[ceph.git] / ceph / doc / dev / cephadm / host-maintenance.rst

================
Host Maintenance
================

All hosts that support Ceph daemons need to support maintenance activity, whether the host
is physical or virtual. This means that management workflows should provide
a simple and consistent way to support this operational requirement. This document defines
the maintenance strategy that could be implemented in cephadm and mgr/cephadm.


High Level Design
=================
Placing a host into maintenance, adopts the following workflow;

#. confirm that the removal of the host does not impact data availability (the following
   steps will assume it is safe to proceed)

   * ``orch host ok-to-stop <host>`` would be used here

#. if the host has osd daemons, apply noout to the host subtree to prevent data migration
   from triggering during the planned maintenance slot.
#. Stop the ceph target (all daemons stop)
#. Disable the ceph target on that host, to prevent a reboot from automatically starting
   ceph services again)


Exiting Maintenance, is basically the reverse of the above sequence

Admin Interaction
=================
The ceph orch command will be extended to support maintenance. 

.. code-block::

    ceph orch host enter-maintenance <host> [ --check ]
    ceph orch host exit-maintenance <host> 

.. note:: In addition, the host's status should be updated to reflect whether it
   is in maintenance or not. 

The 'check' Option 
__________________
The orch host ok-to-stop command focuses on ceph daemons (mon, osd, mds), which
provides the first check. However, a ceph cluster also uses other types of daemons
for monitoring, management and non-native protocol support which means the 
logic will need to consider service impact too. The 'check' option provides 
this additional layer to alert the user of service impact to *secondary*
daemons.

The list below shows some of these additional daemons.

* mgr (not included in ok-to-stop checks) 
* prometheus, grafana, alertmanager
* rgw
* haproxy
* iscsi gateways
* ganesha gateways

By using the --check option first, the Admin can choose whether to proceed. This 
workflow is obviously optional for the CLI user, but could be integrated into the
UI workflow to help less experienced Administators manage the cluster.

By adopting this two-phase approach, a UI based workflow would look something
like this.

#. User selects a host to place into maintenance
 
   * orchestrator checks for data **and** service impact
#. If potential impact is shown, the next steps depend on the impact type
   
   * **data availability** : maintenance is denied, informing the user of the issue
   * **service availability** : user is provided a list of affected services and 
     asked to confirm


Components Impacted
===================
Implementing this capability will require changes to the following; 

* cephadm

  * Add maintenance subcommand with the following 'verbs'; enter, exit, check

* mgr/cephadm

  * add methods to CephadmOrchestrator for enter/exit and check
  * data gathering would be skipped for hosts in a maintenance state

* mgr/orchestrator

  * add CLI commands to OrchestratorCli which expose the enter/exit and check interaction


Ideas for Future Work
=====================
#. When a host is placed into maintenance, the time of the event could be persisted. This
   would allow the orchestrator layer to establish a maintenance window for the task and 
   alert if the maintenance window has been exceeded.
#. The maintenance process could support plugins to allow other integration tasks to be
   initiated as part of the transition to and from maintenance. This plugin capability could
   support actions like; 
   
   * alert suppression to 3rd party monitoring framework(s)
   * service level reporting, to record outage windows
Commit	Line	Data
adb31ebb TL	1	================
	2	Host Maintenance
	3	================
	4
	5	All hosts that support Ceph daemons need to support maintenance activity, whether the host
	6	is physical or virtual. This means that management workflows should provide
	7	a simple and consistent way to support this operational requirement. This document defines
	8	the maintenance strategy that could be implemented in cephadm and mgr/cephadm.
	9
	10
	11	High Level Design
	12	=================
	13	Placing a host into maintenance, adopts the following workflow;
	14
	15	#. confirm that the removal of the host does not impact data availability (the following
	16	steps will assume it is safe to proceed)
	17
20effc67	18	* ``orch host ok-to-stop <host>`` would be used here
adb31ebb TL	19
	20	#. if the host has osd daemons, apply noout to the host subtree to prevent data migration
	21	from triggering during the planned maintenance slot.
	22	#. Stop the ceph target (all daemons stop)
	23	#. Disable the ceph target on that host, to prevent a reboot from automatically starting
	24	ceph services again)
	25
	26
	27	Exiting Maintenance, is basically the reverse of the above sequence
	28
	29	Admin Interaction
	30	=================
	31	The ceph orch command will be extended to support maintenance.
	32
	33	.. code-block::
	34
	35	ceph orch host enter-maintenance <host> [ --check ]
	36	ceph orch host exit-maintenance <host>
	37
	38	.. note:: In addition, the host's status should be updated to reflect whether it
	39	is in maintenance or not.
	40
	41	The 'check' Option
	42	__________________
	43	The orch host ok-to-stop command focuses on ceph daemons (mon, osd, mds), which
	44	provides the first check. However, a ceph cluster also uses other types of daemons
	45	for monitoring, management and non-native protocol support which means the
	46	logic will need to consider service impact too. The 'check' option provides
	47	this additional layer to alert the user of service impact to secondary
	48	daemons.
	49
	50	The list below shows some of these additional daemons.
	51
	52	* mgr (not included in ok-to-stop checks)
	53	* prometheus, grafana, alertmanager
	54	* rgw
	55	* haproxy
	56	* iscsi gateways
	57	* ganesha gateways
	58
	59	By using the --check option first, the Admin can choose whether to proceed. This
	60	workflow is obviously optional for the CLI user, but could be integrated into the
	61	UI workflow to help less experienced Administators manage the cluster.
	62
	63	By adopting this two-phase approach, a UI based workflow would look something
	64	like this.
	65
	66	#. User selects a host to place into maintenance
	67
	68	* orchestrator checks for data and service impact
	69	#. If potential impact is shown, the next steps depend on the impact type
	70
	71	* data availability : maintenance is denied, informing the user of the issue
	72	* service availability : user is provided a list of affected services and
	73	asked to confirm
	74
	75
	76	Components Impacted
	77	===================
	78	Implementing this capability will require changes to the following;
	79
	80	* cephadm
	81
	82	* Add maintenance subcommand with the following 'verbs'; enter, exit, check
83
84	* mgr/cephadm
85
86	* add methods to CephadmOrchestrator for enter/exit and check
87	* data gathering would be skipped for hosts in a maintenance state
88
89	* mgr/orchestrator
90
91	* add CLI commands to OrchestratorCli which expose the enter/exit and check interaction
92
93
94	Ideas for Future Work
95	=====================
96	#. When a host is placed into maintenance, the time of the event could be persisted. This
97	would allow the orchestrator layer to establish a maintenance window for the task and
98	alert if the maintenance window has been exceeded.
99	#. The maintenance process could support plugins to allow other integration tasks to be
100	initiated as part of the transition to and from maintenance. This plugin capability could
101	support actions like;
102
103	* alert suppression to 3rd party monitoring framework(s)
104	* service level reporting, to record outage windows