About this guide
This guide focuses on how to ensure that your Ceph cluster is secure.
SUSE Enterprise Storage 7.1 is an extension to SUSE Linux Enterprise Server 15 SP3. It combines the capabilities of the Ceph (http://ceph.com/) storage project with the enterprise engineering and support of SUSE. SUSE Enterprise Storage 7.1 provides IT organizations with the ability to deploy a distributed storage architecture that can support a number of use cases using commodity hardware platforms.
1 Available documentation
- Online documentation
- Our documentation is available online at https://documentation.suse.com. Browse or download the documentation in various formats. Note (latest updates): The latest updates are usually available in the English-language version of this documentation.
- SUSE Knowledgebase
- If you run into an issue, check out the Technical Information Documents (TIDs) that are available online at https://www.suse.com/support/kb/. Search the SUSE Knowledgebase for known solutions driven by customer need. 
- Release notes
- For release notes, see https://www.suse.com/releasenotes/. 
- In your system
- For offline use, the release notes are also available under /usr/share/doc/release-notes on your system. The documentation for individual packages is available at /usr/share/doc/packages. Many commands are also described in their manual pages. To view them, run man, followed by a specific command name. If the man command is not installed on your system, install it with sudo zypper install man.
2 Improving the documentation
Your feedback and contributions to this documentation are welcome. The following channels for giving feedback are available:
- Service requests and support
- For services and support options available for your product, see https://www.suse.com/support/. To open a service request, you need a SUSE subscription registered at SUSE Customer Center. Go to https://scc.suse.com/support/requests, log in, and click .
- Bug reports
- Report issues with the documentation at https://bugzilla.suse.com/. To simplify this process, click the icon next to a headline in the HTML version of this document. This preselects the right product and category in Bugzilla and adds a link to the current section. You can start typing your bug report right away. A Bugzilla account is required.
- Contributions
- To contribute to this documentation, click the icon next to a headline in the HTML version of this document. This will take you to the source code on GitHub, where you can open a pull request. A GitHub account is required. Note (only available for English): The icons are only available for the English version of each document. For all other languages, use the icons instead. For more information about the documentation environment used for this documentation, see the repository's README.
- You can also report errors and send feedback concerning the documentation to <doc-team@suse.com>. Include the document title, the product version, and the publication date of the document. Additionally, include the relevant section number and title (or provide the URL) and provide a concise description of the problem. 
3 Documentation conventions
The following notices and typographic conventions are used in this document:
- /etc/passwd: Directory names and file names
- PLACEHOLDER: Replace PLACEHOLDER with the actual value 
- PATH: An environment variable
- ls, --help: Commands, options, and parameters
- user: The name of a user or group
- package_name: The name of a software package 
- Alt, Alt–F1: A key to press or a key combination. Keys are shown in uppercase as on a keyboard. 
- , › : menu items, buttons 
- AMD/Intel: This paragraph is only relevant for the AMD64/Intel 64 architectures. The arrows mark the beginning and the end of the text block.
- IBM Z, POWER: This paragraph is only relevant for the architectures IBM Z and POWER. The arrows mark the beginning and the end of the text block.
- Chapter 1, “Example chapter”: A cross-reference to another chapter in this guide. 
- Commands that must be run with root privileges. You can also prefix these commands with the sudo command to run them as a non-privileged user:
  # command
  > sudo command
- Commands that can be run by non-privileged users:
  > command
- Commands can be split into two or multiple lines by a backslash character (\) at the end of a line. The backslash informs the shell that the command invocation will continue after the end of the line:
  > echo a b \
  c d
- A code block that shows both the command (preceded by a prompt) and the respective output returned by the shell:
  > command
  output
- Notices
  - Warning: Warning notice. Vital information you must be aware of before proceeding. Warns you about security issues, potential loss of data, damage to hardware, or physical hazards.
  - Important: Important notice. Important information you should be aware of before proceeding.
  - Note: Note notice. Additional information, for example about differences in software versions.
  - Tip: Tip notice. Helpful information, like a guideline or a piece of practical advice.
- Compact Notices
  - Additional information, for example about differences in software versions.
  - Helpful information, like a guideline or a piece of practical advice.
4 Support
Find the support statement for SUSE Enterprise Storage and general information about technology previews below. For details about the product lifecycle, see https://www.suse.com/lifecycle.
If you are entitled to support, find details on how to collect information for a support ticket at https://documentation.suse.com/sles-15/html/SLES-all/cha-adm-support.html.
4.1 Support statement for SUSE Enterprise Storage
To receive support, you need an appropriate subscription with SUSE. To view the specific support offers available to you, go to https://www.suse.com/support/ and select your product.
The support levels are defined as follows:
- L1
- Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering and basic troubleshooting using available documentation. 
- L2
- Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate a problem area and provide a resolution for problems not resolved by Level 1 or prepare for Level 3. 
- L3
- Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support. 
For contracted customers and partners, SUSE Enterprise Storage is delivered with L3 support for all packages, except for the following:
- Technology previews. 
- Sound, graphics, fonts, and artwork. 
- Packages that require an additional customer contract. 
- Some packages shipped as part of the module Workstation Extension are L2-supported only. 
- Packages with names ending in -devel (containing header files and similar developer resources) will only be supported together with their main packages. 
SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.
4.2 Technology previews
Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback. If you test a technology preview, please contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.
Technology previews have the following limitations:
- Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or otherwise not suitable for production use. 
- Technology previews are not supported. 
- Technology previews may only be available for specific hardware architectures. 
- Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation. 
- SUSE may discover that a preview does not meet customer or market needs, or does not comply with enterprise standards. Technology previews can be removed from a product at any time. SUSE does not commit to providing a supported version of such technologies in the future. 
For an overview of technology previews shipped with your product, see the release notes at https://www.suse.com/releasenotes.
5 Ceph contributors
The Ceph project and its documentation are a result of the work of hundreds of contributors and organizations. See https://ceph.com/contributors/ for more details.
6 Commands and command prompts used in this guide
As a Ceph cluster administrator, you will be configuring and adjusting the cluster behavior by running specific commands. There are several types of commands you will need:
6.1 Salt-related commands
   These commands help you to deploy Ceph cluster nodes, run commands on
   several (or all) cluster nodes at the same time, or assist you when adding
   or removing cluster nodes. The most frequently used commands are
   ceph-salt and ceph-salt config. You
   need to run Salt commands on the Salt Master node as root. These
   commands are introduced with the following prompt:
  
root@master #
For example:
root@master # ceph-salt config ls
6.2 Ceph related commands
   These are lower-level commands to configure and fine tune all aspects of the
   cluster and its gateways on the command line, for example
   ceph, cephadm, rbd,
   or radosgw-admin.
  
   To run Ceph related commands, you need to have read access to a Ceph
   key. The key's capabilities then define your privileges within the Ceph
   environment. One option is to run Ceph commands as root (or via
   sudo) and use the unrestricted default keyring
   'ceph.client.admin.key'.
  
The safer and recommended option is to create a more restrictive individual key for each administrator user and put it in a directory where the users can read it, for example:
~/.ceph/ceph.client.USERNAME.keyring
    To use a custom admin user and keyring, you need to specify the user name
    and path to the key each time you run the ceph command
    using the -n client.USER_NAME
    and --keyring PATH/TO/KEYRING
    options.
   
    To avoid this, include these options in the CEPH_ARGS
    variable in the individual users' ~/.bashrc files.
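
The restricted-key setup described above, as an added example that is not part of the SUSE guide. The helper names (create_admin_key, keyring_is_private, ceph_args_line, install_ceph_args) are hypothetical, and the read-only capability set is an illustrative assumption rather than a recommended profile:

```shell
# Added example (not from the SUSE guide). Function names and the read-only
# capability set are assumptions; USERNAME follows the guide's placeholder.

# Run once by an existing admin: create a restricted key for one
# administrator and write it to a keyring only its owner can read.
create_admin_key() {
    user=$1; keyring=$2
    ( umask 077 && ceph auth get-or-create "client.$user" \
        mon 'allow r' osd 'allow r' mgr 'allow r' -o "$keyring" )
}

# Succeed only if the keyring is a regular file (not a symlink) whose mode
# grants nothing to group or other. ACLs are not inspected here.
keyring_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the line that makes a plain `ceph ...` call use the restricted
# identity instead of the default admin keyring.
ceph_args_line() {
    printf 'export CEPH_ARGS="-n client.%s --keyring %s"\n' "$1" "$2"
}

# Append the CEPH_ARGS line to an rc file exactly once, and refuse to do so
# when the keyring is missing or readable by anyone but its owner.
install_ceph_args() {
    user=$1; keyring=$2; rcfile=$3
    if ! keyring_is_private "$keyring"; then
        echo "refusing: $keyring missing or accessible by group/other" >&2
        return 1
    fi
    line=$(ceph_args_line "$user" "$keyring")
    grep -qxF -- "$line" "$rcfile" 2>/dev/null || printf '%s\n' "$line" >> "$rcfile"
}

# Typical use (USERNAME is the guide's placeholder):
#   create_admin_key USERNAME "$HOME/.ceph/ceph.client.USERNAME.keyring"
#   install_ceph_args USERNAME "$HOME/.ceph/ceph.client.USERNAME.keyring" "$HOME/.bashrc"
```

After a new login shell, ceph auth get client.USERNAME shows which capabilities the key actually carries.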
   
   Although you can run Ceph-related commands on any cluster node, we
   recommend running them on the Admin Node. This documentation uses the cephuser
   user to run the commands, therefore they are introduced with the following
   prompt:
  
cephuser@adm >
For example:
cephuser@adm > ceph auth list
If the documentation instructs you to run a command on a cluster node with a specific role, it will be addressed by the prompt. For example:
cephuser@mon >
6.2.1 Running ceph-volume
    Starting with SUSE Enterprise Storage 7, Ceph services are running containerized.
    If you need to run ceph-volume on an OSD node, you need
    to prepend it with the cephadm command, for example:
   
cephuser@adm > cephadm ceph-volume simple scan
6.3 General Linux commands
   Linux commands not related to Ceph, such as mount,
   cat, or openssl, are introduced either
   with the cephuser@adm >  or #  prompts, depending on which
   privileges the related command requires.
  
6.4 Additional information
   For more information on Ceph key management, refer to
   Book “Administration and Operations Guide”, Chapter 30 “Authentication with cephx”, Section 30.2 “Key management”.