Proxmox 6.4 with auth_allow_insecure_global_id_reclaim=true causes backup problems

MMartinez

Active Member
Dec 11, 2014
42
5
28
Hello,

We updated our cluster from 6.2 to 6.4 a few months ago. After that, we had the warning message "mons are allowing insecure global_id reclaim". We found information about this issue in the forum (https://forum.proxmox.com/threads/c...ecure-global_id-reclaim-cve-2021-20288.88038/) but, as everything seemed to be ok, we didn't solve it.

Twenty days ago I followed the recommendations from the post in the forum and I changed the Ceph parameter mon auth_allow_insecure_global_id_reclaim to false.

After that, we have started to have problems with some backups, they didn't end and we didn't know the cause. Yesterday I realized that the problem were on all the backup jobs on nodes that use Ceph Storage but are not Ceph servers (We've got many servers with Ceph installed and serving OSD and others that just use that Ceph Storage).

On the afected nodes, the first backup job that needed to include a Ceph disk got blocked for hours waiting for it, until I stop the backup job next morning.

Yesterday I changed back the Ceph parameter mon auth_allow_insecure_global_id_reclaim to true and last night the backups have ended OK as usual.

We are using Ceph 14.2.20 and we plan to upgrade Ceph and Proxmox on November. Meanwhile, is there any way to solve this?

Kind Regards,

Manuel Martínez
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
7,619
1,432
164
it sounds like you either didn't upgrade ceph on all nodes, or didn't follow the instructions (you need to ensure no outdated clients remain, that includes all PVE service accessing Ceph, and all VMs using Ceph started before the upgrade!)
 

MMartinez

Active Member
Dec 11, 2014
42
5
28
I can ensure that I upgraded Ceph on all Ceph nodes. Some of the afected VM were stopped during the backup so the only possibility left is that there is some PVE service accessing Ceph on the failing nodes that I have not restarted.

I'll try again and check it.

Thanks
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!