Re: BUG #51821 - client is using insecure global_id reclaim

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi again.

I've now solved my issue with help from people in this group. Thank you for
helping out.
I thought the process was a bit complicated so I created a short video
describing the process.

https://youtu.be/Ds4Wvvo79-M

I hope this helps someone else, and again thank you.

Best regards
Daniel


On Mon, Aug 9, 2021 at 5:43 PM Ilya Dryomov <idryomov@xxxxxxxxx> wrote:

> On Mon, Aug 9, 2021 at 5:14 PM Robert W. Eckert <rob@xxxxxxxxxxxxxxx>
> wrote:
> >
> > I have had the same issue with the windows client.
> > I had to issue
> >         ceph config set mon auth_expose_insecure_global_id_reclaim false
> > Which allows the other clients to connect.
> > I think you need to restart the monitors as well, because the first few
> times I tried this, I still couldn't connect.
>
> For archive's sake, I'd like to mention that disabling
> auth_expose_insecure_global_id_reclaim isn't right and it wasn't
> intended for this.  Enabling auth_allow_insecure_global_id_reclaim
> should be enough to allow all (however old) clients to connect.
> The fact that it wasn't enough for the available Windows build
> suggests that there is some subtle breakage in it because all "expose"
> does is it forces the client to connect twice instead of just once.
> It doesn't actually refuse old unpatched clients.
>
> (The breakage isn't surprising given that the available build is
> more or less a random development snapshot with some pending at the
> time Windows-specific patches applied.  I'll try to escalate issue
> and get the linked MSI bundle updated.)
>
> Thanks,
>
>                 Ilya
>
> >
> > -----Original Message-----
> > From: Richard Bade <hitrich@xxxxxxxxx>
> > Sent: Sunday, August 8, 2021 8:27 PM
> > To: Daniel Persson <mailto.woden@xxxxxxxxx>
> > Cc: Ceph Users <ceph-users@xxxxxxx>
> > Subject:  Re: BUG #51821 - client is using insecure
> global_id reclaim
> >
> > Hi Daniel,
> > I had a similar issue last week after upgrading my test cluster from
> > 14.2.13 to 14.2.22 which included this fix for Global ID reclaim in .20.
> My issue was a rados gw that I was re-deploying on the latest version. The
> problem seemed to be related with cephx authentication.
> > It kept displaying the error message you have and the service wouldn't
> start.
> > I ended up stopping and removing the old rgw service, deleting all the
> keys in /etc/ceph/ and all data in /var/lib/ceph/radosgw/ and re-deploying
> the radosgw. This used the new rgw bootstrap keys and new key for this
> radosgw.
> > So, I would suggest you double and triple check which keys your clients
> are using and that cephx is enabled correctly on your cluster.
> > Check your admin key in /etc/ceph as well, as that's what's being used
> for ceph status.
> >
> > Regards,
> > Rich
> >
> > On Sun, 8 Aug 2021 at 05:01, Daniel Persson <mailto.woden@xxxxxxxxx>
> wrote:
> > >
> > > Hi everyone.
> > >
> > > I suggested asking for help here instead of in the bug tracker so that
> > > I will try it.
> > >
> > > https://tracker.ceph.com/issues/51821?next_issue_id=51820&prev_issue_i
> > > d=51824
> > >
> > > I have a problem that I can't seem to figure out how to resolve the
> issue.
> > >
> > > AUTH_INSECURE_GLOBAL_ID_RECLAIM: client is using insecure global_id
> > > reclaim
> > > AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED: mons are allowing insecure
> > > global_id reclaim
> > >
> > >
> > > Both of these have to do with reclaiming ID and securing that no
> > > client could steal or reuse another client's ID. I understand the
> > > reason for this and want to resolve the issue.
> > >
> > > Currently, I have three different clients.
> > >
> > > * One Windows client using the latest Ceph-Dokan build. (ceph version
> > > 15.0.0-22274-g5656003758 (5656003758614f8fd2a8c49c2e7d4f5cd637b0ea)
> > > pacific
> > > (rc))
> > > * One Linux Debian build using the built packages for that kernel. (
> > > 4.19.0-17-amd64)
> > > * And one client that I've built from source for a raspberry PI as
> > > there is no arm build for the Pacific release. (5.11.0-1015-raspi)
> > >
> > > If I switch over to not allow global id reclaim, none of these clients
> > > could connect, and using the command "ceph status" on one of my nodes
> > > will also fail.
> > >
> > > All of them giving the same error message:
> > >
> > > monclient(hunting): handle_auth_bad_method server allowed_methods [2]
> > > but i only support [2]
> > >
> > >
> > > Has anyone encountered this problem and have any suggestions?
> > >
> > > PS. The reason I have 3 different hosts is that this is a test
> > > environment where I try to resolve and look at issues before we
> > > upgrade our production environment to pacific. DS.
> > >
> > > Best regards
> > > Daniel
> > > _______________________________________________
> > > ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an
> > > email to ceph-users-leave@xxxxxxx
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an
> email to ceph-users-leave@xxxxxxx
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx



[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux