Note
Before proceeding with the manual steps below, verify that you have performed the steps described in Apply maintenance updates.
Updated the Ceph Nautilus package to version 14.2.22 to fix the CVE-2021-20288 security vulnerability. To apply the issue resolution, perform the steps below.
Warning
To avoid issues with cluster connection, perform the following procedure only after applying the MCP maintenance update 2019.2.16 as described in Apply maintenance updates.
To apply the issue resolution:
Open your Git project repository with the Reclass model on the cluster level.
In ceph/common.yml, add the following pillar:
ceph:
  common:
    config:
      mon:
        auth_allow_insecure_global_id_reclaim: false
Log in to the Salt Master node.
Refresh pillars:
salt '*' saltutil.refresh_pillar
Apply the following state:
salt -I ceph:common state.apply ceph.common
Warning
Once you perform this step, some services can lose connection to the Ceph cluster. Known services that can be affected include:
ctl* nodes: glance-api, cinder-backup, cinder-scheduler, cinder-volume, apache2
cmp* nodes: nova-compute
mdb* nodes: gnocchi-metricd, apache2
Restart all ceph-mon services one by one:
salt -C "I@ceph:mon" -b 1 service.restart,test.sleep ceph-mon.target , 10
Restart the following services one by one. Wait for at least one minute between each command run:
salt -C "I@apache:server:enabled" -b 1 service.restart,test.sleep apache2 , 5
salt -C "I@glance:server" -b 1 service.restart,test.sleep glance-api , 5
salt -C "I@cinder:server" -b 1 service.restart,test.sleep cinder-backup , 5
salt -C "I@cinder:server" -b 1 service.restart,test.sleep cinder-scheduler , 5
salt -C "I@cinder:volume" -b 1 service.restart,test.sleep cinder-volume , 5
salt -C "I@nova:compute" -b 1 service.restart,test.sleep nova-compute , 5
salt -C "I@gnocchi:server" -b 1 service.restart,test.sleep gnocchi-metricd , 5
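To check the outcome of the procedure above, the following added example (not part of the original page or of MCP) classifies `ceph health detail` output by the two health codes Ceph raises for this issue, AUTH_INSECURE_GLOBAL_ID_RECLAIM and AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED. The function names, the status words, the assumed detail-line layout, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): interpret `ceph health detail`
# with respect to the two health codes that ship with the CVE-2021-20288 fix.

# has_code TEXT CODE: true if CODE appears in TEXT as a whole token, so that
# AUTH_INSECURE_GLOBAL_ID_RECLAIM does not match inside ..._RECLAIM_ALLOWED.
has_code() {
    printf '%s\n' "$1" | grep -Eq "(^|[^A-Z_])$2([^A-Z_]|\$)"
}

# global_id_status TEXT: print one word describing the cluster state.
global_id_status() {
    if has_code "$1" AUTH_INSECURE_GLOBAL_ID_RECLAIM; then
        echo clients-insecure   # clients still rely on insecure reclaim
    elif has_code "$1" AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED; then
        echo mons-still-allow   # pillar not applied or ceph-mon not restarted
    else
        echo no-warnings        # neither warning raised (or warnings are muted)
    fi
}

# insecure_clients TEXT: print the entity name of each flagged client.
# Assumes detail lines of the form "<entity> at <addr> is using insecure ...".
insecure_clients() {
    printf '%s\n' "$1" |
        awk '/ at .* is using insecure global_id reclaim$/ { print $1 }' | sort -u
}

# Constructed sample output (entity names and addresses are made up).
SAMPLE_BEFORE='HEALTH_WARN client is using insecure global_id reclaim; mons are allowing insecure global_id reclaim
AUTH_INSECURE_GLOBAL_ID_RECLAIM client is using insecure global_id reclaim
    client.glance at 192.0.2.11:0/1234567 is using insecure global_id reclaim
    client.cinder at 192.0.2.12:0/7654321 is using insecure global_id reclaim
AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED mons are allowing insecure global_id reclaim
    mon.cmn01 has auth_allow_insecure_global_id_reclaim set to true'
SAMPLE_AFTER='HEALTH_OK'

# On a monitor node, pass real output: global_id_status "$(ceph health detail)"
global_id_status "$SAMPLE_BEFORE"
insecure_clients "$SAMPLE_BEFORE"
global_id_status "$SAMPLE_AFTER"
```

A result of mons-still-allow after the final step means the pillar change has not reached the running monitors yet.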