Commit Graph

94764 Commits

Author SHA1 Message Date
Kefu Chai
8b144a1a5f
Merge pull request #26301 from tchaikov/wip-cxx17-aggre-init
changes to address FTBFS on fc30

Reviewed-by: Brad Hubbard <bhubbard@redhat.com>
Reviewed-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Adam C. Emerson <aemerson@redhat.com>
2019-02-08 16:09:11 +08:00
Kefu Chai
92a7a3f6f7
Merge pull request #26311 from tchaikov/wip-docker-fc-29
tests: update Dockerfile to support fc-29

Reviewed-By: Neha Ojha <nojha@redhat.com>
2019-02-08 14:37:51 +08:00
Kefu Chai
00989aa0a3
Merge pull request #26313 from tchaikov/wip-mgr-ansible-tox
mgr/ansible: add install tox==2.9.1

Reviewed-by: Sebastian Wagner <sebastian.wagner@suse.com>
2019-02-08 13:12:25 +08:00
David Zafman
690ff9a21f
Merge pull request #26213 from dzafman/wip-38041
osd: Fix recovery and backfill priority handling

Reviewed-by: Neha Ojha <nojha@redhat.com>
Reviewed-by: Josh Durgin <jdurgin@redhat.com>
2019-02-07 17:26:34 -08:00
David Zafman
ca5cf14fa8 test: Add scripts to test backfill/recovery priority handling
Signed-off-by: David Zafman <dzafman@redhat.com>
2019-02-07 15:46:23 -08:00
David Zafman
d088ffb09f osd: Add OSD_BACKFILL_PRIORITY_FORCED with lower priority
than OSD_RECOVERY_PRIORITY_FORCED

Signed-off-by: David Zafman <dzafman@redhat.com>
2019-02-07 15:46:23 -08:00
David Zafman
11097f1235 osd AsyncReserver: Update priority in AsyncReserver for force and cancel-force
Fixes: http://tracker.ceph.com/issues/38041

Signed-off-by: David Zafman <dzafman@redhat.com>
2019-02-07 15:46:23 -08:00
Sage Weil
d3766916a7 Merge PR #26059 into master
* refs/pull/26059/head:
	mon/MonClient: fix keepalive with v2 auth
	msg/async/ProtocolV2: reject peer_addrs of -
	msg/async/ProtocolV2: clean up feature management
	mon/MonClient: set up rotating_secrets, etc before msgr ready
	msg/async: let client specify preferred order of modes
	msg/async/ProtocolV2: include entity_name, features in reconnect
	msg/async/ProtocolV2: fix write_lock usage around AckFrame
	qa/suites/rados/verify/validator/valgrind: debug refs = 5
	qa/standalone/ceph-helpers: fix health_ok test
	auth/AuthRegistry: only complain about disabling cephx if cephx was enabled
	auth/AuthRegistry: fix locking for get_supported_methods()
	auth: remove AUTH_UNKNOWN weirdness, hardcoded defaults.
	msg/async/ProtocolV2: remove unused get_auth_allowed_methods
	osd: set up messener auth_* before setting dispatcher (and going 'ready')
	mon/AuthMonitor: request max_global_id increase from peon in tick
	mon: prime MgrClient only after messengers are initialized
	qa/suites/rados/workloads/rados_api_tests.yaml: debug mgrc = 20 on mon
	auth: document Auth{Client,Server} interfaces
	auth: future-proof AUTH_MODE_* a bit in case we need to change the encoding byte
	mon/MonClient: request monmap on open instead of ping
	mgr/PyModuleRegistry: add details for MGR_MODULE_{DEPENDENCY,ERROR}
	crimson: fix build
	mon/MonClient: finsih authenticate() only after we get monmap; fix 'tell mgr'
	mon: add auth_lock to protect auth_meta manipulation
	ceph-mon: set up auth before binding
	mon: defer initial connection auth attempts until initial quorum is formed
	mon/MonClient: make MonClientPinger an AuthCleint
	ceph_test_msgr: use DummyAuth
	auth/DummyAuth: dummy auth server and client for test code
	mon/Monitor: fix leak of auth_handler if we error out
	doc/dev/cephx: re-wordwrap
	doc/dev/cephx: document nautilus change to cephx
	vstart.sh: fix --msgr2 option
	msg/async/ProtocolV2: use shared_ptr to manage auth_meta
	auth/Auth{Client,Server}: pass auth_meta in explicitly
	mon/MonClient: behave if authorizer can't be built (yet)
	osd: set_auth_server on client_messenger
	common/ceph_context: get_moduel_type() for seastar cct
	auth: make connection_secret a std::string
	auth,msg/async/ProtocolV2: negotiate connection modes
	auth/AuthRegistry: refactor handling of auth_*_requred options
	osd,mgr,mds: remove unused authorize registries
	switch monc, daemons to use new msgr2 auth frame exchange
	doc/dev/msgr2: update docs to match implementation for auth frames
	auth/AuthClientHandler: add build_initial_request hook
	msg/Messenger: attach auth_client and/or auth_server to each Messenger
	auth: introduce AuthClient and AuthServer handlers
	auth: codify AUTH_MODE_AUTHORIZER
	msg/Connection: track peer_id (id portion of entity_name_t) for msgr2
	auth/AuthAuthorizeHandler: add get_supported_methods()
	auth/AuthAuthorizeHandler: fix args for verify_authorizer()
	auth: constify bufferlist arg to AuthAuthorizer::add_challenge()
	auth/cephx: share all tickets and connection_secret in initial reply
	msg/async,auth: add AuthConnectionMeta to Protocol
	auth/AuthClientHandler: pass in session_key, connection_secret pointers
	auth/AuthServiceHandler: take session_key and connection_secret as args
	auth/cephx: pass more specific type into build_session_auth_info
	mon/Session: separate session creation, peer ident, and registration
	mon/AuthMonitor: bump max_global_id from on_active() and tick()
	mon/AuthMonitor: be more careful with max_global_id
	mon: only all ms_handle_authentication() if auth method says we're done
	mon/AuthMonitor: fix "finished with auth" condition check
	auth: clean up AuthServiceHandler::handle_request() args
	auth: clean up AuthServiceHandler::start_session()
	mon/AuthMonitor: drop unused op arg to assign_global_id()
	msg/async: separate TAG_AUTH_REQUEST_MORE and TAG_AUTH_REPLY_MORE
	msg/async: consolidate authorizer checks
	msg/async: move get_auth_allowed into ProtocolV2.cc
	mon/MonClient: trivial cleanup

Reviewed-by: Greg Farnum <gfarnum@redhat.com>
2019-02-07 16:51:39 -06:00
Sage Weil
372b7aed8a mon/MonClient: fix keepalive with v2 auth
The old trick of queuing a keepalive sequenced before auth does not work
when auth happens earlier in the process.  Work around it.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:28:20 -06:00
Sage Weil
43b8a77ca4 msg/async/ProtocolV2: reject peer_addrs of -
This shouldn't happen and isn't valid.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
8fe78da5ea msg/async/ProtocolV2: clean up feature management
- check features on reconnect
- preserve features when connections are replaced
- require MSG_ADDR2 across the board

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
fea314ea3b mon/MonClient: set up rotating_secrets, etc before msgr ready
We need to have rotating_secrets non-null before we can accept
connections or else we will segfault in handle_auth_request.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
eaba5696fd msg/async: let client specify preferred order of modes
The server side has an allowed list, while the client has an ordered list
in order of preference.

Note that some of the options are used as both (e.g., cluster_modes) as they
are used at both connecting and accepting ends of the connection.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
91a888ecb4 msg/async/ProtocolV2: include entity_name, features in reconnect
- A connects to B
- A sends client_ident
- fault before A gets server_ident, so A doesn't know B's features or name
- B reconnects to A
- connection established

A thinks B is unknown.0 and has not idea what the featurs are.

Fix this by including id and featurs in reconnect.  We don't know the type, but that is
included in TAG_HELLO in another branch, which will be merged separately; add a

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
5d84f11934 msg/async/ProtocolV2: fix write_lock usage around AckFrame
If we are calling _try_send or touching outcoming_bl we must be holding
write_lock.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
65e81e6eb4 qa/suites/rados/verify/validator/valgrind: debug refs = 5
If we detect a leak, let's include logging so we can find it.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
dcdca44aa4 qa/standalone/ceph-helpers: fix health_ok test
Stopping the osd daemon won't reliably get you HEALTH_WARN or ERR; you have
to make sure it is also marked down.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
eb4af28be4 auth/AuthRegistry: only complain about disabling cephx if cephx was enabled
This gets rid of some warnings when auth_supported=none.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
7ba8ee2e04 auth/AuthRegistry: fix locking for get_supported_methods()
The other read-side accessors all consume this method and don't
need their own locking.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
028f1af996 auth: remove AUTH_UNKNOWN weirdness, hardcoded defaults.
This is what the old code does so I kept it but I don't think it makes any sense.
Same with the defaults; let's just set the config option to something valid.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
ecf41b1a3c msg/async/ProtocolV2: remove unused get_auth_allowed_methods
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
fa44155acc osd: set up messener auth_* before setting dispatcher (and going 'ready')
The messenger doesn't activate until you set the dispatcher.  Set up the auth_client
and auth_server values before that.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
524f26d7a9 mon/AuthMonitor: request max_global_id increase from peon in tick
For authv2, we only increase max_global_id from tick, not via prep_auth(), so we
need to ask the leader for more IDs here as we do there.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
869d43d982 mon: prime MgrClient only after messengers are initialized
If we do it earlier we may crash due to an uninitialised messenger
auth_client.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
ee59743a1a qa/suites/rados/workloads/rados_api_tests.yaml: debug mgrc = 20 on mon
Seeing some hangs when the mon is forwarding mgr commands (pg deep-scrub)
to the mgr.  This is a buggy test (it should send it to the mgr directly)
but it is helpful to verify the mon forwarding behavior works.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
e1f6eb8a7a auth: document Auth{Client,Server} interfaces
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
771682aad0 auth: future-proof AUTH_MODE_* a bit in case we need to change the encoding byte
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
e48301c5cf mon/MonClient: request monmap on open instead of ping
The ping is useless.  The MMonGetMap ensures we get a monmap (and finish
authenticate()) before we get any other maps/messages, like mgr_map.
Getting other maps sooner rather than later can be confuse to MonClient
users because they will get dispatched MMgrMap before the authenticate()
call has returned.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
4a7aca7737 mgr/PyModuleRegistry: add details for MGR_MODULE_{DEPENDENCY,ERROR}
We want to know what modules failed and why.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
09b1c44f27 crimson: fix build
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
42b5c4dd8f mon/MonClient: finsih authenticate() only after we get monmap; fix 'tell mgr'
We used to get a valid monmap before we finished the MAuth exchange and
returned from authenticate().  Now, we finish authenticating before we even
send or receive a message, so authenticate() returns quickly.  This
confuses many callers, and is probably a bad idea.  So, rejigger the
_finish_auth and _finish_hunting callers so that we finish hunting as soon
as we have picked a mon but don't finish_auth if we have not gotten our
first monmap.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
574e6bf6ad mon: add auth_lock to protect auth_meta manipulation
In particular, we could be handling a get_auth_request() on a reconnect
while also running handle_auth_request() on a racing connection between
monitors.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
766df9f740 ceph-mon: set up auth before binding
Otherwise initial connections will fail because they lack the auth_server.


Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
f1b917c2cc mon: defer initial connection auth attempts until initial quorum is formed
Otherwise e.g. a client.admin connectin will fail because the mon doesn't
have the key in the database yet.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
d532e1ef1a mon/MonClient: make MonClientPinger an AuthCleint
Reuse MonConnection to do the authentication.

Note this is a change in behavior: ceph ping mon* now requires
authentication.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
07b00a06e6 ceph_test_msgr: use DummyAuth
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
396e10fe79 auth/DummyAuth: dummy auth server and client for test code
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
b3defafb41 mon/Monitor: fix leak of auth_handler if we error out
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
5e4df2a509 doc/dev/cephx: re-wordwrap
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
c1102f043e doc/dev/cephx: document nautilus change to cephx
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
d3f0d0968a vstart.sh: fix --msgr2 option
Should be v2 only and turn of v1.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
87a991cc28 msg/async/ProtocolV2: use shared_ptr to manage auth_meta
When we reconnect a session, we need to move the new connection's auth_meta
over to the existing connection.  However, the existing connection may
have a thread that is unlocked and calling into an AuthClient or AuthServer
method making good use of the old auth_meta.

Resolved this by making auth_meta a shared_ptr and taking a local ref
before dropping the connection lock.  This way we are free to move the
auth_meta over to the new connection as long as we are holding the lock,
and at the same time the existing connection can fiddle with the old
auth_meta without being disturbed.  (That old auth_meta is about to get
discarded, but we still need to prevent the two threads from stomping on
each other.)

This also cleans up the reset_recv_state() a bit since we can simply
replace the old auth_meta with a totally fresh one without worrying about
what kind of state might be lurking in there.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
160b54da80 auth/Auth{Client,Server}: pass auth_meta in explicitly
This removes the wonky accessor on Connection, and most importantly
allows the caller to control the lifecycle of the AuthConnectionMeta.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
a948c0d0de mon/MonClient: behave if authorizer can't be built (yet)
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
26a8bb65a7 osd: set_auth_server on client_messenger
monc sets up the AuthClient, not the AuthServer.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
c1b5794a5a common/ceph_context: get_moduel_type() for seastar cct
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
951da2fbfa auth: make connection_secret a std::string
Move connection mode decision to initial auth_request point so that it
can inform auth implementation how big the connection secret should be.
Pass that value through where appropriate.

The connection_secret is now a std::string filled with random bytes.

For now the v2 protocol just uses the session_key CryptoKey to encrypt,
but this is about to change.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
c7ee66c3e5 auth,msg/async/ProtocolV2: negotiate connection modes
The modes are:

- crc: crc32c checksums to protect against bit errors.  No secrecy or
  authenticity guarantees, so a MITM could alter traffic in flight.
- secure: cryptographic secrecy and authenticity proection (i.e, encrypted
  and signed).

We do not include a 'signed' mode that provides authenticity without
secrecy because the cryptographic protocols appear to be faster than
SHA-2.

New settings:

- ms_cluster_mode  : mode(s list) for intra-cluster connections
- ms_service_mode  : mode(s list) for daemons to allow
- ms_client_mode   : mode(s list) for clients to allow

Also,

- ms_mon_cluster_mode  : mon <-> mon connections
- ms_mon_service_mode  : mon <-> daemon or client connections

The msgr2 protocol is expanded slightly to negotiate a mode.  Client
shares it's allowed/preferred modes, and server picks one as auth finishes.
Negotiation is independent of the authentication, except that the
authentiction mode may precluse certain choices. Specifically, AUTH_NONE
does not support 'secure', only 'crc'.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
9c3dd336b7 auth/AuthRegistry: refactor handling of auth_*_requred options
- simplify/consolidate my type and peer type effects on auth method
- watch for runtime config changes

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
fa7c83f6dc osd,mgr,mds: remove unused authorize registries
These are handled by AuthClient and AuthServer now.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00