"ceph : command not allowed" in syslog

S

sidereus

Member
Jul 25, 2019
45
7
13
54
What is a reason of following error messages in the syslog every night? Proxmox 6.3, Ceph 15.2.
Code: 
Apr 14 03:00:49 asr2 sudo[181953]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdb
Apr 14 03:00:49 asr2 sudo[181953]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:49 asr2 sudo[181953]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:49 asr2 sudo[181973]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:49 asr2 sudo[181973]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:49 asr2 sudo[181973]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdb
Apr 14 03:00:50 asr2 sudo[182065]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdc
Apr 14 03:00:50 asr2 sudo[182065]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:50 asr2 sudo[182065]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:51 asr2 sudo[182068]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:51 asr2 sudo[182068]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:51 asr2 sudo[182068]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdc
Apr 14 03:00:52 asr2 sudo[182070]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdd
Apr 14 03:00:52 asr2 sudo[182070]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:52 asr2 sudo[182070]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:52 asr2 sudo[182073]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:52 asr2 sudo[182073]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:52 asr2 sudo[182073]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdd
Apr 14 03:00:53 asr2 sudo[182075]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sde
Apr 14 03:00:53 asr2 sudo[182075]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:53 asr2 sudo[182075]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:54 asr2 sudo[182078]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:54 asr2 sudo[182078]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:54 asr2 sudo[182078]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sde
Apr 14 03:00:54 asr2 sudo[182080]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdf
Apr 14 03:00:54 asr2 sudo[182080]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:55 asr2 sudo[182080]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:55 asr2 sudo[182083]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:55 asr2 sudo[182083]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:55 asr2 sudo[182083]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdf
Apr 14 03:00:56 asr2 sudo[182085]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdg
Apr 14 03:00:56 asr2 sudo[182085]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:56 asr2 sudo[182085]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:57 asr2 sudo[182094]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:57 asr2 sudo[182094]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:57 asr2 sudo[182094]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdg
Apr 14 03:00:57 asr2 sudo[182096]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/sdh
Apr 14 03:00:57 asr2 sudo[182096]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:00:57 asr2 sudo[182096]: pam_unix(sudo:session): session closed for user root
Apr 14 03:00:58 asr2 sudo[182099]: pam_unix(sudo:auth): conversation failed
Apr 14 03:00:58 asr2 sudo[182099]: pam_unix(sudo:auth): auth could not identify password for [ceph]
Apr 14 03:00:58 asr2 sudo[182099]:     ceph : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=nvme wdc_wd2000fyyz-01ul1b2 smart-log-add --json /dev/sdh
Apr 14 03:01:00 asr2 systemd[1]: Starting Proxmox VE replication runner...
Apr 14 03:01:00 asr2 sudo[182187]:     ceph : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -a --json=o /dev/
Apr 14 03:01:00 asr2 sudo[182187]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 03:01:00 asr2 sudo[182187]: pam_unix(sudo:session): session closed for user root
 
You seem to be missing the file /etc/sudoers.d/ceph-osd-smartctl or it is corrupt on (at least) that node. It should contain:
Code: 
## allow ceph-osd (which runs as user ceph) to collect device health metrics

ceph ALL=NOPASSWD: /usr/sbin/smartctl -a --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*

[as of Nautilus (14.2) -- not aware of a change for Octopus]
 
After recent upgrade to PVE7 and Ceph Pacific we started receiving emails with the same errors.
After checking the logs we have concluded that the issues was definitely there prior to the upgrade.

Code: 
Jul 10 00:04:30 pve21 sudo: pam_unix(sudo:auth): auth could not identify password for [ceph]
Jul 10 00:04:30 pve21 sudo:     ceph : command not allowed ; PWD=/ ; USER=root ; COMMAND=nvme samsung smart-log-add --json /dev/nvme2n1
Jul 10 00:04:31 pve21 sudo:     ceph : PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -x --json=o /dev/nvme3n1
Jul 10 00:04:32 pve21 sudo: pam_unix(sudo:auth): auth could not identify password for [ceph]
Jul 10 00:04:32 pve21 sudo:     ceph : command not allowed ; PWD=/ ; USER=root ; COMMAND=nvme samsung smart-log-add --json /dev/nvme3n1
Jul 10 00:04:44 pve21 sudo:     ceph : PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -x --json=o /dev/

The content of /etc/sudoers.d/ceph-osd-smartctl appears correct

Code: 
## allow ceph-osd (which runs as user ceph) to collect device health metrics

ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*

It looks that the binaries (/usr/sbin/nvme) are missing and need to be installed i.e. apt install nvme-cli

Anyone with advise?
 
Hi,
yes, installing the nvme-cli package is the recommended solution. New Ceph setups in Proxmox VE 7.0 will install that package by default too, see.
 
  • Like
Reactions: Stoiko Ivanov
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom