Bug #65717

open

cephadm: iscsi and nvme auth keyring are not cleaned up

Added by Adam King 21 days ago. Updated 11 days ago.

Status: Pending Backport
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags: backport_processed
Backport: squid, reef, quincy
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

If you move/remove an iscsi daemon, the keyring for the removed daemon is left behind unless the user cleans up the key manually.

Here is an example where the spec placement was modified to move an iscsi daemon from vm-00 to vm-02. We can see a new vm-02 keyring get made, but the vm-00 keyring was never cleaned up.

[ceph: root@vm-00 /]# ceph auth ls | grep iscsi
client.iscsi.foo.vm-00.awllyd
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
client.iscsi.foo.vm-01.mmilla
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
client.iscsi.foo.vm-02.ejxnyh
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
[ceph: root@vm-00 /]# 
[ceph: root@vm-00 /]# vi iscsi.yaml 
[ceph: root@vm-00 /]# 
[ceph: root@vm-00 /]# ceph orch apply -i iscsi.yaml 
Scheduled iscsi.foo update...
[ceph: root@vm-00 /]#                                             
[ceph: root@vm-00 /]# ceph auth ls | grep iscsi
client.iscsi.foo.vm-00.awllyd
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
client.iscsi.foo.vm-01.mmilla
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
client.iscsi.foo.vm-02.ejxnyh
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 
client.iscsi.foo.vm-02.jsxgdd
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/" 

NVMEoF has the same issue.
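
A check for the leftover keyrings described above, as an added example that is not part of the original report or of cephadm: it compares the gateway entities in `ceph auth ls` with the daemons the orchestrator reports. The `client.nvmeof.` prefix, the `daemon_type`/`daemon_id` JSON fields and the list of running daemons are assumptions; the auth output is the one quoted in the report.

```python
import json

# "client.iscsi." is visible in the report; "client.nvmeof." is an assumption.
PREFIXES = ("client.iscsi.", "client.nvmeof.")


def parse_auth_entities(auth_ls_text, prefixes=PREFIXES):
    """Return gateway entity names from plain `ceph auth ls` output."""
    # Entity names start in column 0; key/caps lines are indented and skipped.
    return [line.strip() for line in auth_ls_text.splitlines()
            if line.startswith(prefixes)]


def running_entities(orch_ps_json):
    """Auth entity name each daemon would use (assumed JSON field names)."""
    return {f"client.{d['daemon_type']}.{d['daemon_id']}"
            for d in json.loads(orch_ps_json)}


def orphaned_keyrings(auth_ls_text, orch_ps_json):
    """Gateway entities that still hold a key but have no matching daemon."""
    live = running_entities(orch_ps_json)
    return [e for e in parse_auth_entities(auth_ls_text) if e not in live]


# Output of `ceph auth ls | grep iscsi` from the report, after the move.
AUTH_LS = """\
client.iscsi.foo.vm-00.awllyd
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/"
client.iscsi.foo.vm-01.mmilla
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/"
client.iscsi.foo.vm-02.ejxnyh
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/"
client.iscsi.foo.vm-02.jsxgdd
    caps: [mon] profile rbd, allow command "osd blocklist", allow command "config-key get" with "key" prefix "iscsi/"
"""

# Constructed `ceph orch ps --format json` sample: which daemons are running
# is an assumption, the report does not show it.
ORCH_PS = json.dumps([
    {"daemon_type": "iscsi", "daemon_id": "foo.vm-01.mmilla"},
    {"daemon_type": "iscsi", "daemon_id": "foo.vm-02.jsxgdd"},
    {"daemon_type": "mon", "daemon_id": "vm-00"},
])

if __name__ == "__main__":
    for entity in orphaned_keyrings(AUTH_LS, ORCH_PS):
        print("stale keyring:", entity)
```

Each entity it reports can be reviewed and then removed with `ceph auth rm <entity>`.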


Related issues 3 (3 open, 0 closed)

Copied to Orchestrator - Backport #65950: quincy: cephadm: iscsi and nvme auth keyring are not cleaned up (New, Adam King)
Copied to Orchestrator - Backport #65951: squid: cephadm: iscsi and nvme auth keyring are not cleaned up (In Progress, Adam King)
Copied to Orchestrator - Backport #65952: reef: cephadm: iscsi and nvme auth keyring are not cleaned up (New, Adam King)

#1

Updated by Adam King 21 days ago

  • Pull request ID set to 57181

#2

Updated by Adam King 11 days ago

  • Status changed from In Progress to Pending Backport

#3

Updated by Backport Bot 11 days ago

  • Copied to Backport #65950: quincy: cephadm: iscsi and nvme auth keyring are not cleaned up added

#4

Updated by Backport Bot 11 days ago

  • Copied to Backport #65951: squid: cephadm: iscsi and nvme auth keyring are not cleaned up added

#5

Updated by Backport Bot 11 days ago

  • Copied to Backport #65952: reef: cephadm: iscsi and nvme auth keyring are not cleaned up added

#6

Updated by Backport Bot 11 days ago

  • Tags set to backport_processed