include/encoding: add encoder helpers for sized ints

When the raw type may not match the required encoded size, this helper makes
intent clear and avoids a common verbose pattern:

    intX_t t = val;
    encode(t, bl);

and

    intX_t t;
    decode(t, p);
    val = t;

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: add health checks for insecure keys

This commit prompted the previous refactor as it was inconvenient to check for
health warnings as part of AuthMonitor::tick and then pass those up via
PaxosService::encode_health.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: cleanup for loop

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/HealthMonitor: refactor quorum_checks/leader_checks as PaxosMap

To codify protocol and catch bugs.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: refactor health check map through PaxosMap

This was motivated by confusing persistence of some health warnings during
testing of health warnings for cephx upgrades. Some services are only doing
health checks during ::encode_pending and others during ::tick. Make it
consistent.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/PaxosMap: add map template for managing Paxos structures

To protect access and codify protocol. Based loosely on PaxosFSMap which can be
refactored to use this later.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: improve programmability of key dumps

Notably:

- improve names (avoid repeated "keys")
- output type_str

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/entity_name: dump type name as string

For easier selection without hard-coded constants.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/entity_name: remove dead method

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/entity_name: cleanup entity_name::type

This should use the entity_type_t from the msg headers. The only awkwardness is
that the encode/decode of the type needs to continue using a uint32_t.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

cephx: add note to address technical debt

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: check service key is valid before decryption

CryptoKey::empty is the correct mechanism to check for an invalid key (and this
is codified elsewhere, fixed in this commit). Decryption would fail with an
abort if the key handler was unset. This would happen after rotating the "mon."
key and then restarting one of the mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: add more debugging for service tickets

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: set error message when decryption fails

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: provide more debugging when sig checks fail

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: provide emergency mechanism to use mon keyring

If they key is lost for the `mon.` credential, it's very inconvenient to get it
out of the "auth" database in the mon store. So, allow the operator to create a
new keyring for the mons and use it instead to get mons in quorum again.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: cycle through keyring or key_server for auth with mons

After commit `mon: use key_server for looking up mon key`, the mons will now
use the key_server to lookup the `mon.` key when a mon connects.  We need to
make the mons prefer using that key with authenticating during probing other
mons. However, the protocol doesn't allow falling back to another key. This is
necessary if what's in the key_server database is out-of-date due to an earlier
loss of quorum. In that case, the operator should update the local keyring file
and the mon should give that a try if auth fails.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: use key_server for looking up mon key

Note: the key_server is already configured to fallback (via
KeyServerData::extra_secrets) to the Monitor::keyring which is sourced from the
mon's keyring file.

Using the Monitor::key_server allows us to maintain the mon's secret in the
auth database alongside all other secrets. This makes rotating the mons' keys
the same as all other entities in Ceph. Before this, to rotate the mons' key
you would need to turn off all montitors and then rotate the key files
manually. This is obviously disruptive since it's not a rolling upgrade.

If the key is sourced from the Monitor::key_server, then the key can be rotated
and all mons are aware of the new key. The mons can then proceed to restart as
needed in a non-disruptive fashion.

A followup commit will cleanup the monitor to try either its local keyring key
or the key in the key_server (if present) when authenticating with other mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: dout chosen addrs after startup

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonClient: improve error message when failing to auth

Currently you just see:

    2025-05-14T23:07:37.244+0000 7f00dedd1640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2]

which is terrible at communicating the problem.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth,mon: add _exit config when auth fails

This is largely for testing: we want a client to exit immediately if auth
failures occur. Presently, those clients will try to reconnect forever.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

tools/ceph_authtool: allow configuring a preferred cipher

This makes testing easier as we can configure all keys in the cluster to be the
given "old" type without modifying each location that ceph-authtool is used.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: shutdown session connection on auth failure

Currently the mons will allow the session to persist even though an auth
failure has occurred, probably while trying to obtain new tickets.

A sequence to easily trigger this:

    ceph auth rotate osd.0
    ceph auth wipe-rotating-service-keys

The osd.0 will continue interacting with the mons until restart or a network
interruption occurs.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

msg: add interface to shutdown Connection

Unfortunately this doesn't work as-is because I couldn't find primitives to
flush the out_queue. It's left as a to-do for now.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: call _wipe_secrets_and_tickets when needed

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: refacor Client::handle_monmap

Use coroutines, should help with future changes.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: introduce handle_auth_failure

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: add asock TODO comment

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/osd/MonClient: Introduce Client::_wipe_secrets_and_tickets())

Similar to MonClient::_wipe_secrets_and_tickets())

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: imitate Classic's _check_auth_tickets

Imitating this interface from Classicals MonClient::_check_auth_tickets()
should make it easier to understand Crimson's counterpart.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: cleanup redundant private

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonClient: wipe secrets and invalidate tickets on auth epoch change

* This causes service daemons to drop all known service tickets and request new
  ones from the auth server.

* This causes the clients (and service daemons) to request new tickets from the
  auth server which will include tickets signed with the new service keys.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: bump auth epoch when wiping service keys

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonmapMonitor: wire up interface to bump auth epoch

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonMap: add auth epoch

This will be used to indicate to clients / service daemons that the auth
service keys have been rotated. Clients and service daemons are expected to
invalidate their tickets and reauth. Service daemons should wipe their service
keys.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: add dump-keys and wipe-rotating-service-keys

`auth dump-keys` allows examining the key types for each entity and also the
rotating session keys. This lets us confirm key upgrades are done as expected.

`wipe-rotating-service-keys` clears out existing non-auth service keys so that we do not
need to wait for the rotating key expiration. It is not disruptive so long as clients
renew their tickets when prompted by the auth epoch change.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: add key-type switch

So it's possible to test with various key-types.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/cmdparse: add another template cmd_getval_or helper

To mimic the conventional signature where you pass the lvalue you want to set.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/Monitor: perfect forward universal ref of lambda

This method doesn't currently work for std::move of a lambda.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/Monitor: add debugging for monmap handling

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: notify_new_monmap via MonmapMonitor::init

Otherwise, configurations are not updated during startup.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

doc/man: document new --key-type option for ceph-authtool

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

tools/ceph_authtool: add help message for key-type switch

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/buffer: accept "-" as stdin

These methods are used for reading files from tools like "authtool". Read from
stdin if the conventional "-" filename is passed.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: make some parameters const

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: cleanup error message formatting

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth,mon: lookup ticket ttl at runtime

and improve debugging.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: add API to invalidate all tickets

This will prompt the client to request new ones from the auth server.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: add API to wipe rotating secrets

This is for the service daemon's store of rotating service secrets.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: enforce sorted config keys

Makes future additions avoid conflicts.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: update get_tracked_keys signature

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: fix return type

key type is an unsigned.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common: break print template into separate header

To avoid pulling in all the debug includes for some primitive headers.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common: remove dead option

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

test: fix compiler error

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth,*: remove conflicting fwd declarations

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

include/common_fwd: Include Crypto classes

CryptoManager::cct is now used in CephContext ctor. To provide this
defintion
any ceph_context.cc target must also include Crypto.cc.

crimson-alien-common library which only had ceph_context.cc must now
also include Crypto.cc.
However, the fact that crimson-common also includes Crypto.cc would
cause multiple defintions
to any Crypto classes methods.

To resolve this, let's wrap all Crypto classes with TOPNSPC::common that
would be forwarded using common_fwd logic.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

cephx: sign messages using hmac_sha256

if key type is newer than the original AES, calculate message
hash by using HMAC-SHA256.
We cannot use plain aes256k like we do with the aes key because
of the confounder. The other option would be to inject a
confounder, but that would weaken the cipher.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: create slice api for calculating hmac_sha256

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

test/auth: more aes256krb5 tests

 - DecryptNoBl
 - multiple test vectos per each test

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: test slice interface for aes256k

AES256KRB5 uses the default slice encryption implementation, testing that
it works correctly.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

test/crypto: more aes256krb5 tests

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: add usage param to crypto handler

Allow different usage for crypto handler users. Currently being used
in the crypto unitest to match the test vectors.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: aes256krb5: add confounder config for unitests

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

cephx: add configurable to set allowed ciphers

cephx allowed ciphers: a list of ciphers that  sets what type
of keys are allowed to be used to authenticate

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: remove unused code

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: add a configurable to control rotating keys cipher type

auth_service_cipher: a mon configurable that determines what type of cipher
the rotating keys are using. The configurable can change at runtime. Note
that the change does not invalidate existing keys, these would expire
based on their ttl.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: session key type is set to client key type

This ensures that the client supports the specific key type.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: switch default cipher to AES256KRB5

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: modify client + server challenges hashing

This applies when using ciphers that are not the original
AES-128 one. Use the hmac-sha256 hash now. With AES256KRB5
the original method of encrypting the combined challenges
doesn't work as the confounder randomizes the result.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

ceph-authtool: support --key-type param

Also move the encryption handlers out of the ceph_context.
Handlers are now returned as a shared_ptr, to support the
creation of new handlers with different params (such as
the usage param).

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/crypto: add support for aes256-hmac384-192

Using the encryption standard set in RFC 8009. This is the
encryption that is used in Kerberos 5, so naming this variation
as AES256KRB5.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: propagate ceph context to encrypt/decrypt

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

Merge pull request #66092 from kshtsk/wip-fix-lua-kernel-check

qa/cephfs: lua to respect missing kernel in yaml

Merge pull request #66815 from bluikko/wip-doc-man-fix-directives

doc/man: fix invalid directive missing a second colon

Merge PR #64743 into main

* refs/pull/64743/head:

Reviewed-by: Anoop C S <anoopcs@cryptolab.net>
Reviewed-by: John Mulligan <jmulligan@redhat.com>

Merge pull request #66979 from idryomov/wip-73824

librbd: introduce RBD_LOCK_MODE_EXCLUSIVE_TRANSIENT

Reviewed-by: Ramana Raja <rraja@redhat.com>

Merge pull request #64819 from aclamk/aclamk-rocksdb-binned-cache-perf-counters

kv/RocksDB: Add instrumentation to BinnedLRUCache

Reviewed-by: Jaya Prakash <jayaprakash@ibm.com>

Merge pull request #67170 from afreen23/subsystem-step-3

mgr/dashboard: Step three subsystem creation form

Reviewed-by: pujaoshahu <pshahu@redhat.com>

Merge pull request #67217 from aliakseimakarau/main-s390x-fixexecstack

Mark s390x CRC assembly code as not requiring ELF execstack

Reviewed-by: Ilya Dryomov <idryomov@gmail.com>

Merge pull request #67261 from Matan-B/wip-matanb-crimson-66488-revert

Revert "crimson/os/seastore/cache: TRIM_DIRTY/CLEANER_* transactions won't invalidate other transactions anymore"

Reviewed-by: Xuehan Xu <xuxuehan@qianxin.com>

Merge pull request #67266 from gbregman/main

mgr/cephadm: Change the default value of omap_file_lock_duration in  NVMEoF spec file

Merge PR #67251 into main

* refs/pull/67251/head:
qa: set column for insertion
qa: bail sqlite3 on any error
qa: use actual sqlite3 blob instead of string
test: use json_extract instead of awkward json_tree

Reviewed-by: Nitzan Mordechai <nmordech@redhat.com>

Merge pull request #66552 from Jayaprakash-ibm/wip-add-scrub-flag

osd: Add flag to Identify Scrub IO

Reviewed-by: Adam Kupczyk <akupczyk@ibm.com>
Reviewed-by: Igor Fedotov <igor.fedotov@croit.io>

Merge pull request #67024 from amathuria/wip-amat-fix-73791

crimson/os/seastore: Add progress logging to transaction processing

Reviewed-by: Matan Breizman <mbreizma@redhat.com>

Merge pull request #65814 from amathuria/wip-amat-crimson-add-pg-num-testing

qa/suites/crimson-rados: Add pg splitting tests to crimson thrash tes…

Reviewed-by: Matan Breizman <mbreizma@redhat.com>

qa/suites/crimson-rados/thrash: Modify osd_target_transaction_size

We observed in Seastore, deletion of a large batch (default osd_target_transaction_size=30)
can take a significant amount of time.

Because this happens inside the peering_pp.process stage, it blocks the PG's peering pipeline.
During this block, any incoming OSDMap updates (PGAdvanceMap) are stalled behind the deletion work.
This eventually causes a global OSD-wide map progression hang because
the OSD cannot advance past an epoch until all PGs have processed
it.

To fix this, we are reducing osd_target_transaction_size to 5 to lower
conflict rates and allow deletion transactions to complete.

Fixes: https://tracker.ceph.com/issues/73791
Signed-off-by: Aishwarya Mathuria <amathuri@redhat.com>

mgr/cephadm: Change the default value of omap_file_lock_duration in NVMEoF spec file

Fixes: https://tracker.ceph.com/issues/74822
Signed-off-by: Gil Bregman <gbregman@il.ibm.com>

Revert "crimson/os/seastore/lba_mapping: don't allow classes above"

This reverts commit 45726996d65ec07b2c35a420c3ee0e42f0bf6cb4.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/btree_types: BtreeCursors don't hold local copies of"

This reverts commit 5a24cac63a676f0a4641257286f1d1f4f7377ce3.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/async_cleaner: avoid its header dependence on"

This reverts commit 1aae6f34b68faf15a8691f599420f23d5a84943e.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/lba_manager: make sure alloc_extents return viewable"

This reverts commit e6fd2e87a18ed25845e5ba5f6d03ebb20818e583.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/async_cleaner: renew backref cursors when they are"

This reverts commit a9c17a2c0912064f51492c2b012cd5608c6a57c1.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/seastore_types: define rewriting transactions"

This reverts commit 1696011379dfa5f1558b3119d4936ef4943ecedf.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: add facilities to synchronize data and states"

This reverts commit 2fc047c51f37cbdfd3952f616cc07f99cf2483d7.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: unlink mutated extents from the stable"

This reverts commit bfc1231e3716f7b780fb1362a76e13078e767f4c.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: since extent committer will also set"

This reverts commit 7e72a79af75d24119c094c533ec4101358aa258d.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: drop unused last_commit"

This reverts commit 33e63bc85fafc057974142071318a32121a62a59.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: rewrite transactions don't invalidate other"

This reverts commit 5ba464e6050a03c8d618728a0bb214ef63d4c944.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore: disable linked tree node operations when committing"

This reverts commit 21d76b9673264ac5817d01e9e11401fbba20e895.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>