mgr/cephadm: fix nvmeof TLS handling and add coverage for ssl/mTLS
This PR fixes the value of the `ssl` field on `NvmeofServiceSpec` (was
always set to enable_auth) and adds some UT to make sure both specs
with ssl only and with mTLS enabled (enable_auth) generate the
expected daemon configuration.
Gil Bregman [Sun, 12 Apr 2026 16:18:07 +0000 (19:18 +0300)]
mgr/dashboard: Add location to gateway info command in NVMeoF CLI
Fixes: https://tracker.ceph.com/issues/75968
Signed-off-by: Gil Bregman <gbregman@il.ibm.com>
mgr/dashboard: replace deprecated codecs.open with open
codecs.open() has been deprecated since Python 3.14, see
https://docs.python.org/3/library/codecs.html#codecs.open.
Let's use the builtin open() as recommended by the official
document.
Gil Bregman [Mon, 6 Apr 2026 22:08:15 +0000 (01:08 +0300)]
mgr/dashboard: Add namespace encryption support to NVMeoF CLI
Fixes: https://tracker.ceph.com/issues/74965
Signed-off-by: Gil Bregman <gbregman@il.ibm.com>
qa/cephadm: fix NFS ganesha startup failure in containers
The test_cephadm.sh workunit deploys NFS using cephadm _orch deploy with
config_blobs sourced from src/cephadm/samples/nfs.json. The ganesha.conf
section in that sample has no NFS_CORE_PARAM block, so allow_set_io_flusher_fail
defaults to false.
On Rocky Linux 10 (the current base for ceph:main images), ganesha 7.0 calls
prctl(PR_SET_IO_FLUSHER) at startup. Containers lack the required capabilities
(CAP_SYS_ADMIN/CAP_SYS_RAWIO) for this syscall, so it returns EPERM. With
allow_set_io_flusher_fail unset, ganesha treats this as a fatal error and aborts
immediately, before even fetching the %url RADOS config.
The orchestrator path (ganesha.conf.j2) already has allow_set_io_flusher_fail = true
in its NFS_CORE_PARAM block. This fix brings the sample config used by the
standalone test path in line with it.
This commit fixes an issue where, when the image is not the base distro,
the debug suffix for it is overwritten. This is especially
required for crimson debug builds to work for rocky10.
Aashish Sharma [Tue, 31 Mar 2026 04:30:23 +0000 (10:00 +0530)]
mgr/dashboard: Add option to edit zone with keys/argument like "sync_from" and "sync_from_all"
Currently, there is no option to configure the sync_from and sync_from_all keys directly while creating or editing a zone from the dashboard. These arguments are particularly important when setting up archive zones. In archive zones, duplicate objects appear when sync_from_all is set to true (which is the default). The fix is to:
1. Set sync_from_all to false
2. Set sync_from to point to the master zone only
This ensures that the archive zone syncs exclusively from the master zone, preventing duplicate object issues.
Leonid Chernin [Tue, 17 Mar 2026 15:40:16 +0000 (17:40 +0200)]
nvmeofgw: propagate quorum feature to the NVMeofMonClient,
reverted feature bit NVMEOF_BEACON_DIFF:
- NVMeofGwMon adds a quorum_features indication to the MonClient map.
- MonClient initially sends beacons without applying the BEACON_DIFF logic.
- MonClient begins applying the BEACON_DIFF logic only when the BEACON_DIFF bit
  is set in the quorum_features field of the NVMeoF monitor map.
- added mon commands:
  nvme-gw set beacon-diff disable
  nvme-gw set beacon-diff enable
- performed changes in encode/decode of the BEACON_DIFF feature
- reverted NVMEOF_BEACON_DIFF bit
Signed-off-by: Leonid Chernin <leonidc@il.ibm.com>
qa/cephadm: derive container image from cephadm release
test_cephadm.sh hardcodes IMAGE_DEFAULT to ceph:main, which breaks
every stable branch whenever main is renamed to a new release. The
mismatch check in cephadm correctly rejects the container because its
release name doesn't match cephadm's own release. This has recurred on
every release transition (squid→tentacle, quincy→reef) without a fix.
Instead of always pulling ceph:main, derive IMAGE_DEFAULT from the
installed cephadm's version output. On stable builds (release type
"stable"), use ceph:<release> so the container matches cephadm. On dev
builds (main branch), fall back to ceph:main as before. The IMAGE_DEFAULT
env var can still be set externally to override.
Annmool [Sun, 15 Mar 2026 13:54:36 +0000 (19:24 +0530)]
mgr/dashboard: use border-subtle utility class in overview and tearsheet
Replace the remaining custom dashboard border classes in the overview alerts card and tearsheet with the shared border-subtle utility classes. Update the alerts-card unit test so it checks the shared utility class name used by the template. Stub Prometheus overview requests in the dashboard a11y Cypress test so the test does not fail on missing metrics in CI.
Bootstrap fails on v20.2.0 upgrade because of
cephadm binary and ceph image version mismatch.
This fixes the following problem in bootstrap by using
tentacle cephadm binary:
```
Error: Container release tentacle != cephadm release umbrella; please use matching version of cephadm (pass --allow-mismatched-release to continue anyway)
```
debian: remove stale distutils override from py3dist-overrides
distutils was deprecated in Python 3.10 (PEP 632) and removed in
Python 3.12. The `python3-distutils` package no longer exists in
Debian Trixie (Python 3.13) or Ubuntu 24.04+ (Python 3.12).
The only runtime reference was in `debian/ceph-mgr.requires`, already
cleaned up by 3fb3f892aa3. This override is now dead code, hence no
installed file declares a runtime dependency on `distutils`, so
`dh_python3` never resolves it. Removing it prevents a latent
uninstallable-dependency bug if `distutils` were accidentally
reintroduced in a `.requires` file.
Fixes: https://tracker.ceph.com/issues/75901
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Max R. Carrara <m.carrara@proxmox.com>
Signed-off-by: Kefu Chai <k.chai@proxmox.com>
libcephsqlite: ensure atexit handlers are registered after openssl
When the sqlite3 executable encounters an error with .bail=on, it will
make a call to exit(). The atexit() handlers will execute in LIFO order.
We need to ensure that openssl (before OpenSSL 4.0 [1]) atexit handlers are
registered before libcephsqlite.
[1] http://github.com/openssl/openssl/commit/31659fe32673a6bd66abf3f8a7d803e81c6ffeed (OpenSSL 4.0 no longer arms `OPENSSL_cleanup()` function as an `atexit(3)`)
Fixes: https://tracker.ceph.com/issues/59335
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
Increase op_delay to pggrow to avoid rapid PG splits.
Excessive splitting with a low reactor count can leave many PGs in
snaptrim, causing tests to hit the (short) snap trimming timeout.
Crimson's pggrow keeps the OSDs clean throughout the entire test,
which is against do_thrash expectations.
Increasing op_delay would reduce do_thrash "actions" back to a normal rate.
Use prompts that cannot be selected in CLI examples. Remove warnings
about selectable prompts.
Use privileged prompt for ceph commands.
Use inline formatting consistently.
Improve capitalization.
Signed-off-by: Ville Ojamo <git2233+ceph@ojamo.eu>
Reviewed-by: Patrick Donnelly <pdonnell@ibm.com>
Reviewed-by: Redouane Kachach <rkachach@redhat.com>
Reviewed-by: Adam C. Emerson <aemerson@redhat.com>
Kefu Chai [Sun, 29 Mar 2026 11:42:25 +0000 (19:42 +0800)]
crimson/osd: use O_CLOEXEC with pipe2() in get_early_config
Without O_CLOEXEC the pipe fds are inherited across any future exec()
calls. While the child in get_early_config does not exec, using
O_CLOEXEC is standard practice to prevent inadvertent fd leaks into
subprocesses spawned later in the OSD lifetime.