Crush temporary buffers are allocated as per replica size configured
by the user. When there are more final osds (to be selected as per
rule) than the replicas, buffer overlaps and it causes crash. Now, it
ensures that at most num-rep osds are selected even if more number of
osds are allowed by indep rule. The fix for firstn rules is already
merged as part of bug #9492. Required test files are added.
Fixes: #9492
Signed-off-by: Johnu George <johnugeo@cisco.com>
(cherry picked from commit 234b066ba0)
Crush temporary buffers are allocated as per replica size configured
by the user. When there are more final osds (to be selected as per
rule) than the replicas, buffer overlaps and it causes crash. Now, it
ensures that at most num-rep osds are selected even if more number of
osds are allowed by the rule.
Fixes: #9492
Signed-off-by: Johnu George <johnugeo@cisco.com>
(cherry picked from commit 6b4d1aa997)
It is expected for ceph tell to fail with ENXIO if the daemon it is
trying to join is not ready for some reason. This should be handled as a
transient error instead of a fatal error.
Add two shell functions to help with retry. They may prove useful if
other cases requiring a few retries show up.
http://tracker.ceph.com/issues/9655
Fixes: #9655
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
Crush temporary buffers are allocated as per replica size configured
by the user. When there are more final osds (to be selected as per
rule) than the replicas, buffer overlaps and it causes crash. Now, it
ensures that at most num-rep osds are selected even if more number of
osds are allowed by indep rule. The fix for firstn rules is already
merged as part of bug #9492. Required test files are added.
Fixes: #9492
Signed-off-by: Johnu George <johnugeo@cisco.com>
We weren't setting an explicit compat version and so the Message
was setting it to the head version, breaking communication with
older daemons.
Fixes: #9657
Signed-off-by: Greg Farnum <greg@inktank.com>
Keep a bool sharded in memory and use for set/get_allow_sharded_objects()
Create a file "sharded" in the data dir when sharded is true during _save()
Check for file "sharded" during _load()
Fixes: #9661
Signed-off-by: David Zafman <dzafman@redhat.com>
Although they have been useful, their maintenance and fragility caused
more trouble than their benefits.
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
(cherry picked from commit 038de0031b)
And the mon_advanced_debug_mode option that is only used in the context
of osdmonitor_prepare_command.
http://tracker.ceph.com/issues/9245
Fixes: #9245
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
(cherry picked from commit 2abc8f400f)
If a given client doesn't have the required caps when running a command,
it must receive an EACCES or EPERM reply. This is already handled by
Monitor::handle_command(), which does an exceptionally good job at it.
Therefore, and unlike other messages that do not expect return values,
we can't simply drop the message if the client doesn't have the
appropriate capabilities, or things can get very weird very fast from
the user's perspective. Dropping the message for a command without a
reply has roughly the same effect as loss of quorum (timeout, pipes
failing) and confusion may ensue from it.
Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
Test creating an entity with blank caps with and without '--force'
being specified. Without '--force' they must fail with EINVAL as the
monitor will not be able to parse them.
Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
Eye-candy. We changed indentation of a few other entries and this one
was just too darn obvious, itching all over, night terrors, the whole
nine yards.
Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
We have variables with the same name that are being shared! We don't
hit any issues with it currently because the code just kind of works
even though that happens. Add a bit of new logic that relies on an
immutable return code (for instance) and we're in the woods.
Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
Only dispatch messages that a client may send if said client has at
least MON_CAP_R, and only dispatch internal monitor messages if peer is
a monitor.
Backport: firefly
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
Instead of a single switch(), have multiple switch() and order them by
increasing necessity of privileges.
This patch thus divides the big switch into:
- messages not requiring auth/caps checks at all
- messages whose caps shall be checked somewhere else
- messages the Monitor class needs to deal with but only require a
client to have enough caps for the monitor to consider handling them
- messages that only a monitor is allowed to send.
Backport: firefly
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
Adds three new profiles:
read-only: able to issue all read-only (MON_CAP_R) commands. Any
command that may take additional caps (MON_CAP_W or MON_CAP_X) won't
be allowed.
read-write: able to issue all read-write (MON_CAP_R | MON_CAP_W)
commands. Commands that require MON_CAP_X will not be allowed.
role-definer: solely able to issue commands on the 'auth' subsystem,
to which all caps are given (MON_CAP_R | MON_CAP_W | MON_CAP_X).
Fixes: #8899
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
We were checking the command's permissions against what we perceived as
the 'module' from parsing the command's "prefix" (specified by the
client). This caused troubles with cap checks for commands without a
submodule clearly defined, such as 'status' or 'health' (vs 'mon dump'
or 'osd pool set', which are of submodule 'mon' and 'osd' respectively).
As such, we now grab the command's submodule (right now solely for caps
checks) from the monitor's internal representation of the commands
(defined in mon/MonCommands.h and built at compile time and stashed in
'mon_commands'). Given that commands such as 'health', 'fsid' or
'status' have properly defined modules in MonCommands.h, we simply rely
on that representation for all commands. Which is what we should have
been doing from the start anyway, because we shouldn't be relying on the
client to point us to what we want to authenticate against.
Backport: firefly
Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
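
An added sketch, not code from the Ceph tree, of the check the message above describes combined with the three profiles from the earlier commit: the module used for the caps check comes from a server-side command table, not from the client's prefix. The table contents, cap bit values and function names are assumptions made for this illustration.

```cpp
#include <cerrno>
#include <map>
#include <string>

// Cap names as in the commit messages; the bit values are assumed here.
constexpr unsigned MON_CAP_R = 1, MON_CAP_W = 2, MON_CAP_X = 4;

struct MonCommand { std::string module; unsigned required; };

// Constructed stand-in for the table the message says is built from
// mon/MonCommands.h; entries and required caps are illustrative.
static const std::map<std::string, MonCommand> mon_commands = {
  {"status",       {"mon",  MON_CAP_R}},
  {"health",       {"mon",  MON_CAP_R}},
  {"mon dump",     {"mon",  MON_CAP_R}},
  {"osd pool set", {"osd",  MON_CAP_R | MON_CAP_W}},
  {"auth add",     {"auth", MON_CAP_R | MON_CAP_W | MON_CAP_X}},
};

// The approach being replaced: take the first word of the client-supplied
// prefix as the module. For "status" this yields "status", which is not a
// module at all, so the caps check has nothing sensible to match against.
std::string module_from_prefix(const std::string& prefix) {
  return prefix.substr(0, prefix.find(' '));
}

// Caps granted on a module by the three profiles, as the commit describes them.
unsigned profile_caps(const std::string& profile, const std::string& module) {
  if (profile == "read-only")  return MON_CAP_R;
  if (profile == "read-write") return MON_CAP_R | MON_CAP_W;
  if (profile == "role-definer" && module == "auth")
    return MON_CAP_R | MON_CAP_W | MON_CAP_X;
  return 0;
}

// 0 if allowed, -EINVAL for an unknown command, -EACCES if caps are missing.
// The module is read from the server's own table, never from client input.
int check_command(const std::string& profile, const std::string& prefix) {
  auto it = mon_commands.find(prefix);
  if (it == mon_commands.end())
    return -EINVAL;
  const MonCommand& cmd = it->second;
  unsigned have = profile_caps(profile, cmd.module);
  return (have & cmd.required) == cmd.required ? 0 : -EACCES;
}
```
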
The monitor doesn't really know how to validate caps not meant for it.
The MDS or the OSD may very well allow blank caps for instance, while
the monitor categorically does not. We can't simply state a capability
is invalid because we wouldn't take it as such.
On the other hand, we must check monitor caps and make sure they are
correct, otherwise malformed caps can go unnoticed for a while,
sometimes even being hard to understand what may have gone wrong.
Backport: firefly
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
Although they have been useful, their maintenance and fragility caused
more trouble than their benefits.
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
And the mon_advanced_debug_mode option that is only used in the context
of osdmonitor_prepare_command.
http://tracker.ceph.com/issues/9245
Fixes: #9245
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
The STATEDIR variable is used to initialize the bootstrap-osd keyring
before it gets a chance to be overridden by --statedir. Replace it with
{statedir} so that it can be substituted after all options have been
parsed.
http://tracker.ceph.com/issues/9653
Fixes: #9653
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
(cherry picked from commit fa0bd06b46)
The STATEDIR variable is used to initialize the bootstrap-osd keyring
before it gets a chance to be overridden by --statedir. Replace it with
{statedir} so that it can be substituted after all options have been
parsed.
http://tracker.ceph.com/issues/9653
Fixes: #9653
Signed-off-by: Loic Dachary <loic-201408@dachary.org>
The RWTimer event cancellation is racy. Instead, just make all of our
callbacks tolerate cancellation races. This is already true of most of
them (in fact, they are probably broken because they try to take a write
lock while holding a read lock). Fix C_CancelOp so that it calls the
other op_cancel (that takes a tid).
Then switch the RWTimer back to a SafeTimer. Put it in unsafe callbacks
mode because we don't want to introduce lock cycles with timer_lock.
Fixes: #9582
See also: #9650
Signed-off-by: Sage Weil <sage@redhat.com>
In the rados.cc special case to handle putting an empty object, use
write_full() instead of create().
A special case was introduced in 6843a0b81f
to create() an object if the rados put file is empty. Prior to this fix
an attempt to rados put an empty file was a noop. The problem with this
fix is that it is not idempotent. rados put an empty file twice would
fail the second time and rados put a file with one byte would succeed as
expected.
Signed-off-by: Loic Dachary <loic-201408@dachary.org>