Ceph driver hangs with HEALTH_WARN

[felixonmars]

The ceph driver currently hangs in tests, repeating HEALTH_WARN:

EBUG [pifpaf.drivers] executing: ['ceph', '-c', '/home/felix/tmp/pifpaf/tmpbu55u6xd/ceph.conf', 'health']
DEBUG [pifpaf.drivers] ceph-mon[567946] output: 2021-05-20T13:25:08.553+0800 7f61b56bd640  0 mon.a@0(leader) e1 handle_command mon_command({"prefix": "health"} v 0) v1
DEBUG [pifpaf.drivers] ceph[568474] output: HEALTH_WARN mon is allowing insecure global_id reclaim; 1 pool(s) have no replicas configured
DEBUG [pifpaf.drivers] ceph-mon[567946] output: 2021-05-20T13:25:08.553+0800 7f61b56bd640  0 log_channel(audit) log [DBG] : from='client.? 127.0.0.1:0/1611198311' entity='client.admin' cmd=[{"prefix": "health"}]: dispatch

I am not familiar at all with ceph though. @tobias-urdin @chungg do you have any ideas here? (Whether we should allow HEALTH_WARN, or somehow make it HEALTH_OK?)

[tobias-urdin]

This depends on the Ceph version being used. This CVE [1] introduces the behaviour.

For these versions:
Pacific v16.2.1 (and later)
Octopus v15.2.11 (and later)
Nautilus v14.2.20 (and later)

If the clients are running the same or a newer version that above the monitors should disable insecure global_id reclaim by either during runtime with ceph config or in config set [mon]/auth_expose_insecure_global_id_reclaim=false

I would assume the easiest thing here would be setting that configuration value directly, given that versions prior to that existing can start with an invalid configuration option.

[1] https://docs.ceph.com/en/latest/security/CVE-2021-20288/

[tobias-urdin]

See the above fix, it's untested so I suggest somebody verify it with a newer and pre CVE-fix version.

[tobias-urdin]

This is merged but not released yet.