Bug 1953494

Summary: Upgrade from 4.x to 5.x - Cluster warns of mon and clients are allowing insecure global_id reclaim
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Vasishta <vashastr>
Component: RADOSAssignee: Neha Ojha <nojha>
Status: CLOSED ERRATA QA Contact: skanta
Severity: high Docs Contact: Ranjini M N <rmandyam>
Priority: unspecified    
Version: 5.0CC: akupczyk, amctagga, asriram, bhubbard, ceph-eng-bugs, hej, kdreyer, khartsoe, mmurthy, mreamy, nojha, pdhiran, rmandyam, rohgupta, rojoseph, rzarzyns, shan, skanta, sseshasa, tserlin, vereddy, vumrao
Target Milestone: ---Flags: rmandyam: needinfo?
Target Release: 5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-16.2.0-84.el8cp Doc Type: Bug Fix
Doc Text:
.Upgrading storage cluster from {storage-product} 4 to 5 completes with HEALTH_WARN state When upgrading a {storage-product} cluster from a previously supported version to {storage-product} 5, the upgrade completes with the storage cluster in a HEALTH_WARN state stating that monitors are allowing insecure `global_id` reclaim. This is due to a patched CVE, the details of which are available in the link:https://access.redhat.com/security/cve/cve-2021-20288[_CVE-2021-20288_]. Recommendations to mute health warnings: . Identify clients that are not updated by checking the `ceph health detail` output for the `AUTH_INSECURE_GLOBAL_ID_RECLAIM` alert. . Upgrade all clients to {storage-product} 5.0 release. . If all the clients are not upgraded immediately, mute health alerts temporarily: + .Syntax ---- ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 1w # 1 week ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1w # 1 week ---- . After validating all clients have been updated and the _AUTH_INSECURE_GLOBAL_ID_RECLAIM_ alert is no longer present for a client, set `auth_allow_insecure_global_id_reclaim` to `false` + .Syntax ---- ceph config set mon auth_allow_insecure_global_id_reclaim false ---- . Ensure that no clients are listed with the `AUTH_INSECURE_GLOBAL_ID_RECLAIM` alert.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-30 08:29:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1959686    

Description Vasishta 2021-04-26 09:06:37 UTC 
Description of problem:
Cluster has warnings saying "mon and clients are allowing insecure global_id reclaim"

Version-Release number of selected component (if applicable):
ceph version 16.2.0-13

How reproducible:
Tried Once

Steps to Reproduce:
1. Configure 4.x cluster
2. Upgrade cluster to 5.x


Actual results:
        health: HEALTH_WARN
                clients are using insecure global_id reclaim
                mons are allowing insecure global_id reclaim

Expected results:


Additional info:
Comment 3 HeĆ°in 2021-06-16 23:04:49 UTC 
Same warning is present after upgrading rhcs-4 cluster to 14.2.11-181
Comment 33 errata-xmlrpc 2021-08-30 08:29:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294