Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-20288 - ceph-csi is using insecure global_id reclaim #2063

Closed
dredwilliams opened this issue May 8, 2021 · 4 comments
Closed

CVE-2021-20288 - ceph-csi is using insecure global_id reclaim #2063

dredwilliams opened this issue May 8, 2021 · 4 comments
Labels
component/build Issues and PRs related to compiling Ceph-CSI dependency/ceph depends on core Ceph functionality question Further information is requested

Comments

@dredwilliams
Copy link

dredwilliams commented May 8, 2021

Describe the bug

Whey trying to deploy ceph-csi to use a recently upgraded ceph cluster, the provisioner (RBD, in my case) cannot connect to the ceph cluster -- logs say "permission denied", but in digging in the ceph logs, it trips on the global_id reclaim issue mentioned in the subject CVE:

https://docs.ceph.com/en/latest/security/CVE-2021-20288/

With the ceph cluster properly secured to prevent insecure global_id reuse, ceph-csi cannot connect. When I disabled the protection in the cluster (using the information at the bottom of the above web page), PVCs were appropriately processed and PVs allocated.

Environment details

My Ceph cluster is currently sitting at v16.2.3, but it also occurred when it was at v15.2.11.

I was using the canary image of ceph-csi, then backed down to v3.3.0 in case it was a recent development issue. I'm installing from manifests (no helm charts).

My Kubernetes clusters:

  • 1.21.0 (raw upstream)
  • 1.20.6 (k3s)

Steps to reproduce

Secure ceph cluster according to instructions in the CVE

Deploy manifests as described in documentation

  • configmap properly points to ceph cluster mons
  • moved entire deployment to its own namespace

Deploy StorageClass using standard manifest

  • namespaces updated to reflect deployment
  • ceph cluster ID provided

Deploy sample PVC from distribution

  • PVC remains in pending state

Actual results

logs from csi-rbd-provisioner module show repeated retries, all of which result in "rados permission denied" errors

logs from ceph mon show this whenever the provisioner tries to connect:

cephx server client.admin: attempt to reclaim global_id xxxxxx without presenting ticket
cephx server client.admin: could not verify old ticket

The reference to "global_id" recalled the CVE and the ceph config change I had to make to get the warnings to be quiet (i.e. prevent insecure global_id reuse). When I reverted the config back to the insecure state, the PVC was immediately resolved and the PV created.

Expected behavior

ceph-csi properly reclaims global_id so that I can properly secure my ceph cluster.

Logs

Log snippets included above

@Rakshith-R
Copy link
Contributor

Hey @dredwilliams ,Please upgrade to Cephcsi v3.3.1 https://github.com/ceph/ceph-csi/releases/tag/v3.3.1 and check rook/rook#7746 (comment) on how to fix this issue.

@humblec
Copy link
Collaborator

humblec commented May 10, 2021

Hey @dredwilliams ,Please upgrade to Cephcsi v3.3.1 https://github.com/ceph/ceph-csi/releases/tag/v3.3.1 and check rook/rook#7746 (comment) on how to fix this issue.

Yep and if you are on 3.2.x upgrade to Ceph CSI v3.2.2 Release https://github.com/ceph/ceph-csi/releases/tag/v3.2.2

@nixpanic nixpanic added component/build Issues and PRs related to compiling Ceph-CSI dependency/ceph depends on core Ceph functionality question Further information is requested labels May 10, 2021
@nixpanic
Copy link
Member

This is a duplicate of #1995

@dredwilliams
Copy link
Author

That took care of it -- thanks for the help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component/build Issues and PRs related to compiling Ceph-CSI dependency/ceph depends on core Ceph functionality question Further information is requested
Projects
None yet
Development

No branches or pull requests

4 participants