Ubuntu
ceph package

Please do not enable the service ceph-create-keys by default

Bug #1563330 reported by Dr. Jens Harbott on 2016-03-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	ceph (Ubuntu)	Opinion	Low	Unassigned

Bug Description

This may be useful for an unexperienced user trying to run ceph on a small setup, but for an automated deployment of a ceph cluster, it is pretty annoying that there may be daemons trying to create credentials that will allow access to the whole cluster if only the new machine gets compromised.

James Page (james-page) on 2016-04-05

Changed in ceph (Ubuntu):
status:	New → Fix Committed
importance:	Undecided → Medium

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-04-06:

This bug was fixed in the package ceph - 10.1.0-0ubuntu1

---------------
ceph (10.1.0-0ubuntu1) xenial; urgency=medium

  * New upstream release candidate for Ceph Jewel
    (see http://pad.lv/1563714 for FFe):
    - d/control,rules,librgw*: Add new binary packages for librgw2.
    - d/p/fix-systemd-escaping.patch,pybind-flags.patch: Dropped,
      included upstream.
    - d/p/*: Refresh remaining patches.
    - d/control: Add BD on libldap2-dev for rados gateway.
    - d/p/disable-openssl-linking.patch: Disable build time linking
      with OpenSSL due to licensing incompatibilities.
    - d/*.symbols: Add new symbols for RC.
    - d/python-*.install: Correct wildcards for python module install.
    - d/p/32bit-compat.patch: Cherry pick upstream fix for 32 bit
      compatibility, resolving FTBFS on armhf/i386.
  * d/rules: Strip rbd-mirror package correctly.
  * d/rules: Install upstart and systemd configurations for rbd-mirror.
  * d/copyright: Ensure that jerasure and gf-complete are not stripped
    from the upstream release tarball.
  * d/p/drop-user-group-osd-prestart.patch: Drop --setuser/--setgroup
    arguments from call to ceph-osd-prestart.sh; they are not supported
    and generate spurious non-fatal warning messages (LP: #1557461).
  * d/p/tasksmax-infinity.patch: Drop systemd limitation of number of
    processes and threads to long running ceph processes; the default
    of 512 tasks is way to low for even a modest Ceph cluster
    (LP: #1564917).
  * d/rules: Ensure that dh_systemd_start does not insert maintainer
    script snippets for ceph-mon and ceph-create-keys - service restart
    should be handled outside of the packaging as it is under upstart
    and for all other systemd unit files installed (LP: #1563330).

-- James Page <email address hidden> Wed, 06 Apr 2016 09:17:59 +0100

Changed in ceph (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Dr. Jens Harbott (j-harbott) wrote on 2016-04-07:

Download full text (3.5 KiB)

Sorry, but this is not fixed for me, maybe I wasn't expressing clearly enough my intentions:

root@controller-node13:~# systemctl status ceph-create-keys
* ceph-create-keys.service - Create Ceph client.admin key when possible
   Loaded: loaded (/lib/systemd/system/ceph-create-keys.service; static; vendor preset: enabled)
   Active: inactive (dead)
root@controller-node13:~# systemctl status ceph-mon
* ceph-mon.service - Ceph cluster monitor daemon
   Loaded: loaded (/lib/systemd/system/ceph-mon.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:ceph-mon
root@controller-node13:~# systemctl start ceph-mon
root@controller-node13:~# systemctl status ceph-mon
* ceph-mon.service - Ceph cluster monitor daemon
   Loaded: loaded (/lib/systemd/system/ceph-mon.service; disabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2016-04-07 06:25:40 UTC; 968ms ago
     Docs: man:ceph-mon
  Process: 11068 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %H --setuser ceph --setgroup ceph (code=exited, status=1/FAILU
Main PID: 11068 (code=exited, status=1/FAILURE)

Apr 07 06:25:40 controller-node13 systemd[1]: ceph-mon.service: Unit entered failed state.
Apr 07 06:25:40 controller-node13 systemd[1]: ceph-mon.service: Failed with result 'exit-code'.
root@controller-node13:~# systemctl status ceph-create-keys
* ceph-create-keys.service - Create Ceph client.admin key when possible
   Loaded: loaded (/lib/systemd/system/ceph-create-keys.service; static; vendor preset: enabled)
   Active: active (running) since Thu 2016-04-07 06:25:40 UTC; 4s ago
Main PID: 11066 (ceph-create-key)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/ceph-create-keys.service
           `-11066 /usr/bin/python /usr/sbin/ceph-create-keys --cluster ceph --id controller-node13

Apr 07 06:25:40 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file
Apr 07 06:25:40 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:42 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file
Apr 07 06:25:42 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:43 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file
Apr 07 06:25:43 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:44 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file
Apr 07 06:25:44 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:45 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file
Apr 07 06:25:45 controller...

Sorry, but this is not fixed for me, maybe I wasn't expressing clearly enough my intentions:

root@controller-node13:~# systemctl status ceph-create-keys
* ceph-create-keys.service - Create Ceph client.admin key when possible
   Loaded: loaded (/lib/systemd/system/ceph-create-keys.service; static; vendor preset: enabled)
   Active: inactive (dead)
root@controller-node13:~# systemctl status ceph-mon        
* ceph-mon.service - Ceph cluster monitor daemon
   Loaded: loaded (/lib/systemd/system/ceph-mon.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:ceph-mon
root@controller-node13:~# systemctl start ceph-mon
root@controller-node13:~# systemctl status ceph-mon                                                                                     
* ceph-mon.service - Ceph cluster monitor daemon
   Loaded: loaded (/lib/systemd/system/ceph-mon.service; disabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2016-04-07 06:25:40 UTC; 968ms ago
     Docs: man:ceph-mon
  Process: 11068 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %H --setuser ceph --setgroup ceph (code=exited, status=1/FAILU
 Main PID: 11068 (code=exited, status=1/FAILURE)

Apr 07 06:25:40 controller-node13 systemd[1]: ceph-mon.service: Unit entered failed state.
Apr 07 06:25:40 controller-node13 systemd[1]: ceph-mon.service: Failed with result 'exit-code'.
root@controller-node13:~# systemctl status ceph-create-keys                                                                             
* ceph-create-keys.service - Create Ceph client.admin key when possible
   Loaded: loaded (/lib/systemd/system/ceph-create-keys.service; static; vendor preset: enabled)
   Active: active (running) since Thu 2016-04-07 06:25:40 UTC; 4s ago
 Main PID: 11066 (ceph-create-key)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/ceph-create-keys.service
           `-11066 /usr/bin/python /usr/sbin/ceph-create-keys --cluster ceph --id controller-node13

Apr 07 06:25:40 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file 
Apr 07 06:25:40 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:42 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file 
Apr 07 06:25:42 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:43 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file 
Apr 07 06:25:43 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:44 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file 
Apr 07 06:25:44 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
Apr 07 06:25:45 controller-node13 ceph-create-keys[11066]: admin_socket: exception getting command descriptions: [Errno 2] No such file 
Apr 07 06:25:45 controller-node13 ceph-create-keys[11066]: INFO:ceph-create-keys:ceph-mon admin socket not ready yet.
root@controller-node13:~#

So whenever I start ceph-mon, it will trigger the start of ceph-create-keys and that will cause the creation of keys that are not wanted in an automated deployment. So the proper solution would be to remove this dependency and only run ceph-create-keys when explicitly called for by the admin.

Changed in ceph (Ubuntu):
status:	Fix Released → Confirmed

Revision history for this message

Dr. Jens Harbott (j-harbott) wrote on 2016-04-07:

Just found out there is also a discussion on this issue going on upstream:

http://permalink.gmane.org/gmane.comp.file-systems.ceph.devel/30552

Though that should be no argument not to fix it locally first.

Revision history for this message

James Page (james-page) wrote on 2017-01-06:

The ML thread did not appear to actually go anywhere, and I'm reticent to diverge from upstream in this area (as its a fairly fundamental part of ceph startup IMHO).

Changed in ceph (Ubuntu):
status:	Confirmed → Triaged
status:	Triaged → Opinion

Revision history for this message

James Page (james-page) wrote on 2017-01-06:

Marking as 'Opinion' for now; unless upstream decides to change approach, I don't want to diverge.

Changed in ceph (Ubuntu):
importance:	Medium → Low

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuceph package

Please do not enable the service ceph-create-keys by default

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
ceph package