1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
|
.. _mgr-dashboard:
Ceph Dashboard
==============
Overview
--------
The Ceph Dashboard is a built-in web-based Ceph management and monitoring
application through which you can inspect and administer various aspects
and resources within the cluster. It is implemented as a :ref:`ceph-manager-daemon` module.
The original Ceph Dashboard that was shipped with Ceph Luminous started
out as a simple read-only view into run-time information and performance
data of Ceph clusters. It used a very simple architecture to achieve the
original goal. However, there was growing demand for richer web-based
management capabilities, to make it easier to administer Ceph for users that
prefer a WebUI over the CLI.
The new :term:`Ceph Dashboard` module adds web-based monitoring and
administration to the Ceph Manager. The architecture and functionality of this new
module are derived from
and inspired by the `openATTIC Ceph management and monitoring tool
<https://openattic.org/>`_. Development is actively driven by the
openATTIC team at `SUSE <https://www.suse.com/>`_, with support from
companies including `Red Hat <https://redhat.com/>`_ and members of the Ceph
community.
The dashboard module's backend code uses the CherryPy framework and implements
a custom REST API. The WebUI implementation is based on
Angular/TypeScript and includes both functionality from the original dashboard
and new features originally developed for the standalone version
of openATTIC. The Ceph Dashboard module is implemented as an
application that provides a graphical representation of information and statistics
through a web server hosted by ``ceph-mgr``.
Feature Overview
^^^^^^^^^^^^^^^^
The dashboard provides the following features:
* **Multi-User and Role Management**: The dashboard supports multiple user
accounts with different permissions (roles). User accounts and roles
can be managed via both the command line and the WebUI. The dashboard
supports various methods to enhance password security. Password
complexity rules may be configured, requiring users to change their password
after the first login or after a configurable time period. See
:ref:`dashboard-user-role-management` for details.
* **Single Sign-On (SSO)**: The dashboard supports authentication
via an external identity provider using the SAML 2.0 protocol. See
:ref:`dashboard-sso-support` for details.
* **SSL/TLS support**: All HTTP communication between the web browser and the
dashboard is secured via SSL. A self-signed certificate can be created with
a built-in command, but it's also possible to import custom certificates
signed and issued by a CA. See :ref:`dashboard-ssl-tls-support` for details.
* **Auditing**: The dashboard backend can be configured to log all ``PUT``, ``POST``
and ``DELETE`` API requests in the Ceph audit log. See :ref:`dashboard-auditing`
for instructions on how to enable this feature.
* **Internationalization (I18N)**: The language used for dashboard text can be
selected at run-time.
The Ceph Dashboard offers the following monitoring and management capabilities:
* **Overall cluster health**: Display performance and capacity metrics as well
as cluster status.
* **Embedded Grafana Dashboards**: Ceph Dashboard
`Grafana`_ dashboards may be embedded in external applications and web pages
to surface information and performance metrics gathered by
the :ref:`mgr-prometheus` module. See
:ref:`dashboard-grafana` for details on how to configure this functionality.
* **Cluster logs**: Display the latest updates to the cluster's event and
audit log files. Log entries can be filtered by priority, date or keyword.
* **Hosts**: Display a list of all cluster hosts along with their
storage drives, which services are running, and which version of Ceph is
installed.
* **Performance counters**: Display detailed service-specific statistics for
each running service.
* **Monitors**: List all Mons, their quorum status, and open sessions.
* **Monitoring**: Enable creation, re-creation, editing, and expiration of
Prometheus' silences, list the alerting configuration and all
configured and firing alerts. Show notifications for firing alerts.
* **Configuration Editor**: Display all available configuration options,
their descriptions, types, default and currently set values. These may be edited as well.
* **Pools**: List Ceph pools and their details (e.g. applications,
pg-autoscaling, placement groups, replication size, EC profile, CRUSH
rules, quotas etc.)
* **OSDs**: List OSDs, their status and usage statistics as well as
detailed information like attributes (OSD map), metadata, performance
counters and usage histograms for read/write operations. Mark OSDs
up/down/out, purge and reweight OSDs, perform scrub operations, modify
various scrub-related configuration options, select profiles to
adjust the level of backfilling activity. List all drives associated with an
OSD. Set and change the device class of an OSD, display and sort OSDs by
device class. Deploy OSDs on new drives and hosts.
* **Device management**: List all hosts known by the orchestrator. List all
drives attached to a host and their properties. Display drive
health predictions and SMART data. Blink enclosure LEDs.
* **iSCSI**: List all hosts that run the TCMU runner service, display all
images and their performance characteristics (read/write ops, traffic).
Create, modify, and delete iSCSI targets (via ``ceph-iscsi``). Display the
iSCSI gateway status and info about active initiators.
See :ref:`dashboard-iscsi-management` for instructions on how to configure
this feature.
* **RBD**: List all RBD images and their properties (size, objects, features).
Create, copy, modify and delete RBD images (incl. snapshots) and manage RBD
namespaces. Define various I/O or bandwidth limitation settings on a global,
per-pool or per-image level. Create, delete and rollback snapshots of selected
images, protect/unprotect these snapshots against modification. Copy or clone
snapshots, flatten cloned images.
* **RBD mirroring**: Enable and configure RBD mirroring to a remote Ceph server.
List active daemons and their status, pools and RBD images including
sync progress.
* **CephFS**: List active file system clients and associated pools,
including usage statistics. Evict active CephFS clients. Manage CephFS
quotas and snapshots. Browse a CephFS directory structure.
* **Object Gateway**: List all active object gateways and their performance
counters. Display and manage (add/edit/delete) object gateway users and their
details (e.g. quotas) as well as the users' buckets and their details (e.g.
placement targets, owner, quotas, versioning, multi-factor authentication).
See :ref:`dashboard-enabling-object-gateway` for configuration instructions.
* **NFS**: Manage NFS exports of CephFS file systems and RGW S3 buckets via NFS
Ganesha. See :ref:`dashboard-nfs-ganesha-management` for details on how to
enable this functionality.
* **Ceph Manager Modules**: Enable and disable Ceph Manager modules, manage
module-specific configuration settings.
Overview of the Dashboard Landing Page
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The landing page of Ceph Dashboard serves as the home page and features metrics
such as the overall cluster status, performance, and capacity. It provides real-time
updates on any changes in the cluster and allows quick access to other sections of the dashboard.
.. image:: dashboard-landing-page.png
.. note::
You can change the landing page to the previous version from:
``Cluster >> Manager Modules >> Dashboard >> Edit``.
Editing the ``FEATURE_TOGGLE_DASHBOARD`` option will change the landing page, from one view to another.
Note that the previous version of the landing page will be disabled in future releases.
.. _dashboard-landing-page-details:
Details
"""""""
Provides an overview of the cluster configuration, displaying various critical aspects of the cluster.
.. image:: details-card.png
.. _dashboard-landing-page-status:
Status
""""""
Provides a visual indication of cluster health, and displays cluster alerts grouped by severity.
.. image:: status-card-open.png
.. _dashboard-landing-page-capacity:
Capacity
""""""""
* **Used**: Displays the used capacity out of the total physical capacity provided by storage nodes (OSDs)
* **Warning**: Displays the `nearfull` threshold of the OSDs
* **Danger**: Displays the `full` threshold of the OSDs
.. image:: capacity-card.png
.. _dashboard-landing-page-inventory:
Inventory
"""""""""
An inventory for all assets within the cluster.
Provides direct access to subpages of the dashboard from each item of this card.
.. image:: inventory-card.png
.. _dashboard-landing-page-performance:
Cluster Utilization
"""""""""""""""""""
* **Used Capacity**: Total capacity used of the cluster. The maximum value of the chart is the maximum capacity of the cluster.
* **IOPS (Input/Output Operations Per Second)**: Number of read and write operations.
* **Latency**: Amount of time that it takes to process a read or a write request.
* **Client Throughput**: Amount of data that clients read or write to the cluster.
* **Recovery Throughput**: Amount of recovery data that clients read or write to the cluster.
.. image:: cluster-utilization-card.png
Supported Browsers
^^^^^^^^^^^^^^^^^^
Ceph Dashboard is primarily tested and developed using the following web
browsers:
+---------------------------------------------------------------+---------------------------------------+
| Browser | Versions |
+===============================================================+=======================================+
| `Chrome <https://www.google.com/chrome/>`_ and | latest 2 major versions |
| `Chromium <https://www.chromium.org/>`_ based browsers | |
+---------------------------------------------------------------+---------------------------------------+
| `Firefox <https://www.mozilla.org/firefox/>`_ | latest 2 major versions |
+---------------------------------------------------------------+---------------------------------------+
| `Firefox ESR <https://www.mozilla.org/firefox/enterprise/>`_ | latest major version |
+---------------------------------------------------------------+---------------------------------------+
While Ceph Dashboard might work in older browsers, we cannot guarantee compatibility and
recommend keeping your browser up to date.
Enabling
--------
If you have installed ``ceph-mgr-dashboard`` from distribution packages, the
package management system should take care of installing all required
dependencies.
If you're building Ceph from source and want to start the dashboard from your
development environment, please see the files ``README.rst`` and ``HACKING.rst``
in the source directory ``src/pybind/mgr/dashboard``.
Within a running Ceph cluster, the Ceph Dashboard is enabled with:
.. prompt:: bash $
ceph mgr module enable dashboard
Configuration
-------------
.. _dashboard-ssl-tls-support:
SSL/TLS Support
^^^^^^^^^^^^^^^
All HTTP connections to the dashboard are secured with SSL/TLS by default.
To get the dashboard up and running quickly, you can generate and install a
self-signed certificate:
.. prompt:: bash $
ceph dashboard create-self-signed-cert
Note that most web browsers will complain about self-signed certificates
and require explicit confirmation before establishing a secure connection to the
dashboard.
To properly secure a deployment and to remove the warning, a
certificate that is issued by a certificate authority (CA) should be used.
For example, a key pair can be generated with a command similar to:
.. prompt:: bash $
openssl req -new -nodes -x509 \
-subj "/O=IT/CN=ceph-mgr-dashboard" -days 3650 \
-keyout dashboard.key -out dashboard.crt -extensions v3_ca
The ``dashboard.crt`` file should then be signed by a CA. Once that is done, you
can enable it for Ceph manager instances by running the following commands:
.. prompt:: bash $
ceph dashboard set-ssl-certificate -i dashboard.crt
ceph dashboard set-ssl-certificate-key -i dashboard.key
If unique certificates are desired for each manager instance,
the name of the instance can be included as follows (where ``$name`` is the name
of the ``ceph-mgr`` instance, usually the hostname):
.. prompt:: bash $
ceph dashboard set-ssl-certificate $name -i dashboard.crt
ceph dashboard set-ssl-certificate-key $name -i dashboard.key
SSL can also be disabled by setting this configuration value:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/ssl false
This might be useful if the dashboard will be running behind a proxy which does
not support SSL for its upstream servers or other situations where SSL is not
wanted or required. See :ref:`dashboard-proxy-configuration` for more details.
.. warning::
Use caution when disabling SSL as usernames and passwords will be sent to the
dashboard unencrypted.
.. note::
You must restart Ceph manager processes after changing the SSL
certificate and key. This can be accomplished by either running ``ceph mgr
fail mgr`` or by disabling and re-enabling the dashboard module (which also
triggers the manager to respawn itself):
.. prompt:: bash $
ceph mgr module disable dashboard
ceph mgr module enable dashboard
.. _dashboard-host-name-and-port:
Host Name and Port
^^^^^^^^^^^^^^^^^^
Like most web applications, the dashboard binds to a TCP/IP address and TCP port.
By default, the ``ceph-mgr`` daemon hosting the dashboard (i.e., the currently
active manager) will bind to TCP port 8443 or 8080 when SSL is disabled.
If no specific address has been configured, the web app will bind to ``::``,
which corresponds to all available IPv4 and IPv6 addresses.
These defaults can be changed via the configuration key facility on a
cluster-wide level (so they apply to all manager instances) as follows:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/server_addr $IP
ceph config set mgr mgr/dashboard/server_port $PORT
ceph config set mgr mgr/dashboard/ssl_server_port $PORT
Since each ``ceph-mgr`` hosts its own instance of the dashboard, it may be
necessary to configure them separately. The IP address and port for a specific
manager instance can be changed with the following commands:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/$name/server_addr $IP
ceph config set mgr mgr/dashboard/$name/server_port $PORT
ceph config set mgr mgr/dashboard/$name/ssl_server_port $PORT
Replace ``$name`` with the ID of the ceph-mgr instance hosting the dashboard.
.. note::
The command ``ceph mgr services`` will show you all endpoints that are
currently configured. Look for the ``dashboard`` key to obtain the URL for
accessing the dashboard.
Username and Password
^^^^^^^^^^^^^^^^^^^^^
In order to be able to log in, you need to create a user account and associate
it with at least one role. We provide a set of predefined *system roles* that
you can use. For more details please refer to the `User and Role Management`_
section.
To create a user with the administrator role you can use the following
commands:
.. prompt:: bash $
ceph dashboard ac-user-create <username> -i <file-containing-password> administrator
Account Lock-out
^^^^^^^^^^^^^^^^
It disables a user account if a user repeatedly enters the wrong credentials
for multiple times. It is enabled by default to prevent brute-force or dictionary
attacks. The user can get or set the default number of lock-out attempts using
these commands respectively:
.. prompt:: bash $
ceph dashboard get-account-lockout-attempts
ceph dashboard set-account-lockout-attempts <value:int>
.. warning::
This feature can be disabled by setting the default number of lock-out attempts to 0.
However, by disabling this feature, the account is more vulnerable to brute-force or
dictionary based attacks. This can be disabled by:
.. prompt:: bash $
ceph dashboard set-account-lockout-attempts 0
Enable a Locked User
^^^^^^^^^^^^^^^^^^^^
If a user account is disabled as a result of multiple invalid login attempts, then
it needs to be manually enabled by the administrator. This can be done by the following
command:
.. prompt:: bash $
ceph dashboard ac-user-enable <username>
Accessing the Dashboard
^^^^^^^^^^^^^^^^^^^^^^^
You can now access the dashboard using your (JavaScript-enabled) web browser, by
pointing it to any of the host names or IP addresses and the selected TCP port
where a manager instance is running: e.g., ``http(s)://<$IP>:<$PORT>/``.
The dashboard page displays and requests a previously defined username and
password.
.. _dashboard-enabling-object-gateway:
Enabling the Object Gateway Management Frontend
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When RGW is deployed with cephadm, the RGW credentials used by the
dashboard will be automatically configured. You can also manually force the
credentials to be set up with:
.. prompt:: bash $
ceph dashboard set-rgw-credentials
This will create an RGW user with uid ``dashboard`` for each realm in
the system.
If you've configured a custom 'admin' resource in your RGW admin API, you should set it here also:
.. prompt:: bash $
ceph dashboard set-rgw-api-admin-resource <admin_resource>
If you are using a self-signed certificate in your Object Gateway setup,
you should disable certificate verification in the dashboard to avoid refused
connections, e.g. caused by certificates signed by unknown CA or not matching
the host name:
.. prompt:: bash $
ceph dashboard set-rgw-api-ssl-verify False
If the Object Gateway takes too long to process requests and the dashboard runs
into timeouts, you can set the timeout value to your needs:
.. prompt:: bash $
ceph dashboard set-rest-requests-timeout <seconds>
The default value is 45 seconds.
.. _dashboard-iscsi-management:
Enabling iSCSI Management
^^^^^^^^^^^^^^^^^^^^^^^^^
The Ceph Dashboard can manage iSCSI targets using the REST API provided by the
``rbd-target-api`` service of the :ref:`ceph-iscsi`. Please make sure that it is
installed and enabled on the iSCSI gateways.
.. note::
The iSCSI management functionality of Ceph Dashboard depends on the latest
version 3 of the `ceph-iscsi <https://github.com/ceph/ceph-iscsi>`_ project.
Make sure that your operating system provides the correct version, otherwise
the dashboard will not enable the management features.
If the ``ceph-iscsi`` REST API is configured in HTTPS mode and its using a self-signed
certificate, you need to configure the dashboard to avoid SSL certificate
verification when accessing ceph-iscsi API.
To disable API SSL verification run the following command:
.. prompt:: bash $
ceph dashboard set-iscsi-api-ssl-verification false
The available iSCSI gateways must be defined using the following commands:
.. prompt:: bash $
ceph dashboard iscsi-gateway-list
# Gateway URL format for a new gateway: <scheme>://<username>:<password>@<host>[:port]
ceph dashboard iscsi-gateway-add -i <file-containing-gateway-url> [<gateway_name>]
ceph dashboard iscsi-gateway-rm <gateway_name>
.. _dashboard-grafana:
Enabling the Embedding of Grafana Dashboards
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
`Grafana`_ pulls data from `Prometheus <https://prometheus.io/>`_. Although
Grafana can use other data sources, the Grafana dashboards we provide contain
queries that are specific to Prometheus. Our Grafana dashboards therefore
require Prometheus as the data source. The Ceph :ref:`mgr-prometheus`
module exports its data in the Prometheus exposition format. These Grafana
dashboards rely on metric names from the Prometheus module and `Node exporter
<https://prometheus.io/docs/guides/node-exporter/>`_. The Node exporter is a
separate application that provides machine metrics.
.. note::
Prometheus' security model presumes that untrusted users have access to the
Prometheus HTTP endpoint and logs. Untrusted users have access to all the
(meta)data Prometheus collects that is contained in the database, plus a
variety of operational and debugging information.
However, Prometheus' HTTP API is limited to read-only operations.
Configurations can *not* be changed using the API and secrets are not
exposed. Moreover, Prometheus has some built-in measures to mitigate the
impact of denial of service attacks.
Please see `Prometheus' Security model
<https://prometheus.io/docs/operating/security/>` for more detailed
information.
Installation and Configuration using cephadm
""""""""""""""""""""""""""""""""""""""""""""
Grafana and Prometheus can be installed using :ref:`cephadm`. They will
automatically be configured by ``cephadm``. Please see
:ref:`mgr-cephadm-monitoring` documentation for more details on how to use
``cephadm`` for installing and configuring Prometheus and Grafana.
Manual Installation and Configuration
"""""""""""""""""""""""""""""""""""""
The following process describes how to configure Grafana and Prometheus
manually. After you have installed Prometheus, Grafana, and the Node exporter
on appropriate hosts, proceed with the following steps.
#. Enable the Ceph Exporter which comes as Ceph Manager module by running:
.. prompt:: bash $
ceph mgr module enable prometheus
More details can be found in the documentation of the :ref:`mgr-prometheus`.
#. Add the corresponding scrape configuration to Prometheus. This may look
like::
global:
scrape_interval: 5s
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'ceph'
static_configs:
- targets: ['localhost:9283']
- job_name: 'node-exporter'
static_configs:
- targets: ['localhost:9100']
.. note::
Please note that in the above example, Prometheus is configured
to scrape data from itself (port 9090), the Ceph manager module
`prometheus` (port 9283), which exports Ceph internal data, and the Node
Exporter (port 9100), which provides OS and hardware metrics for each host.
Depending on your configuration, you may need to change the hostname in
or add additional configuration entries for the Node
Exporter. It is unlikely that you will need to change the default TCP ports.
Moreover, you don't *need* to have more than one target for Ceph specific
data, provided by the `prometheus` mgr module. But it is recommended to
configure Prometheus to scrape Ceph specific data from all existing Ceph
managers. This enables a built-in high availability mechanism, so that
services run on a manager host will be restarted automatically on a different
manager host if one Ceph Manager goes down.
#. Add Prometheus as data source to Grafana `using the Grafana Web UI <https://grafana.com/docs/grafana/latest/features/datasources/add-a-data-source/>`_.
.. IMPORTANT::
The data source must be named "Dashboard1".
#. Install the `vonage-status-panel and grafana-piechart-panel` plugins using:
.. prompt:: bash $
grafana-cli plugins install vonage-status-panel
grafana-cli plugins install grafana-piechart-panel
#. Add Dashboards to Grafana:
Dashboards can be added to Grafana by importing dashboard JSON files.
Use the following command to download the JSON files:
.. prompt:: bash $
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/<Dashboard-name>.json
You can find various dashboard JSON files `here <https://github.com/ceph/ceph/tree/
main/monitoring/ceph-mixin/dashboards_out>`_.
For Example, for ceph-cluster overview you can use:
.. prompt:: bash $
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/ceph-cluster.json
You may also author your own dashboards.
#. Configure anonymous mode in ``/etc/grafana/grafana.ini``::
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer
In newer versions of Grafana (starting with 6.2.0-beta1) a new setting named
``allow_embedding`` has been introduced. This setting must be explicitly
set to ``true`` for the Grafana integration in Ceph Dashboard to work, as the
default is ``false``.
::
[security]
allow_embedding = true
Enabling RBD-Image monitoring
"""""""""""""""""""""""""""""
Monitoring of RBD images is disabled by default, as it can significantly impact
performance. For more information please see :ref:`prometheus-rbd-io-statistics`.
When disabled, the overview and details dashboards will be empty in Grafana and
metrics will not be visible in Prometheus.
Configuring Dashboard
"""""""""""""""""""""
After you have set up Grafana and Prometheus, you will need to configure the
connection information that the Ceph Dashboard will use to access Grafana.
You need to tell the dashboard on which URL the Grafana instance is
running/deployed:
.. prompt:: bash $
ceph dashboard set-grafana-api-url <grafana-server-url> # default: ''
The format of url is : `<protocol>:<IP-address>:<port>`
.. note::
The Ceph Dashboard embeds Grafana dashboards via ``iframe`` HTML elements.
If Grafana is configured without SSL/TLS support, most browsers will block the
embedding of insecure content if SSL support is
enabled for the dashboard (which is the default). If you
can't see the embedded Grafana dashboards after enabling them as outlined
above, check your browser's documentation on how to unblock mixed content.
Alternatively, consider enabling SSL/TLS support in Grafana.
If you are using a self-signed certificate for Grafana,
disable certificate verification in the dashboard to avoid refused connections,
which can be a result of certificates signed by an unknown CA or that do not
match the host name:
.. prompt:: bash $
ceph dashboard set-grafana-api-ssl-verify False
You can also access Grafana directly to monitor your cluster.
.. note::
Ceph Dashboard configuration information can also be unset. For example, to
clear the Grafana API URL we configured above:
.. prompt:: bash $
ceph dashboard reset-grafana-api-url
Alternative URL for Browsers
""""""""""""""""""""""""""""
The Ceph Dashboard backend requires the Grafana URL to be able to verify the
existence of Grafana Dashboards before the frontend even loads them. Due to the
nature of how Grafana is implemented in Ceph Dashboard, this means that two
working connections are required in order to be able to see Grafana graphs in
Ceph Dashboard:
- The backend (Ceph Mgr module) needs to verify the existence of the requested
graph. If this request succeeds, it lets the frontend know that it can safely
access Grafana.
- The frontend then requests the Grafana graphs directly from the user's
browser using an iframe. The Grafana instance is accessed directly without any
detour through Ceph Dashboard.
Now, it might be the case that your environment makes it difficult for the
user's browser to directly access the URL configured in Ceph Dashboard. To solve
this issue, a separate URL can be configured which will solely be used to tell
the frontend (the user's browser) which URL it should use to access Grafana.
This setting won't ever be changed automatically, unlike the GRAFANA_API_URL
which is set by :ref:`cephadm` (only if cephadm is used to deploy monitoring
services).
To change the URL that is returned to the frontend issue the following command:
.. prompt:: bash $
ceph dashboard set-grafana-frontend-api-url <grafana-server-url>
If no value is set for that option, it will simply fall back to the value of the
GRAFANA_API_URL option. If set, it will instruct the browser to use this URL to
access Grafana.
.. _dashboard-sso-support:
Enabling Single Sign-On (SSO)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The Ceph Dashboard supports external authentication of users via the
`SAML 2.0 <https://en.wikipedia.org/wiki/SAML_2.0>`_ protocol. You need to
first create user accounts and associate them with desired roles, as
authorization is performed by the Dashboard. However, the authentication
process can be performed by an existing Identity Provider (IdP).
.. note::
Ceph Dashboard SSO support relies on onelogin's
`python-saml <https://pypi.org/project/python-saml/>`_ library.
Please ensure that this library is installed on your system, either by using
your distribution's package management or via Python's `pip` installer.
To configure SSO on Ceph Dashboard, you should use the following command:
.. prompt:: bash $
ceph dashboard sso setup saml2 <ceph_dashboard_base_url> <idp_metadata> {<idp_username_attribute>} {<idp_entity_id>} {<sp_x_509_cert>} {<sp_private_key>}
Parameters:
* **<ceph_dashboard_base_url>**: Base URL where Ceph Dashboard is accessible (e.g., `https://cephdashboard.local`)
* **<idp_metadata>**: URL to remote (`http://`, `https://`) or local (`file://`) path or content of the IdP metadata XML (e.g., `https://myidp/metadata`, `file:///home/myuser/metadata.xml`).
* **<idp_username_attribute>** *(optional)*: Attribute that should be used to get the username from the authentication response. Defaults to `uid`.
* **<idp_entity_id>** *(optional)*: Use this when more than one entity id exists on the IdP metadata.
* **<sp_x_509_cert> / <sp_private_key>** *(optional)*: File path of the certificate that should be used by Ceph Dashboard (Service Provider) for signing and encryption (these file paths should be accessible from the active ceph-mgr instance).
.. note::
The issuer value of SAML requests will follow this pattern: **<ceph_dashboard_base_url>**/auth/saml2/metadata
To display the current SAML 2.0 configuration, use the following command:
.. prompt:: bash $
ceph dashboard sso show saml2
.. note::
For more information about `onelogin_settings`, please check the `onelogin documentation <https://github.com/onelogin/python-saml>`_.
To disable SSO:
.. prompt:: bash $
ceph dashboard sso disable
To check if SSO is enabled:
.. prompt:: bash $
ceph dashboard sso status
To enable SSO:
.. prompt:: bash $
ceph dashboard sso enable saml2
.. _dashboard-alerting:
Enabling Prometheus Alerting
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To use Prometheus for alerting you must define `alerting rules
<https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules>`_.
These are managed by the `Alertmanager
<https://prometheus.io/docs/alerting/alertmanager>`_.
If you are not yet using the Alertmanager, `install it
<https://github.com/prometheus/alertmanager#install>`_ as it receives
and manages alerts from Prometheus.
Alertmanager capabilities can be consumed by the dashboard in three different
ways:
#. Use the notification receiver of the dashboard.
#. Use the Prometheus Alertmanager API.
#. Use both sources simultaneously.
All three methods notify you about alerts. You won't be notified
twice if you use both sources, but you need to consume at least the Alertmanager API
in order to manage silences.
1. Use the notification receiver of the dashboard
This allows you to get notifications as `configured
<https://prometheus.io/docs/alerting/configuration/>`_ from the Alertmanager.
You will get notified inside the dashboard once a notification is send out,
but you are not able to manage alerts.
Add the dashboard receiver and the new route to your Alertmanager
configuration. This should look like::
route:
receiver: 'ceph-dashboard'
...
receivers:
- name: 'ceph-dashboard'
webhook_configs:
- url: '<url-to-dashboard>/api/prometheus_receiver'
Ensure that the Alertmanager considers your SSL certificate in terms
of the dashboard as valid. For more information about the correct
configuration checkout the `<http_config> documentation
<https://prometheus.io/docs/alerting/configuration/#%3Chttp_config%3E>`_.
2. Use the API of Prometheus and the Alertmanager
This allows you to manage alerts and silences and will enable the "Active
Alerts", "All Alerts" as well as the "Silences" tabs in the "Monitoring"
section of the "Cluster" menu entry.
Alerts can be sorted by name, job, severity, state and start time.
Unfortunately it's not possible to know when an alert was sent out through a
notification by the Alertmanager based on your configuration, that's why the
dashboard will notify the user on any visible change to an alert and will
notify the changed alert.
Silences can be sorted by id, creator, status, start, updated and end time.
Silences can be created in various ways, it's also possible to expire them.
#. Create from scratch
#. Based on a selected alert
#. Recreate from expired silence
#. Update a silence (which will recreate and expire it (default Alertmanager behaviour))
To use it, specify the host and port of the Alertmanager server:
.. prompt:: bash $
ceph dashboard set-alertmanager-api-host <alertmanager-host:port> # default: ''
For example:
.. prompt:: bash $
ceph dashboard set-alertmanager-api-host 'http://localhost:9093'
To be able to see all configured alerts, you will need to configure the URL to
the Prometheus API. Using this API, the UI will also help you in verifying
that a new silence will match a corresponding alert.
.. prompt:: bash $
ceph dashboard set-prometheus-api-host <prometheus-host:port> # default: ''
For example:
.. prompt:: bash $
ceph dashboard set-prometheus-api-host 'http://localhost:9090'
After setting up the hosts, refresh your browser's dashboard window or tab.
3. Use both methods
The behaviors of both methods are configured in a way that they
should not disturb each other, through annoying duplicated notifications
may pop up.
If you are using a self-signed certificate in your Prometheus or your
Alertmanager setup, you should disable certificate verification in the
dashboard to avoid refused connections caused by certificates signed by
an unknown CA or that do not match the host name.
- For Prometheus:
.. prompt:: bash $
ceph dashboard set-prometheus-api-ssl-verify False
- For Alertmanager:
.. prompt:: bash $
ceph dashboard set-alertmanager-api-ssl-verify False
.. _dashboard-user-role-management:
User and Role Management
------------------------
Password Policy
^^^^^^^^^^^^^^^
By default the password policy feature is enabled, which includes the
following checks:
- Is the password longer than N characters?
- Are the old and new password the same?
The password policy feature can be switched on or off completely:
.. prompt:: bash $
ceph dashboard set-pwd-policy-enabled <true|false>
The following individual checks can also be switched on or off:
.. prompt:: bash $
ceph dashboard set-pwd-policy-check-length-enabled <true|false>
ceph dashboard set-pwd-policy-check-oldpwd-enabled <true|false>
ceph dashboard set-pwd-policy-check-username-enabled <true|false>
ceph dashboard set-pwd-policy-check-exclusion-list-enabled <true|false>
ceph dashboard set-pwd-policy-check-complexity-enabled <true|false>
ceph dashboard set-pwd-policy-check-sequential-chars-enabled <true|false>
ceph dashboard set-pwd-policy-check-repetitive-chars-enabled <true|false>
Additionally the following options are available to configure password
policy.
- Minimum password length (defaults to 8):
.. prompt:: bash $
ceph dashboard set-pwd-policy-min-length <N>
- Minimum password complexity (defaults to 10):
.. prompt:: bash $
ceph dashboard set-pwd-policy-min-complexity <N>
Password complexity is calculated by classifying each character in
the password. The complexity count starts by 0. A character is rated by
the following rules in the given order.
- Increase by 1 if the character is a digit.
- Increase by 1 if the character is a lower case ASCII character.
- Increase by 2 if the character is an upper case ASCII character.
- Increase by 3 if the character is a special character like ``!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~``.
- Increase by 5 if the character has not been classified by one of the previous rules.
- A list of comma separated words that are not allowed to be used in a
password:
.. prompt:: bash $
ceph dashboard set-pwd-policy-exclusion-list <word>[,...]
User Accounts
^^^^^^^^^^^^^
The Ceph Dashboard supports multiple user accounts. Each user account
consists of a username, a password (stored in encrypted form using ``bcrypt``),
an optional name, and an optional email address.
If a new user is created via the Web UI, it is possible to set an option that the
user must assign a new password when they log in for the first time.
User accounts are stored in the monitors' configuration database, and are
available to all ``ceph-mgr`` instances.
We provide a set of CLI commands to manage user accounts:
- *Show User(s)*:
.. prompt:: bash $
ceph dashboard ac-user-show [<username>]
- *Create User*:
.. prompt:: bash $
ceph dashboard ac-user-create [--enabled] [--force-password] [--pwd_update_required] <username> -i <file-containing-password> [<rolename>] [<name>] [<email>] [<pwd_expiration_date>]
To bypass password policy checks use the `force-password` option.
Add the option `pwd_update_required` so that a newly created user has
to change their password after the first login.
- *Delete User*:
.. prompt:: bash $
ceph dashboard ac-user-delete <username>
- *Change Password*:
.. prompt:: bash $
ceph dashboard ac-user-set-password [--force-password] <username> -i <file-containing-password>
- *Change Password Hash*:
.. prompt:: bash $
ceph dashboard ac-user-set-password-hash <username> -i <file-containing-password-hash>
The hash must be a bcrypt hash and salt, e.g. ``$2b$12$Pt3Vq/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2``.
This can be used to import users from an external database.
- *Modify User (name, and email)*:
.. prompt:: bash $
ceph dashboard ac-user-set-info <username> <name> <email>
- *Disable User*:
.. prompt:: bash $
ceph dashboard ac-user-disable <username>
- *Enable User*:
.. prompt:: bash $
ceph dashboard ac-user-enable <username>
User Roles and Permissions
^^^^^^^^^^^^^^^^^^^^^^^^^^
User accounts are associated with a set of roles that define which
dashboard functionality can be accessed.
The Dashboard functionality/modules are grouped within a *security scope*.
Security scopes are predefined and static. The current available security
scopes are:
- **hosts**: includes all features related to the ``Hosts`` menu
entry.
- **config-opt**: includes all features related to management of Ceph
configuration options.
- **pool**: includes all features related to pool management.
- **osd**: includes all features related to OSD management.
- **monitor**: includes all features related to monitor management.
- **rbd-image**: includes all features related to RBD image
management.
- **rbd-mirroring**: includes all features related to RBD mirroring
management.
- **iscsi**: includes all features related to iSCSI management.
- **rgw**: includes all features related to RADOS Gateway (RGW) management.
- **cephfs**: includes all features related to CephFS management.
- **nfs-ganesha**: includes all features related to NFS Ganesha management.
- **manager**: include all features related to Ceph Manager
management.
- **log**: include all features related to Ceph logs management.
- **grafana**: include all features related to Grafana proxy.
- **prometheus**: include all features related to Prometheus alert management.
- **dashboard-settings**: allows to change dashboard settings.
A *role* specifies a set of mappings between a *security scope* and a set of
*permissions*. There are four types of permissions:
- **read**
- **create**
- **update**
- **delete**
See below for an example of a role specification, in the form of a Python dictionary::
# example of a role
{
'role': 'my_new_role',
'description': 'My new role',
'scopes_permissions': {
'pool': ['read', 'create'],
'rbd-image': ['read', 'create', 'update', 'delete']
}
}
The above role dictates that a user has *read* and *create* permissions for
features related to pool management, and has full permissions for
features related to RBD image management.
The Dashboard provides a set of predefined roles that we call
*system roles*, which can be used right away by a fresh Ceph Dashboard
installation.
The list of system roles are:
- **administrator**: allows full permissions for all security scopes.
- **read-only**: allows *read* permission for all security scopes except
dashboard settings.
- **block-manager**: allows full permissions for *rbd-image*,
*rbd-mirroring*, and *iscsi* scopes.
- **rgw-manager**: allows full permissions for the *rgw* scope
- **cluster-manager**: allows full permissions for the *hosts*, *osd*,
*monitor*, *manager*, and *config-opt* scopes.
- **pool-manager**: allows full permissions for the *pool* scope.
- **cephfs-manager**: allows full permissions for the *cephfs* scope.
The list of available roles can be retrieved with the following command:
.. prompt:: bash $
ceph dashboard ac-role-show [<rolename>]
You can also use the CLI to create new roles. The available commands are the
following:
- *Create Role*:
.. prompt:: bash $
ceph dashboard ac-role-create <rolename> [<description>]
- *Delete Role*:
.. prompt:: bash $
ceph dashboard ac-role-delete <rolename>
- *Add Scope Permissions to Role*:
.. prompt:: bash $
ceph dashboard ac-role-add-scope-perms <rolename> <scopename> <permission> [<permission>...]
- *Delete Scope Permission from Role*:
.. prompt:: bash $
ceph dashboard ac-role-del-scope-perms <rolename> <scopename>
To assign roles to users, the following commands are available:
- *Set User Roles*:
.. prompt:: bash $
ceph dashboard ac-user-set-roles <username> <rolename> [<rolename>...]
- *Add Roles To User*:
.. prompt:: bash $
ceph dashboard ac-user-add-roles <username> <rolename> [<rolename>...]
- *Delete Roles from User*:
.. prompt:: bash $
ceph dashboard ac-user-del-roles <username> <rolename> [<rolename>...]
Example of User and Custom Role Creation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In this section we show a complete example of the commands that
create a user account that can manage RBD images, view and create Ceph pools,
and has read-only access to other scopes.
1. *Create the user*:
.. prompt:: bash $
ceph dashboard ac-user-create bob -i <file-containing-password>
2. *Create role and specify scope permissions*:
.. prompt:: bash $
ceph dashboard ac-role-create rbd/pool-manager
ceph dashboard ac-role-add-scope-perms rbd/pool-manager rbd-image read create update delete
ceph dashboard ac-role-add-scope-perms rbd/pool-manager pool read create
3. *Associate roles to user*:
.. prompt:: bash $
ceph dashboard ac-user-set-roles bob rbd/pool-manager read-only
.. _dashboard-proxy-configuration:
Proxy Configuration
-------------------
In a Ceph cluster with multiple ``ceph-mgr`` instances, only the dashboard
running on the currently active ``ceph-mgr`` daemon will serve incoming requests.
Connections to the dashboard's TCP port on standby ``ceph-mgr`` instances
will receive an HTTP redirect (303) to the active manager's dashboard URL.
This enables you to point your browser to any ``ceph-mgr`` instance in
order to access the dashboard.
If you want to establish a fixed URL to reach the dashboard or if you don't want
to allow direct connections to the manager nodes, you could set up a proxy that
automatically forwards incoming requests to the active ``ceph-mgr``
instance.
Configuring a URL Prefix
^^^^^^^^^^^^^^^^^^^^^^^^
If you are accessing the dashboard via a reverse proxy,
you may wish to service it under a URL prefix. To get the dashboard
to use hyperlinks that include your prefix, you can set the
``url_prefix`` setting:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/url_prefix $PREFIX
so you can access the dashboard at ``http://$IP:$PORT/$PREFIX/``.
Disable the redirection
^^^^^^^^^^^^^^^^^^^^^^^
If the dashboard is behind a load-balancing proxy like `HAProxy <https://www.haproxy.org/>`_
you might want to disable redirection to prevent situations in which
internal (unresolvable) URLs are published to the frontend client. Use the
following command to get the dashboard to respond with an HTTP error (500 by default)
instead of redirecting to the active dashboard:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/standby_behaviour "error"
To reset the setting to default redirection, use the following command:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/standby_behaviour "redirect"
Configure the error status code
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When redirection is disabled, you may want to customize the HTTP status
code of standby dashboards. To do so you need to run the command:
.. prompt:: bash $
ceph config set mgr mgr/dashboard/standby_error_status_code 503
Resolve IP address to hostname before redirect
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The redirect from a standby to the active dashboard is done via the IP
address. This is done because resolving IP addresses to hostnames can be error
prone in containerized environments. It is also the reason why the option is
disabled by default.
However, in some situations it might be helpful to redirect via the hostname.
For example if the configured TLS certificate matches only the hostnames. To
activate the redirection via the hostname run the following command::
$ ceph config set mgr mgr/dashboard/redirect_resolve_ip_addr True
You can disable it again by::
$ ceph config set mgr mgr/dashboard/redirect_resolve_ip_addr False
HAProxy example configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Below you will find an example configuration for SSL/TLS passthrough using
`HAProxy <https://www.haproxy.org/>`_.
Please note that this configuration works under the following conditions.
If the dashboard fails over, the front-end client might receive a HTTP redirect
(303) response and will be redirected to an unresolvable host. This happens when
failover occurs between two HAProxy health checks. In this situation the
previously active dashboard node will now respond with a 303 which points to
the new active node. To prevent that situation you should consider disabling
redirection on standby nodes.
::
defaults
log global
option log-health-checks
timeout connect 5s
timeout client 50s
timeout server 450s
frontend dashboard_front
mode http
bind *:80
option httplog
redirect scheme https code 301 if !{ ssl_fc }
frontend dashboard_front_ssl
mode tcp
bind *:443
option tcplog
default_backend dashboard_back_ssl
backend dashboard_back_ssl
mode tcp
option httpchk GET /
http-check expect status 200
server x <HOST>:<PORT> ssl check verify none
server y <HOST>:<PORT> ssl check verify none
server z <HOST>:<PORT> ssl check verify none
.. _dashboard-auditing:
Auditing API Requests
---------------------
The REST API can log PUT, POST and DELETE requests to the Ceph
audit log. This feature is disabled by default, but can be enabled with the
following command:
.. prompt:: bash $
ceph dashboard set-audit-api-enabled <true|false>
If enabled, the following parameters are logged per each request:
* from - The origin of the request, e.g. https://[::1]:44410
* path - The REST API path, e.g. /api/auth
* method - e.g. PUT, POST or DELETE
* user - The name of the user, otherwise 'None'
The logging of the request payload (the arguments and their values) is enabled
by default. Execute the following command to disable this behaviour:
.. prompt:: bash $
ceph dashboard set-audit-api-log-payload <true|false>
A log entry may look like this::
2018-10-22 15:27:01.302514 mgr.x [INF] [DASHBOARD] from='https://[::ffff:127.0.0.1]:37022' path='/api/rgw/user/klaus' method='PUT' user='admin' params='{"max_buckets": "1000", "display_name": "Klaus Mustermann", "uid": "klaus", "suspended": "0", "email": "klaus.mustermann@ceph.com"}'
.. _dashboard-nfs-ganesha-management:
NFS-Ganesha Management
----------------------
The dashboard requires enabling the NFS module which will be used to manage
NFS clusters and NFS exports. For more information check :ref:`mgr-nfs`.
Plug-ins
--------
Plug-ins extend the functionality of the Ceph Dashboard in a modular
and loosely coupled fashion.
.. _Grafana: https://grafana.com/
.. include:: dashboard_plugins/feature_toggles.inc.rst
.. include:: dashboard_plugins/debug.inc.rst
.. include:: dashboard_plugins/motd.inc.rst
Troubleshooting the Dashboard
-----------------------------
Locating the Dashboard
^^^^^^^^^^^^^^^^^^^^^^
If you are unsure of the location of the Ceph Dashboard, run the following command:
.. prompt:: bash $
ceph mgr services | jq .dashboard
::
"https://host:port"
The command returns the URL where the Ceph Dashboard is located: ``https://<host>:<port>/``
.. note::
Many Ceph tools return results in JSON format. We suggest that
you install the `jq <https://stedolan.github.io/jq>`_ command-line
utility to facilitate working with JSON data.
Accessing the Dashboard
^^^^^^^^^^^^^^^^^^^^^^^
If you are unable to access the Ceph Dashboard, run the following
commands:
#. Verify the Ceph Dashboard module is enabled:
.. prompt:: bash $
ceph mgr module ls | jq .enabled_modules
Ensure the Ceph Dashboard module is listed in the return value of the
command. Example snipped output from the command above::
[
"dashboard",
"iostat",
"restful"
]
#. If it is not listed, activate the module with the following command:
.. prompt:: bash $
ceph mgr module enable dashboard
#. Check the Ceph Dashboard and/or ``ceph-mgr`` log files for any errors.
* Check if ``ceph-mgr`` log messages are written to a file by:
.. prompt:: bash $
ceph config get mgr log_to_file
::
true
* Get the location of the log file (it's ``/var/log/ceph/<cluster-name>-<daemon-name>.log``
by default):
.. prompt:: bash $
ceph config get mgr log_file
::
/var/log/ceph/$cluster-$name.log
#. Ensure the SSL/TSL support is configured properly:
* Check if the SSL/TSL support is enabled:
.. prompt:: bash $
ceph config get mgr mgr/dashboard/ssl
* If the command returns ``true``, verify a certificate exists by:
.. prompt:: bash $
ceph config-key get mgr/dashboard/crt
and:
.. prompt:: bash $
ceph config-key get mgr/dashboard/key
* If it doesn't return ``true``, run the following command to generate a self-signed
certificate or follow the instructions outlined in
:ref:`dashboard-ssl-tls-support`:
.. prompt:: bash $
ceph dashboard create-self-signed-cert
Trouble Logging into the Dashboard
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you are unable to log into the Ceph Dashboard and you receive the following
error, run through the procedural checks below:
.. image:: ../images/dashboard/invalid-credentials.png
:align: center
#. Check that your user credentials are correct. If you are seeing the
notification message above when trying to log into the Ceph Dashboard, it
is likely you are using the wrong credentials. Double check your username
and password, and ensure that your keyboard's caps lock is not enabled by accident.
#. If your user credentials are correct, but you are experiencing the same
error, check that the user account exists:
.. prompt:: bash $
ceph dashboard ac-user-show <username>
This command returns your user data. If the user does not exist, it will
print::
Error ENOENT: User <username> does not exist
#. Check if the user is enabled:
.. prompt:: bash $
ceph dashboard ac-user-show <username> | jq .enabled
::
true
Check if ``enabled`` is set to ``true`` for your user. If not the user is
not enabled, run:
.. prompt:: bash $
ceph dashboard ac-user-enable <username>
Please see :ref:`dashboard-user-role-management` for more information.
A Dashboard Feature is Not Working
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When an error occurs on the backend, you will usually receive an error
notification on the frontend. Run through the following scenarios to debug.
#. Check the Ceph Dashboard and ``ceph-mgr`` logfile(s) for any errors. These can
found by searching for keywords, such as *500 Internal Server Error*,
followed by ``traceback``. The end of a traceback contains more details about
what exact error occurred.
#. Check your web browser's JavaScript Console for any errors.
Ceph Dashboard Logs
^^^^^^^^^^^^^^^^^^^
Dashboard Debug Flag
""""""""""""""""""""
With this flag enabled, error traceback is included in backend responses.
To enable this flag via the Ceph Dashboard, navigate from *Cluster* to *Manager
modules*. Select *Dashboard module* and click the edit button. Click the
*debug* checkbox and update.
To enable it via the CLI, run the following command:
.. prompt:: bash $
ceph dashboard debug enable
Setting Logging Level of Dashboard Module
"""""""""""""""""""""""""""""""""""""""""
Setting the logging level to debug makes the log more verbose and helpful for
debugging.
#. Increase the logging level of manager daemons:
.. prompt:: bash $
ceph tell mgr config set debug_mgr 20
#. Adjust the logging level of the Ceph Dashboard module via the Dashboard or
CLI:
* Navigate from *Cluster* to *Manager modules*. Select *Dashboard module*
and click the edit button. Modify the ``log_level`` configuration.
* To adjust it via the CLI, run the following command:
.. prompt:: bash $
bin/ceph config set mgr mgr/dashboard/log_level debug
3. High log levels can result in considerable log volume, which can
easily fill up your filesystem. Set a calendar reminder for an hour, a day,
or a week in the future to revert this temporary logging increase. This looks
something like this:
.. prompt:: bash $
ceph config log
::
...
--- 11 --- 2020-11-07 11:11:11.960659 --- mgr.x/dashboard/log_level = debug ---
...
.. prompt:: bash $
ceph config reset 11
.. _centralized-logging:
Enable Centralized Logging in Dashboard
"""""""""""""""""""""""""""""""""""""""
To learn more about centralized logging, see :ref:`cephadm-monitoring-centralized-logs`
1. Create the Loki service on any particular host using "Create Services" option.
2. Similarly create the Promtail service which will be by default deployed
on all the running hosts.
3. To see debug-level messages as well as info-level events, run the following command via CLI:
.. prompt:: bash $
ceph config set mgr mgr/cephadm/log_to_cluster_level debug
4. To enable logging to files, run the following commands via CLI:
.. prompt:: bash $
ceph config set global log_to_file true
ceph config set global mon_cluster_log_to_file true
5. Click on the Daemon Logs tab under Cluster -> Logs.
6. You can find some pre-defined labels there on clicking the Log browser button such as filename,
job etc that can help you query the logs at one go.
7. You can query the logs with LogQL for advanced search and perform some
calculations as well - https://grafana.com/docs/loki/latest/logql/.
Reporting issues from Dashboard
"""""""""""""""""""""""""""""""
Ceph-Dashboard provides two ways to create an issue in the Ceph Issue Tracker,
either using the Ceph command line interface or by using the Ceph Dashboard
user interface.
To create an issue in the Ceph Issue Tracker, a user needs to have an account
on the issue tracker. Under the ``my account`` tab in the Ceph Issue Tracker,
the user can see their API access key. This key is used for authentication
when creating a new issue. To store the Ceph API access key, in the CLI run:
.. prompt:: bash $
``ceph dashboard set-issue-tracker-api-key -i <file-containing-key>``
Then on successful update, you can create an issue using:
.. prompt:: bash $
``ceph dashboard create issue <project> <tracker_type> <subject> <description>``
The available projects to create an issue on are:
#. dashboard
#. block
#. object
#. file_system
#. ceph_manager
#. orchestrator
#. ceph_volume
#. core_ceph
The available tracker types are:
#. bug
#. feature
The subject and description are then set by the user.
The user can also create an issue using the Dashboard user interface. The settings
icon drop down menu on the top right of the navigation bar has the option to
``Raise an issue``. On clicking it, a modal dialog opens that has the option to
select the project and tracker from their respective drop down menus. The subject
and multiline description are added by the user. The user can then submit the issue.
|