Note
This document is for a development version of Ceph.
Ceph Dashboard
Overview
The Ceph Dashboard is a web-based Ceph management-and-monitoring tool that can be used to inspect and administer resources in the cluster. It is implemented as a Ceph Manager Daemon module.
The original Ceph Dashboard shipped with Ceph Luminous and was a simple read-only view into the run-time information and performance data of Ceph clusters. It had a simple architecture. However, demand grew for richer, web-based management capabilities for users who prefer a WebUI over the CLI.
The Ceph Dashboard module adds web-based monitoring and administration to the Ceph Manager. The architecture and functionality of this new module are derived from the openATTIC Ceph management and monitoring tool. Development was originally driven by the openATTIC team at SUSE, with support from members of the Ceph community and from companies including Red Hat.
The dashboard module’s backend code uses the CherryPy framework, and implements
a custom REST API. The WebUI implementation is based on Angular/TypeScript and
includes both functionality from the original dashboard and new features
originally developed for the standalone version of openATTIC. The Ceph
Dashboard module is implemented as an application that provides a graphical
representation of information and statistics through a web server hosted by
ceph-mgr.
Feature Overview
The dashboard provides the following features:
Multi-User and Role Management: The dashboard supports multiple user accounts with different permissions (roles). User accounts and roles can be managed via both the command line and the WebUI. The dashboard supports various methods to enhance password security. Password complexity rules may be configured, and users may be required to change their password after the first login or after a configurable time period. See User and Role Management for details.
Single Sign-On (SSO): The dashboard supports authentication via an external identity provider using the SAML 2.0 protocol. See Enabling Single Sign-On (SSO) for details.
SSL/TLS support: All HTTP communication between the web browser and the dashboard is secured via SSL. A self-signed certificate can be created with a built-in command, but it’s also possible to import custom certificates signed and issued by a CA. See SSL/TLS Support for details.
Auditing: The dashboard backend can be configured to log all PUT, POST and DELETE API requests in the Ceph audit log. See Auditing API Requests for instructions on how to enable this feature.
Internationalization (I18N): The language used for dashboard text can be selected at run-time.
The Ceph Dashboard offers the following monitoring and management capabilities:
Overall cluster health: Display performance and capacity metrics as well as cluster status.
Embedded Grafana Dashboards: Ceph Dashboard Grafana dashboards may be embedded in external applications and web pages to surface information and performance metrics gathered by the Prometheus Module. See Enabling the Embedding of Grafana Dashboards for details on how to configure this functionality.
Cluster logs: Display the latest updates to the cluster’s event and audit log files. Log entries can be filtered by priority, date or keyword.
Hosts: Display a list of all cluster hosts along with their storage drives, which services are running, and which version of Ceph is installed.
Performance counters: Display detailed service-specific statistics for each running service.
Monitors: List all Mons, their quorum status, and open sessions.
Monitoring: Enable creation, re-creation, editing, and expiration of Prometheus’ silences, list the alerting configuration and all configured and firing alerts. Show notifications for firing alerts.
Configuration Editor: Display all available configuration options, their descriptions, types, default and currently set values. These may be edited as well.
Pools: List Ceph pools and their details (e.g. applications, pg-autoscaling, placement groups, replication size, EC profile, CRUSH rules, quotas etc.)
OSDs: List OSDs, their status and usage statistics as well as detailed information like attributes (OSD map), metadata, performance counters and usage histograms for read/write operations. Mark OSDs up/down/out, purge and reweight OSDs, perform scrub operations, modify various scrub-related configuration options, select profiles to adjust the level of backfilling activity. List all drives associated with an OSD. Set and change the device class of an OSD, display and sort OSDs by device class. Deploy OSDs on new drives and hosts.
Device management: List all hosts known by the orchestrator. List all drives attached to a host and their properties. Display drive health predictions and SMART data. Blink enclosure LEDs.
iSCSI: List all hosts that run the TCMU runner service, display all images and their performance characteristics (read/write ops, traffic). Create, modify, and delete iSCSI targets (via ceph-iscsi). Display the iSCSI gateway status and info about active initiators. See Enabling iSCSI Management for instructions on how to configure this feature.
RBD: List all RBD images and their properties (size, objects, features). Create, copy, modify and delete RBD images (incl. snapshots) and manage RBD namespaces. Define various I/O or bandwidth limitation settings on a global, per-pool or per-image level. Create, delete and rollback snapshots of selected images, protect/unprotect these snapshots against modification. Copy or clone snapshots, flatten cloned images.
RBD mirroring: Enable and configure RBD mirroring to a remote Ceph server. List active daemons and their status, pools and RBD images including sync progress.
CephFS: List active file system clients and associated pools, including usage statistics. Evict active CephFS clients. Manage CephFS quotas and snapshots. Browse a CephFS directory structure.
Object Gateway: List all active object gateways and their performance counters. Display and manage (add/edit/delete) object gateway users and their details (e.g. quotas) as well as the users’ buckets and their details (e.g. placement targets, owner, quotas, versioning, multi-factor authentication). See Enabling the Object Gateway Management Frontend for configuration instructions.
NFS: Manage NFS exports of CephFS file systems and RGW S3 buckets via NFS Ganesha. See NFS-Ganesha Management for details on how to enable this functionality.
Ceph Manager Modules: Enable and disable Ceph Manager modules, manage module-specific configuration settings.
Overview of the Dashboard Landing Page
The landing page of Ceph Dashboard serves as the home page and features metrics such as the overall cluster status, performance, and capacity. It provides real-time updates on any changes in the cluster and allows quick access to other sections of the dashboard.

Note
You can change the landing page to the previous version from:
Cluster >> Manager Modules >> Dashboard >> Edit.
Editing the FEATURE_TOGGLE_DASHBOARD option will change the landing page, from one view to another.
Note that the previous version of the landing page will be disabled in future releases.
Details
Provides an overview of the cluster configuration, displaying various critical aspects of the cluster.

Status
Provides a visual indication of cluster health, and displays cluster alerts grouped by severity.

Capacity
Used: Displays the used capacity out of the total physical capacity provided by storage nodes (OSDs)
Warning: Displays the nearfull threshold of the OSDs
Danger: Displays the full threshold of the OSDs

Inventory
An inventory for all assets within the cluster. Provides direct access to subpages of the dashboard from each item of this card.

Cluster Utilization
Used Capacity: Total capacity used of the cluster. The maximum value of the chart is the maximum capacity of the cluster.
IOPS (Input/Output Operations Per Second): Number of read and write operations.
Latency: Amount of time that it takes to process a read or a write request.
Client Throughput: Amount of data that clients read or write to the cluster.
Recovery Throughput: Amount of recovery data that clients read or write to the cluster.

Supported Browsers
Ceph Dashboard is primarily tested and developed using the following web browsers:
Browser | Versions |
---|---|
| latest 2 major versions |
| latest 2 major versions |
| latest major version |
While Ceph Dashboard might work in older browsers, we cannot guarantee compatibility and recommend keeping your browser up to date.
Enabling
If you have installed ceph-mgr-dashboard from distribution packages, the
package management system should take care of installing all required
dependencies.
If you’re building Ceph from source and want to start the dashboard from your
development environment, please see the files README.rst and HACKING.rst
in the source directory src/pybind/mgr/dashboard.
Within a running Ceph cluster, the Ceph Dashboard is enabled with:
ceph mgr module enable dashboard
Configuration
SSL/TLS Support
All HTTP connections to the dashboard are secured with SSL/TLS by default.
To get the dashboard up and running quickly, you can generate and install a self-signed certificate:
ceph dashboard create-self-signed-cert
Note that most web browsers will complain about self-signed certificates and require explicit confirmation before establishing a secure connection to the dashboard.
To properly secure a deployment and to remove the warning, a certificate that is issued by a certificate authority (CA) should be used.
For example, a key pair can be generated with a command similar to:
openssl req -new -nodes -x509 \
-subj "/O=IT/CN=ceph-mgr-dashboard" -days 3650 \
-keyout dashboard.key -out dashboard.crt -extensions v3_ca
The dashboard.crt file should then be signed by a CA. Once that is done, you
can enable it for Ceph manager instances by running the following commands:
ceph dashboard set-ssl-certificate -i dashboard.crt
ceph dashboard set-ssl-certificate-key -i dashboard.key
If unique certificates are desired for each manager instance,
the name of the instance can be included as follows (where $name is the name
of the ceph-mgr instance, usually the hostname):
ceph dashboard set-ssl-certificate $name -i dashboard.crt
ceph dashboard set-ssl-certificate-key $name -i dashboard.key
SSL can also be disabled by setting this configuration value:
ceph config set mgr mgr/dashboard/ssl false
This might be useful if the dashboard will be running behind a proxy which does not support SSL for its upstream servers or other situations where SSL is not wanted or required. See Proxy Configuration for more details.
Warning
Use caution when disabling SSL as usernames and passwords will be sent to the dashboard unencrypted.
Note
You must restart Ceph manager processes after changing the SSL
certificate and key. This can be accomplished by either running
ceph mgr fail mgr or by disabling and re-enabling the dashboard module
(which also triggers the manager to respawn itself):
ceph mgr module disable dashboard
ceph mgr module enable dashboard
Host Name and Port
Like most web applications, the dashboard binds to a TCP/IP address and TCP port.
By default, the ceph-mgr daemon hosting the dashboard (i.e., the currently
active manager) will bind to TCP port 8443 or 8080 when SSL is disabled.
If no specific address has been configured, the web app will bind to ::,
which corresponds to all available IPv4 and IPv6 addresses.
These defaults can be changed via the configuration key facility on a cluster-wide level (so they apply to all manager instances) as follows:
ceph config set mgr mgr/dashboard/server_addr $IP
ceph config set mgr mgr/dashboard/server_port $PORT
ceph config set mgr mgr/dashboard/ssl_server_port $PORT
Since each ceph-mgr hosts its own instance of the dashboard, it may be
necessary to configure them separately. The IP address and port for a specific
manager instance can be changed with the following commands:
ceph config set mgr mgr/dashboard/$name/server_addr $IP
ceph config set mgr mgr/dashboard/$name/server_port $PORT
ceph config set mgr mgr/dashboard/$name/ssl_server_port $PORT
Replace $name with the ID of the ceph-mgr instance hosting the dashboard.
Note
The command ceph mgr services will show you all endpoints that are
currently configured. Look for the dashboard key to obtain the URL for
accessing the dashboard.
Username and Password
In order to be able to log in, you need to create a user account and associate it with at least one role. We provide a set of predefined System Roles that you can use. For more details please refer to the User and Role Management section.
To create a user with the administrator role you can use the following commands:
ceph dashboard ac-user-create <username> -i <file-containing-password> administrator
Account Lock-out
This feature disables a user account if a user repeatedly enters the wrong credentials. It is enabled by default to prevent brute-force or dictionary attacks. The default number of lock-out attempts can be read or set with these commands respectively:
ceph dashboard get-account-lockout-attempts
ceph dashboard set-account-lockout-attempts <value:int>
Warning
This feature can be disabled by setting the default number of lock-out attempts to 0. However, by disabling this feature, the account is more vulnerable to brute-force or dictionary based attacks. This can be disabled by:
ceph dashboard set-account-lockout-attempts 0
Enable a Locked User
If a user account is disabled as a result of multiple invalid login attempts, then it needs to be manually enabled by the administrator. This can be done by the following command:
ceph dashboard ac-user-enable <username>
Accessing the Dashboard
You can now access the dashboard using your (JavaScript-enabled) web browser, by
pointing it to any of the host names or IP addresses and the selected TCP port
where a manager instance is running: e.g., http(s)://<$IP>:<$PORT>/.
The dashboard page displays and requests a previously defined username and password.
Enabling the Object Gateway Management Frontend
When RGW is deployed with cephadm, the RGW credentials used by the dashboard will be automatically configured. You can also manually force the credentials to be set up with:
ceph dashboard set-rgw-credentials
This will create an RGW user with uid dashboard for each realm in
the system.
If you’ve configured a custom ‘admin’ resource in your RGW admin API, you should set it here also:
ceph dashboard set-rgw-api-admin-resource <admin_resource>
If you are using a self-signed certificate in your Object Gateway setup, you should disable certificate verification in the dashboard to avoid refused connections, e.g. caused by certificates signed by unknown CA or not matching the host name:
ceph dashboard set-rgw-api-ssl-verify False
To set a custom hostname or address for an RGW gateway, set the value of RGW_HOSTNAME_PER_DAEMON accordingly:
ceph dashboard set-rgw-hostname <gateway_name> <hostname>
The setting can be unset using:
ceph dashboard unset-rgw-hostname <gateway_name>
If the Object Gateway takes too long to process requests and the dashboard runs into timeouts, you can set the timeout value to your needs:
ceph dashboard set-rest-requests-timeout <seconds>
The default value is 45 seconds.
Enabling iSCSI Management
The Ceph Dashboard can manage iSCSI targets using the REST API provided by the
rbd-target-api service of the Ceph iSCSI Gateway. Please make sure that it is
installed and enabled on the iSCSI gateways.
Note
The iSCSI management functionality of Ceph Dashboard depends on the latest version 3 of the ceph-iscsi project. Make sure that your operating system provides the correct version, otherwise the dashboard will not enable the management features.
If the ceph-iscsi REST API is configured in HTTPS mode and it is using a self-signed
certificate, you need to configure the dashboard to avoid SSL certificate
verification when accessing the ceph-iscsi API.
To disable API SSL verification run the following command:
ceph dashboard set-iscsi-api-ssl-verification false
The available iSCSI gateways must be defined using the following commands:
ceph dashboard iscsi-gateway-list
# Gateway URL format for a new gateway: <scheme>://<username>:<password>@<host>[:port]
ceph dashboard iscsi-gateway-add -i <file-containing-gateway-url> [<gateway_name>]
ceph dashboard iscsi-gateway-rm <gateway_name>
Enabling the Embedding of Grafana Dashboards
Grafana pulls data from Prometheus. Although Grafana can use other data sources, the Grafana dashboards we provide contain queries that are specific to Prometheus. Our Grafana dashboards therefore require Prometheus as the data source. The Ceph Prometheus Module exports its data in the Prometheus exposition format. These Grafana dashboards rely on metric names from the Prometheus module and the Node exporter. The Node exporter is a separate application that provides machine metrics.
Note
Prometheus' security model presumes that untrusted users have access to the Prometheus HTTP endpoint and logs. Untrusted users have access to all the (meta)data Prometheus collects that is contained in the database, plus a variety of operational and debugging information.
However, Prometheus' HTTP API is limited to read-only operations. Configurations cannot be changed using the API and secrets are not exposed. Moreover, Prometheus has some built-in measures to mitigate the impact of denial of service attacks.
Please see Prometheus' Security model for more detailed information.
Installation and Configuration using cephadm
Grafana and Prometheus can be installed using Cephadm. They will
automatically be configured by cephadm. Please see the
Monitoring Services documentation for more details on how to use
cephadm for installing and configuring Prometheus and Grafana.
Manual Installation and Configuration
The following process describes how to configure Grafana and Prometheus manually. After you have installed Prometheus, Grafana, and the Node exporter on appropriate hosts, proceed with the following steps.
Enable the Ceph Exporter, which is provided as a Ceph Manager module, by running:
ceph mgr module enable prometheus
More details can be found in the documentation of the Prometheus Module.
global:
  scrape_interval: 5s

scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['localhost:9090']
  - job_name: 'ceph'
    static_configs:
      - targets: ['localhost:9283']
  - job_name: 'node-exporter'
    static_configs:
      - targets: ['localhost:9100']
Note
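Please note that in the above example, Prometheus is configured to scrape data from itself (port 9090), the Ceph manager module prometheus (port 9283), which exports Ceph internal data, and the Node Exporter (port 9100), which provides OS and hardware metrics for each host.
Depending on your configuration, you may need to change the hostname or add additional configuration entries for the Node Exporter. It is unlikely that you will need to change the default TCP ports.
Moreover, you don't need to have more than one target for Ceph specific data, provided by the prometheus mgr module. But it is recommended to configure Prometheus to scrape Ceph specific data from all existing Ceph managers. This enables a built-in high availability mechanism, so that if a Ceph Manager goes down, services running on that manager host are restarted automatically on a different manager host.
Add Prometheus as a data source to Grafana using the Grafana Web UI.
Important
The data source must be named "Dashboard1".
Install the vonage-status-panel and grafana-piechart-panel plugins using:
grafana-cli plugins install vonage-status-panel
grafana-cli plugins install grafana-piechart-panel
Add Dashboards to Grafana:
Dashboards can be added to Grafana by importing dashboard JSON files. Use the following command to download the JSON files: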
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/<Dashboard-name>.json
You can find various dashboard JSON files here.
For example:
wget https://raw.githubusercontent.com/ceph/ceph/main/monitoring/ceph-mixin/dashboards_out/ceph-cluster.json
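You may also author your own dashboards.
Configure anonymous mode in /etc/grafana/grafana.ini:
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer
allow_embedding is a newer Grafana setting. It must be explicitly set to true for the Grafana integration in Ceph Dashboard to work, because the default is false:
[security]
allow_embedding = true
Enabling RBD-Image monitoring
Monitoring of RBD images is disabled by default, as it can significantly impact performance. For more information please see Ceph Health Checks.
Configuring Dashboard
After you have set up Grafana and Prometheus, you will need to configure the connection information that the Ceph Dashboard will use to access Grafana.
You need to tell the dashboard on which URL the Grafana instance is running/deployed: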
ceph dashboard set-grafana-api-url <grafana-server-url> # default: ''
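The format of the URL is: <protocol>:<IP-address>:<port>
Note
The Ceph Dashboard embeds Grafana dashboards via iframe HTML elements. If Grafana is configured without SSL/TLS support, most browsers will block the embedding of insecure content if SSL support is enabled for the dashboard (which is the default). If you cannot see the embedded Grafana dashboards after enabling them as outlined above, check your browser's documentation on how to unblock mixed content. Alternatively, consider enabling SSL/TLS support in Grafana.
If you are using a self-signed certificate for Grafana, disable certificate verification in the dashboard to avoid refused connections, which can be caused by certificates signed by an unknown CA or certificates that do not match the host name: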
ceph dashboard set-grafana-api-ssl-verify False
You can also access Grafana directly to monitor your cluster.
Note
Ceph Dashboard configuration information can also be unset. For example, to clear the Grafana API URL configured above:
ceph dashboard reset-grafana-api-url
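Alternative URL for Browsers
The Ceph Dashboard backend requires the Grafana URL to be able to verify the existence of Grafana dashboards before the frontend even loads them. Due to the way Grafana is implemented in Ceph Dashboard, this means that two working connections are required in order to be able to see Grafana graphs in Ceph Dashboard:
The backend (Ceph Mgr module) needs to verify the existence of the requested graph. If this request succeeds, it lets the frontend know that it can safely access Grafana.
The frontend then requests the Grafana graphs directly from the user's browser using an iframe. The Grafana instance is accessed directly, without any detour through Ceph Dashboard.
Now, it might be the case that your environment makes it difficult for the user's browser to directly access the URL configured in Ceph Dashboard. To solve this issue, a separate URL can be configured which will solely be used to tell the frontend (the user's browser) which URL it should use to access Grafana. This setting is never changed automatically, unlike the GRAFANA_API_URL which is set by Cephadm (only if cephadm is used to deploy monitoring services).
To change the URL that is returned to the frontend, issue the following command: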
ceph dashboard set-grafana-frontend-api-url <grafana-server-url>
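If no value is set for this option, it will simply fall back to
Enabling Single Sign-On (SSO)
The Ceph Dashboard supports external authentication of users via the SAML 2.0 protocol. You need to first create user accounts and associate them with the desired roles, because authorization is performed by the Dashboard. However, the authentication process can be performed by an existing Identity Provider (IdP).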
Note
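Ceph Dashboard SSO support relies on onelogin's python-saml library. Please ensure that this library is installed on your system, either by using your distribution's package management or via Python's pip installer.
To configure SSO on Ceph Dashboard, you should use the following command: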
ceph dashboard sso setup saml2 <ceph_dashboard_base_url> <idp_metadata> {<idp_username_attribute>} {<idp_entity_id>} {<sp_x_509_cert>} {<sp_private_key>}
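Parameters:
<ceph_dashboard_base_url>: Base URL where Ceph Dashboard is accessible (e.g., https://cephdashboard.local)
<idp_metadata>: URL to remote (http://, https://) or local (file://) path or content of the IdP metadata XML (e.g., https://myidp/metadata, file:///home/myuser/metadata.xml).
<idp_username_attribute> (optional): Attribute that should be used to get the username from the authentication response. Defaults to uid.
<idp_entity_id> (optional): Use this when more than one entity id exists in the IdP metadata.
<sp_x_509_cert> / <sp_private_key> (optional): File paths of the certificate files that should be used by Ceph Dashboard (Service Provider). These file paths should be accessible from the active ceph-mgr instance.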
Note
The issuer value of SAML requests will follow this pattern: <ceph_dashboard_base_url>/auth/saml2/metadata
To display the current SAML 2.0 configuration, use the following command:
ceph dashboard sso show saml2
Note
For more information about onelogin_settings, please check the onelogin documentation.
To disable SSO:
ceph dashboard sso disable
To check if SSO is enabled:
ceph dashboard sso status
To enable SSO:
ceph dashboard sso enable saml2
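Enabling Prometheus Alerting
To use Prometheus for alerting, you must define alerting rules. These are managed by the Alertmanager. Install it, because it receives and manages alerts from Prometheus.
The Alertmanager capabilities can be consumed by the dashboard in three different ways:
Use the notification receiver of the dashboard.
Use the Prometheus Alertmanager API.
Use both sources simultaneously.
All three methods notify you about alerts. You will not be notified twice if you use both sources, but you need to consume at least the Alertmanager API in order to manage silences.
Using the Dashboard's Notification Receiver
This allows you to get notifications from the Alertmanager as configured. You will get notified inside the dashboard once a notification is sent out, but you are not able to manage alerts.
Add the dashboard receiver and the new route to your Alertmanager configuration. This should look like:
route:
  receiver: 'ceph-dashboard'
...
receivers:
  - name: 'ceph-dashboard'
    webhook_configs:
    - url: '<url-to-dashboard>/api/prometheus_receiver'
Ensure that the Alertmanager considers the dashboard's SSL certificate valid. For more information about the correct configuration, check out the <http_config> documentation.
Using the API of Prometheus and the Alertmanager
This allows you to manage alerts and silences and will enable the "Active Alerts", "All Alerts" and "Silences" tabs in the "Monitoring" section of the "Cluster" menu entry.
Alerts can be sorted by name, job, severity, state and start time. Unfortunately, it is not possible to know when an alert was sent out through a notification by the Alertmanager based on your configuration. That is why the dashboard will notify the user on any visible change to an alert and will notify the user of the changed alert.
Silences can be sorted by id, creator, status, start, updated and end time. Silences can be created in various ways, and it is also possible to expire them.
Create from scratch
Based on a selected alert
Recreate from an expired silence
Update a silence (which will recreate and expire it (default Alertmanager behaviour))
To use it, specify the host and port of the Alertmanager server: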
ceph dashboard set-alertmanager-api-host <alertmanager-host:port> # default: ''
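For example:
ceph dashboard set-alertmanager-api-host 'http://localhost:9093'
To be able to see all configured alerts, you will need to configure the URL to the Prometheus API. Using this API, the UI will also help you in verifying that a new silence will match a corresponding alert.
ceph dashboard set-prometheus-api-host <prometheus-host:port> # default: ''
For example:
ceph dashboard set-prometheus-api-host 'http://localhost:9090'
After setting up the hosts, refresh your browser's dashboard window or tab.
Using Both Methods
Both methods are configured in a way that they should not interfere with each other, though annoying duplicated notifications may pop up.
If you are using a self-signed certificate in your Prometheus or your Alertmanager setup, you should disable certificate verification in the dashboard to avoid refused connections, which can be caused by certificates signed by an unknown CA or certificates that do not match the host name.
For Prometheus:
ceph dashboard set-prometheus-api-ssl-verify False
For Alertmanager: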
ceph dashboard set-alertmanager-api-ssl-verify False
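User and Role Management
Password Policy
By default the password policy feature is enabled, which includes the following checks:
Is the password longer than N characters?
Are the old and new password the same?
The password policy feature can be switched on or off completely:
ceph dashboard set-pwd-policy-enabled <true|false>
The following individual checks can also be switched on or off:
ceph dashboard set-pwd-policy-check-length-enabled <true|false>
ceph dashboard set-pwd-policy-check-oldpwd-enabled <true|false>
ceph dashboard set-pwd-policy-check-username-enabled <true|false>
ceph dashboard set-pwd-policy-check-exclusion-list-enabled <true|false>
ceph dashboard set-pwd-policy-check-complexity-enabled <true|false>
ceph dashboard set-pwd-policy-check-sequential-chars-enabled <true|false>
ceph dashboard set-pwd-policy-check-repetitive-chars-enabled <true|false>
Additionally, the following options are available to configure the password policy.
Minimum password length (defaults to 8):
ceph dashboard set-pwd-policy-min-length <N>
Minimum password complexity (defaults to 10):
ceph dashboard set-pwd-policy-min-complexity <N>
Password complexity is calculated by classifying each character in the password. The complexity count starts at 0. Each character in the password is rated by the following rules, in the given order.
Increase by 1 if the character is a digit.
Increase by 1 if the character is a lower case ASCII character.
Increase by 2 if the character is an upper case ASCII character.
Increase by 3 if the character is a special character:
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Increase by 5 if the character has not been classified by one of the previous rules.
A list of comma separated words that are not allowed to be used in a password: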
ceph dashboard set-pwd-policy-exclusion-list <word>[,...]
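The scoring rules above, together with the length, old-password and exclusion-list checks, written out as an added example (this is not the dashboard's own code). The function names, treating the minimum length as inclusive, and the case-insensitive substring match for excluded words are assumptions.

```python
import string

# The special-character set listed in the scoring rules above
# (it is identical to Python's string.punctuation).
SPECIAL_CHARS = string.punctuation


def char_score(ch: str) -> int:
    """Rate one character; the rules are applied in the documented order."""
    if ch in string.digits:
        return 1
    if ch in string.ascii_lowercase:
        return 1
    if ch in string.ascii_uppercase:
        return 2
    if ch in SPECIAL_CHARS:
        return 3
    # Anything not classified above (whitespace, non-ASCII letters, ...).
    return 5


def complexity(password: str) -> int:
    """Complexity count: starts at 0 and adds each character's rating."""
    return sum(char_score(ch) for ch in password)


def policy_failures(password, old_password=None, min_length=8,
                    min_complexity=10, exclusion_list=()):
    """Return the names of the failed checks (empty list: acceptable).

    Assumptions: the minimum length is inclusive, and excluded words are
    matched as case-insensitive substrings.
    """
    failures = []
    if len(password) < min_length:
        failures.append("length")
    if old_password is not None and password == old_password:
        failures.append("oldpwd")
    if complexity(password) < min_complexity:
        failures.append("complexity")
    lowered = password.lower()
    if any(word and word.lower() in lowered for word in exclusion_list):
        failures.append("exclusion-list")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pwd in ["abc123", "aaaaaaaaaa", "Passw0rd!", "Tr0ub4dor&3 ceph"]:
        print(f"{pwd!r}: complexity={complexity(pwd)} "
              f"failures={policy_failures(pwd, exclusion_list=['ceph'])}")
```

Ten repetitions of one lower-case letter reach the default complexity of 10, so the score alone does not reject that input; it is the kind of password the separate repetitive-character check is aimed at.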
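User Accounts
The Ceph Dashboard supports multiple user accounts. Each user account consists of a username, a password (stored as a bcrypt hash), an optional name, and an optional email address.
If a new user is created via the Web UI, it is possible to set an option that requires the user to assign a new password when they log in for the first time.
User accounts are stored in the monitors' configuration database, and are available to all ceph-mgr instances.
We provide a set of CLI commands to manage user accounts:
Show User(s):
ceph dashboard ac-user-show [<username>]
Create User:
ceph dashboard ac-user-create [--enabled] [--force-password] [--pwd_update_required] <username> -i <file-containing-password> [<rolename>] [<name>] [<email>] [<pwd_expiration_date>]
To bypass the password policy checks, use the force-password option. Add the pwd_update_required option so that a newly created user has to change their password after the first login.
Delete User:
ceph dashboard ac-user-delete <username>
Change Password:
ceph dashboard ac-user-set-password [--force-password] <username> -i <file-containing-password>
Change Password Hash:
ceph dashboard ac-user-set-password-hash <username> -i <file-containing-password-hash>
The hash must be a bcrypt hash and salt, e.g.
$2b$12$Pt3Vq/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2
This can be used to import users from an external database.
Modify User (name and email):
ceph dashboard ac-user-set-info <username> <name> <email>
Disable User:
ceph dashboard ac-user-disable <username>
Enable User: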
ceph dashboard ac-user-enable <username>
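User Roles and Permissions
User accounts are associated with a set of roles that define which dashboard functionality can be accessed.
Dashboard functionality/modules are grouped by security scope:
hosts: includes all features related to the Hosts menu entry.
config-opt: includes all features related to management of Ceph configuration options.
pool: includes all features related to pool management.
osd: includes all features related to OSD management.
monitor: includes all features related to monitor management.
rbd-image: includes all features related to RBD image management.
rbd-mirroring: includes all features related to RBD mirroring management.
iscsi: includes all features related to iSCSI management.
rgw: includes all features related to RADOS Gateway (RGW) management.
cephfs: includes all features related to CephFS management.
nfs-ganesha: includes all features related to NFS Ganesha management.
manager: includes all features related to Ceph Manager management.
log: includes all features related to Ceph logs management.
grafana: includes all features related to the Grafana proxy.
prometheus: includes all features related to Prometheus alert management.
dashboard-settings: allows changing dashboard settings.
A role specifies a set of mappings between a security scope and a set of permissions. There are four types of permissions:
read
create
update
delete
See below for an example of a role specification, in the form of a Python dictionary:
# example of a role
{
  'role': 'my_new_role',
  'description': 'My new role',
  'scopes_permissions': {
    'pool': ['read', 'create'],
    'rbd-image': ['read', 'create', 'update', 'delete']
  }
}
The above role dictates that a user has read and create permissions for features related to pool management, and has full permissions for features related to RBD image management.
The Dashboard provides a set of predefined roles that we call system roles, which can be used right away by a fresh Ceph Dashboard installation.
The list of system roles is:
administrator: allows full permissions for all security scopes.
read-only: allows read permission for all security scopes except dashboard settings.
block-manager: allows full permissions for rbd-image, rbd-mirroring, and iscsi scopes.
rgw-manager: allows full permissions for the rgw scope.
cluster-manager: allows full permissions for the hosts, osd, monitor, manager, and config-opt scopes.
pool-manager: allows full permissions for the pool scope.
cephfs-manager: allows full permissions for the cephfs scope.
The list of available roles can be retrieved with the following command: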
ceph dashboard ac-role-show [<rolename>]
You can also use the CLI to create new roles. The available commands are the following:
Create Role:
ceph dashboard ac-role-create <rolename> [<description>]
Delete Role:
ceph dashboard ac-role-delete <rolename>
Add Scope Permissions to Role:
ceph dashboard ac-role-add-scope-perms <rolename> <scopename> <permission> [<permission>...]
Delete Scope Permissions from Role:
ceph dashboard ac-role-del-scope-perms <rolename> <scopename>
To assign roles to users, the following commands are available:
Set User Roles:
ceph dashboard ac-user-set-roles <username> <rolename> [<rolename>...]
Add Roles To User:
ceph dashboard ac-user-add-roles <username> <rolename> [<rolename>...]
Delete Roles from User:
ceph dashboard ac-user-del-roles <username> <rolename> [<rolename>...]
Example of User and Custom Role Creation
In this section we show a complete example of the commands that create a user account that can manage RBD images, view and create Ceph pools, and has read-only access to other scopes.
Create the user:
ceph dashboard ac-user-create bob -i <file-containing-password>
Create the role and specify scope permissions:
ceph dashboard ac-role-create rbd/pool-manager
ceph dashboard ac-role-add-scope-perms rbd/pool-manager rbd-image read create update delete
ceph dashboard ac-role-add-scope-perms rbd/pool-manager pool read create
Associate roles to the user:
ceph dashboard ac-user-set-roles bob rbd/pool-manager read-only
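To review what such an account can actually do, the added example below (not dashboard code) resolves bob's two roles into per-scope permissions and lists what the read-only role contributes on top of the custom role. The scopes and role definitions are transcribed from this page; combining roles as the union of their permissions is an assumption, as are the function names and the description strings.

```python
# Security scopes and the four permission types, as listed on this page.
SCOPES = (
    "hosts", "config-opt", "pool", "osd", "monitor", "rbd-image",
    "rbd-mirroring", "iscsi", "rgw", "cephfs", "nfs-ganesha", "manager",
    "log", "grafana", "prometheus", "dashboard-settings",
)
PERMISSIONS = ("read", "create", "update", "delete")

ROLES = {
    # System role, built from its description above: read permission on
    # every scope except dashboard-settings.
    "read-only": {
        "role": "read-only",
        "description": "constructed description",
        "scopes_permissions": {
            scope: ["read"] for scope in SCOPES
            if scope != "dashboard-settings"
        },
    },
    # Custom role created by the ac-role-* commands above.
    "rbd/pool-manager": {
        "role": "rbd/pool-manager",
        "description": "",
        "scopes_permissions": {
            "rbd-image": ["read", "create", "update", "delete"],
            "pool": ["read", "create"],
        },
    },
}


def validate_role(role):
    """Raise ValueError if a role names an unknown scope or permission."""
    for scope, perms in role["scopes_permissions"].items():
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        for perm in perms:
            if perm not in PERMISSIONS:
                raise ValueError(f"unknown permission: {perm}")


def effective_permissions(role_names, roles=ROLES):
    """Per-scope permissions of a user holding all the named roles.

    Assumption: roles combine as the union of their permissions.
    """
    merged = {}
    for name in role_names:
        role = roles[name]
        validate_role(role)
        for scope, perms in role["scopes_permissions"].items():
            merged.setdefault(scope, set()).update(perms)
    return merged


def is_allowed(role_names, scope, permission, roles=ROLES):
    """True if the combined roles grant `permission` on `scope`."""
    granted = effective_permissions(role_names, roles)
    return permission in granted.get(scope, set())


def unneeded_grants(role_names, required, roles=ROLES):
    """Sorted (scope, permission) pairs granted beyond `required`."""
    granted = effective_permissions(role_names, roles)
    return sorted(
        (scope, perm)
        for scope, perms in granted.items()
        for perm in perms
        if perm not in required.get(scope, ())
    )


if __name__ == "__main__":
    bob = ["rbd/pool-manager", "read-only"]
    for scope, perms in sorted(effective_permissions(bob).items()):
        print(f"{scope:20} {sorted(perms)}")
    needed = {"rbd-image": PERMISSIONS, "pool": ("read", "create")}
    print("granted beyond RBD/pool work:", unneeded_grants(bob, needed))
```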
Proxy Configuration
In a Ceph cluster with multiple ceph-mgr instances, only the dashboard
running on the currently active ceph-mgr daemon will serve incoming requests.
Connections to the dashboard’s TCP port on standby ceph-mgr instances
will receive an HTTP redirect (303) to the active manager’s dashboard URL.
This enables you to point your browser to any ceph-mgr instance in
order to access the dashboard.
If you want to establish a fixed URL to reach the dashboard or if you don’t want
to allow direct connections to the manager nodes, you could set up a proxy that
automatically forwards incoming requests to the active ceph-mgr instance.
Configuring a URL Prefix
If you are accessing the dashboard via a reverse proxy,
you may wish to service it under a URL prefix. To get the dashboard
to use hyperlinks that include your prefix, you can set the
url_prefix setting:
ceph config set mgr mgr/dashboard/url_prefix $PREFIX
so you can access the dashboard at http://$IP:$PORT/$PREFIX/.
Disable the redirection
If the dashboard is behind a load-balancing proxy like HAProxy you might want to disable redirection to prevent situations in which internal (unresolvable) URLs are published to the frontend client. Use the following command to get the dashboard to respond with an HTTP error (500 by default) instead of redirecting to the active dashboard:
ceph config set mgr mgr/dashboard/standby_behaviour "error"
To reset the setting to default redirection, use the following command:
ceph config set mgr mgr/dashboard/standby_behaviour "redirect"
Configure the error status code
When redirection is disabled, you may want to customize the HTTP status code of standby dashboards. To do so you need to run the command:
ceph config set mgr mgr/dashboard/standby_error_status_code 503
Resolve IP address to hostname before redirect
Redirection from a standby dashboard to the active dashboard is done via the manager’s IP address, not via the manager’s hostname. In virtualized environments, IP-address-based redirection reduces the incidence of error as compared to hostname-based resolution. Because of the increased risk of error due to hostname-based resolution, the option for hostname resolution is disabled by default.
However, in some situations it might be helpful to redirect via the hostname. For example, if the configured TLS certificate matches only the hostnames and not the IP addresses of those hosts, hostname redirection would be preferable.
To activate redirection from standby dashboards to active dashboards via the manager’s hostname, run the following command:
ceph config set mgr mgr/dashboard/redirect_resolve_ip_addr True
Disable hostname redirection by running the following command:
ceph config set mgr mgr/dashboard/redirect_resolve_ip_addr False
Warning
If you attempt to activate redirection by using the command above and you
get the error message EINVAL: unrecognized config option
'mgr/dashboard/redirect_resolve_ip_addr', then you might be running a
release of Ceph prior to version 17.2.6. This feature was introduced in
17.2.6, in this commit: https://github.com/ceph/ceph/pull/48219.
HAProxy example configuration
Below you will find an example configuration for SSL/TLS passthrough using HAProxy.
Please note that this configuration works under the following conditions. If the dashboard fails over, the front-end client might receive a HTTP redirect (303) response and will be redirected to an unresolvable host. This happens when failover occurs between two HAProxy health checks. In this situation the previously active dashboard node will now respond with a 303 which points to the new active node. To prevent that situation you should consider disabling redirection on standby nodes.
defaults
  log global
  option log-health-checks
  timeout connect 5s
  timeout client 50s
  timeout server 450s

frontend dashboard_front
  mode http
  bind *:80
  option httplog
  redirect scheme https code 301 if !{ ssl_fc }

frontend dashboard_front_ssl
  mode tcp
  bind *:443
  option tcplog
  default_backend dashboard_back_ssl

backend dashboard_back_ssl
  mode tcp
  option httpchk GET /
  http-check expect status 200
  server x <HOST>:<PORT> check check-ssl verify none
  server y <HOST>:<PORT> check check-ssl verify none
  server z <HOST>:<PORT> check check-ssl verify none
Auditing API Requests
The REST API can log PUT, POST and DELETE requests to the Ceph audit log. This feature is disabled by default, but can be enabled with the following command:
ceph dashboard set-audit-api-enabled <true|false>
If enabled, the following parameters are logged per each request:
from - The origin of the request, e.g. https://[::1]:44410
path - The REST API path, e.g. /api/auth
method - e.g. PUT, POST or DELETE
user - The name of the user, otherwise ‘None’
The logging of the request payload (the arguments and their values) is enabled by default. Execute the following command to disable this behaviour:
ceph dashboard set-audit-api-log-payload <true|false>
A log entry may look like this:
2018-10-22 15:27:01.302514 mgr.x [INF] [DASHBOARD] from='https://[::ffff:127.0.0.1]:37022' path='/api/rgw/user/klaus' method='PUT' user='admin' params='{"max_buckets": "1000", "display_name": "Klaus Mustermann", "uid": "klaus", "suspended": "0", "email": "klaus.mustermann@ceph.com"}'
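A parser for the audit entry format shown above, written as an added example (not part of the Ceph documentation or code base). It summarises state-changing requests per user, lists entries whose user field is 'None', and reports which argument names reach the log when payload logging is on. The field layout is inferred from the sample entry, and the absence of a params field when payload logging is off is an assumption.

```python
import json
import re
from collections import Counter

# Layout inferred from the sample entry above: timestamp, daemon, level, tag, key='value' pairs.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<daemon>\S+) \[(?P<level>\w+)\] "
    r"\[DASHBOARD\] from='(?P<origin>[^']*)' path='(?P<path>[^']*)' "
    r"method='(?P<method>[A-Z]+)' user='(?P<user>[^']*)'"
    r"(?: params='(?P<params>.*)')?$"  # assumption: no params field when payload logging is off
)

def parse_audit_line(line):
    """Return one dashboard audit entry as a dict, or None for any other log line."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    raw = entry["params"]
    if raw is not None:
        try:
            entry["params"] = json.loads(raw)
        except ValueError:
            entry["params"] = {"_unparsed": raw}  # keep the raw text rather than drop the entry
    return entry

def review(lines):
    """Summarise who changed what, and which argument names end up in the audit log."""
    entries = [e for e in map(parse_audit_line, lines) if e is not None]
    return {
        "changes": Counter((e["user"], e["method"]) for e in entries),
        # The user field reads 'None' when no user name is attached to the request.
        "no_user": [(e["ts"], e["method"], e["path"], e["origin"])
                    for e in entries if e["user"] == "None"],
        "logged_keys": sorted({k for e in entries
                               if isinstance(e["params"], dict) for k in e["params"]}),
    }

# First line is the entry shown above; the other three are constructed for this example.
SAMPLE = """
2018-10-22 15:27:01.302514 mgr.x [INF] [DASHBOARD] from='https://[::ffff:127.0.0.1]:37022' path='/api/rgw/user/klaus' method='PUT' user='admin' params='{"max_buckets": "1000", "display_name": "Klaus Mustermann", "uid": "klaus", "suspended": "0", "email": "klaus.mustermann@ceph.com"}'
2018-10-22 15:29:40.118203 mgr.x [INF] [DASHBOARD] from='https://[::ffff:192.0.2.10]:51234' path='/api/auth' method='POST' user='None' params='{}'
2018-10-22 15:31:12.660021 mgr.x [INF] [DASHBOARD] from='https://[::ffff:127.0.0.1]:37030' path='/api/rgw/user/klaus' method='DELETE' user='admin'
2018-10-22 15:31:13.000412 mgr.x [INF] pgmap v41: 64 pgs: 64 active+clean
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, value)
```

The logged_keys list is a quick way to review which request arguments are being written to the audit log before deciding whether to leave payload logging enabled.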
NFS-Ganesha Management
The dashboard requires enabling the NFS module, which will be used to manage NFS clusters and NFS exports. For more information, see CephFS and RGW Exports over NFS.
Plug-ins
Plug-ins extend the functionality of the Ceph Dashboard in a modular and loosely coupled fashion.
Feature Toggles
This plug-in allows you to enable or disable some Ceph Dashboard features on demand. When a feature is disabled:
Its front-end elements (web pages, menu entries, charts, etc.) will become hidden.
Its associated REST API endpoints will reject any further requests (404, Not Found Error).
The main purpose of this plug-in is to allow ad-hoc customizations of the workflows exposed by the dashboard. Additionally, it could allow for dynamically enabling experimental features with minimal configuration burden and no service impact.
The list of features that can be enabled/disabled is:
- Block (RBD):
  - Image Management: rbd
  - Mirroring: mirroring
  - iSCSI: iscsi
- Filesystem (Cephfs): cephfs
- Objects (RGW): rgw (including daemon, user and bucket management).
- NFS: nfs-ganesha exports.
By default all features come enabled.
To retrieve a list of features and their current statuses:
ceph dashboard feature status
Feature 'cephfs': 'enabled'
Feature 'iscsi': 'enabled'
Feature 'mirroring': 'enabled'
Feature 'rbd': 'enabled'
Feature 'rgw': 'enabled'
Feature 'nfs': 'enabled'
To enable or disable one or more features:
ceph dashboard feature disable iscsi mirroring
Feature 'iscsi': disabled
Feature 'mirroring': disabled
After a feature status has changed, the REST API endpoints immediately respond to that change, but it may take up to twenty (20) seconds for the front-end UI elements to reflect the change.
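Since a disabled feature also stops answering on its REST API endpoints, the feature list is worth checking against what a cluster is meant to expose. The following added example (not part of the Ceph documentation) parses the status output shown above, in both of its quoting styles, and returns the commands that would bring it in line with a baseline. The baseline set and the modified sample output are assumptions made for this example.

```python
import re

# Matches both output styles shown above: 'enabled' (quoted) and disabled (bare).
FEATURE_RE = re.compile(r"^Feature '(?P<name>[\w-]+)': '?(?P<state>enabled|disabled)'?$")

def parse_feature_status(output):
    """Map feature name -> True (enabled) / False (disabled) from the CLI output."""
    states = {}
    for line in output.splitlines():
        m = FEATURE_RE.match(line.strip())
        if m:
            states[m.group("name")] = m.group("state") == "enabled"
    return states

def plan(output, wanted):
    """Compare the reported state with the set of features this cluster should expose."""
    states = parse_feature_status(output)
    extra = sorted(n for n, on in states.items() if on and n not in wanted)
    missing = sorted(n for n in wanted if states.get(n) is False)
    unknown = sorted(set(wanted) - set(states))  # misspelled, or not reported by this release
    commands = []
    if extra:
        commands.append("ceph dashboard feature disable " + " ".join(extra))
    if missing:
        commands.append("ceph dashboard feature enable " + " ".join(missing))
    return commands, unknown

# Status output as shown above, with 'rgw' changed to disabled for this example.
STATUS = """
Feature 'cephfs': 'enabled'
Feature 'iscsi': 'enabled'
Feature 'mirroring': 'enabled'
Feature 'rbd': 'enabled'
Feature 'rgw': disabled
Feature 'nfs': 'enabled'
"""

# Hypothetical baseline: a cluster that serves only RBD (with mirroring) and RGW.
WANTED = {"rbd", "mirroring", "rgw"}

if __name__ == "__main__":
    commands, unknown = plan(STATUS, WANTED)
    print("\n".join(commands))
    print("not reported by the cluster:", unknown)
```

The commands are returned as text for review rather than executed.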
Debug
This plug-in allows you to customize the behaviour of the dashboard according to the debug mode. It can be enabled, disabled or checked with the following commands:
ceph dashboard debug status
Debug: 'disabled'
ceph dashboard debug enable
Debug: 'enabled'
ceph dashboard debug disable
Debug: 'disabled'
By default, it’s disabled. This is the recommended setting for production deployments. If required, debug mode can be enabled without need of restarting. Currently, disabled debug mode equals to CherryPy production environment, while when enabled, it uses test_suite defaults (please refer to CherryPy Environments for more details).
It also adds request uuid (unique_id) to Cherrypy on versions that don’t support this. It additionally prints the unique_id to error responses and log messages.
Message of the day (MOTD)
Displays a configured message of the day at the top of the Ceph Dashboard.
The importance of a MOTD can be configured by its severity, which is info, warning or danger. The MOTD can expire after a given time, which means it will not be displayed in the UI anymore. Use the following syntax to specify the expiration time: Ns|m|h|d|w for seconds, minutes, hours, days and weeks. If the MOTD should expire after 2 hours, use 2h, or 5w for 5 weeks. Use 0 to configure a MOTD that does not expire.
To configure a MOTD, run the following command:
ceph dashboard motd set <severity:info|warning|danger> <expires> <message>
To show the configured MOTD:
ceph dashboard motd get
To clear the configured MOTD run:
ceph dashboard motd clear
A MOTD with an info or warning severity can be closed by the user. The info MOTD is not displayed anymore until the local storage cookies are cleared or a new MOTD with a different severity is displayed. A MOTD with a ‘warning’ severity will be displayed again in a new session.
Troubleshooting the Dashboard
Locating the Dashboard
If you are unsure of the location of the Ceph Dashboard, run the following command:
ceph mgr services | jq .dashboard
"https://host:port"
The command returns the URL where the Ceph Dashboard is located: https://<host>:<port>/
Note
Many Ceph tools return results in JSON format. We suggest that you install the jq command-line utility to facilitate working with JSON data.
Accessing the Dashboard
If you are unable to access the Ceph Dashboard, run the following commands:
Verify the Ceph Dashboard module is enabled:
ceph mgr module ls | jq .enabled_modules
Ensure the Ceph Dashboard module is listed in the return value of the command. Example snipped output from the command above:
[ "dashboard", "iostat", "restful" ]
If it is not listed, activate the module with the following command:
ceph mgr module enable dashboard
Check the Ceph Dashboard and/or ceph-mgr log files for any errors.
Check if ceph-mgr log messages are written to a file by:
ceph config get mgr log_to_file
true
Get the location of the log file (it’s /var/log/ceph/<cluster-name>-<daemon-name>.log by default):
ceph config get mgr log_file
/var/log/ceph/$cluster-$name.log
Ensure the SSL/TLS support is configured properly:
Check if the SSL/TLS support is enabled:
ceph config get mgr mgr/dashboard/ssl
If the command returns true, verify a certificate exists by:
ceph config-key get mgr/dashboard/crt
and:
ceph config-key get mgr/dashboard/key
If it doesn’t return true, run the following command to generate a self-signed certificate or follow the instructions outlined in SSL/TLS Support:
ceph dashboard create-self-signed-cert
Trouble Logging into the Dashboard
If you are unable to log into the Ceph Dashboard and you receive the following error, run through the procedural checks below:

Check that your user credentials are correct. If you are seeing the notification message above when trying to log into the Ceph Dashboard, it is likely you are using the wrong credentials. Double check your username and password, and ensure that your keyboard’s caps lock is not enabled by accident.
If your user credentials are correct, but you are experiencing the same error, check that the user account exists:
ceph dashboard ac-user-show <username>
This command returns your user data. If the user does not exist, it will print:
Error ENOENT: User <username> does not exist
Check if the user is enabled:
ceph dashboard ac-user-show <username> | jq .enabled
true
Check if enabled is set to true for your user. If the user is not enabled, run:
ceph dashboard ac-user-enable <username>
See User and Role Management for more information.
A Dashboard Feature is Not Working
When an error occurs on the backend, you will usually receive an error notification on the frontend. Run through the following scenarios to debug.
Check the Ceph Dashboard and ceph-mgr logfile(s) for any errors. These can be found by searching for keywords, such as 500 Internal Server Error, followed by traceback. The end of a traceback contains more details about what exact error occurred.
Check your web browser’s JavaScript Console for any errors.
Ceph Dashboard Logs
Dashboard Debug Flag
With this flag enabled, error tracebacks are included in backend responses.
To enable this flag via the Ceph Dashboard, navigate from Cluster to Manager modules. Select the Dashboard module and click the edit button. Click the debug checkbox and update.
To enable it via the CLI, run the following command:
ceph dashboard debug enable
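Setting Logging Level of Dashboard Module
Setting the logging level to debug makes the log more verbose and helpful for debugging.
1. Increase the logging level of manager daemons:
ceph tell mgr config set debug_mgr 20
2. Adjust the logging level of the Ceph Dashboard module via the Dashboard or CLI:
Navigate from Cluster to Manager modules. Select the Dashboard module and click the edit button. Modify the log_level configuration.
To adjust it via the CLI, run the following command:
bin/ceph config set mgr mgr/dashboard/log_level debug
3. High log levels can produce a large volume of logs, which can quickly fill up your filesystem. Set a calendar reminder for an hour, a day, or a week in the future to revert this temporary logging increase. This looks something like this:
ceph config log
... --- 11 --- 2020-11-07 11:11:11.960659 --- mgr.x/dashboard/log_level = debug --- ...
ceph config reset 11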
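Enable Centralized Logging in Dashboard
To learn more about centralized logging, see Centralized Logging in Ceph.
Create the Loki service on any particular host using the “Create Services” option.
Similarly create the Promtail service which will be by default deployed on all the running hosts.
To see debug-level messages as well as info-level events, run the following command via the CLI: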
ceph config set mgr mgr/cephadm/log_to_cluster_level debug
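To enable logging to files, run the following commands via the CLI:
ceph config set global log_to_file true
ceph config set global mon_cluster_log_to_file true
Click on the Daemon Logs tab under Cluster -> Logs.
You can find some pre-defined labels, such as filename, job etc., on clicking the Log browser button, which can help you query the logs in one go.
You can use LogQL for advanced search and to perform some calculations as well - https://grafana.com/docs/loki/latest/logql/.
Reporting issues from Dashboard
Ceph-Dashboard provides two ways to create an issue in the Ceph Issue Tracker: using the Ceph command line interface or using the Ceph Dashboard user interface.
To create an issue in the Ceph Issue Tracker, a user needs to have an account on the issue tracker. Under the my account tab in the Ceph Issue Tracker, users can see their API access key. This key is used for authentication when creating a new issue. To store the Ceph API access key via the CLI, run:
ceph dashboard set-issue-tracker-api-key -i <file-containing-key>
Then, after a successful update, you can create an issue using the following command:
ceph dashboard create issue <project> <tracker_type> <subject> <description>
The available projects to create an issue on are:
The available tracker types are:
The subject and description are set by the user.
The user can also create an issue using the Dashboard user interface. The settings icon dropdown menu at the top right of the navigation bar has the option to Raise an issue. Clicking it opens a modal dialog in which the project and tracker can be selected from their respective dropdown menus. The subject and multiline description are added by the user. The user can then submit the issue.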