Re: How to verify the use of wire encryption?

On Fri, 2022-08-19 at 14:03 +0200, Ilya Dryomov wrote:
> On Fri, Aug 19, 2022 at 1:21 PM Martin Traxl <martin.traxl@xxxxxxxx> wrote:
> > Hi Ilya,
> > 
> > On Thu, 2022-08-18 at 13:27 +0200, Ilya Dryomov wrote:
> > > On Tue, Aug 16, 2022 at 12:44 PM Martin Traxl <martin.traxl@xxxxxxxx> wrote:
> > 
> > [...]
> > 
> > > > 
> > > 
> > > Hi Martin,
> > > 
> > > For obscure backwards compatibility reasons, the kernel client
> > > defaults to messenger v1.  You would need to specify
> > > "ms_mode=secure" option when mapping your block devices to enable
> > > messenger v2 secure mode [1].
> > 
> > This helped, setting the "ms_mode=secure" option on the client side
> > did the trick.
> > 
> > Out of curiosity, do you know if I disable messenger v1 on the ceph
> > cluster, would the kernel client without setting "ms_mode=secure"
> > use messenger v2 or would I still have to set this option?
> 
> Hi Martin,
> 
> Yes, you would still need to set this option.
> 
> > Until now I was not able to disable msgr1 on my monitor nodes.
> > Although in my ceph.conf I configured this
> > -----
> >   mon host = [v2:10.88.32.11],[v2:10.88.32.12],[v2:10.88.32.20]
> >   ms bind msgr1 = false
> > -----
> > the monitor node still binds to the msgr1 default port 6789.
> 
> I don't think monitors respect "ms bind msgr1" or "ms bind msgr2".
> By default their addresses come from the monmap, so as long as "ceph
> mon dump" shows both v1 and v2 addresses, it would bind to both.

Hi Ilya,

You are right, I still had both addresses in the monmap. I had to
bootstrap the monitor nodes to disable v1. I could also verify that the
kernel client does not automatically use v2 if v1 is not available. As
you said, I still had to set the "ms_mode=secure" option.

Thank you,
Martin
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
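
Added example, not part of the thread: a shell check for the condition Ilya describes, where monitors bind to whatever addresses the monmap lists, so any `v1:` entry in `ceph mon dump` means msgr1 is still offered. The monitor names, fsid and sample dump text are constructed, and the line layout (`rank: addrs mon.name`, with brackets only when a monitor has more than one address) is an assumption about the dump format.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report monitors whose monmap entry
# still carries a messenger v1 address. Reads `ceph mon dump` text on stdin.

# Constructed sample: two monitors still list v1, one is v2-only.
sample_monmap_mixed() {
cat <<'EOF'
epoch 3
fsid 00000000-0000-0000-0000-000000000000
min_mon_release 16 (pacific)
0: [v2:10.88.32.11:3300/0,v1:10.88.32.11:6789/0] mon.a
1: [v2:10.88.32.12:3300/0,v1:10.88.32.12:6789/0] mon.b
2: v2:10.88.32.20:3300/0 mon.c
EOF
}

# Constructed sample: monmap after v1 addresses were removed everywhere.
sample_monmap_v2only() {
cat <<'EOF'
epoch 5
fsid 00000000-0000-0000-0000-000000000000
0: v2:10.88.32.11:3300/0 mon.a
1: v2:10.88.32.12:3300/0 mon.b
2: v2:10.88.32.20:3300/0 mon.c
EOF
}

# Prints "<mon name> <v1 address>" for every v1 entry found.
# Exit status 1 if any monitor still advertises v1, 0 otherwise.
mons_with_v1() {
  awk '/^[0-9]+: / {
         addrs = $2
         gsub(/^\[|\]$/, "", addrs)        # strip [ ] around an address vector
         n = split(addrs, a, ",")
         for (i = 1; i <= n; i++)
           if (a[i] ~ /^v1:/) { print $3, a[i]; bad = 1 }
       }
       END { exit (bad ? 1 : 0) }'
}

# Usage against a live cluster:
#   ceph mon dump 2>/dev/null | mons_with_v1 || echo "msgr1 still in monmap"
```

A clean result only covers the monitors; as confirmed in the thread, the kernel client still needs `ms_mode=secure` when mapping.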


