Questions about Ceph Nautilus Security Update "insecure global_id reclaim"

A

avbuuren

Member
Feb 3, 2020
16
1
23
36
Hello,

I am running two Promox clusters, one PVE only for the benefit of having a Ceph cluster running the RBD pool, so no VMs on that one. Plus, my actual VM cluster connected to this RBD pool.

I update my PVE Vm'cluster to 6.4.13 , now i want to update my Pve Ceph Cluster( 3nodes) . I am running PVE 6.2.15 and Ceph Nautilus 14.2.11.
By updating to 14.2.20 I will be concerned by the Security Update for "insecure global_id reclaim" :

I feel a bit insecure about the process ( ive read carefully the official post) , is it ok if :

1- I Update my ceph cluster with a dist-upgrade and reboot server on my Three nodes.
2- check if the ceph cluster is : HEALTH OK . ( if not , what i have to do more ? )
3- execute the command : ceph config set mon auth_allow_insecure_global_id_reclaim false

Question:
1- I ve read that we need to migrate all the vm on an updated node but i have no vm on the ceph cluster, am i concern by this?
2- Do i Need to add the ceph nautilus repository on the Vm' Cluster side ? "/etc/apt/sources.list.d/ceph.list" deb http://download.proxmox.com/debian/ceph-nautilus buster main"

Thank you

 
There are two warnings you can expect, one warning about clients still using it, and one about mons still allowing insecure global_id_reclaim. See https://pve.proxmox.com/wiki/Ceph_Nautilus_to_Octopus#Addressing_the_Health_Warnings

You should only set the config option for it to false, if you have no client warning anymore, as otherwise you would lock out that client.

Adding the Ceph repositories on the VM cluster nodes can be a good idea. You don't need to install all of Ceph, but it will detect a newer version for the client packages, which does not hurt to keep in sync.
 
Hello ,

Thank you. i ve just update my 3 CEPH Cluster nodes to 14.2.22.
I ve only the warning : mons are allowing insecure global_id reclaim. ( no clients warning , because i use external rdb pool certainly?)

At this step , can i set the : ceph config set mon auth_allow_insecure_global_id_reclaim false ?

Thanks

1645026213263.png
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom