
Monitoring notes - check_mk

See also: Nagios, Centreon, Shinken

Note: if you have not yet chosen a monitoring solution, consider looking at Zabbix.

Installing check_mk on Debian

apt-get install xinetd check-mk-agent

Don't forget to change the line disable = yes:

/etc/xinetd.d/check_mk
service check_mk
{
        type           = UNLISTED
        port           = 6556
        socket_type    = stream
        protocol       = tcp
        wait           = no
        user           = root
        server         = /usr/bin/check_mk_agent

        # If you use fully redundant monitoring and poll the client
        # from more then one monitoring servers in parallel you might
        # want to use the agent cache wrapper:
        #server         = /usr/bin/check_mk_caching_agent

        # configure the IP address(es) of your Nagios server here:
        #only_from      = 127.0.0.1 10.0.20.1 10.0.20.2

        # Don't be too verbose. Don't log every check. This might be
        # commented out for debugging. If this option is commented out
        # the default options will be used for this service.
        log_on_success =

        #disable        = yes
        disable        = no
}
systemctl restart xinetd
lsof -i TCP:6556
nc 127.0.0.1 6556
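
The stanza above enables the agent while only_from is still commented out, so xinetd answers on port 6556 for any source address. A check for that condition, as an added example that is not part of the original notes (xinetd_audit and sample_stanza are assumed names; the sample stanza is constructed from the settings shown above):

```sh
#!/bin/sh
# Added example, not from the original notes: audit the check_mk xinetd stanza.

# Constructed sample: the effective settings of the stanza shown above.
sample_stanza() {
    cat <<'EOF'
service check_mk
{
        type           = UNLISTED
        port           = 6556
        user           = root
        server         = /usr/bin/check_mk_agent
        #only_from      = 127.0.0.1 10.0.20.1 10.0.20.2
        log_on_success =
        disable        = no
}
EOF
}

# usage: xinetd_audit FILE
# Prints one verdict line. Returns 0 when restricted or disabled,
# 1 when any host can reach the agent, 2 when no stanza is found.
xinetd_audit() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out settings do not count
        /^[ \t]*service[ \t]+check_mk[ \t]*$/ { in_svc = 1; found = 1; next }
        in_svc && /^[ \t]*\}/ { in_svc = 0; next }
        in_svc && /=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/[+-]$/, "", key)   # accept "+=" and "-="
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[key] = ((key in conf) && conf[key] != "") ? conf[key] " " val : val
        }
        END {
            if (!found) { print "UNKNOWN no check_mk service stanza"; exit 2 }
            if (conf["disable"] == "yes") { print "OK service disabled"; exit 0 }
            port = ("port" in conf) ? conf["port"] : "?"
            if (!("only_from" in conf)) {
                print "FINDING port " port ": only_from not set, any host can query the agent"
                exit 1
            }
            # xinetd.conf(5): only_from with no value makes the service available to nobody
            if (conf["only_from"] == "") {
                print "OK port " port ": empty only_from, no host allowed"; exit 0
            }
            n = split(conf["only_from"], src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] ~ /^0\.0\.0\.0(\/0)?$/) {   # 0.0.0.0 is a wildcard for every address
                    print "FINDING port " port ": only_from " src[i] " matches every address"
                    exit 1
                }
            print "OK port " port " limited to " conf["only_from"]
        }
    ' "$1"
}

# Typical use on a monitored host:
#   xinetd_audit /etc/xinetd.d/check_mk
```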
2025/03/24 15:06

Monitoring notes - Nagios plugin - centreon_plugins.pl

Configure those extra SNMP options in the host/host template configuration in the SNMPEXTRAOPTIONS macro.

snmpwalk   centreon-plugins
-a         --authprotocol
-A         --authpassphrase
-u         --snmp-username
-x         --privprotocol
-X         --privpassphrase
-l         not needed (automatic)
-e         --securityengineid
-E         --contextengineid

Run cpan once to configure it

cpan
 
# Close the session and reopen it so that .bashrc is sourced
exit
 
# Or
source ~/.bashrc
cpan common/sense.pm
cpan Types/Serialiser.pm
cpan JSON
 
# For the net-snmp-config command required by cpan SNMP
#sudo apt-get install libsnmp-dev
#sudo yum install net-snmp-devel
 
cpan SNMP

The plugin needs write access to its directory

mkdir -p /var/lib/centreon/centplugins
chown nagios: /var/lib/centreon/ /var/lib/centreon/centplugins/
chmod 1777 /var/lib/centreon/centplugins/
./centreon_plugins.pl --list-plugin
./centreon_plugins.pl --list-plugin | grep ^PLUGIN | grep -i snmp | grep -i linux 
 
./centreon_plugins.pl --plugin os::linux::snmp::plugin
./centreon_plugins.pl --plugin os::linux::snmp::plugin --help
./centreon_plugins.pl --plugin os::linux::snmp::plugin --list-mode
./centreon_plugins.pl --plugin os::linux::snmp::plugin --memory
./centreon_plugins.pl --plugin os::linux::snmp::plugin --mode memory
./centreon_plugins.pl --plugin os::linux::snmp::plugin --mode memory --hostname localhost
./centreon_plugins.pl --plugin os::linux::snmp::plugin --mode memory --hostname localhost --help
./centreon_plugins.pl --plugin os::linux::snmp::plugin --mode memory --hostname localhost --snmp-version='3' --authpassphrase P@ssw0rd --snmp-username nagios --authprotocol MD5
OK: Ram Total: 15.25 GB Used (-buffers/cache): 1.95 GB (12.81%) Free: 13.30 GB (87.19%), Buffer: 94.79 MB, Cached: 2.05 GB, Shared: 555.96 MB | 'used'=2097471488B;;;0;16376958976 'free'=14279487488B;;;0;16376958976 'used_prct'=12.81%;;;0;100 'buffer'=99397632B;;;0; 'cached'=2202296320B;;;0; 'shared'=582967296B;;;0;

Example with Fortigate

src/centreon_plugins.pl --plugin=network::fortinet::fortigate::snmp::plugin --mode=cluster-status --hostname=firewall --snmp-version='2c' --snmp-community='public'  --warning-status='%{role} !~ /master|slave/' --critical-status='%{sync_status} !~ /^synchronized/' --opt-exit warning --verbose --critical-total-nodes=2

Note: for some plugins it is important to write --hostname=localhost and not --hostname localhost; the same applies to the other arguments.

Example Nagios configuration

commands.cfg

define command{
        command_name    check_centreon_snmp_linux_disk_all
        command_line    $USER1$/centreon_plugins --plugin=os::linux::snmp::plugin --mode=storage --hostname=$HOSTADDRESS$ --snmp-version=3 --snmp-username "$USER6$" --authprotocol MD5 --authpassphrase "$USER7$" --filter-storage-type=hrStorageFixedDisk --add-access --critical-access=readOnly --warning-usage $ARG1$ --critical-usage $ARG2$ --name --regexp --storage='^((?!cdrom).)*$'
        }

Multi mode

./centreon_plugins.pl --plugin=os::linux::snmp::plugin --hostname=localhost --snmp-version=3 --snmp-username "nagios" --authprotocol MD5 --authpassphrase "P@ssw0rd" --mode multi --modes-exec 'uptime,memory,swap,cpu'

Bash wrapper

In our case the plugins are all in /usr/local/nagios/libexec/, but creating a symbolic link with ln -s /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon_plugins /usr/local/nagios/libexec/ does not work.

Hence this small wrapper.

centreon_plugins

#! /bin/bash
set -euo pipefail
 
SCRIPT_DIR=$(readlink -m "$(dirname "$0")")
cd "${SCRIPT_DIR}/centreon-plugins-develop/src/" || exit 2
 
export PERL5LIB="/usr/local/nagios/lib/perl5/site_perl/5.8.8:/usr/local/nagios/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi"
exec perl ./centreon_plugins.pl "$@"

The following dependencies are also required

yum install perl net-snmp-utils net-snmp-perl

Configuration for Centreon

Example:

$CENTREONPLUGINS$/centreon_plugins --plugin=network::fortinet::fortigate::snmp::plugin --hostname=$HOSTADDRESS$ --snmp-version='$_HOSTSNMPVERSION$' --snmp-community='$_HOSTSNMPCOMMUNITY$' --mode=cluster-status --warning-status='%{role} !~ /master|slave/' --critical-status='%{sync_status} !~ /^synchronized/' --opt-exit warning --critical-total-nodes=2 $_HOSTSNMPEXTRAOPTIONS$

Other similar Centreon plugins

$ rpm -qf /usr/lib/centreon/plugins/centreon_linux_snmp.pl
centreon-plugin-Operatingsystems-Linux-Snmp-20241107-152627.el8.noarch
/usr/lib/centreon/plugins/centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=memory --hostname=127.0.0.1 --snmp-version=3 --snmp-username=nagios --authprotocol=MD5 --authpassphrase='P@ssw0rd' --warning-usage=80 --critical-usage=90

Other

ILO

/usr/lib/centreon/plugins/centreon_hp_ilo_restapi.pl --plugin=hardware::server::hp::ilo::restapi::plugin --mode=hardware --hostname='192.168.1.101' --api-username='sup_ro' --api-password='P@ssw0rd12345678'  --component='.*' --verbose --insecure

Centreon plugins - old

http://sugarbug.web4me.fr/atelier/techniques/plugins/plugins_centreon/

yum install git
git clone https://github.com/centreon/centreon-plugins.git
cd centreon-plugins/
chmod +x centreon_plugins.pl
cp -R * /usr/lib/centreon/plugins/

Test centreon_plugins.pl

/usr/lib/centreon/plugins/centreon_plugins.pl --version
/usr/lib/centreon/plugins/centreon_plugins.pl --list-plugin
/usr/lib/centreon/plugins/centreon_plugins.pl --plugin=os::linux::snmp::plugin --list-mode
/usr/lib/centreon/plugins/centreon_plugins.pl --plugin=os::linux::snmp::plugin --mode=load --hostname=127.0.0.1 --snmp-version=2c --snmp-community=public --verbose
/usr/lib/nagios/plugins/centreon_plugins.pl --list-plugin
/usr/lib/nagios/plugins/centreon_plugins.pl --plugin=apps::pacemaker::local::plugin --help
/usr/lib/nagios/plugins/centreon_plugins.pl --plugin=apps::pacemaker::local::plugin --list-mode
/usr/lib/nagios/plugins/centreon_plugins.pl --plugin=apps::pacemaker::local::plugin --mode crm --help
/usr/lib/nagios/plugins/centreon_plugins.pl --plugin=apps::pacemaker::local::plugin --mode crm --remote --hostname 192.168.10.3

Dell OpenManage

wget http://folk.uio.no/trondham/software/check_openmanage-3.7.12/check_openmanage
cd /usr/lib/nagios/plugins/
chown centreon:centreon-engine /usr/lib/nagios/plugins/check_openmanage
chmod 755 /usr/lib/nagios/plugins/check_openmanage

Test

# /usr/lib/nagios/plugins/check_openmanage -H 10.245.108.2
OK - System: 'PowerEdge R430', SN: '58RJZG2', 32 GB ram (2 dimms), 1 logical drives, 2 physical drives

Configuration > Commands > Checks > check, Command line:

$USER1$/check_openmanage -H $HOSTADDRESS$ -p $_HOSTSNMPVERSION$ -C $_HOSTSNMPCOMMUNITY$ '$_HOSTOPENMANAGE_OPTIONS$'

Configuration > Services > Templates > Dell_OMSA

  • Max Check Attempts: 5
  • Normal Check Interval: 5
  • Retry Check Interval: 5
  • Check Period: 24×7
  • Check Command: check_openmanage
  • Relation / Linked to host templates / Selected "Servers-Dell-OMSA"

Configuration > Hosts > Templates > "Servers-Dell-OMSA"

  • Relation / Linked Service Templates / Selected "Dell_OMSA"

SNMP plugin

/usr/lib/centreon/plugins/centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=memory --hostname=$HOSTADDRESS$ --snmp-version=2c --snmp-community=public 
 
/usr/lib/centreon/plugins/centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=storage --hostname=$HOSTADDRESS$ --snmp-version='$_HOSTSNMPVERSION$' --snmp-community='$_HOSTSNMPCOMMUNITY$' $_HOSTSNMPEXTRAOPTIONS$ --storage='$_SERVICEFILTER$' --name --regexp --display-transform-src='$_SERVICETRANSFORMSRC$' --display-transform-dst='$_SERVICETRANSFORMDST$' --warning='$_SERVICEWARNING$' --critical='$_SERVICECRITICAL$' $_SERVICEEXTRAOPTIONS$ 
 
/usr/lib/centreon/plugins/centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=storage --hostname=172.19.0.1 --snmp-version=2c --snmp-community=public --verbose --storage='.*' --name --regexp --display-transform-src='' --display-transform-dst='' --warning=80 --critical=90 $_SERVICEEXTRAOPTIONS$ 
$ /usr/lib/nagios/plugins/check_centreon_snmp_remote_storage -H 10.245.108.2 -s
hrStorage 1 :: Physical memory
hrStorage 3 :: Virtual memory
hrStorage 6 :: Memory buffers
hrStorage 7 :: Cached memory
hrStorage 8 :: Shared memory
hrStorage 10 :: Swap space
hrStorage 33 :: /dev
hrStorage 36 :: /sys/fs/cgroup
hrStorage 49 :: /etc/resolv.conf
hrStorage 50 :: /etc/hostname
hrStorage 51 :: /etc/hosts
hrStorage 52 :: /dev/shm
hrStorage 53 :: /run/secrets
hrStorage 54 :: /usr/lib/modules/3.10.0-862.3.2.el7.x86_64

$ /usr/lib/nagios/plugins/check_centreon_snmp_remote_storage -H 10.245.108.2 -d 10
Disk OK - Swap space TOTAL: 20.000GB USED: 0.003GB (0%) FREE: 19.997GB (100%)|size=21474832384B used=3145728B;19327349145;20401090764;0;21474832384

Problems

The Centreon plugin for Stormshield only supports MD5|SHA

Source: https://docs.centreon.com/pp/integrations/plugin-packs/procedures/network-stormshield-snmp/

SNMP v3 only: Authentication protocol: MD5|SHA. Since net-snmp 5.9.1: SHA224|SHA256|SHA384|SHA512.

However, AlmaLinux release 8.10 (Cerulean Leopard) is not compatible with net-snmp 5.9.1. I tried tinkering and even compiling net-snmp, but it does not work. You must either use MD5/SHA1, move to AlmaLinux 9, or use the snmpwalk/snmpget command.

Err undefined symbol: Perl_Gthr_key_ptr
$ env PERL5LIB="/usr/local/nagios/lib/perl5/site_perl/5.8.8:/usr/local/nagios/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi" ./centreon_plugins.pl
/usr/bin/perl: symbol lookup error: /usr/local/nagios/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/auto/JSON/XS/XS.so: undefined symbol: Perl_Gthr_key_ptr

$ readelf -s /usr/local/nagios/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/auto/JSON/XS/XS.so | grep Perl_Gthr_key_ptr
    92: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND Perl_Gthr_key_ptr
   196: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND Perl_Gthr_key_ptr

$ ./centreon_plugins.pl
UNKNOWN: Need to specify '--plugin' option.

See Can't locate JSON/XS.pm in @INC

Err - Can't locate JSON/XS.pm in @INC
$ ./centreon_plugins --plugin=network::fortinet::fortigate::snmp::plugin --hostname=$HOSTADDRESS$ --snmp-version=3 --snmp-user14:09:26 [37/453$thprotocol MD5 --authpassphrase "$USER4$" --mode=cluster-status --warning-status='%{role} !~ /master|slave/' --critical-status='%{sync_status} !~ /^synchronized/' --opt-exit warning --critical-total-nodes=2
Can't locate JSON/XS.pm in @INC (@INC contains: /usr/local/nagios/libexec/centreon-plugins-develop/src /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/misc.pm line 26.
BEGIN failed--compilation aborted at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/misc.pm line 26.
Compilation failed in require at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/output.pm line 25.
BEGIN failed--compilation aborted at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/output.pm line 25.
Compilation failed in require at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/script.pm line 25.
BEGIN failed--compilation aborted at /usr/local/nagios/libexec/centreon-plugins-develop/src/centreon/plugins/script.pm line 25.
Compilation failed in require at ./centreon_plugins.pl line 29.
BEGIN failed--compilation aborted at ./centreon_plugins.pl line 29

Solution:

yum install perl net-snmp-utils net-snmp-perl

and set PERL5LIB correctly

Notes on sudo and sudoers

sudo does fork+exec instead of just exec

visudo
jean ALL=(test) NOPASSWD: ALL

Usage

sudo -u test -s /bin/bash
echo 'ls /root/' |sudo -H -S -n bash

Testing sudoers

sudo -l
sudo -U username -l
sudo -U username -ll

env_keep: check which environment variables sudo preserves:

sudo sudo -V

Restricting a sudo command to specific arguments

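# Regular-expression arguments (^...$) need sudo 1.9.10 or later; older versions only match shell globs
user  ALL=(root) NOPASSWD: /usr/bin/systemctl ^(stop|start|restart) (httpd|mysql)$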

Prohibiting command arguments with sudo

Follow the program name with the single argument "" in /etc/sudoers:

smith  ALL = (root) /usr/local/bin/mycommand ""

Sudoers example

Passwordless root access for a user

# export EDITOR=vim
visudo -f /etc/sudoers.d/admin
/etc/sudoers.d/admin
jean        ALL=(ALL)       NOPASSWD: ALL
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
Host_Alias LOCAL_SERVER=servername
Cmnd_Alias CHK_MSG=/usr/local/bin/check_msg.sh
Defaults:nagios !requiretty
nagios LOCAL_SERVER=(ALL) NOPASSWD: CHK_MSG
operator ALL=(root) sudoedit /home/*/*/test.txt
user1     ALL = NOPASSWD: /bin/ln -s /dev/ttyACM[1-9] /dev/ttyS[1-9]
user1     ALL = NOPASSWD: /usr/bin/unlink /dev/ttyS[1-9]

Creating groups

sudo visudo -f /etc/sudoers.d/networking
Cmnd_Alias     CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias     SERVERS = /usr/sbin/apache2ctl, /usr/bin/htpasswd
Cmnd_Alias     NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL
Ask for the root account's password instead of the user's
Defaults rootpw
Ask for the password x times
Defaults passwd_tries=4
Timeout
Defaults timestamp_timeout=x

Defaults:peter timestamp_timeout=5
Logs
Defaults logfile=/var/log/sudo.log
Mails
#Defaults    mail_always
Defaults    mail_badpass
Defaults    mailto="<email@example.com>"
PATH
/etc/sudoers
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Sudoers examples

sudoedit example
/etc/sudoers.d/sudoedit
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*log
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*.log.1
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*err
exploit    ALL=(root) NOPASSWD: sudoedit /var/log/*.gz
export EDITOR=vim
sudoedit /var/log/message.log
sudo -e /var/log/message.log
Alias
Cmnd_Alias ADMIN=/usr/bin/atop, /usr/bin/qps
jean ALL= NOPASSWD: ADMIN

See Sudo: You're Doing it Wrong

Defaults insults

# Users  Hosts = (Runas) Cmds
# %Group Hosts = (Runas) Cmds

%wheel ALL=(ALL) ALL

Defaults env_keep+="HOME SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"

mwlucas dns1=ALL
mwlucas,pkdick dns1,dns2 = \
	/sbin/service names,/sbin/service syslogd


mwlucas db1 = (oracle) ALL
mwlucas dns[1-4]=ALL
mwlucas ALL = /usr/local/sbin/*

mwlucas ALL=/opt/bin/program -[acQ]

# "" disallow arguments
mwlucas ALL=/opt/bin/program ""

Cmnd_Alias BACKUP = /sbin/dump,/sbin/restore,/usr/bin/mt
mwlucas ALL=BACKUP

User_Alias ADMIN_USERS = sysops,admin,sysadm

User_Alias TAPEMONKEYS_USERS = mwlucas, jeanmm
Host_Alias WWW = web1,web2,web3
TAPEMONKEYS_USERS WWW=BACKUP

Runas_Alias DB_RUNAS = oracle, pqsql, mysql
fred DB_HOSTS = (DB_RUNAS) ALL

DBA_USERS DB_HOSTS = (DB_RUNAS) ALL

mwlucas ALL = NOEXEC: ALL


Defaults!ALL NOEXEC
Cmnd_Alias MAYEXEC = /bin/newaliases, /sbin/fdisk
mwlucas ALL = ALL, EXEC: MAYEXEC

mwlucas ALL = sudoedit /etc/rc.conf
identifiant	ALL = (ALL) /chemin/complet/commande, NOPASSWD: /chemin/complet/autrecommande

All commands to the right of the NOPASSWD: keyword can be run without a password by the user or group named at the start of the rule. Those to its left still require password authentication.
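
The tag scope described above, as an added example that is not part of the original notes: it walks a command list left to right and prints which commands end up passwordless. It goes slightly beyond the rule shown by also handling PASSWD:, the opposite tag that ends the NOPASSWD: scope. cmnd_tags is an assumed name, and the input is the part of a rule after the = sign.

```sh
#!/bin/sh
# Added example, not from the original notes.
# usage: cmnd_tags 'CMND_SPEC_LIST'
# Prints one "PASSWD <command>" or "NOPASSWD <command>" line per command.
cmnd_tags() {
    printf '%s\n' "$1" | awk '
        {
            gsub(/\\,/, "\001")          # protect escaped commas inside arguments
            n = split($0, item, ",")
            state = "PASSWD"             # sudoers default: authenticate
            for (i = 1; i <= n; i++) {
                cmd = item[i]
                sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmd)    # drop a leading (runas) spec
                # Peel off leading tags; only the PASSWD/NOPASSWD pair is tracked here.
                while (match(cmd, /^[ \t]*[A-Z_]+:[ \t]*/)) {
                    tag = substr(cmd, RSTART, RLENGTH)
                    gsub(/[ \t:]/, "", tag)
                    if (tag == "NOPASSWD" || tag == "PASSWD") state = tag
                    cmd = substr(cmd, RSTART + RLENGTH)
                }
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                # Put the escaped commas back.
                while ((p = index(cmd, "\001")) > 0)
                    cmd = substr(cmd, 1, p - 1) "\\," substr(cmd, p + 1)
                if (cmd != "") print state, cmd
            }
        }'
}

# Example with the rule above:
#   cmnd_tags '(ALL) /chemin/complet/commande, NOPASSWD: /chemin/complet/autrecommande'
```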

User_Alias USER_T_PLOP_ALL=user1
USER_T_PLOP_ALL ALL=(jean) EXEC: NOPASSWD: ALL

#Runas_Alias=oracle, orainst, mysql, myinst
Checksum

Using openssl, to generate the checksum:

openssl dgst -sha224 /usr/local/sbin/mycommand
SHA224(/usr/local/sbin/mycommand)= 52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365 

Then in your sudoers file (on the same line):

 www-data ALL=(ALL) NOPASSWD: sha224:52246fd78f692554c9f6be9c8ea001c9131c3426c27c88dbbad08365 /usr/local/sbin/mycommand
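
A digest-pinned rule stops matching as soon as the binary changes, so the digest has to be regenerated and checked after every upgrade. An added example (not from the original notes) that builds the one-line rule and audits a sudoers fragment for drift. digest_rule and digest_audit are assumed names; it uses coreutils sha224sum, which yields the same digest as openssl dgst -sha224, and assumes one digest per rule line.

```sh
#!/bin/sh
# Added example, not from the original notes.

# usage: digest_rule USER CMD [ALGO]     (ALGO: sha224|sha256|sha384|sha512)
# Prints a single-line sudoers rule pinning CMD to its current digest.
digest_rule() {
    dr_algo=${3:-sha224}
    case $dr_algo in sha224|sha256|sha384|sha512) ;; *) return 2 ;; esac
    [ -f "$2" ] || return 2
    dr_sum=$("${dr_algo}sum" < "$2") || return 2
    printf '%s ALL=(ALL) NOPASSWD: %s:%s %s\n' "$1" "$dr_algo" "${dr_sum%% *}" "$2"
}

# usage: digest_audit SUDOERS_FRAGMENT
# Prints "OK <path>", "MISMATCH <path>" or "MISSING <path>" for each pinned
# command; returns 0 only when every pinned command still matches.
digest_audit() {
    da_rc=0
    # Pull "algo hex path" triples out of the non-comment lines.
    da_rules=$(sed -n -E '/^[[:space:]]*#/d; s/.*(sha(224|256|384|512)):([0-9A-Fa-f]+)[[:space:]]+(\/[^[:space:],]+).*/\1 \3 \4/p' "$1")
    while read -r da_algo da_want da_path; do
        [ -n "$da_algo" ] || continue
        if [ ! -f "$da_path" ]; then
            echo "MISSING $da_path"; da_rc=1; continue
        fi
        da_got=$("${da_algo}sum" < "$da_path")
        da_got=${da_got%% *}
        da_want=$(printf '%s' "$da_want" | tr 'A-F' 'a-f')
        if [ "$da_got" = "$da_want" ]; then
            echo "OK $da_path"
        else
            echo "MISMATCH $da_path"; da_rc=1
        fi
    done <<EOF
$da_rules
EOF
    return "$da_rc"
}

# Typical use:
#   digest_rule www-data /usr/local/sbin/mycommand
#   digest_audit /etc/sudoers.d/mycommand
```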

sudo example

Get shell

sudo -u jean -i
sudo -u jean -s
sudo -u jean -s /bin/bash
sudo su - jean

PAM

Source: https://www.tecmint.com/switch-user-account-without-password/

Allows members of the postgres group to impersonate the postgres user

/etc/pam.d/su
auth       [success=ignore default=1] pam_succeed_if.so user = postgres
auth       sufficient   pam_succeed_if.so use_uid user ingroup postgres

In the configuration above, the first line checks whether the target user is postgres. If it is, processing continues with the second line, which checks whether the current user is in the postgres group; otherwise default=1 skips the second line and the normal authentication steps are executed.

Equivalent to

%postgres ALL=NOPASSWD: /bin/su - postgres

Other

Ansible - become

See:

$ ansible-doc -t become ansible.builtin.sudo
...
become_flags
default: -H -S -n
...

gosu, setpriv, su-exec, setuser (Python)

In a container, it must be called with exec. Example:

exec gosu myAppUser /usr/local/bin/myApp --foo=bar

Examples:

gosu user-spec command [args]
gosu tianon bash
gosu nobody:root bash -c 'whoami && id'
gosu 1000:1 id
su-exec apache:1000 /usr/sbin/httpd -f /opt/www/httpd.conf
2025/03/24 15:06

Storage notes

  • SDS (Software-Defined Storage)
  • pNFS
  • NFSv4.1
  • Lustre
  • GlusterFS
  • Ceph
  • ZFS
  • DRBD
  • Tahoe LAFS
  • Btrfs
  • LVM

BTRFS
Red Hat will not be moving Btrfs to a fully supported feature. It was fully removed in Red Hat Enterprise Linux 8.
See Stratis

https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2010/EDS-3R+open-storage-scouting-v1.0.pdf

ZFS

zpool list <plop>

NAS

  • TrueNAS (FreeNAS)
  • OpenMediaVault
2025/03/24 15:06

Storage notes - CEPH

Prerequisites

Hardware: see https://docs.ceph.com/en/latest/start/hardware-recommendations/

Software: http://people.redhat.com/bhubbard/nature/nature-new/start/quick-start-preflight/

List:

  • Network (Ceph recommends using 2 network interfaces)
  • /etc/hosts
  • NTP
  • Ceph deploy user (with passwordless sudo privileges)
  • SSH passwordless
  • Sudo tty (if requiretty is set: Defaults:ceph !requiretty)
  • SELinux
Components
MDS (Meta Data Server)

Consumes CPU and RAM (1 Gi of memory per instance). Only useful if you plan to use CephFS.

Monitors

For small clusters, 1-2 GB is generally sufficient

OSD (Object Storage Daemon)

For memory, 512 Mi per instance is sufficient, except during recovery, where 1 Gi of memory per Ti of data per instance is recommended.

Installation

Ceph users must not be standard users, but service users that are themselves in charge of fine-grained permission management. Ceph recommends using 2 network interfaces.

echo "deb http://ftp.debian.org/debian buster-backports main" >> /etc/apt/sources.list.d/backports.list
 
apt-get update
apt-get install -t buster-backports ceph
zcat /usr/share/doc/ceph/sample.ceph.conf.gz > /etc/ceph/ceph.conf
# uuidgen
67274814-239f-4a05-8415-ed04df45876c

/etc/ceph/ceph.conf

[global]
### http://docs.ceph.com/docs/master/rados/configuration/general-config-ref/
 
    fsid                       = 67274814-239f-4a05-8415-ed04df45876c    # use `uuidgen` to generate your own UUID
    public network             = 192.168.56.0/24
    cluster network            = 192.168.56.0/24
 
    # Replication level, number of data copies.
    # Type: 32-bit Integer
    # (Default: 3)
	osd pool default size      = 2
 
    ## Replication level in degraded state, less than 'osd pool default size' value.
    # Sets the minimum number of written replicas for objects in the
    # pool in order to acknowledge a write operation to the client. If
    # minimum is not met, Ceph will not acknowledge the write to the
    # client. This setting ensures a minimum number of replicas when
    # operating in degraded mode.
    # Type: 32-bit Integer
    # (Default: 0), which means no particular minimum. If 0, minimum is size - (size / 2).
    ;osd pool default min size  = 2
    osd pool default min size  = 1	
 
[mon]
### http://docs.ceph.com/docs/master/rados/configuration/mon-config-ref/
### http://docs.ceph.com/docs/master/rados/configuration/mon-osd-interaction/
 
    # The IDs of initial monitors in a cluster during startup.
    # If specified, Ceph requires an odd number of monitors to form an
    # initial quorum (e.g., 3).
    # Type: String
    # (Default: None)
    mon initial members        = kub1,kub2,kub3
 
[mon.kub1]
    host                       = kub1
    mon addr                   = 192.168.56.21:6789
 
[mon.kub2]
    host                       = kub2
    mon addr                   = 192.168.56.22:6789
 
[mon.kub3]
    host                       = kub3
    mon addr                   = 192.168.56.23:6789
ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow'

/etc/ceph/ceph.client.admin.keyring

[client.admin]
        key = AQBGuWRfchSlDRAA3/bTmiPTLLN0w4JdVOxpDQ==
        caps mds = "allow"
        caps mon = "allow *"
        caps osd = "allow *"
ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/ceph.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'
systemctl enable ceph.target
systemctl start ceph.target
 
systemctl enable ceph-mon@$(hostname -s)
systemctl start  ceph-mon@$(hostname -s)
systemctl status ceph-mon@$(hostname -s).service
# ceph health detail
HEALTH_WARN 3 monitors have not enabled msgr2
MON_MSGR2_NOT_ENABLED 3 monitors have not enabled msgr2
    mon.kub1 is not bound to a msgr2 port, only v1:192.168.56.21:6789/0
    mon.kub2 is not bound to a msgr2 port, only v1:192.168.56.22:6789/0
    mon.kub3 is not bound to a msgr2 port, only v1:192.168.56.23:6789/0
# ceph mon enable-msgr2
# ceph health detail
HEALTH_OK
OSD

Voir : https://wiki.nix-pro.com/view/CEPH_deployment_guide

ceph-volume replaces ceph-disk

ceph-volume inventory
ceph-volume inventory /dev/sdb
ceph-volume lvm batch --bluestore /dev/sda /dev/sdb /dev/sdc
CEPH_VOLUME_DEBUG=1 ceph-volume inventory /dev/sdb
ceph-volume lvm zap /dev/sdb --destroy
ceph-osd -i 0 --mkfs --mkkey --osd-uuid 13b2da5a-033f-4d58-b106-2f0212df6438
chown -R ceph:ceph /var/lib/ceph
ceph auth list
ceph auth add osd.0 osd 'allow *' mon 'allow profile osd' -i /var/lib/ceph/osd/ceph-0/keyring

/var/lib/ceph/osd/ceph-0/keyring

[osd.0]
	key = AQBizGxGhJcwJxAAHhOGHXQuCUTktxNszj62aQ==
ceph --cluster ceph osd crush add-bucket kub1 host
ceph osd crush move kub1 root=default
chown -R ceph:ceph /var/lib/ceph
ceph --cluster ceph osd crush add osd.0 1.0 host=kub1
 
 
ceph-volume raw prepare --bluestore --data /dev/sdb1
 
systemctl start ceph-osd@1
CephFS
cd /etc/ceph
sudo mkcephfs -a -c /etc/ceph/ceph.conf -k ceph.keyring

Administration

Ceph health

ceph -s
ceph mon_status -f json-pretty
ceph -w
ceph df
ceph health detail
ceph -n client.admin --keyring=/etc/ceph/ceph.client.admin.keyring health
ceph pg dump
ceph pg X.Y query
ceph pg dump_stuck inactive
OSD
ceph osd tree
watch ceph osd pool stats
ceph osd map

Removing an OSD

ceph osd crush reweight osd.XX 0.
    # Set the OSD's weight to 0
ceph osd out XX 
    # Mark the OSD as unavailable to the cluster
    # 1st data movement, ~10 TB rebalanced
#stop ceph-osd id=XX
systemctl stop  ceph-osd@XX.service
    # Stop the OSD process on the server
ceph osd crush remove osd.XX 
    # Logical removal of the OSD from the cluster
    # 2nd data movement (unplanned), ~10 TB rebalanced
ceph auth del osd.{osd-num} 
    # Delete the OSD's authentication keys from the cluster
ceph osd rm {osd-num} 
    # Permanently remove the OSD from the cluster
 
#ceph-volume lvm zap /dev/sdb --destroy

Other

ceph mgr module ls
ceph mgr module enable plop

Client

mount -t ceph 128.114.86.4:6789:/ /mnt/pulpos -o name=admin,secretfile=/etc/ceph/admin.secret

/etc/fstab

128.114.86.4:6789,128.114.86.5:6789,128.114.86.2:6789:/  /mnt/pulpos  ceph  name=admin,secretfile=/etc/ceph/admin.secret,noatime,_netdev  0  2
ceph-fuse -m 128.114.86.4:6789 /mnt/pulpos
2025/03/24 15:06