mon/AuthMonitor: shutdown session connection on auth failure

Currently the mons will allow the session to persist even though an auth
failure has occurred, probably while trying to obtain new tickets.

A sequence to easily trigger this:

    ceph auth rotate osd.0
    ceph auth wipe-rotating-service-keys

The osd.0 will continue interacting with the mons until restart or a network
interruption occurs.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

msg: add interface to shutdown Connection

Unfortunately this doesn't work as-is because I couldn't find primitives to
flush the out_queue. It's left as a to-do for now.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: call _wipe_secrets_and_tickets when needed

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: refacor Client::handle_monmap

Use coroutines, should help with future changes.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: introduce handle_auth_failure

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: add asock TODO comment

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/osd/MonClient: Introduce Client::_wipe_secrets_and_tickets())

Similar to MonClient::_wipe_secrets_and_tickets())

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: imitate Classic's _check_auth_tickets

Imitating this interface from Classicals MonClient::_check_auth_tickets()
should make it easier to understand Crimson's counterpart.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

crimson/mon/MonClient: cleanup redundant private

Signed-off-by: Matan Breizman <mbreizma@redhat.com>
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonClient: wipe secrets and invalidate tickets on auth epoch change

* This causes service daemons to drop all known service tickets and request new
  ones from the auth server.

* This causes the clients (and service daemons) to request new tickets from the
  auth server which will include tickets signed with the new service keys.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: bump auth epoch when wiping service keys

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonmapMonitor: wire up interface to bump auth epoch

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/MonMap: add auth epoch

This will be used to indicate to clients / service daemons that the auth
service keys have been rotated. Clients and service daemons are expected to
invalidate their tickets and reauth. Service daemons should wipe their service
keys.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: add dump-keys and wipe-rotating-service-keys

`auth dump-keys` allows examining the key types for each entity and also the
rotating session keys. This lets us confirm key upgrades are done as expected.

`wipe-rotating-service-keys` clears out existing non-auth service keys so that we do not
need to wait for the rotating key expiration. It is not disruptive so long as clients
renew their tickets when prompted by the auth epoch change.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/AuthMonitor: add key-type switch

So it's possible to test with various key-types.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/cmdparse: add another template cmd_getval_or helper

To mimic the conventional signature where you pass the lvalue you want to set.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/Monitor: perfect forward universal ref of lambda

This method doesn't currently work for std::move of a lambda.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon/Monitor: add debugging for monmap handling

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

mon: notify_new_monmap via MonmapMonitor::init

Otherwise, configurations are not updated during startup.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

doc/man: document new --key-type option for ceph-authtool

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

tools/ceph_authtool: add help message for key-type switch

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common/buffer: accept "-" as stdin

These methods are used for reading files from tools like "authtool". Read from
stdin if the conventional "-" filename is passed.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: make some parameters const

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: cleanup error message formatting

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth,mon: lookup ticket ttl at runtime

and improve debugging.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: add API to invalidate all tickets

This will prompt the client to request new ones from the auth server.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: add API to wipe rotating secrets

This is for the service daemon's store of rotating service secrets.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: enforce sorted config keys

Makes future additions avoid conflicts.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth/cephx: update get_tracked_keys signature

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth: fix return type

key type is an unsigned.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common: break print template into separate header

To avoid pulling in all the debug includes for some primitive headers.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

common: remove dead option

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

test: fix compiler error

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

auth,*: remove conflicting fwd declarations

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

include/common_fwd: Include Crypto classes

CryptoManager::cct is now used in CephContext ctor. To provide this
defintion
any ceph_context.cc target must also include Crypto.cc.

crimson-alien-common library which only had ceph_context.cc must now
also include Crypto.cc.
However, the fact that crimson-common also includes Crypto.cc would
cause multiple defintions
to any Crypto classes methods.

To resolve this, let's wrap all Crypto classes with TOPNSPC::common that
would be forwarded using common_fwd logic.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

cephx: sign messages using hmac_sha256

if key type is newer than the original AES, calculate message
hash by using HMAC-SHA256.
We cannot use plain aes256k like we do with the aes key because
of the confounder. The other option would be to inject a
confounder, but that would weaken the cipher.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: create slice api for calculating hmac_sha256

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

test/auth: more aes256krb5 tests

 - DecryptNoBl
 - multiple test vectos per each test

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: test slice interface for aes256k

AES256KRB5 uses the default slice encryption implementation, testing that
it works correctly.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

test/crypto: more aes256krb5 tests

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: add usage param to crypto handler

Allow different usage for crypto handler users. Currently being used
in the crypto unitest to match the test vectors.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: aes256krb5: add confounder config for unitests

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

cephx: add configurable to set allowed ciphers

cephx allowed ciphers: a list of ciphers that  sets what type
of keys are allowed to be used to authenticate

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: remove unused code

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: add a configurable to control rotating keys cipher type

auth_service_cipher: a mon configurable that determines what type of cipher
the rotating keys are using. The configurable can change at runtime. Note
that the change does not invalidate existing keys, these would expire
based on their ttl.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: session key type is set to client key type

This ensures that the client supports the specific key type.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: switch default cipher to AES256KRB5

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/cephx: modify client + server challenges hashing

This applies when using ciphers that are not the original
AES-128 one. Use the hmac-sha256 hash now. With AES256KRB5
the original method of encrypting the combined challenges
doesn't work as the confounder randomizes the result.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

ceph-authtool: support --key-type param

Also move the encryption handlers out of the ceph_context.
Handlers are now returned as a shared_ptr, to support the
creation of new handlers with different params (such as
the usage param).

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth/crypto: add support for aes256-hmac384-192

Using the encryption standard set in RFC 8009. This is the
encryption that is used in Kerberos 5, so naming this variation
as AES256KRB5.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

auth: propagate ceph context to encrypt/decrypt

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

Merge pull request #66092 from kshtsk/wip-fix-lua-kernel-check

qa/cephfs: lua to respect missing kernel in yaml

Merge pull request #66815 from bluikko/wip-doc-man-fix-directives

doc/man: fix invalid directive missing a second colon

Merge PR #64743 into main

* refs/pull/64743/head:

Reviewed-by: Anoop C S <anoopcs@cryptolab.net>
Reviewed-by: John Mulligan <jmulligan@redhat.com>

Merge pull request #66979 from idryomov/wip-73824

librbd: introduce RBD_LOCK_MODE_EXCLUSIVE_TRANSIENT

Reviewed-by: Ramana Raja <rraja@redhat.com>

Merge pull request #64819 from aclamk/aclamk-rocksdb-binned-cache-perf-counters

kv/RocksDB: Add instrumentation to BinnedLRUCache

Reviewed-by: Jaya Prakash <jayaprakash@ibm.com>

Merge pull request #67170 from afreen23/subsystem-step-3

mgr/dashboard: Step three subsystem creation form

Reviewed-by: pujaoshahu <pshahu@redhat.com>

Merge pull request #67217 from aliakseimakarau/main-s390x-fixexecstack

Mark s390x CRC assembly code as not requiring ELF execstack

Reviewed-by: Ilya Dryomov <idryomov@gmail.com>

Merge pull request #67261 from Matan-B/wip-matanb-crimson-66488-revert

Revert "crimson/os/seastore/cache: TRIM_DIRTY/CLEANER_* transactions won't invalidate other transactions anymore"

Reviewed-by: Xuehan Xu <xuxuehan@qianxin.com>

Merge pull request #67266 from gbregman/main

mgr/cephadm: Change the default value of omap_file_lock_duration in  NVMEoF spec file

Merge PR #67251 into main

* refs/pull/67251/head:
qa: set column for insertion
qa: bail sqlite3 on any error
qa: use actual sqlite3 blob instead of string
test: use json_extract instead of awkward json_tree

Reviewed-by: Nitzan Mordechai <nmordech@redhat.com>

Merge pull request #66552 from Jayaprakash-ibm/wip-add-scrub-flag

osd: Add flag to Identify Scrub IO

Reviewed-by: Adam Kupczyk <akupczyk@ibm.com>
Reviewed-by: Igor Fedotov <igor.fedotov@croit.io>

Merge pull request #67024 from amathuria/wip-amat-fix-73791

crimson/os/seastore: Add progress logging to transaction processing

Reviewed-by: Matan Breizman <mbreizma@redhat.com>

Merge pull request #65814 from amathuria/wip-amat-crimson-add-pg-num-testing

qa/suites/crimson-rados: Add pg splitting tests to crimson thrash tes…

Reviewed-by: Matan Breizman <mbreizma@redhat.com>

qa/suites/crimson-rados/thrash: Modify osd_target_transaction_size

We observed in Seastore, deletion of a large batch (default osd_target_transaction_size=30)
can take a significant amount of time.

Because this happens inside the peering_pp.process stage, it blocks the PG's peering pipeline.
During this block, any incoming OSDMap updates (PGAdvanceMap) are stalled behind the deletion work.
This eventually causes a global OSD-wide map progression hang because
the OSD cannot advance past an epoch until all PGs have processed
it.

To fix this, we are reducing osd_target_transaction_size to 5 to lower
conflict rates and allow deletion transactions to complete.

Fixes: https://tracker.ceph.com/issues/73791
Signed-off-by: Aishwarya Mathuria <amathuri@redhat.com>

mgr/cephadm: Change the default value of omap_file_lock_duration in NVMEoF spec file

Fixes: https://tracker.ceph.com/issues/74822
Signed-off-by: Gil Bregman <gbregman@il.ibm.com>

Revert "crimson/os/seastore/lba_mapping: don't allow classes above"

This reverts commit 45726996d65ec07b2c35a420c3ee0e42f0bf6cb4.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/btree_types: BtreeCursors don't hold local copies of"

This reverts commit 5a24cac63a676f0a4641257286f1d1f4f7377ce3.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/async_cleaner: avoid its header dependence on"

This reverts commit 1aae6f34b68faf15a8691f599420f23d5a84943e.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/lba_manager: make sure alloc_extents return viewable"

This reverts commit e6fd2e87a18ed25845e5ba5f6d03ebb20818e583.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/async_cleaner: renew backref cursors when they are"

This reverts commit a9c17a2c0912064f51492c2b012cd5608c6a57c1.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/seastore_types: define rewriting transactions"

This reverts commit 1696011379dfa5f1558b3119d4936ef4943ecedf.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: add facilities to synchronize data and states"

This reverts commit 2fc047c51f37cbdfd3952f616cc07f99cf2483d7.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: unlink mutated extents from the stable"

This reverts commit bfc1231e3716f7b780fb1362a76e13078e767f4c.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: since extent committer will also set"

This reverts commit 7e72a79af75d24119c094c533ec4101358aa258d.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: drop unused last_commit"

This reverts commit 33e63bc85fafc057974142071318a32121a62a59.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cache: rewrite transactions don't invalidate other"

This reverts commit 5ba464e6050a03c8d618728a0bb214ef63d4c944.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore: disable linked tree node operations when committing"

This reverts commit 21d76b9673264ac5817d01e9e11401fbba20e895.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/cached_extent: treat extents under rewrite io as"

This reverts commit ec66079995e8c32771ecd42c5f3c386c5c4c2022.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/transaction_manager: block client transactions if"

This reverts commit a156475f3f8139f2a0b31b9176438cee224da4bd.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Revert "crimson/os/seastore/extent_pinboard: reset 2q_state when removing"

This reverts commit ee2d2fb2ff3435fc8f7108c5724da2d7f80d52fe.

Signed-off-by: Matan Breizman <mbreizma@redhat.com>

Merge pull request #66644 from rhcs-dashboard/fix-doc-controller-reponses

mgr/dashboard: Add application/json content type to api doc respones

Reviewed-by: Nizamudeen A <nia@redhat.com>

s390x CRC assembly not requiring ELF execstack

ceph-osd and libceph-common.so.2 are marked as execstack ELFs.
This PR does add the GCCs noexecstack option.

Fixes: https://tracker.ceph.com/issues/74751
Signed-off-by: Aliaksei Makarau <aliaksei.makarau@ibm.com>

Merge pull request #67254 from tchaikov/wip-doc-build-mgr-module-command

doc/_ext: fix ceph_commands.py for new decorator-based command system

Reviewed-by: Anthony D'Atri <anthony.datri@gmail.com>

Merge pull request #67186 from perezjosibm/wip-perezjos-tracker74642

crimson: fix dump_metrics skipping metrics argument.

qa: set column for insertion

    2026-02-08T13:02:24.439 INFO:tasks.workunit.client.0.trial031.stderr:Parse error near line 2: no such column: "start" - should this be a string literal in single-quotes?

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

qa: bail sqlite3 on any error

Otherwise it will wrongly proceed executing the next SQL statement.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

qa: use actual sqlite3 blob instead of string

No functional change.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

test: use json_extract instead of awkward json_tree

Ideally this should be port better across sqlite3 versions. The sqlite3
on rocky10 failed because it started requiring components of the keys
to be quoted:

    sqlite> select * from p as a, p as b where a.i=1 and b.i = 2 and a.fullkey = '$."libcephsqlite_vfs"."opf_sync".avgcount' and b.fullkey = '$."libcephsqlite_vfs"."opf_sync".avgcount';
    i  key       value  type     atom  id   parent  fullkey                                    path                              i  key       value  type     atom  id   parent  fullkey
    -  --------  -----  -------  ----  ---  ------  -----------------------------------------  --------------------------------  -  --------  -----  -------  ----  ---  ------  ------------------
    1  avgcount  4      integer  4     581  570     $."libcephsqlite_vfs"."opf_sync".avgcount  $."libcephsqlite_vfs"."opf_sync"  2  avgcount  5      integer  5     581  570     $."libcephsqlite_v

Fixes: https://tracker.ceph.com/issues/74755
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

Merge PR #67086 into main

* refs/pull/67086/head:
qa/suites/upgrade: Exclude ceph-osd-classic/crimson when installing LTS releases
qa/suites/fs/upgrade: Exclude ceph-osd-classic/crimson when installing LTS releases

Reviewed-by: Kefu Chai <k.chai@proxmox.com>
Reviewed-by: Patrick Donnelly <pdonnell@ibm.com>

Merge PR #67145 into main

* refs/pull/67145/head:
src/script/build-with-container.py: fix a few spelling errors

Reviewed-by: Patrick Donnelly <pdonnell@ibm.com>

mgr/dashboard: Add application/json content type to api doc respones

This will fix the sphinx documentation generated and properly display endpoint documentation responses.
Also adds a doc link to the openapi swagger

Fixes: https://tracker.ceph.com/issues/73413
Signed-off-by: Pedro Gonzalez Gomez <pegonzal@ibm.com>

doc/_ext: fix ceph_commands.py for new decorator-based command system

After commit 4aa9e246f, mgr modules migrated from using a class-level
COMMANDS list to decorator-based command registration using per-module
CLICommand instances (e.g., @BalancerCLICommand.Read('balancer status')).

This broke the ceph_commands.py Sphinx extension which was hardcoded to
expect m.COMMANDS to be a list, causing documentation builds to fail.

But not all modules are using this per-module CLICommand. Some modules are
fully migrated (balancer, hello, etc.) and use decorators, while others
are partially migrated (volumes, progress, stats, influx, k8sevents,
osd_perf_query, osd_support) - they have CLICommand defined but still
use the old COMMANDS list.

This fix updates _collect_module_commands() to handle three scenarios:

1. Fully migrated modules: Check CLICommand.dump_cmd_list() and use it
   if it returns commands
2. Partially migrated modules: Fall back to the old COMMANDS list if
   dump_cmd_list() returns empty
3. Legacy modules: Use COMMANDS list if CLICommand doesn't exist

This ensures the Sphinx extension works with modules in any migration
state, maintaining backwards compatibility while supporting the new
decorator pattern.

Signed-off-by: Kefu Chai <k.chai@proxmox.com>

Merge pull request #67247 from ivancich/wip-fix-versioning-test-fix

rgw/test: fix rgw versioning test fix

Reviewed-by: Ilya Dryomov <idryomov@gmail.com>

Merge pull request #67243 from anthonyeleven/updateslink

doc/start: Update Slack invite link in doc/start/get-involved.rst

rgw/test: fix rgw versioning test fix

Removing parentheses that are problematic.

Signed-off-by: J. Eric Ivancich <ivancich@redhat.com>

Merge pull request #66467 from athanatos/wip-sjust-mgr-cli-command-74042

pybind/mgr: update modules to use independent CLICommand subtypes with distinct COMMAND attributes

doc/start: Update Slack invite link in doc/start/get-involved.rst

Signed-off-by: Anthony D'Atri <anthonyeleven@users.noreply.github.com>

Merge pull request #67220 from shraddhaag/wip-shraddhaag-74753

doc: add instructions for deploying crimson with cephadm

Merge pull request #67180 from afreen23/fix-notif-panel

mgr/dashboard: Fix footer of notification panel

Reviewed-by: Pedro Gonzalez Gomez <pegonzal@redhat.com>