About this guide #
This guide focuses on how to ensure that your Ceph cluster is secure.
SUSE Enterprise Storage 7 is an extension to SUSE Linux Enterprise Server 15 SP2. It combines the capabilities of the Ceph (http://ceph.com/) storage project with the enterprise engineering and support of SUSE. SUSE Enterprise Storage 7 provides IT organizations with the ability to deploy a distributed storage architecture that can support a number of use cases using commodity hardware platforms.
1 Available documentation #
Documentation for our products is available at https://documentation.suse.com, where you can also find the latest updates, and browse or download the documentation in various formats. The latest documentation updates can be found in the English language version.
  In addition, the product documentation is available in your installed system
  under /usr/share/doc/manual. It is included in an RPM
  package named
  ses-manual_LANG_CODE. Install
  it if it is not already on your system, for example:
 
# zypper install ses-manual_en
The following documentation is available for this product:
- Deployment Guide
- This guide focuses on deploying a basic Ceph cluster, and how to deploy additional services. It also covers the steps for upgrading to SUSE Enterprise Storage 7 from the previous product version. 
- Administration and Operations Guide
- This guide focuses on routine tasks that you as an administrator need to take care of after the basic Ceph cluster has been deployed (day 2 operations). It also describes all the supported ways to access data stored in a Ceph cluster. 
- Security Hardening Guide
- This guide focuses on how to ensure your cluster is secure. 
- Troubleshooting Guide
- This guide takes you through various common problems when running SUSE Enterprise Storage 7 and other issues related to relevant components such as Ceph or Object Gateway. 
- SUSE Enterprise Storage for Windows Guide
- This guide describes the integration, installation, and configuration of Microsoft Windows environments and SUSE Enterprise Storage using the Windows Driver. 
2 Giving feedback #
We welcome feedback on, and contributions to, this documentation. There are several channels for this:
- Service requests and support
- For services and support options available for your product, see http://www.suse.com/support/. To open a service request, you need a SUSE subscription registered at SUSE Customer Center. Go to https://scc.suse.com/support/requests, log in, and click . 
- Bug reports
- Report issues with the documentation at https://bugzilla.suse.com/. Reporting issues requires a Bugzilla account. To simplify this process, you can use the links next to headlines in the HTML version of this document. These preselect the right product and category in Bugzilla and add a link to the current section. You can start typing your bug report right away. 
- Contributions
- To contribute to this documentation, use the links next to headlines in the HTML version of this document. They take you to the source code on GitHub, where you can open a pull request. Contributing requires a GitHub account. For more information about the documentation environment used for this documentation, see the repository's README at https://github.com/SUSE/doc-ses. 
- You can also report errors and send feedback concerning the documentation to <doc-team@suse.com>. Include the document title, the product version, and the publication date of the document. Additionally, include the relevant section number and title (or provide the URL) and provide a concise description of the problem. 
3 Documentation conventions #
The following notices and typographic conventions are used in this document:
- /etc/passwd: Directory names and file names
- PLACEHOLDER: Replace PLACEHOLDER with the actual value 
- PATH: An environment variable
- ls, --help: Commands, options, and parameters
- user: The name of a user or group
- package_name: The name of a software package 
- Alt, Alt–F1: A key to press or a key combination. Keys are shown in uppercase as on a keyboard. 
- , › : menu items, buttons 
- AMD/Intel: This paragraph is only relevant for the AMD64/Intel 64 architectures. The arrows mark the beginning and the end of the text block.
- IBM Z, POWER: This paragraph is only relevant for the architectures IBM Z and POWER. The arrows mark the beginning and the end of the text block.
- Chapter 1, “Example chapter”: A cross-reference to another chapter in this guide. 
- Commands that must be run with root privileges. Often you can also prefix these commands with the sudo command to run them as a non-privileged user.
# command
> sudo command
- Commands that can be run by non-privileged users.
> command
- Notices
- Warning: Warning notice. Vital information you must be aware of before proceeding. Warns you about security issues, potential loss of data, damage to hardware, or physical hazards.
- Important: Important notice. Important information you should be aware of before proceeding.
- Note: Note notice. Additional information, for example about differences in software versions.
- Tip: Tip notice. Helpful information, like a guideline or a piece of practical advice.
- Compact Notices
- Additional information, for example about differences in software versions.
- Helpful information, like a guideline or a piece of practical advice.
4 Support #
Find the support statement for SUSE Enterprise Storage and general information about technology previews below. For details about the product lifecycle, see https://www.suse.com/lifecycle.
If you are entitled to support, find details on how to collect information for a support ticket at https://documentation.suse.com/sles-15/html/SLES-all/cha-adm-support.html.
4.1 Support statement for SUSE Enterprise Storage #
To receive support, you need an appropriate subscription with SUSE. To view the specific support offerings available to you, go to https://www.suse.com/support/ and select your product.
The support levels are defined as follows:
- L1
- Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering and basic troubleshooting using available documentation. 
- L2
- Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate problem area and provide a resolution for problems not resolved by Level 1 or prepare for Level 3. 
- L3
- Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support. 
For contracted customers and partners, SUSE Enterprise Storage is delivered with L3 support for all packages, except for the following:
- Technology previews. 
- Sound, graphics, fonts, and artwork. 
- Packages that require an additional customer contract. 
- Some packages shipped as part of the module Workstation Extension are L2-supported only. 
- Packages with names ending in -devel (containing header files and similar developer resources) will only be supported together with their main packages. 
SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.
4.2 Technology previews #
Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, please contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.
Technology previews have the following limitations:
- Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use. 
- Technology previews are not supported. 
- Technology previews may only be available for specific hardware architectures. 
- Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation. 
- SUSE may discover that a preview does not meet customer or market needs, or does not comply with enterprise standards. Technology previews can be removed from a product at any time. SUSE does not commit to providing a supported version of such technologies in the future. 
For an overview of technology previews shipped with your product, see the release notes at https://www.suse.com/releasenotes/x86_64/SUSE-Enterprise-Storage/7.
5 Ceph contributors #
The Ceph project and its documentation are the result of the work of hundreds of contributors and organizations. See https://ceph.com/contributors/ for more details.
6 Commands and command prompts used in this guide #
As a Ceph cluster administrator, you will be configuring and adjusting the cluster behavior by running specific commands. There are several types of commands you will need:
6.1 Salt-related commands #
   These commands help you to deploy Ceph cluster nodes, run commands on
   several (or all) cluster nodes at the same time, or assist you when adding
   or removing cluster nodes. The most frequently used commands are
   ceph-salt and ceph-salt config. You
   need to run Salt commands on the Salt Master node as root. These
   commands are introduced with the following prompt:
  
root@master # 
For example:
root@master # ceph-salt config ls
6.2 Ceph related commands #
   These are lower-level commands to configure and fine tune all aspects of the
   cluster and its gateways on the command line, for example
   ceph, cephadm, rbd,
   or radosgw-admin.
  
   To run Ceph related commands, you need to have read access to a Ceph
   key. The key's capabilities then define your privileges within the Ceph
   environment. One option is to run Ceph commands as root (or via
   sudo) and use the unrestricted default keyring
   'ceph.client.admin.key'.
  
The safer and recommended option is to create a more restrictive individual key for each administrator user and put it in a directory where the users can read it, for example:
~/.ceph/ceph.client.USERNAME.keyring
    To use a custom admin user and keyring, you need to specify the user name
    and path to the key each time you run the ceph command
    using the -n client.USER_NAME
    and --keyring PATH/TO/KEYRING
    options.
   
    To avoid this, include these options in the CEPH_ARGS
    variable in the individual users' ~/.bashrc files.
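
The per-administrator keyring setup described above, as an added example that is not part of the SUSE documentation. The function names, the user name passed in, and the read-only capability set are assumptions chosen for illustration; only `ceph auth get-or-create`, `-n`, `--keyring`, and `CEPH_ARGS` are real Ceph interfaces.

```shell
# Added example. Function names and the capability set are assumptions.

# Succeed only if the keyring is a regular file (not a symlink) owned by
# the caller, with no access for group or others.
keyring_is_private() {
    local path="$1" mode owner
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%u' "$path") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the line to append to ~/.bashrc; refuse unsafe input.
ceph_args_line() {
    local user="$1" keyring="$2"
    case "$user" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    # Keep the path to plain characters so it survives being embedded
    # in CEPH_ARGS unchanged.
    case "$keyring" in
        ''|*[!A-Za-z0-9_./-]*) echo "unsupported character in path" >&2; return 2 ;;
    esac
    keyring_is_private "$keyring" || {
        echo "$keyring must be owned by you with mode 600 or 400" >&2
        return 3
    }
    printf "export CEPH_ARGS='-n client.%s --keyring %s'\n" "$user" "$keyring"
}

# Needs a live cluster and read access to an existing admin key.
# The caps shown (read-only on mon and mgr) are an assumed example;
# grant only what the administrator actually needs.
create_restricted_key() {
    local user="$1" keyring="$2"
    (
        umask 077    # new directory and keyring are private from creation
        mkdir -p "$(dirname "$keyring")"
        ceph auth get-or-create "client.$user" mon 'allow r' mgr 'allow r' -o "$keyring"
    )
}
```

After `create_restricted_key` has written the keyring and the file belongs to the administrator, append the output of `ceph_args_line USERNAME ~/.ceph/ceph.client.USERNAME.keyring` (with the path expanded) to that user's ~/.bashrc.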
   
   Although you can run Ceph-related commands on any cluster node, we
   recommend running them on the Admin Node. This documentation uses the cephuser
   user to run the commands, therefore they are introduced with the following
   prompt:
  
cephuser@adm > 
For example:
cephuser@adm > ceph auth list
If the documentation instructs you to run a command on a cluster node with a specific role, it will be addressed by the prompt. For example:
cephuser@mon > 
6.2.1 Running ceph-volume #
    Starting with SUSE Enterprise Storage 7, Ceph services are running containerized.
    If you need to run ceph-volume on an OSD node, you need
    to prepend it with the cephadm command, for example:
   
cephuser@adm > cephadm ceph-volume simple scan
6.3 General Linux commands #
   Linux commands not related to Ceph, such as mount,
   cat, or openssl, are introduced either
   with the cephuser@adm >  or #  prompts, depending on which
   privileges the related command requires.
  
6.4 Additional information #
   For more information on Ceph key management, refer to
   Book “Administration and Operations Guide”, Chapter 30 “Authentication with cephx”, Section 30.2 “Key management”.