Open Stack

Hi,

I was also hitting this issue and currently using a workaround written in Ceph document[1]

ceph config set mon auth_allow_insecure_global_id_reclaim true
ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 4w
ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 4w

Thanks for the suggestion by yoctozepto
I've found out that Ceph does provide an official source for debian packages [2]
If it's ok I'll work on a patch to use the official repo for installation source.

Regards,
Gene Kuo

[1] https://docs.ceph.com/en/latest/security/CVE-2021-20288/
[2] https://docs.ceph.com/en/latest/install/get-packages/#debian-packages

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

在 2021年7月16日 星期五 下午 3:42，Radosław Piliszek <radoslaw.piliszek at gmail.com> 寫道：

> On Fri, Jul 16, 2021 at 1:45 AM J-P Methot jp.methot at planethoster.info wrote:
>
> > Hi,
>
> Hello,
>
> > We've been using Kolla to provision a production cluster and we've
> >
> > noticed that the ceph-client version provided in the Kolla images is
> >
> > severely outdated as it doesn't support the fix to CVE-2021-20288 that
> >
> > was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a
> >
> > result, the installed ceph-client can't connect to ceph clusters where
> >
> > the patch is active.
> >
> > Is there any Kolla image where more recent versions of ceph-client is
> >
> > installed? How would I be able to get them?
>
> This is a known issue. We are depending on the upstream (the Ubuntu
>
> distribution in here) to provide Ceph client libraries.
>
> They are, as you noticed, quite outdated in Focal.
>
> If you know of a reliable, official source of newer Ubuntu Ceph client
>
> packages, then let us know.
>
> Otherwise, there are no Kolla Ubuntu images at the moment which have newer Ceph.
>
> -yoctozepto