Description of problem: When deploying OSP with OSPd (3 controllers, 2 computes, 3 ceph) and subscribing to Satellite 6 the Ceph nodes consumed OSP SKUs even though they had both "Red Hat Ceph Storage (RS00036) and "Smart Management" subs assigned to them via activation key. Version-Release number of selected component (if applicable): How reproducible: Create an activation key for Ceph nodes that has "Red Hat Ceph Storage (RS00036)" and "Smart Management" subs for allocation. Deploy OSP with OSPd and subscribe Ceph nodes to Satellite 6 Ceph key. Steps to Reproduce: 1. create activation key in satellite with auto-attach off that allocated Ceph Storage subs 2. deploy OSP with OSPd 3. subscribe ceph node to activation key for ceph subs. Actual results: The ceph nodes get awarded the subs for Ceph and Smart Management. But Satellite also allocated them an OSP SKU from outside the allocated key. This is the correct behavior from satellite as there are certs on the overcloud nodes for ceph AND OSP: # ls -l /etc/pki/product total 16 -rw-r--r--. 1 root root 2151 Dec 2 20:32 286.pem -rw-r--r--. 1 root root 2151 Dec 2 20:32 288.pem -rw-r--r--. 1 root root 2195 Dec 2 20:50 326.pem -rw-r--r--. 1 root root 2244 Dec 2 20:50 83.pem Expected results: I'd expect to NOT need an OSP sub for a Ceph node and for a standard ceph node to only need Ceph. Additional info: Conversation has shown that perhaps the OSP SKU is supposed to provide the mon and osd components for the ceph nodes (and controllers) as this is OSPd.
As the OSPd-deployed overcloud nodes are all the same software I do think they need some kind of OSP subs on them for security purposes. Without them if there is an exploit in an OSP component it won't get patched. Even though it's not used, it is a risk so I think the storage nodes also need OSP repos somehow. But in general it needs to be clarified if the Ceph nodes need both OSP and Ceph?
I dont understand why the Ceph OSD nodes would need any OSP software or channels. It purely runs Ceph, no OSP. Having OSP software on there increases the surface attack space and risk.
(In reply to Andrew Hatfield from comment #2) > I dont understand why the Ceph OSD nodes would need any OSP software or > channels. > > It purely runs Ceph, no OSP. Having OSP software on there increases the > surface attack space and risk. All overcloud nodes use the same base image and that image has all the OpenStack rpms on them; the role of "ceph node" is simply the enabling of the ceph components. OSP components are not removed, just not used. So while it purely runs ceph there are all the other packages present. If one of those packages has an exploit I'd prefer it was patched to ensure no one can use it in an unpatched state after compromising the box.
I observe similar issue in pervious cases, but vince-versa. Customer needs to update OSP controller nodes but requires Ceph repo to go through the yum update. As the pre-built image contains both osp and ceph packages. in that case we followed https://access.redhat.com/solutions/2196011. Provided a temp subscription to get over the issue. BZ https://bugzilla.redhat.com/show_bug.cgi?id=1405881
(In reply to James Biao from comment #4) > I observe similar issue in pervious cases, but vince-versa. Customer needs > to update OSP controller nodes but requires Ceph repo to go through the yum > update. As the pre-built image contains both osp and ceph packages. > > in that case we followed https://access.redhat.com/solutions/2196011. > Provided a temp subscription to get over the issue. > > BZ https://bugzilla.redhat.com/show_bug.cgi?id=1405881 Same for us. We have OSP eval subs now attached to the ceph nodes and removed the smart management and everything is happy. we preferred not to alter the image and remove the pems on it, so the eval cert "solves" this for the moment but we need a long term solution.
RFE for Ceph-only OSP overcloud nodes: https://bugzilla.redhat.com/show_bug.cgi?id=1435500
Any progress on this issue ? Thanks,
Any updates here?
Verified Verification steps: 1) Created activation key for ceph storage node 2) deployed a overcloud with 13 3) activated the key within the ceph storage node got the following: # ls -l /etc/pki/product total 4 -rw-r--r--. 1 root root 2244 Nov 7 21:05 83.pe
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0071