mon/MonClient: wipe secrets and invalidate tickets on auth epoch change
* This causes service daemons to drop all known service tickets and request new
ones from the auth server.
* This causes the clients (and service daemons) to request new tickets from the
auth server which will include tickets signed with the new service keys.
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
This will be used to indicate to clients / service daemons that the auth
service keys have been rotated. Clients and service daemons are expected to
invalidate their tickets and reauth. Service daemons should wipe their service
keys.
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
Patrick Donnelly [Wed, 26 Mar 2025 01:59:34 +0000 (21:59 -0400)]
mon/AuthMonitor: add dump-keys and wipe-rotating-service-keys
`auth dump-keys` allows examining the key types for each entity and also the
rotating session keys. This lets us confirm key upgrades are done as expected.
`wipe-rotating-service-keys` clears out existing non-auth service keys so that we do not
need to wait for the rotating key expiration. It is not disruptive so long as clients
renew their tickets when prompted by the auth epoch change.
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
Matan Breizman [Mon, 9 Jun 2025 12:07:49 +0000 (12:07 +0000)]
include/common_fwd: Include Crypto classes
CryptoManager::cct is now used in CephContext ctor. To provide this
defintion
any ceph_context.cc target must also include Crypto.cc.
crimson-alien-common library which only had ceph_context.cc must now
also include Crypto.cc.
However, the fact that crimson-common also includes Crypto.cc would
cause multiple defintions
to any Crypto classes methods.
To resolve this, let's wrap all Crypto classes with TOPNSPC::common that
would be forwarded using common_fwd logic.
Yehuda Sadeh [Wed, 28 May 2025 19:51:19 +0000 (15:51 -0400)]
cephx: sign messages using hmac_sha256
if key type is newer than the original AES, calculate message
hash by using HMAC-SHA256.
We cannot use plain aes256k like we do with the aes key because
of the confounder. The other option would be to inject a
confounder, but that would weaken the cipher.
Yehuda Sadeh [Fri, 7 Mar 2025 18:20:58 +0000 (13:20 -0500)]
auth: add a configurable to control rotating keys cipher type
auth_service_cipher: a mon configurable that determines what type of cipher
the rotating keys are using. The configurable can change at runtime. Note
that the change does not invalidate existing keys, these would expire
based on their ttl.
Yehuda Sadeh [Thu, 27 Feb 2025 21:14:06 +0000 (16:14 -0500)]
auth/cephx: modify client + server challenges hashing
This applies when using ciphers that are not the original
AES-128 one. Use the hmac-sha256 hash now. With AES256KRB5
the original method of encrypting the combined challenges
doesn't work as the confounder randomizes the result.
Yehuda Sadeh [Thu, 27 Feb 2025 16:55:37 +0000 (11:55 -0500)]
ceph-authtool: support --key-type param
Also move the encryption handlers out of the ceph_context.
Handlers are now returned as a shared_ptr, to support the
creation of new handlers with different params (such as
the usage param).
Ville Ojamo [Mon, 5 Jan 2026 06:10:45 +0000 (13:10 +0700)]
doc: Remove sphinxcontrib-seqdiag Python package from RTD builds
This is a proactive PR to avoid breaking docs builds when Setuptools 81
starts to be used in the RTD builds process.
The sphnixcontrib-seqdiag Python package is not compatible with
Setuptools 81 or later due to use of pkg_resources:
https://setuptools.pypa.io/en/latest/pkg_resources.html
Setuptools 81 release should be imminent, with the Python deprecation
warning stating pkg_resources "removal as early as 2025-11-30".
Seqdiag seems to be unmaintained with the latest update at Pypi in
the year 2021 and also no updates to the seqdiag git repo.
There are no seqdiag directives left in the docs after last seqdiags
were removed in PR #52308.
Two other options would exist for fixing the situation (see PR for
discussion) but this seems to be the suitable one.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Ville Ojamo [Mon, 5 Jan 2026 05:46:08 +0000 (12:46 +0700)]
doc/rados: Fix Sphinx warnings in troubleshooting/log-and-debug.rst
Possibly controversial Sphinx fixes:
Fix two Sphinx warnings about more than one confval directive.
Remove the dupe confval directives from log-and-debug.rst and leave only
in mon-config-ref.rst because it has the only copy of a related clog
configuration value mon_health_to_clog_tick_interval.
Signed-off-by: Ville Ojamo <14869000+bluikko@users.noreply.github.com>
Kefu Chai [Wed, 31 Dec 2025 09:01:43 +0000 (17:01 +0800)]
common/options: document log_to_stderr's conditional default value
The default value of `log_to_stderr` varies depending on whether Ceph
runs as a daemon or a library. Previously, this was only documented via
the `default` property, which led to confusion when debugging client
applications.
For example, when debugging a CephFS client, setting `debug <subsystem> = 5`
in the configuration file doesn't produce visible debug logs as expected.
This occurs because `common_preinit()` overrides `log_to_stderr` to `false`
when Ceph runs as a library, preventing logs from appearing on stderr.
This commit adds clarification to the `long_desc` field to document this
conditional behavior and help users understand why debug output may not
appear in client scenarios.
Aashish Sharma [Wed, 10 Dec 2025 10:41:50 +0000 (16:11 +0530)]
mgr/dashboard: fix multi-cluster context switcher
The multi-cluster context switcher stopped working because of a
regression caused by this PR https://github.com/ceph/ceph/pull/66034.
This PR tends to fix this issue
Afreen Misbah [Mon, 15 Dec 2025 15:53:44 +0000 (21:23 +0530)]
'mgr/dashboard: Fix display of IP address in host page
- Hosts data is getting merged with hosts' facts which is not sending address hence not getting displayed in UI
- The value is empty hence in the API
- Caused by https://github.com/ceph/ceph/pull/65102
rgw/dedup: Prevent the dup-counter from wrapping around after it reaches 64K of identical copies.
Limit dedup from a single SRC to 128 Target copies to prevent OMAP size
from growing out of control
Tests cleanup
Kefu Chai [Wed, 24 Dec 2025 08:57:12 +0000 (16:57 +0800)]
test/run-cli-tests: install wheel before cram to fix build failure
Fix the run-cli-tests failure that occurs when installing cram from git.
The error happens because the fresh venv lacks build dependencies, causing
pip to fall back to legacy setup.py install which fails:
Using legacy 'setup.py install' for cram, since package 'wheel' is not installed.
Installing collected packages: cram
Running setup.py install for cram: started
error: subprocess-exited-with-error
× Running setup.py install for cram did not run successfully.
│ exit code: 1
╰─> See above for output.
note: This error originates from a subprocess, and is likely not a problem with pip.
Running setup.py install for cram: finished with status 'error'
error: legacy-install-failure
× Encountered error while trying to install package.
╰─> cram
The issue became visible after commit 70880723eaa updated the pip URL
format to the new PEP 440 style, which exposed the missing build tools.
Solution: Upgrade pip, setuptools, and wheel before installing cram to
ensure proper wheel-based installation works correctly with Python 3.13
and modern pip versions.
Kefu Chai [Wed, 24 Dec 2025 05:55:26 +0000 (13:55 +0800)]
debian/control: add iproute2 to build dependencies
Test scripts like qa/tasks/cephfs/mount.py expect the ip command to be
available in the container environment. Without it, tests fail with:
```
/bin/bash: line 1: ip: command not found
File "/ceph/qa/tasks/cephfs/mount.py", line 96, in cleanup_stale_netnses_and_bridge
p = remote.run(args=['ip', 'netns', 'list'],
...
teuthology.exceptions.CommandFailedError: Command failed with status 127: 'ip netns list'
```
Add iproute2 to the debian package build dependencies when the
<pkg.ceph.check> build profile is enabled. This ensures the package is
available during container-based builds, since buildcontainer-setup.sh
→ script/run-make.sh → install-deps.sh → debian/control → generated
dependency package chain respects build profiles configured via
`FOR_MAKE_CHECK` and `WITH_CRIMSON` environment variables set in
Dockerfile.build.
Imran Imtiaz [Mon, 8 Dec 2025 07:59:03 +0000 (07:59 +0000)]
mgr/dashboard: add CRUD API endpoints for consistency group snapshots
Signed-off-by: Imran Imtiaz <imran.imtiaz@uk.ibm.com> Fixes: https://tracker.ceph.com/issues/74258
Create a set of consistency group dashboard API endpoints to:
- List group snapshots
- Get details about a particular snapshot
- Create a snapshot
- Delete a snapshot
Nizamudeen A [Mon, 22 Dec 2025 08:49:00 +0000 (14:19 +0530)]
mgr/dashboard: upgrade angular to 19
* bump nodejs to 22.21.1
* remove swagger-ui from the package.json and import the bundled version
of it which is `swagger-ui-dist`. This removes the dependencies to the
react redux which is bought by the swagger-ui and also reduces the build
assets and build warnings. we really don't need the whole swagger-ui
package to be present here. Also importing the swagger-ui.css inside the
api-docs component lazily.
since our project is now under nx, upgraded using the nx migrate
command. It took care of the changes where it added the `standalone:
false` to all our files since we are still on modular architecture.
Other changes include
- adding `flush()` to fakeAsync mock test
- fixing some complaints raised by tsc linter as per the new typescript
type checks
- removed `this` from html components
- fixed jest config for newer presets
projects / ceph-ci.git / log