DaeGon Kim

Summary

The website content provides a detailed guide on managing Ceph RBD (RADOS Block Device) images, including creating users, mounting images with non-admin clients, and handling snapshots and clones across different pools.

Abstract

The provided text is a technical tutorial focusing on advanced Ceph RBD management tasks. It builds upon a previous article that demonstrated mounting RBD images using an admin client. This follow-up guide emphasizes security by using a non-admin client for operations. It outlines steps to create a Ceph user with specific permissions, mount RBD images as a non-admin user, and manage RBD snapshots and clones, particularly in scenarios where a clone is created from a snapshot in a different pool. The tutorial also addresses permission issues and how to resolve them by creating a user with cross-pool read-only access. The practical examples include command-line operations and screenshots to illustrate the process and outcomes, ensuring that users can follow along and apply the knowledge to their Ceph environments.

Opinions

  • The author advocates for using non-admin clients over admin clients for RBD image manipulation to enhance security.
  • The tutorial underscores the importance of proper user permission management to maintain system integrity and prevent unauthorized access.
  • The use of real-world scenarios, such as setting up an overlay filesystem with Ceph's snapshot and clone features, demonstrates the practical applications of Ceph RBD beyond basic storage tasks.
  • The author implies that understanding how to manage permissions and access to different pools is crucial for effective Ceph RBD usage in multi-tenant environments.
  • By showing error messages and resolutions, the author highlights the common challenges users might face and provides solutions, indicating a user-centric approach to technical writing.

Ceph RBD Mount & More

Ceph RBD, Mount, User Management, Snapshot, Clone

In the previous article, we showed how to mount an rbd image, both temporarily and persistently. That was done with the admin client, which is discouraged due to security concerns. In this tutorial, we will show how to

  • Create a Ceph user
  • Create rbd images and mount rbd images using a non-admin client

Furthermore, we will demonstrate a real use-case where an rbd image is cloned from another rbd image in a pool that the Ceph user should not be able to change.

Mounting an rbd image using a non-admin client

Before we create a Ceph user, we will create an rbd pool that we want to assign to a new user.

Please note that we use the admin user to run these commands. The result is the sub-block-devices rbd pool and the projectX rbd image. The other entities will be explained later.

Now, we are ready to create a client (user) that will manage the pool.

“profile rbd” gives a user permission to manipulate RBD images. With the pool option, we can restrict which pools this user can access. The screenshot below shows the result of the above command.

Now, we need to move the sub.keyring file to a ceph client node. Then, we can create an rbd image, list the images in the pool and map and mount rbd images.

List of rbd images, lsblk output after mapping two rbd images

Now, we want to check whether this user can map images in pools other than the assigned one, sub-block-devices. We try to map the rbd image foo in main-block-devices, and this is what we got.

Failed rbd map attempt of foo by sub client

Some of the objects here are described in the previous article on RBD mount. The persistent configuration for mounting rbd images is also explained there.

For a clone rbd image where the underlying snapshot is in a different pool

Let’s say we have a few projects, each of which requires its own Ubuntu repo. The majority of the files would be duplicated, so we want to set up an overlay file system. Ceph provides this feature through snapshots and clones. Let’s assume that main-block-devices/foo holds a base repo. Then, we can create a snapshot of it and clone that snapshot into the sub-block-devices pool.

Note that the clone is in sub-block-devices pool.

Snap and clone images

Now, we want to use (map, mount and read/write) this clone image as user sub. So we tried, and got some errors.

Most likely, it is because client.sub does not have permission to read the snapshot, which lives in main-block-devices. Snapshots are read-only. Now, we will create another user called subplus with the following command.

In addition to profile rbd on the sub-block-devices pool, a read-only permission was granted on the main-block-devices pool.

Now, we can copy the subplus.keyring to the ceph-client node and map the clone image.

rbd map of the clone image and failed attempt of mapping of foo

This is the desirable output. client.subplus can map an image cloned from the main-block-devices pool, but cannot map an image in that pool itself.
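The two procedures above (creating a pool-scoped user and mapping as that user, then snapshot/clone across pools with a second user that is read-only on the parent pool) pulled together as one script. This is an added example, not the commands from the original post: the pool, user, image and snapshot names (sub-block-devices, main-block-devices, sub, subplus, projectX, foo, snapshot base, clone projectY) are assumed, the keyring path follows rbd's default search location for `--id <user>`, and the caps syntax (`profile rbd`, `profile rbd-read-only`, the mgr cap) follows the Ceph block-device user documentation. With DRY_RUN=1 it prints the commands instead of running them, which is how it can be checked without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): admin-side and client-side
# steps for a pool-scoped RBD user and a cross-pool clone. Assumed names:
# pools sub-block-devices / main-block-devices, users sub / subplus, images
# projectX / foo, snapshot "base" and clone "projectY" (all constructed).
# Run with DRY_RUN=1 to print the commands instead of executing them,
# and DEMO=1 to run the full sequence at the bottom.
set -eu

# run_cmd executes its arguments, or prints them shell-quoted when DRY_RUN=1.
run_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    line=
    for a in "$@"; do
      case $a in
        *[!A-Za-z0-9_./=:@,-]*) a="'$a'" ;;   # quote args with spaces etc.
      esac
      line="$line$a "
    done
    printf '%s\n' "${line% }"
  else
    "$@"
  fi
}

# Admin side: create a pool and initialise it for RBD use.
create_rbd_pool() {
  run_cmd ceph osd pool create "$1"
  run_cmd rbd pool init "$1"
}

# Admin side: a user whose caps are 'profile rbd' restricted to one pool.
# The mgr cap is the one the Ceph block-device user docs list alongside mon/osd.
# The keyring is written as /etc/ceph/ceph.client.<user>.keyring, the default
# path rbd searches on the client node when given --id <user>.
create_rbd_user() {
  user=$1; pool=$2
  run_cmd ceph auth get-or-create "client.$user" \
    mon 'profile rbd' \
    osd "profile rbd pool=$pool" \
    mgr "profile rbd pool=$pool" \
    -o "/etc/ceph/ceph.client.$user.keyring"
}

# Admin side: as above, plus read-only access to a second pool so the user can
# read a parent snapshot there without being able to modify anything in it.
create_rbd_user_with_ro_parent() {
  user=$1; rw_pool=$2; ro_pool=$3
  run_cmd ceph auth get-or-create "client.$user" \
    mon 'profile rbd' \
    osd "profile rbd pool=$rw_pool, profile rbd-read-only pool=$ro_pool" \
    mgr "profile rbd pool=$rw_pool" \
    -o "/etc/ceph/ceph.client.$user.keyring"
}

# Admin side: snapshot the base image, protect the snapshot (a clone parent
# must be protected), and clone it into the restricted user's pool.
clone_across_pools() {
  parent_pool=$1; parent_image=$2; snap=$3; child_pool=$4; child_image=$5
  run_cmd rbd snap create "$parent_pool/$parent_image@$snap"
  run_cmd rbd snap protect "$parent_pool/$parent_image@$snap"
  run_cmd rbd clone "$parent_pool/$parent_image@$snap" "$child_pool/$child_image"
}

# Client side: act as the non-admin user. Mapping an image outside the
# granted pool(s) is expected to be refused with this user's caps.
map_as_user() {
  run_cmd rbd --id "$1" map "$2"
}

list_as_user() {
  run_cmd rbd --id "$1" ls "$2"
}

if [ "${DEMO:-0}" = 1 ]; then
  create_rbd_pool sub-block-devices
  create_rbd_user sub sub-block-devices
  list_as_user sub sub-block-devices
  clone_across_pools main-block-devices foo base sub-block-devices projectY
  create_rbd_user_with_ro_parent subplus sub-block-devices main-block-devices
  map_as_user subplus sub-block-devices/projectY   # allowed: clone in its pool
  map_as_user subplus main-block-devices/foo       # expected to be refused
fi
```

The split between the two users is the point of the second half of the post: `profile rbd-read-only` on main-block-devices is exactly enough for the client to read the protected parent snapshot behind the clone, while the only pool it can write to (or map images from directly) is sub-block-devices.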

Ceph
User Management
Storage Solutions
Overlayfs
Snapshot