[pve-devel] [PATCH storage] Fix #2705: cephfs: mount fails with bad option

2020-04-24 Thread Alwin Antreich
dmesg: libceph: bad option at 'conf=/etc/pve/ceph.conf'

After the upgrade to PVE 6 with Ceph Luminous, the mount.ceph helper
doesn't understand the conf= option yet, so the CephFS mount with the
kernel client fails. After upgrading to Ceph Nautilus, the option exists
in the mount.ceph helper.

Signed-off-by: Alwin Antreich 
---
 PVE/CephConfig.pm   | 29 +
 PVE/Storage/CephFSPlugin.pm |  6 +-
 PVE/Storage/RBDPlugin.pm| 31 +--
 3 files changed, 35 insertions(+), 31 deletions(-)

diff --git a/PVE/CephConfig.pm b/PVE/CephConfig.pm
index 685bdae..1e95a90 100644
--- a/PVE/CephConfig.pm
+++ b/PVE/CephConfig.pm
@@ -255,4 +255,33 @@ sub ceph_remove_keyfile {
 }
 }
 
+my $ceph_version_parser = sub {
+my $ceph_version = shift;
+# FIXME this is the same as pve-manager PVE::Ceph::Tools get_local_version
+if ($ceph_version =~ 
/^ceph.*\s(\d+(?:\.\d+)+(?:-pve\d+)?)\s+(?:\(([a-zA-Z0-9]+)\))?/) {
+   my ($version, $buildcommit) = ($1, $2);
+   my $subversions = [ split(/\.|-/, $version) ];
+
+   return ($subversions, $version, $buildcommit);
+}
+warn "Could not parse Ceph version: '$ceph_version'\n";
+};
+
+sub ceph_version {
+my ($cache) = @_;
+
+my $version_string = $cache;
+if (!defined($version_string)) {
+   run_command('ceph --version', outfunc => sub {
+   $version_string = shift;
+   });
+}
+return undef if !defined($version_string);
+# subversion is an array ref. with the version parts from major to minor
+# version is the filtered version string
+my ($subversions, $version) = $ceph_version_parser->($version_string);
+
+return wantarray ? ($subversions, $version) : $version;
+}
+
 1;
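Review bot: The failure paths of `ceph_version` hand back values that callers cannot safely dereference. When the regex does not match, `$ceph_version_parser` falls through to `warn`, so the closure returns the value of the `warn` call rather than an empty list, and `return undef` yields a one-element list in list context; both callers in this patch take the first element and index into it. I would end the parser with an explicit `return;` after the `warn`, use a bare `return;` in place of `return undef`, and add a comment on `ceph_version` such as `# returns an empty list (undef in scalar context) if the version cannot be determined; callers must check`. Whether `run_command` is imported in PVE/CephConfig.pm is not visible in this hunk and is worth confirming.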
diff --git a/PVE/Storage/CephFSPlugin.pm b/PVE/Storage/CephFSPlugin.pm
index 4aa9e96..54689ae 100644
--- a/PVE/Storage/CephFSPlugin.pm
+++ b/PVE/Storage/CephFSPlugin.pm
@@ -80,6 +80,7 @@ EOF
 sub cephfs_mount {
 my ($scfg, $storeid) = @_;
 
+my ($subversions) = PVE::CephConfig::ceph_version();
 my $mountpoint = $scfg->{path};
 my $subdir = $scfg->{subdir} // '/';
 
@@ -98,7 +99,10 @@ sub cephfs_mount {
 } else {
push @opts, "name=$cmd_option->{userid}";
push @opts, "secretfile=$secretfile" if defined($secretfile);
-   push @opts, "conf=$configfile" if defined($configfile);
+   
+   # FIXME: remove subversion check in PVE 7.0, not needed for >= Nautilus
+   # Luminous doesn't know the conf option
+   push @opts, "conf=$configfile" if defined($configfile) && 
@$subversions[0] > 12;
 }
 
 push @opts, $scfg->{options} if $scfg->{options};
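Review bot: The new condition `@$subversions[0] > 12` dereferences `$subversions` without checking it, so a missing or unparsable `ceph --version` result now decides whether a CephFS storage can be mounted at all. `ceph_version()` is called at the top of `cephfs_mount` (previous hunk) and can return undef or a non-reference on failure; depending on the strictures in this file, that would either abort the mount or silently compare an undefined value. `@$subversions[0]` is also a one-element slice where `$subversions->[0]` is meant. I would write `my $major = ref($subversions) ? $subversions->[0] : undef;` and `push @opts, "conf=$configfile" if defined($configfile) && defined($major) && $major > 12;`, with a comment saying which way the check falls when the version is unknown. The body of `cephfs_mount` continues outside both hunks.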
diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index 0a33ec0..7371721 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -77,7 +77,7 @@ my $librados_connect = sub {
 my $krbd_feature_update = sub {
 my ($scfg, $storeid, $name) = @_;
 
-my ($versionparts) = ceph_version();
+my ($versionparts) = PVE::CephConfig::ceph_version();
 return 1 if $versionparts->[0] < 10;
 
 my (@disable, @enable);
@@ -123,35 +123,6 @@ my $krbd_feature_update = sub {
 }
 };
 
-my $ceph_version_parser = sub {
-my $ceph_version = shift;
-# FIXME this is the same as pve-manager PVE::Ceph::Tools get_local_version
-if ($ceph_version =~ 
/^ceph.*\s(\d+(?:\.\d+)+(?:-pve\d+)?)\s+(?:\(([a-zA-Z0-9]+)\))?/) {
-   my ($version, $buildcommit) = ($1, $2);
-   my $subversions = [ split(/\.|-/, $version) ];
-
-   return ($subversions, $version, $buildcommit);
-}
-warn "Could not parse Ceph version: '$ceph_version'\n";
-};
-
-sub ceph_version {
-my ($cache) = @_;
-
-my $version_string = $cache;
-if (!defined($version_string)) {
-   run_command('ceph --version', outfunc => sub {
-   $version_string = shift;
-   });
-}
-return undef if !defined($version_string);
-# subversion is an array ref. with the version parts from major to minor
-# version is the filtered version string
-my ($subversions, $version) = $ceph_version_parser->($version_string);
-
-return wantarray ? ($subversions, $version) : $version;
-}
-
 sub run_rbd_command {
 my ($cmd, %args) = @_;
 
-- 
2.20.1




Re: [pve-devel] [PATCH manager] certs: early renew long-lived certificates

2020-04-24 Thread Fabian Grünbichler
On April 23, 2020 9:42 pm, Thomas Lamprecht wrote:
> On 4/23/20 1:59 PM, Fabian Grünbichler wrote:
>> On April 23, 2020 1:07 pm, Dominik Csapak wrote:
>>> LGTM
>>>
>>> maybe we should shorten the lifespan to 1 year already?
>>> according to [0], safari on macos will reject certs
>>> that are longer valid than 398 days, when issued on/after
>>> 2020-09-01
>>>
>>> 0: https://support.apple.com/en-us/HT211025
>>>
>> 
>> forgot to include this tidbit: that change was actually the reason for 
>> looking at it, but it only affects certificates issued by CAs shipped in 
>> the Apple Trust Stores, not those issued by CAs manually trusted by a 
>> user. so our self-signed CA and its certificates are not affected (for 
>> now).
> 
> This all makes me thinking... Wouldn't we need to have the PMG also adapt
> to this? Checked a very recently from (new test) ISO installed test VM gets
> me a 10 year certificate lifespan.. I mean, there more may use a "trusted"
> one, but still..

Apple's 825-day limit also affects self-signed certificates, AFAIU. So yes, we
should probably port the renewal and shortened-lifetime changes to PMG as
well.
