when PR
27423 [1] was merged into v14.2.1. We'll get that fixed, but in the
meantime, you can add a "class rbd metadata_list" cap on the base pool
(w/o the namespace restriction) [2].

> Thanks for your help
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
> Web: http://userpages.uni-koblenz.de/~krienke
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

[1] https://github.com/ceph/ceph/pull/27423
[2] http://docs.ceph.com/docs/master/rados/operations/user-management/#authorization-capabilities

--
Jason
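
An added example, not part of the original thread and not Ceph's own code: a Python check over `ceph auth get` output that lists pools where a user holds a namespace-restricted `profile rbd` grant but no unrestricted `class rbd metadata_list` grant, which is the gap the reply's workaround closes. The sample output is constructed with a placeholder key, and the grant spelling `allow class rbd metadata_list pool=<pool>` is an assumption based on the cap named in the reply; confirm it against the capabilities documentation [2].

```python
import re

# Constructed sample of `ceph auth get` output (placeholder key, not a real one).
SAMPLE_BEFORE = '''[client.example]
\tkey = <placeholder>
\tcaps mon = "profile rbd"
\tcaps osd = "profile rbd pool=rbd namespace=testnamespace"
'''
# Same user after adding the workaround grant (assumed spelling, see lead-in).
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'namespace=testnamespace"',
    'namespace=testnamespace, allow class rbd metadata_list pool=rbd"')


def osd_grants(auth_text):
    """Return the comma-separated grants of the 'caps osd' line as token lists."""
    m = re.search(r'^\s*caps osd\s*=\s*"([^"]*)"', auth_text, re.MULTILINE)
    if not m:
        return []
    return [g.split() for g in m.group(1).split(",") if g.strip()]


def option(tokens, name):
    """Value of a name=value token inside one grant, or None if absent."""
    for tok in tokens:
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
    return None


def pools_missing_metadata_list(auth_text):
    """Pools with a namespaced rbd profile but no base-pool metadata_list grant."""
    restricted, covered = set(), set()
    for tokens in osd_grants(auth_text):
        pool, ns = option(tokens, "pool"), option(tokens, "namespace")
        if tokens[:2] == ["profile", "rbd"] and pool and ns:
            restricted.add(pool)
        # Only a grant WITHOUT a namespace restriction covers the base pool.
        if "class" in tokens and "metadata_list" in tokens and pool and not ns:
            covered.add(pool)
    return sorted(restricted - covered)


if __name__ == "__main__":
    print("before workaround:", pools_missing_metadata_list(SAMPLE_BEFORE))
    print("after workaround: ", pools_missing_metadata_list(SAMPLE_AFTER))
```
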