[SOLVED] Latest Ceph release 14.2.7

Alwin

Proxmox Retired Staff
As always, after it passed our internal testing, we will release the packages to our public repository servers. First to our Ceph test repository and if the greater public tested the release with no issues popping up, it will be pushed to our Ceph main repository.
 

cmonty14

Active Member
Does this mean there's no roadmap available?
It could make sense to release new packages in your test repo close to the official release, in particular if there are security fixes.
 

tom

Proxmox Staff Member
> Does this mean there's no roadmap available?
> It could make sense to release new packages in your test repo close to the official release, in particular if there are security fixes.

Thanks for your tips. We have had a Ceph test repo and a Ceph stable repo for many years; it seems you missed this?

Before we upload packages to any public repo, internal tests will be done. We never release untested packages to the public.
 

cmonty14

Active Member
I understand, but my point is that Ceph releases new packages fixing a couple of security issues, and I have to wait some days until this has passed your internal testing, leaving my system vulnerable to these issues.
 

t.lamprecht

Proxmox Staff Member
There are two fixes in the 14.2.7 release,
  • one for ceph-dashboard, which we do not use or really support. An admin would need to enable the dashboard manually, and an attacker would need to have access to the dashboard already to do anything here; at least the latter (exposing dashboards to the WAN) is not recommended in general.
  • an issue within a specific RGW frontend, namely the "beast" one (which we have no integration for).
Do you actively use one or even both of those two?
Because, just by using the Proxmox Integration you won't get in touch with those at all, FYI.
Due to the speciality of those two fixes, which are the only ones included in this release, and the possibility to reduce possible impact greatly, we do not see this as high priority.

We evaluate every release, its impact and the use it will have for Proxmox VE users; in this case it was clear that the impact is not to be considered high, as no default setup was affected and workarounds can be applied. The release will thus be done as normal, thoroughly tested and not rushed.
 
Reactions: Alwin
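
One way to answer the question in the post above for your own cluster, as an added example that is not part of the thread and not Proxmox or Ceph code: it parses the JSON printed by `ceph mgr module ls --format json` and the text of a ceph.conf to report whether the dashboard module is enabled and which sections configure the beast RGW frontend. The sample inputs and the section name `client.rgw.gw1` are constructed.

```python
import configparser
import json

# Constructed sample of `ceph mgr module ls --format json` output.
SAMPLE_MODULE_LS = """{"always_on_modules": ["balancer", "crash"],
 "enabled_modules": ["dashboard", "iostat", "restful"]}"""

# Constructed ceph.conf excerpt; section name client.rgw.gw1 is hypothetical.
SAMPLE_CEPH_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000

[client.rgw.gw1]
    rgw frontends = beast port=7480
"""


def dashboard_enabled(module_ls_json):
    """True if the mgr dashboard module is in enabled_modules."""
    return "dashboard" in json.loads(module_ls_json).get("enabled_modules", [])


def beast_sections(conf_text):
    """Return ceph.conf sections whose rgw_frontends lists the beast frontend.

    A section without rgw_frontends runs the release default, which this
    check does not resolve; verify such gateways separately.
    """
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True
    )
    # Strip indentation so indented keys are not read as continuation lines.
    parser.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            # Option names may be written with spaces, dashes or underscores.
            if key.replace(" ", "_").replace("-", "_") != "rgw_frontends":
                continue
            # Several frontends can be given as a comma-delimited list.
            frontends = [f.split()[:1] for f in (value or "").split(",")]
            if ["beast"] in frontends:
                hits.append(section)
    return hits


if __name__ == "__main__":
    print("dashboard enabled:", dashboard_enabled(SAMPLE_MODULE_LS))
    print("beast frontend configured in:", beast_sections(SAMPLE_CEPH_CONF))
```
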

cmonty14

Active Member
I have some doubts that this release only includes the fixes mentioned above:
CVE-2020-1699
CVE-2020-1700

However, I don't understand how I can test this new release(s) if you don't provide it in your test repo.
Isn't this test repo for testing new releases?
 

t.lamprecht

Proxmox Staff Member
> I have some doubts that this release only includes the fixes mentioned above:
> CVE-2020-1699
> CVE-2020-1700

Those two CVEs are the exact two issues I describe. If you do not believe me, then maybe see the official release notes (https://ceph.io/releases/v14-2-7-nautilus-released/) and/or the commit list between the 14.2.6 and the 14.2.7 release (https://github.com/ceph/ceph/commits/v14.2.7).

Just because there's a "CVE", it doesn't have to be bad for everyone. As said, do you even use the ceph-mgr-dashboard, and is it available to the WAN? Same with the RGW beast client? Because if not, that release will do absolutely nothing for you.

> Isn't this test repo for testing new releases?

Yes, for publicly testing releases once we got done with internal testing and valued a release as important enough to start off the rumble of a new ceph release.
 

cmonty14

Active Member
I see.
But if several people involved and responsible for ceph-mgr tell me that the issue related to balancer will be fixed with 14.2.7, then I would trust these statements until someone proves that I'm wrong.
 

tom

Proxmox Staff Member
> I see.
> But if several people involved and responsible for ceph-mgr tell me that the issue related to balancer will be fixed with 14.2.7, then I would trust these statements until someone proves that I'm wrong.

Read the previous posts again and answer the question:

Do you even use the ceph-mgr-dashboard, and is it available to the WAN?
 
