:_mod-docs-content-type: PROCEDURE
[id="configuring-a-ceph-backend_{context}"]

= Configuring a {Ceph} back end

[role="_abstract"]
If your {rhos_prev_long} ({OpenStackShort}) {rhos_prev_ver} deployment uses a {Ceph} back end for any service, such as {image_service_first_ref}, {block_storage_first_ref}, {compute_service_first_ref}, or {rhos_component_storage_file_first_ref}, you must configure the custom resources (CRs) to use the same back end in the {rhos_long} {rhos_curr_ver} deployment.

[NOTE]
To run `ceph` commands, you must use SSH to connect to a {Ceph} node and run `sudo cephadm shell`. This generates a Ceph orchestrator container that enables you to run administrative commands against the {CephCluster} cluster. If you deployed the {CephCluster} cluster by using {OpenStackPreviousInstaller}, you can launch the `cephadm` shell from an {OpenStackShort} Controller node.

.Prerequisites

* The `OpenStackControlPlane` CR is created.
* If your {OpenStackShort} {rhos_prev_ver} deployment uses the {rhos_component_storage_file}, the openstack keyring is updated. Modify the `openstack` user so that you can use it across all {OpenStackShort} services:
+
----
ceph auth caps client.openstack \
  mgr 'allow *' \
  mon 'allow r, profile rbd' \
  osd 'profile rbd pool=vms, profile rbd pool=volumes, profile rbd pool=images, allow rw pool manila_data'
----
+
Using the same user across all services makes it simpler to create a common {Ceph} secret that includes the keyring and `ceph.conf` file and propagate the secret to all the services that need it.
* The following shell variables are defined. Replace the following example values with values that are correct for your environment:
+
[subs=+quotes]
----
ifeval::["{build}" != "downstream"]
CEPH_SSH="ssh -i ~/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa root@192.168.122.100"
endif::[]
ifeval::["{build}" == "downstream"]
CEPH_SSH="ssh -i *<path to SSH key>* root@*<node IP>*"
endif::[]
CEPH_KEY=$($CEPH_SSH "cat /etc/ceph/ceph.client.openstack.keyring | base64 -w 0")
CEPH_CONF=$($CEPH_SSH "cat /etc/ceph/ceph.conf | base64 -w 0")
----

.Procedure

. Create the `ceph-conf-files` secret that includes the {Ceph} configuration:
+
----
$ oc apply -f - <<EOF
apiVersion: v1
data:
  ceph.client.openstack.keyring: $CEPH_KEY
  ceph.conf: $CEPH_CONF
kind: Secret
metadata:
  name: ceph-conf-files
type: Opaque
EOF
----
+
The content of the file should be similar to the following example:
+
[subs="+quotes"]
----
apiVersion: v1
kind: Secret
metadata:
  name: ceph-conf-files
stringData:
  ceph.client.openstack.keyring: |
    [client.openstack]
        key = <secret key>
        caps mgr = "allow *"
        caps mon = "allow r, profile rbd"
        caps osd = "pool=vms, profile rbd pool=volumes, profile rbd pool=images, allow rw pool manila_data'
  ceph.conf: |
    [global]
    fsid = 7a1719e8-9c59-49e2-ae2b-d7eb08c695d4
    mon_host = 10.1.1.2,10.1.1.3,10.1.1.4
----
+
* `mon_host` specifies the addresses of the cluster's monitors. If you use IPv6, use brackets for the `mon_host`. For example:
`mon_host = [v2:[fd00:cccc::100]:3300/0,v1:[fd00:cccc::100]:6789/0]`
+
[NOTE]
====
For Distributed Compute Node (DCN) deployments with multiple {Ceph} clusters, include all cluster configurations in the same secret using `oc create secret generic`. The {Ceph} configuration files for all clusters are available on the {OpenStackShort} controller at `/var/lib/tripleo-config/ceph/` (or `/etc/ceph` if the Heat variable `CephConfigPath` is set to that path). Copy them locally and create the secret:

----
$ CEPH_SSH="ssh root@<controller>"
$ CEPH_DIR="/var/lib/tripleo-config/ceph"
$ TMPDIR=$(mktemp -d)

$ $CEPH_SSH "cat ${CEPH_DIR}/central.conf" > ${TMPDIR}/central.conf
$ $CEPH_SSH "sudo cat ${CEPH_DIR}/central.client.openstack.keyring" > ${TMPDIR}/central.client.openstack.keyring
$ $CEPH_SSH "cat ${CEPH_DIR}/dcn1.conf" > ${TMPDIR}/dcn1.conf
$ $CEPH_SSH "sudo cat ${CEPH_DIR}/dcn1.client.openstack.keyring" > ${TMPDIR}/dcn1.client.openstack.keyring
$ $CEPH_SSH "cat ${CEPH_DIR}/dcn2.conf" > ${TMPDIR}/dcn2.conf
$ $CEPH_SSH "sudo cat ${CEPH_DIR}/dcn2.client.openstack.keyring" > ${TMPDIR}/dcn2.client.openstack.keyring

$ oc create secret generic ceph-conf-files \
    --from-file=${TMPDIR}/central.conf \
    --from-file=${TMPDIR}/central.client.openstack.keyring \
    --from-file=${TMPDIR}/dcn1.conf \
    --from-file=${TMPDIR}/dcn1.client.openstack.keyring \
    --from-file=${TMPDIR}/dcn2.conf \
    --from-file=${TMPDIR}/dcn2.client.openstack.keyring \
    -n openstack

$ rm -rf ${TMPDIR}
----

Repeat for each additional edge site, adding a `--from-file` entry for each cluster's `.conf` and `.client.openstack.keyring` file.
====

. In your `OpenStackControlPlane` CR, inject `ceph.conf` and `ceph.client.openstack.keyring` to the {OpenStackShort} services that are defined in the propagation list. For example:
+
----
$ oc patch openstackcontrolplane openstack --type=merge --patch '
spec:
  extraMounts:
    - name: v1
      region: r1
      extraVol:
        - propagation:
          - CinderVolume
          - CinderBackup
          - GlanceAPI
          - ManilaShare
          extraVolType: Ceph
          volumes:
          - name: ceph
            projected:
              sources:
              - secret:
                  name: ceph-conf-files
          mounts:
          - name: ceph
            mountPath: "/etc/ceph"
            readOnly: true
'
----