Issues resolutions requiring manual application

Note

Before proceeding with the manual steps below, verify that you have performed the steps described in Apply maintenance updates.


[CVE-2021-20288] Unauthorized global_id reuse in cephx

The Ceph Nautilus package has been updated to version 14.2.22 to fix the CVE-2021-20288 security vulnerability. To apply the issue resolution, perform the steps below.

Warning

To avoid issues with cluster connection, perform the following procedure only after applying the MCP maintenance update 2019.2.16 as described in Apply maintenance updates.

To apply the issue resolution:

  1. Open your Git project repository with the Reclass model on the cluster level.

  2. In ceph/common.yml, add the following pillar:

    ceph:
      common:
        config:
          mon:
            auth_allow_insecure_global_id_reclaim: false
    
  3. Log in to the Salt Master node.

  4. Refresh pillars:

    salt '*' saltutil.refresh_pillar
    
  5. Apply the following state:

    salt -I ceph:common state.apply ceph.common
    

    Warning

    Once you perform this step, some services can lose connection to the Ceph cluster. Known services that can be affected include:

    • On ctl* nodes: glance-api, cinder-backup, cinder-scheduler, cinder-volume, apache2
    • On cmp* nodes: nova-compute
    • On mdb* nodes: gnocchi-metricd, apache2

  6. Restart all ceph-mon services one by one:

    salt -C "I@ceph:mon" -b 1 service.restart,test.sleep ceph-mon.target , 10
    
  7. Restart the following services one by one. Wait at least one minute between command runs:

    salt -C "I@apache:server:enabled" -b 1 service.restart,test.sleep apache2 , 5
    salt -C "I@glance:server" -b 1 service.restart,test.sleep glance-api , 5
    salt -C "I@cinder:server" -b 1 service.restart,test.sleep cinder-backup , 5
    salt -C "I@cinder:server" -b 1 service.restart,test.sleep cinder-scheduler , 5
    salt -C "I@cinder:volume" -b 1 service.restart,test.sleep cinder-volume , 5
    salt -C "I@nova:compute" -b 1 service.restart,test.sleep nova-compute , 5
    salt -C "I@gnocchi:server" -b 1 service.restart,test.sleep gnocchi-metricd , 5
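
To check the result of the procedure above, the following added example (not part of the MCP documentation) classifies `ceph health detail` output using the two health checks Ceph raises for this CVE, AUTH_INSECURE_GLOBAL_ID_RECLAIM and AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED. The function names are hypothetical, and the sample output, including its entity names, addresses and detail-line layout, is constructed.

```shell
#!/bin/sh
# Added example: classify `ceph health detail` text for CVE-2021-20288.
# Real use, on a node with a Ceph admin keyring:
#   ceph health detail | global_id_status

# Print one verdict for the health text on stdin:
#   unpatched-clients  clients still reclaim their global_id insecurely
#   reclaim-allowed    monitors still accept insecure reclaim
#   enforced           neither health check is raised
global_id_status() {
    health=$(cat)
    # -w stops AUTH_INSECURE_GLOBAL_ID_RECLAIM matching the _ALLOWED code.
    if printf '%s\n' "$health" | grep -qw 'AUTH_INSECURE_GLOBAL_ID_RECLAIM'; then
        echo unpatched-clients
    elif printf '%s\n' "$health" | grep -qw 'AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED'; then
        echo reclaim-allowed
    else
        echo enforced
    fi
}

# List the entities named in the indented detail lines (first field).
# The detail-line wording matched here is an assumption about the output.
insecure_entities() {
    awk '/^[ \t]+[^ \t]+ (at .* is using insecure global_id reclaim|has auth_allow_insecure_global_id_reclaim set to true)/ { print $1 }'
}

# Constructed sample shaped like `ceph health detail` output taken before
# step 5; entity names and addresses are made up.
SAMPLE_BEFORE='HEALTH_WARN client is using insecure global_id reclaim; mons are allowing insecure global_id reclaim
AUTH_INSECURE_GLOBAL_ID_RECLAIM client is using insecure global_id reclaim
    client.glance at 10.0.0.11:0/1234567890 is using insecure global_id reclaim
    client.cinder at 10.0.0.12:0/987654321 is using insecure global_id reclaim
AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED mons are allowing insecure global_id reclaim
    mon.cmn01 has auth_allow_insecure_global_id_reclaim set to true'
# Constructed sample for a cluster after steps 5-7.
SAMPLE_AFTER='HEALTH_OK'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | global_id_status)"
printf '%s\n' "$SAMPLE_BEFORE" | insecure_entities
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | global_id_status)"
```

Entities listed under `unpatched-clients` before step 5 are the ones to expect among the services that lose connection once the pillar is applied; after step 7 the verdict should be `enforced`.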