[ceph.git] / ceph / doc / cephadm / troubleshooting.rst

Troubleshooting
===============

You might need to investigate why a cephadm command failed
or why a certain service no longer runs properly.

Cephadm deploys daemons as containers. This means that
troubleshooting those containerized daemons might work
differently than you expect (and that is certainly true if
you expect this troubleshooting to work the way that
troubleshooting does when the daemons involved aren't
containerized). 

Here are some tools and commands to help you troubleshoot
your Ceph environment.

.. _cephadm-pause:

Pausing or disabling cephadm
----------------------------

If something goes wrong and cephadm is behaving badly, you can
pause most of the Ceph cluster's background activity by running
the following command: 

.. prompt:: bash #

  ceph orch pause

This stops all changes in the Ceph cluster, but cephadm will
still periodically check hosts to refresh its inventory of
daemons and devices.  You can disable cephadm completely by
running the following commands:

.. prompt:: bash #

  ceph orch set backend ''
  ceph mgr module disable cephadm

These commands disable all of the ``ceph orch ...`` CLI commands.
All previously deployed daemon containers continue to exist and
will start as they did before you ran these commands.

See :ref:`cephadm-spec-unmanaged` for information on disabling
individual services.


Per-service and per-daemon events
---------------------------------

In order to help with the process of debugging failed daemon
deployments, cephadm stores events per service and per daemon.
These events often contain information relevant to
troubleshooting
your Ceph cluster. 

Listing service events
~~~~~~~~~~~~~~~~~~~~~~

To see the events associated with a certain service, run a
command of the and following form:

.. prompt:: bash #

  ceph orch ls --service_name=<service-name> --format yaml

This will return something in the following form:

.. code-block:: yaml

  service_type: alertmanager
  service_name: alertmanager
  placement:
    hosts:
    - unknown_host
  status:
    ...
    running: 1
    size: 1
  events:
  - 2021-02-01T08:58:02.741162 service:alertmanager [INFO] "service was created"
  - '2021-02-01T12:09:25.264584 service:alertmanager [ERROR] "Failed to apply: Cannot
    place <AlertManagerSpec for service_name=alertmanager> on unknown_host: Unknown hosts"'

Listing daemon events
~~~~~~~~~~~~~~~~~~~~~

To see the events associated with a certain daemon, run a
command of the and following form:

.. prompt:: bash #

  ceph orch ps --service-name <service-name> --daemon-id <daemon-id> --format yaml

This will return something in the following form:

.. code-block:: yaml

  daemon_type: mds
  daemon_id: cephfs.hostname.ppdhsz
  hostname: hostname
  status_desc: running
  ...
  events:
  - 2021-02-01T08:59:43.845866 daemon:mds.cephfs.hostname.ppdhsz [INFO] "Reconfigured
    mds.cephfs.hostname.ppdhsz on host 'hostname'"


Checking cephadm logs
---------------------

To learn how to monitor the cephadm logs as they are generated, read :ref:`watching_cephadm_logs`.

If your Ceph cluster has been configured to log events to files, there will exist a
cephadm log file called ``ceph.cephadm.log`` on all monitor hosts (see
:ref:`cephadm-logs` for a more complete explanation of this).

Gathering log files
-------------------

Use journalctl to gather the log files of all daemons:

.. note:: By default cephadm now stores logs in journald. This means
   that you will no longer find daemon logs in ``/var/log/ceph/``.

To read the log file of one specific daemon, run::

    cephadm logs --name <name-of-daemon>

Note: this only works when run on the same host where the daemon is running. To
get logs of a daemon running on a different host, give the ``--fsid`` option::

    cephadm logs --fsid <fsid> --name <name-of-daemon>

where the ``<fsid>`` corresponds to the cluster ID printed by ``ceph status``.

To fetch all log files of all daemons on a given host, run::

    for name in $(cephadm ls | jq -r '.[].name') ; do
      cephadm logs --fsid <fsid> --name "$name" > $name;
    done

Collecting systemd status
-------------------------

To print the state of a systemd unit, run::

      systemctl status "ceph-$(cephadm shell ceph fsid)@<service name>.service";


To fetch all state of all daemons of a given host, run::

    fsid="$(cephadm shell ceph fsid)"
    for name in $(cephadm ls | jq -r '.[].name') ; do
      systemctl status "ceph-$fsid@$name.service" > $name;
    done


List all downloaded container images
------------------------------------

To list all container images that are downloaded on a host:

.. note:: ``Image`` might also be called `ImageID`

::

    podman ps -a --format json | jq '.[].Image'
    "docker.io/library/centos:8"
    "registry.opensuse.org/opensuse/leap:15.2"


Manually running containers
---------------------------

Cephadm writes small wrappers that run a containers. Refer to
``/var/lib/ceph/<cluster-fsid>/<service-name>/unit.run`` for the
container execution command.

.. _cephadm-ssh-errors:

ssh errors
----------

Error message::

  execnet.gateway_bootstrap.HostNotFound: -F /tmp/cephadm-conf-73z09u6g -i /tmp/cephadm-identity-ky7ahp_5 root@10.10.1.2
  ...
  raise OrchestratorError(msg) from e
  orchestrator._interface.OrchestratorError: Failed to connect to 10.10.1.2 (10.10.1.2).
  Please make sure that the host is reachable and accepts connections using the cephadm SSH key
  ...

Things users can do:

1. Ensure cephadm has an SSH identity key::

     [root@mon1~]# cephadm shell -- ceph config-key get mgr/cephadm/ssh_identity_key > ~/cephadm_private_key
     INFO:cephadm:Inferring fsid f8edc08a-7f17-11ea-8707-000c2915dd98
     INFO:cephadm:Using recent ceph image docker.io/ceph/ceph:v15 obtained 'mgr/cephadm/ssh_identity_key'
     [root@mon1 ~] # chmod 0600 ~/cephadm_private_key

 If this fails, cephadm doesn't have a key. Fix this by running the following command::

     [root@mon1 ~]# cephadm shell -- ceph cephadm generate-ssh-key

 or::

     [root@mon1 ~]# cat ~/cephadm_private_key | cephadm shell -- ceph cephadm set-ssk-key -i -

2. Ensure that the ssh config is correct::

     [root@mon1 ~]# cephadm shell -- ceph cephadm get-ssh-config > config

3. Verify that we can connect to the host::

     [root@mon1 ~]# ssh -F config -i ~/cephadm_private_key root@mon1

Verifying that the Public Key is Listed in the authorized_keys file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To verify that the public key is in the authorized_keys file, run the following commands::

     [root@mon1 ~]# cephadm shell -- ceph cephadm get-pub-key > ~/ceph.pub
     [root@mon1 ~]# grep "`cat ~/ceph.pub`"  /root/.ssh/authorized_keys

Failed to infer CIDR network error
----------------------------------

If you see this error::

   ERROR: Failed to infer CIDR network for mon ip ***; pass --skip-mon-network to configure it later

Or this error::

   Must set public_network config option or specify a CIDR network, ceph addrvec, or plain IP

This means that you must run a command of this form::

  ceph config set mon public_network <mon_network>

For more detail on operations of this kind, see :ref:`deploy_additional_monitors`

Accessing the admin socket
--------------------------

Each Ceph daemon provides an admin socket that bypasses the
MONs (See :ref:`rados-monitoring-using-admin-socket`).

To access the admin socket, first enter the daemon container on the host::

    [root@mon1 ~]# cephadm enter --name <daemon-name>
    [ceph: root@mon1 /]# ceph --admin-daemon /var/run/ceph/ceph-<daemon-name>.asok config show

Calling miscellaneous ceph tools
--------------------------------

To call miscellaneous like ``ceph-objectstore-tool`` or 
``ceph-monstore-tool``, you can run them by calling 
``cephadm shell --name <daemon-name>`` like so::

    root@myhostname # cephadm unit --name mon.myhostname stop
    root@myhostname # cephadm shell --name mon.myhostname
    [ceph: root@myhostname /]# ceph-monstore-tool /var/lib/ceph/mon/ceph-myhostname get monmap > monmap         
    [ceph: root@myhostname /]# monmaptool --print monmap
    monmaptool: monmap file monmap
    epoch 1
    fsid 28596f44-3b56-11ec-9034-482ae35a5fbb
    last_changed 2021-11-01T20:57:19.755111+0000
    created 2021-11-01T20:57:19.755111+0000
    min_mon_release 17 (quincy)
    election_strategy: 1
    0: [v2:127.0.0.1:3300/0,v1:127.0.0.1:6789/0] mon.myhostname

This command sets up the environment in a way that is suitable
for extended daemon maintenance and running the deamon interactively. 

.. _cephadm-restore-quorum:

Restoring the MON quorum
------------------------

In case the Ceph MONs cannot form a quorum, cephadm is not able
to manage the cluster, until the quorum is restored.

In order to restore the MON quorum, remove unhealthy MONs
form the monmap by following these steps:

1. Stop all MONs. For each MON host::

    ssh {mon-host}
    cephadm unit --name mon.`hostname` stop


2. Identify a surviving monitor and log in to that host::

    ssh {mon-host}
    cephadm enter --name mon.`hostname`

3. Follow the steps in :ref:`rados-mon-remove-from-unhealthy`

.. _cephadm-manually-deploy-mgr:

Manually deploying a MGR daemon
-------------------------------
cephadm requires a MGR daemon in order to manage the cluster. In case the cluster
the last MGR of a cluster was removed, follow these steps in order to deploy 
a MGR ``mgr.hostname.smfvfd`` on a random host of your cluster manually. 

Disable the cephadm scheduler, in order to prevent cephadm from removing the new 
MGR. See :ref:`cephadm-enable-cli`::

  ceph config-key set mgr/cephadm/pause true

Then get or create the auth entry for the new MGR::

  ceph auth get-or-create mgr.hostname.smfvfd mon "profile mgr" osd "allow *" mds "allow *"

Get the ceph.conf::

  ceph config generate-minimal-conf

Get the container image::

  ceph config get "mgr.hostname.smfvfd" container_image

Create a file ``config-json.json`` which contains the information neccessary to deploy
the daemon:

.. code-block:: json

  {
    "config": "# minimal ceph.conf for 8255263a-a97e-4934-822c-00bfe029b28f\n[global]\n\tfsid = 8255263a-a97e-4934-822c-00bfe029b28f\n\tmon_host = [v2:192.168.0.1:40483/0,v1:192.168.0.1:40484/0]\n",
    "keyring": "[mgr.hostname.smfvfd]\n\tkey = V2VyIGRhcyBsaWVzdCBpc3QgZG9vZi4=\n"
  }

Deploy the daemon::

  cephadm --image <container-image> deploy --fsid <fsid> --name mgr.hostname.smfvfd --config-json config-json.json
Commit	Line	Data
9f95a23c TL	1	Troubleshooting
	2	===============
	3
522d829b TL	4	You might need to investigate why a cephadm command failed
522d829b TL	5	or why a certain service no longer runs properly.
9f95a23c	6
522d829b TL	7	Cephadm deploys daemons as containers. This means that
	8	troubleshooting those containerized daemons might work
	9	differently than you expect (and that is certainly true if
	10	you expect this troubleshooting to work the way that
	11	troubleshooting does when the daemons involved aren't
	12	containerized).
	13
	14	Here are some tools and commands to help you troubleshoot
	15	your Ceph environment.
9f95a23c	16
f67539c2 TL	17	.. _cephadm-pause:
f67539c2 TL	18
801d1391 TL	19	Pausing or disabling cephadm
	20	----------------------------
	21
522d829b TL	22	If something goes wrong and cephadm is behaving badly, you can
	23	pause most of the Ceph cluster's background activity by running
	24	the following command:
	25
	26	.. prompt:: bash #
801d1391 TL	27
	28	ceph orch pause
	29
522d829b TL	30	This stops all changes in the Ceph cluster, but cephadm will
	31	still periodically check hosts to refresh its inventory of
	32	daemons and devices. You can disable cephadm completely by
	33	running the following commands:
	34
	35	.. prompt:: bash #
801d1391 TL	36
	37	ceph orch set backend ''
	38	ceph mgr module disable cephadm
	39
522d829b TL	40	These commands disable all of the ``ceph orch ...`` CLI commands.
	41	All previously deployed daemon containers continue to exist and
	42	will start as they did before you ran these commands.
801d1391	43
522d829b TL	44	See :ref:`cephadm-spec-unmanaged` for information on disabling
522d829b TL	45	individual services.
f67539c2 TL	46
	47
	48	Per-service and per-daemon events
	49	---------------------------------
	50
522d829b TL	51	In order to help with the process of debugging failed daemon
	52	deployments, cephadm stores events per service and per daemon.
	53	These events often contain information relevant to
	54	troubleshooting
	55	your Ceph cluster.
	56
	57	Listing service events
	58	~~~~~~~~~~~~~~~~~~~~~~
	59
	60	To see the events associated with a certain service, run a
	61	command of the and following form:
	62
	63	.. prompt:: bash #
f67539c2 TL	64
	65	ceph orch ls --service_name=<service-name> --format yaml
	66
522d829b	67	This will return something in the following form:
f67539c2 TL	68
	69	.. code-block:: yaml
	70
	71	service_type: alertmanager
	72	service_name: alertmanager
	73	placement:
	74	hosts:
	75	- unknown_host
	76	status:
	77	...
	78	running: 1
	79	size: 1
	80	events:
	81	- 2021-02-01T08:58:02.741162 service:alertmanager [INFO] "service was created"
	82	- '2021-02-01T12:09:25.264584 service:alertmanager [ERROR] "Failed to apply: Cannot
	83	place <AlertManagerSpec for service_name=alertmanager> on unknown_host: Unknown hosts"'
	84
522d829b TL	85	Listing daemon events
	86	~~~~~~~~~~~~~~~~~~~~~
	87
	88	To see the events associated with a certain daemon, run a
	89	command of the and following form:
	90
	91	.. prompt:: bash #
f67539c2 TL	92
	93	ceph orch ps --service-name <service-name> --daemon-id <daemon-id> --format yaml
	94
522d829b TL	95	This will return something in the following form:
522d829b TL	96
f67539c2 TL	97	.. code-block:: yaml
	98
	99	daemon_type: mds
	100	daemon_id: cephfs.hostname.ppdhsz
	101	hostname: hostname
	102	status_desc: running
	103	...
	104	events:
	105	- 2021-02-01T08:59:43.845866 daemon:mds.cephfs.hostname.ppdhsz [INFO] "Reconfigured
	106	mds.cephfs.hostname.ppdhsz on host 'hostname'"
	107
	108
801d1391 TL	109	Checking cephadm logs
	110	---------------------
	111
522d829b	112	To learn how to monitor the cephadm logs as they are generated, read :ref:`watching_cephadm_logs`.
801d1391	113
522d829b TL	114	If your Ceph cluster has been configured to log events to files, there will exist a
	115	cephadm log file called ``ceph.cephadm.log`` on all monitor hosts (see
	116	:ref:`cephadm-logs` for a more complete explanation of this).
801d1391	117
9f95a23c TL	118	Gathering log files
	119	-------------------
	120
	121	Use journalctl to gather the log files of all daemons:
	122
	123	.. note:: By default cephadm now stores logs in journald. This means
	124	that you will no longer find daemon logs in ``/var/log/ceph/``.
	125
	126	To read the log file of one specific daemon, run::
	127
	128	cephadm logs --name <name-of-daemon>
	129
	130	Note: this only works when run on the same host where the daemon is running. To
	131	get logs of a daemon running on a different host, give the ``--fsid`` option::
	132
	133	cephadm logs --fsid <fsid> --name <name-of-daemon>
	134
	135	where the ``<fsid>`` corresponds to the cluster ID printed by ``ceph status``.
	136
	137	To fetch all log files of all daemons on a given host, run::
	138
	139	for name in $(cephadm ls \| jq -r '.[].name') ; do
	140	cephadm logs --fsid <fsid> --name "$name" > $name;
	141	done
	142
	143	Collecting systemd status
	144	-------------------------
	145
	146	To print the state of a systemd unit, run::
	147
	148	systemctl status "ceph-$(cephadm shell ceph fsid)@<service name>.service";
	149
	150
	151	To fetch all state of all daemons of a given host, run::
	152
	153	fsid="$(cephadm shell ceph fsid)"
	154	for name in $(cephadm ls \| jq -r '.[].name') ; do
	155	systemctl status "ceph-$fsid@$name.service" > $name;
	156	done
	157
	158
	159	List all downloaded container images
	160	------------------------------------
	161
	162	To list all container images that are downloaded on a host:
	163
	164	.. note:: ``Image`` might also be called `ImageID`
	165
	166	::
	167
	168	podman ps -a --format json \| jq '.[].Image'
	169	"docker.io/library/centos:8"
	170	"registry.opensuse.org/opensuse/leap:15.2"
	171
	172
	173	Manually running containers
	174	---------------------------
	175
	176	Cephadm writes small wrappers that run a containers. Refer to
	177	``/var/lib/ceph/<cluster-fsid>/<service-name>/unit.run`` for the
	178	container execution command.
1911f103	179
f6b5b4d7	180	.. _cephadm-ssh-errors:
1911f103 TL	181
	182	ssh errors
	183	----------
	184
	185	Error message::
	186
f91f0fd5 TL	187	execnet.gateway_bootstrap.HostNotFound: -F /tmp/cephadm-conf-73z09u6g -i /tmp/cephadm-identity-ky7ahp_5 root@10.10.1.2
	188	...
	189	raise OrchestratorError(msg) from e
	190	orchestrator._interface.OrchestratorError: Failed to connect to 10.10.1.2 (10.10.1.2).
	191	Please make sure that the host is reachable and accepts connections using the cephadm SSH key
	192	...
1911f103 TL	193
	194	Things users can do:
	195
	196	1. Ensure cephadm has an SSH identity key::
f91f0fd5 TL	197
f91f0fd5 TL	198	[root@mon1~]# cephadm shell -- ceph config-key get mgr/cephadm/ssh_identity_key > ~/cephadm_private_key
1911f103 TL	199	INFO:cephadm:Inferring fsid f8edc08a-7f17-11ea-8707-000c2915dd98
1911f103 TL	200	INFO:cephadm:Using recent ceph image docker.io/ceph/ceph:v15 obtained 'mgr/cephadm/ssh_identity_key'
f91f0fd5	201	[root@mon1 ~] # chmod 0600 ~/cephadm_private_key
1911f103 TL	202
1911f103 TL	203	If this fails, cephadm doesn't have a key. Fix this by running the following command::
f91f0fd5	204
1911f103 TL	205	[root@mon1 ~]# cephadm shell -- ceph cephadm generate-ssh-key
	206
	207	or::
f91f0fd5 TL	208
f91f0fd5 TL	209	[root@mon1 ~]# cat ~/cephadm_private_key \| cephadm shell -- ceph cephadm set-ssk-key -i -
1911f103 TL	210
1911f103 TL	211	2. Ensure that the ssh config is correct::
f91f0fd5	212
1911f103 TL	213	[root@mon1 ~]# cephadm shell -- ceph cephadm get-ssh-config > config
	214
	215	3. Verify that we can connect to the host::
1911f103	216
f91f0fd5	217	[root@mon1 ~]# ssh -F config -i ~/cephadm_private_key root@mon1
1911f103 TL	218
1911f103 TL	219	Verifying that the Public Key is Listed in the authorized_keys file
522d829b TL	220	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
522d829b TL	221
1911f103 TL	222	To verify that the public key is in the authorized_keys file, run the following commands::
1911f103 TL	223
f91f0fd5 TL	224	[root@mon1 ~]# cephadm shell -- ceph cephadm get-pub-key > ~/ceph.pub
f91f0fd5 TL	225	[root@mon1 ~]# grep "`cat ~/ceph.pub`" /root/.ssh/authorized_keys
e306af50 TL	226
	227	Failed to infer CIDR network error
	228	----------------------------------
	229
	230	If you see this error::
	231
	232	ERROR: Failed to infer CIDR network for mon ip ***; pass --skip-mon-network to configure it later
	233
	234	Or this error::
	235
	236	Must set public_network config option or specify a CIDR network, ceph addrvec, or plain IP
	237
	238	This means that you must run a command of this form::
	239
	240	ceph config set mon public_network <mon_network>
	241
	242	For more detail on operations of this kind, see :ref:`deploy_additional_monitors`
	243
	244	Accessing the admin socket
	245	--------------------------
	246
	247	Each Ceph daemon provides an admin socket that bypasses the
	248	MONs (See :ref:`rados-monitoring-using-admin-socket`).
	249
	250	To access the admin socket, first enter the daemon container on the host::
	251
	252	[root@mon1 ~]# cephadm enter --name <daemon-name>
	253	[ceph: root@mon1 /]# ceph --admin-daemon /var/run/ceph/ceph-<daemon-name>.asok config show
f67539c2	254
a4b75251 TL	255	Calling miscellaneous ceph tools
	256	--------------------------------
	257
	258	To call miscellaneous like ``ceph-objectstore-tool`` or
	259	``ceph-monstore-tool``, you can run them by calling
	260	``cephadm shell --name <daemon-name>`` like so::
	261
	262	root@myhostname # cephadm unit --name mon.myhostname stop
	263	root@myhostname # cephadm shell --name mon.myhostname
	264	[ceph: root@myhostname /]# ceph-monstore-tool /var/lib/ceph/mon/ceph-myhostname get monmap > monmap
	265	[ceph: root@myhostname /]# monmaptool --print monmap
	266	monmaptool: monmap file monmap
	267	epoch 1
	268	fsid 28596f44-3b56-11ec-9034-482ae35a5fbb
	269	last_changed 2021-11-01T20:57:19.755111+0000
	270	created 2021-11-01T20:57:19.755111+0000
	271	min_mon_release 17 (quincy)
	272	election_strategy: 1
	273	0: [v2:127.0.0.1:3300/0,v1:127.0.0.1:6789/0] mon.myhostname
	274
	275	This command sets up the environment in a way that is suitable
	276	for extended daemon maintenance and running the deamon interactively.
	277
	278	.. _cephadm-restore-quorum:
f67539c2 TL	279
	280	Restoring the MON quorum
	281	------------------------
	282
	283	In case the Ceph MONs cannot form a quorum, cephadm is not able
	284	to manage the cluster, until the quorum is restored.
	285
	286	In order to restore the MON quorum, remove unhealthy MONs
	287	form the monmap by following these steps:
	288
	289	1. Stop all MONs. For each MON host::
	290
	291	ssh {mon-host}
	292	cephadm unit --name mon.`hostname` stop
	293
	294
	295	2. Identify a surviving monitor and log in to that host::
	296
	297	ssh {mon-host}
	298	cephadm enter --name mon.`hostname`
	299
	300	3. Follow the steps in :ref:`rados-mon-remove-from-unhealthy`
	301
a4b75251	302	.. _cephadm-manually-deploy-mgr:
f67539c2 TL	303
	304	Manually deploying a MGR daemon
	305	-------------------------------
	306	cephadm requires a MGR daemon in order to manage the cluster. In case the cluster
	307	the last MGR of a cluster was removed, follow these steps in order to deploy
	308	a MGR ``mgr.hostname.smfvfd`` on a random host of your cluster manually.
	309
	310	Disable the cephadm scheduler, in order to prevent cephadm from removing the new
	311	MGR. See :ref:`cephadm-enable-cli`::
	312
	313	ceph config-key set mgr/cephadm/pause true
	314
	315	Then get or create the auth entry for the new MGR::
	316
	317	ceph auth get-or-create mgr.hostname.smfvfd mon "profile mgr" osd "allow " mds "allow "
	318
	319	Get the ceph.conf::
	320
	321	ceph config generate-minimal-conf
	322
	323	Get the container image::
	324
	325	ceph config get "mgr.hostname.smfvfd" container_image
	326
	327	Create a file ``config-json.json`` which contains the information neccessary to deploy
	328	the daemon:
	329
	330	.. code-block:: json
	331
	332	{
	333	"config": "# minimal ceph.conf for 8255263a-a97e-4934-822c-00bfe029b28f\n[global]\n\tfsid = 8255263a-a97e-4934-822c-00bfe029b28f\n\tmon_host = [v2:192.168.0.1:40483/0,v1:192.168.0.1:40484/0]\n",
	334	"keyring": "[mgr.hostname.smfvfd]\n\tkey = V2VyIGRhcyBsaWVzdCBpc3QgZG9vZi4=\n"
	335	}
	336
	337	Deploy the daemon::
	338
	339	cephadm --image <container-image> deploy --fsid <fsid> --name mgr.hostname.smfvfd --config-json config-json.json
	340