Actions
Bug #65717
opencephadm: iscsi and nvme auth keyring are not cleaned up
% Done:
0%
Source:
Tags:
backport_processed
Backport:
squid, reef, quincy
Regression:
No
Severity:
3 - minor
Reviewed:
Description
If you move/remove an iscsi daemon, the keyring for the removed daemon is left behind unless the user cleans up the key manually
Here is an example where the spec placement was modified to move an iscsi daemon from vm-00 to vm-02. We can see a new vm-02 keyring get made, but the vm-00 keyring was never cleaned up.
[ceph: root@vm-00 /]# ceph auth ls | grep iscsi client.iscsi.foo.vm-00.awllyd caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" client.iscsi.foo.vm-01.mmilla caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" client.iscsi.foo.vm-02.ejxnyh caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" [ceph: root@vm-00 /]# [ceph: root@vm-00 /]# vi iscsi.yaml [ceph: root@vm-00 /]# [ceph: root@vm-00 /]# ceph orch apply -i iscsi.yaml Scheduled iscsi.foo update... [ceph: root@vm-00 /]# [ceph: root@vm-00 /]# ceph auth ls | grep iscsi client.iscsi.foo.vm-00.awllyd caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" client.iscsi.foo.vm-01.mmilla caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" client.iscsi.foo.vm-02.ejxnyh caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" client.iscsi.foo.vm-02.jsxgdd caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/"
NVMEoF has the same issue
Updated by Backport Bot 11 days ago
- Copied to Backport #65950: quincy: cephadm: iscsi and nvme auth keyring are not cleaned up added
Updated by Backport Bot 11 days ago
- Copied to Backport #65951: squid: cephadm: iscsi and nvme auth keyring are not cleaned up added
Updated by Backport Bot 11 days ago
- Copied to Backport #65952: reef: cephadm: iscsi and nvme auth keyring are not cleaned up added
Actions