Bug 1953494 - Upgrade from 4.x to 5.x - Cluster warns of mon and clients are allowing insecure global_id reclaim [NEEDINFO]
Summary: Upgrade from 4.x to 5.x - Cluster warns of mon and clients are allowing insec...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RADOS
Version: 5.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 5.0
Assignee: Neha Ojha
QA Contact: skanta
Ranjini M N
URL:
Whiteboard:
Depends On:
Blocks: 1959686
TreeView+ depends on / blocked
 
Reported: 2021-04-26 09:06 UTC by Vasishta
Modified: 2021-09-03 04:55 UTC (History)
22 users (show)

Fixed In Version: ceph-16.2.0-84.el8cp
Doc Type: Bug Fix
Doc Text:
.Upgrading storage cluster from {storage-product} 4 to 5 completes with HEALTH_WARN state When upgrading a {storage-product} cluster from a previously supported version to {storage-product} 5, the upgrade completes with the storage cluster in a HEALTH_WARN state stating that monitors are allowing insecure `global_id` reclaim. This is due to a patched CVE, the details of which are available in the link:https://access.redhat.com/security/cve/cve-2021-20288[_CVE-2021-20288_]. Recommendations to mute health warnings: . Identify clients that are not updated by checking the `ceph health detail` output for the `AUTH_INSECURE_GLOBAL_ID_RECLAIM` alert. . Upgrade all clients to {storage-product} 5.0 release. . If all the clients are not upgraded immediately, mute health alerts temporarily: + .Syntax ---- ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 1w # 1 week ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1w # 1 week ---- . After validating all clients have been updated and the _AUTH_INSECURE_GLOBAL_ID_RECLAIM_ alert is no longer present for a client, set `auth_allow_insecure_global_id_reclaim` to `false` + .Syntax ---- ceph config set mon auth_allow_insecure_global_id_reclaim false ---- . Ensure that no clients are listed with the `AUTH_INSECURE_GLOBAL_ID_RECLAIM` alert.
Clone Of:
Environment:
Last Closed: 2021-08-30 08:29:54 UTC
Embargoed:
rmandyam: needinfo?

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-246 0 None None None 2021-08-19 16:44:35 UTC
Red Hat Product Errata RHBA-2021:3294 0 None None None 2021-08-30 08:30:16 UTC

Description Vasishta 2021-04-26 09:06:37 UTC 
Description of problem:
Cluster has warnings saying "mon and clients are allowing insecure global_id reclaim"

Version-Release number of selected component (if applicable):
ceph version 16.2.0-13

How reproducible:
Tried Once

Steps to Reproduce:
1. Configure 4.x cluster
2. Upgrade cluster to 5.x


Actual results:
        health: HEALTH_WARN
                clients are using insecure global_id reclaim
                mons are allowing insecure global_id reclaim

Expected results:


Additional info:
Comment 3 Heðin 2021-06-16 23:04:49 UTC 
Same warning is present after upgrading rhcs-4 cluster to 14.2.11-181
Comment 33 errata-xmlrpc 2021-08-30 08:29:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294
Note You need to log in before you can comment on or make changes to this bug.