On Fri, Jul 16, 2021 at 1:45 AM J-P Methot <jp.methot@planethoster.info> wrote:
>
> Hi,
Hello,
> We've been using Kolla to provision a production cluster and we've
> noticed that the ceph-client version provided in the Kolla images is
> severely outdated as it doesn't support the fix to CVE-2021-20288 that
> was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a
> result, the installed ceph-client can't connect to ceph clusters where
> the patch is active.
>
> Is there any Kolla image where more recent versions of ceph-client is
> installed? How would I be able to get them?
This is a known issue. We are depending on the upstream (the Ubuntu
distribution in here) to provide Ceph client libraries.
They are, as you noticed, quite outdated in Focal.
If you know of a reliable, official source of newer Ubuntu Ceph client
packages, then let us know.
Otherwise, there are no Kolla Ubuntu images at the moment which have newer Ceph.
-yoctozepto
When I build ubuntu-binary-cinder-volume locally, I get 16.2.4 packages which come from the Ubuntu Cloud Archive:
Logs from periodic publish jobs show that the last weekly build from Sunday [1] installed 16.2.0, while the last daily build [2] from yesterday installed 16.2.4.
Either UCA was outdated or the OpenDev mirrors were not synced?