[kolla] Ceph client version in Kolla 12.0.0 Wallaby and ubuntu containers
Hi,

We've been using Kolla to provision a production cluster and we've noticed that the ceph-client version provided in the Kolla images is severely outdated as it doesn't support the fix to CVE-2021-20288 that was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a result, the installed ceph-client can't connect to ceph clusters where the patch is active.

Is there any Kolla image where more recent versions of ceph-client is installed? How would I be able to get them?

--
Jean-Philippe Méthot
Senior Openstack system administrator
Administrateur système Openstack sénior
PlanetHoster inc.

On Fri, Jul 16, 2021 at 1:45 AM J-P Methot <jp.methot@planethoster.info> wrote:
> Hi,

Hello,

> We've been using Kolla to provision a production cluster and we've noticed that the ceph-client version provided in the Kolla images is severely outdated as it doesn't support the fix to CVE-2021-20288 that was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a result, the installed ceph-client can't connect to ceph clusters where the patch is active.
> Is there any Kolla image where more recent versions of ceph-client is installed? How would I be able to get them?

This is a known issue. We are depending on the upstream (the Ubuntu distribution in here) to provide Ceph client libraries. They are, as you noticed, quite outdated in Focal. If you know of a reliable, official source of newer Ubuntu Ceph client packages, then let us know. Otherwise, there are no Kolla Ubuntu images at the moment which have newer Ceph.

-yoctozepto

On Fri, 16 Jul 2021 at 09:43, Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
> On Fri, Jul 16, 2021 at 1:45 AM J-P Methot <jp.methot@planethoster.info> wrote:
>> Hi,
> Hello,
>> We've been using Kolla to provision a production cluster and we've noticed that the ceph-client version provided in the Kolla images is severely outdated as it doesn't support the fix to CVE-2021-20288 that was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a result, the installed ceph-client can't connect to ceph clusters where the patch is active.
>> Is there any Kolla image where more recent versions of ceph-client is installed? How would I be able to get them?
> This is a known issue. We are depending on the upstream (the Ubuntu distribution in here) to provide Ceph client libraries. They are, as you noticed, quite outdated in Focal. If you know of a reliable, official source of newer Ubuntu Ceph client packages, then let us know. Otherwise, there are no Kolla Ubuntu images at the moment which have newer Ceph.
> -yoctozepto

When I build ubuntu-binary-cinder-volume locally, I get 16.2.4 packages which come from the Ubuntu Cloud Archive:

INFO:kolla.common.utils.cinder-base:Get:24 http://ubuntu-cloud.archive.canonical.com/ubuntu focal-updates/wallaby/main amd64 python3-ceph-argparse amd64 16.2.4-0ubuntu0.21.04.1~cloud0 [57.1 kB]

Logs from periodic publish jobs show that the last weekly build from Sunday [1] installed 16.2.0, while the last daily build [2] from yesterday installed 16.2.4.

[1] https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/z...
[2] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/z...

Either UCA was outdated or the OpenDev mirrors were not synced?

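An added example, not part of the message above and not Kolla code: a small audit of image build logs that picks out Ceph client packages from apt "Get:" lines like the one quoted above and checks them against Pacific 16.2.1, the release the thread names as carrying the CVE-2021-20288 fix. The package-name prefixes are an assumption, the first sample line is the one from the message, and the other sample lines are constructed; non-Pacific versions are reported as "unknown" because the thread gives no fixed version for them.

```python
import re

PACIFIC_FIXED = (16, 2, 1)  # first Pacific release with the fix, per the thread

# apt fetch line: Get:N <url> <suite> <arch> <package> <arch> <version> [<size>]
GET_LINE = re.compile(
    r"Get:\d+\s+\S+\s+\S+\s+\S+\s+(?P<pkg>\S+)\s+\S+\s+(?P<ver>\S+)\s+\[")
# Assumed set of Ceph client package name prefixes.
CEPH_PKG = re.compile(
    r"^(ceph|librados|librbd|libcephfs|python3-(ceph|rados|rbd|cephfs))")


def upstream_version(deb_version):
    """Drop a Debian epoch and revision; return (major, minor, patch) or None."""
    upstream = deb_version.split(":", 1)[-1].rsplit("-", 1)[0]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", upstream)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(line):
    """Return (package, version, status) for a Ceph package line, else None."""
    m = GET_LINE.search(line)
    if not m or not CEPH_PKG.match(m["pkg"]):
        return None
    ver = upstream_version(m["ver"])
    if ver is None or ver[0] != 16:
        status = "unknown"        # not a Pacific build; the thread gives no bound
    elif ver >= PACIFIC_FIXED:
        status = "has-fix"
    else:
        status = "predates-fix"   # e.g. 16.2.0, the version reported in the image
    return m["pkg"], m["ver"], status


def audit(log_lines):
    return [r for r in map(classify, log_lines) if r]


SAMPLE_LOG = [
    # Line quoted in the thread:
    "INFO:kolla.common.utils.cinder-base:Get:24 http://ubuntu-cloud.archive.canonical.com/ubuntu focal-updates/wallaby/main amd64 python3-ceph-argparse amd64 16.2.4-0ubuntu0.21.04.1~cloud0 [57.1 kB]",
    # Constructed lines:
    "INFO:kolla.common.utils.cinder-base:Get:25 http://mirror.example/ubuntu focal-updates/wallaby/main amd64 ceph-common amd64 16.2.0-0ubuntu1 [20.1 MB]",
    "INFO:kolla.common.utils.cinder-base:Get:26 http://mirror.example/ubuntu focal/main amd64 python3-six all 1.14.0-2 [12.1 kB]",
    "INFO:kolla.common.utils.cinder-base:Get:27 http://mirror.example/ubuntu focal-updates/main amd64 librbd1 amd64 15.2.12-0ubuntu0.20.04.1 [1.9 MB]",
]

if __name__ == "__main__":
    for pkg, ver, status in audit(SAMPLE_LOG):
        print(f"{status:13} {pkg} {ver}")
```
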
Hi,

I was also hitting this issue and currently using a workaround written in Ceph document [1]:

ceph config set mon auth_allow_insecure_global_id_reclaim true
ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 4w
ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 4w

Thanks for the suggestion by yoctozepto, I've found out that Ceph does provide an official source for debian packages [2]. If it's ok I'll work on a patch to use the official repo for installation source.

Regards,
Gene Kuo

[1] https://docs.ceph.com/en/latest/security/CVE-2021-20288/
[2] https://docs.ceph.com/en/latest/install/get-packages/#debian-packages

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, July 16, 2021 at 3:42 PM, Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
> On Fri, Jul 16, 2021 at 1:45 AM J-P Methot <jp.methot@planethoster.info> wrote:
>> Hi,
> Hello,
>> We've been using Kolla to provision a production cluster and we've
>> noticed that the ceph-client version provided in the Kolla images is
>> severely outdated as it doesn't support the fix to CVE-2021-20288 that
>> was added in Pacific 16.2.1 (installed version in image is 16.2.0). As a
>> result, the installed ceph-client can't connect to ceph clusters where
>> the patch is active.
>> Is there any Kolla image where more recent versions of ceph-client is
>> installed? How would I be able to get them?
> This is a known issue. We are depending on the upstream (the Ubuntu
> distribution in here) to provide Ceph client libraries.
> They are, as you noticed, quite outdated in Focal.
> If you know of a reliable, official source of newer Ubuntu Ceph client
> packages, then let us know.
> Otherwise, there are no Kolla Ubuntu images at the moment which have newer Ceph.
> -yoctozepto

On Fri, Jul 16, 2021 at 10:33 AM Gene Kuo <igene@igene.tw> wrote:
> Hi,
> I was also hitting this issue and currently using a workaround written in Ceph document[1]
> ceph config set mon auth_allow_insecure_global_id_reclaim true
> ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 4w
> ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 4w
> Thanks for the suggestion by yoctozepto I've found out that Ceph does provide an official source for debian packages [2] If it's ok I'll work on a patch to use the official repo for installation source.

Based on Pierre's input, it seems Ubuntu has finally already updated the packages so there is no real need to act on it.

-yoctozepto

participants (4)
- Gene Kuo
- J-P Methot
- Pierre Riteau
- Radosław Piliszek