Charm option to enable debugging of the client side of ceph in libvirt / nova
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Nova Compute Charm | Triaged | Wishlist | Unassigned | |
Bug Description
There are situations where you might want to enable extra rbd debug, during nova-compute troubleshooting scenarios. The process for doing this is documented at https:/
[client.libvirt]
log file = /var/log/
admin socket = /var/run/
Overall, this is pretty straightforward; however, that might be trickier in a production environment where the charm is maintaining the ceph.conf file, and where there's also AppArmor security handling of where the libvirt/qemu process would be able to write to.
As an example, here are some details of what I had to do in order to make this work in a Lab environment:
1. Add the following entries under the [global] section (although this could go into [client] section, per the ceph website):
admin socket = /tmp/$name.
log file = /tmp/qemu-
At this point, I had many issues with apparmor preventing me from creating the files under /tmp. I fixed it by:
2. Change /etc/apparmor.
/tmp/ rw,
/tmp/* rw,
/etc/ceph/ r,
/etc/
Just FYI, I added mine under the following section:
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
# dir and a few known functions like samba support.
# We want to avoid to give blanket rw permission to everything under /tmp,
# users are expected to add site specific addons for more uncommon cases.
# Qemu processes usually all run as the same users, so the "owner"
# restriction prevents access to other services files, but not across
# different instances.
# This is a tradeoff between usability and security - if paths would be more
# predictable that would be preferred - at least for write rules we would
# want more unique paths per rule.
/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
/tmp/ rw,
/tmp/* rw,
/etc/ceph/ r,
/etc/
Note, initially I had only added /tmp/ and /tmp/*, which allowed libvirt to create the log and asok files under /tmp, however, the only message I had in my log file was "auth: unable to find a keyring on /etc/ceph/
3. After that, I just needed to "openstack server stop" and then "openstack server start" the VM, and that created the asok and log files. This is required because the stop/start process using openstack commands will actually recreate (undefine/define) the VM, and the UUID will change, and so will the /etc/apparmor.
Note: Although the files were created, there was nothing being logged in the /tmp/qemu-
admin socket = /tmp/$name.
log file = /tmp/qemu-
debug rbd = 20
debug rbd mirror = 20
debug rbd replay = 20
After stop/start the VM again, I can see the debug entries:
root@juju-
2022-02-
And the admin socket also works:
root@juju-
"debug_rbd": "20/20",
"debug_
"debug_
"debug_
It would be great if the charm could handle this process, in order to ease the debug/troublesh
This would be a very good addition to have for debugging scenarios involving the librbd clients.
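Added example, not part of the original report or the charm's code: a check that the `admin socket` and `log file` paths from ceph.conf are covered by a write rule in AppArmor rules like those in step 2, and that flags write rules which apply to any file in /tmp without the `owner` qualifier. The socket and log file names, the `client.libvirt` and `4242` substitutions, and all function names are constructed for illustration; the glob translation covers only `**`, `*`, `?` and `{a,b}`.

```python
import re

# Constructed sample inputs; the report's real paths are truncated on the page.
CEPH_CONF = """[client]
admin socket = /tmp/$name.$pid.asok
log file = /tmp/qemu-guest-$pid.log
debug rbd = 20
"""
RULES = """/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
/tmp/ rw,
/tmp/* rw,
/etc/ceph/ r,
"""
RULE_RE = re.compile(r"^\s*(owner\s+)?(/\S*)\s+([a-z]+),\s*$")
# '*' stays inside one path component, '**' also crosses '/'.
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(glob):
    """Translate an AppArmor glob subset; literal commas in paths are not handled."""
    body = re.sub(r"\*\*|[*?{},]|[^*?{},]+",
                  lambda m: GLOB.get(m[0]) or re.escape(m[0]), glob)
    return re.compile(body + r"\Z")

def parse_rules(text):
    """Return (owner_only, glob, perms) per file rule; other lines are skipped."""
    return [(bool(m[1]), m[2], m[3]) for m in map(RULE_RE.match, text.splitlines()) if m]

def client_paths(conf, sample=(("name", "client.libvirt"), ("pid", "4242"))):
    """Expand Ceph metavariables in 'admin socket' / 'log file' with sample values."""
    values, paths = dict(sample), []
    for line in conf.splitlines():
        key, _, val = line.partition("=")
        if " ".join(key.split()).lower() in ("admin socket", "log file"):
            paths.append(re.sub(r"\$(\w+)", lambda m: values.get(m[1], m[0]), val.strip()))
    return paths

def audit(conf, rules_text, probe="/tmp/unrelated-probe-file"):
    # 'owner' rules count as writable: qemu creates the log and socket itself.
    rules = [(o, glob_to_regex(g), g, p) for o, g, p in parse_rules(rules_text)]
    writable = lambda path: any("w" in p and rx.match(path) for _, rx, _, p in rules)
    return {"unwritable": [p for p in client_paths(conf) if not writable(p)],
            "blanket_write": [g for o, rx, g, p in rules
                              if "w" in p and not o and rx.match(probe)]}
```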