From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Kefu Chai <k.chai@proxmox.com>, pve-devel@lists.proxmox.com
Cc: Kefu Chai <tchaikov@gmail.com>
Subject: Re: [PATCH manager 1/1] ceph: osd: fix bootstrap keyring creation when auth_client_required is not in ceph.conf
Date: Wed, 11 Mar 2026 18:02:27 +0100 [thread overview]
Message-ID: <40e8e151-a812-4041-a4de-b0a79098eb73@proxmox.com> (raw)
In-Reply-To: <20260311132849.437725-3-k.chai@proxmox.com>
Am 11.03.26 um 14:29 schrieb Kefu Chai:
> The condition guarding bootstrap-osd keyring creation checks for
> `auth_client_required eq 'cephx'` by reading ceph.conf directly. When
> this setting is absent from ceph.conf (relying on the Ceph default, or
> configured via the mon config database instead), the check evaluates as
> `undef eq 'cephx'` which is false, causing PVE to skip creating the
> bootstrap keyring. ceph-volume then fails because it cannot find
> /var/lib/ceph/bootstrap-osd/ceph.keyring.
>
> This can happen when:
> - ceph.conf [global] was created before `pveceph init` wrote the auth
> settings (pveceph init skips writing them if [global] already exists)
> - auth settings were moved from ceph.conf to the mon config database
> - an upgrade or migration left ceph.conf without the auth lines
>
> Fix by defaulting to 'cephx' when the setting is absent (matching
> Ceph's own default) and inverting the check to only skip keyring
> creation when auth is explicitly set to 'none'.
>
> Signed-off-by: Kefu Chai <tchaikov@gmail.com>
> Signed-off-by: Kefu Chai <k.chai@proxmox.com>
> ---
> PVE/API2/Ceph/OSD.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/PVE/API2/Ceph/OSD.pm b/PVE/API2/Ceph/OSD.pm
> index a952c952..062729ae 100644
> --- a/PVE/API2/Ceph/OSD.pm
> +++ b/PVE/API2/Ceph/OSD.pm
> @@ -407,7 +407,7 @@ __PACKAGE__->register_method({
>
> if (
> !-f $ceph_bootstrap_osd_keyring
> - && $ceph_conf->{global}->{auth_client_required} eq 'cephx'
> + && ($ceph_conf->{global}->{auth_client_required} // 'cephx') ne 'none'
As the same variable is already accessed in the line above without a
fallback, it either has to be already always defined and this // 'cephx'
is superfluous, or we should pull that out upfront and use it for both,
like:
my $auth_client_required = $ceph_conf->{global}->{auth_client_required} // 'cephx';
(disclaimer, I did not review within the full code context, only found
above pattern slightly odd)
> ) {
> my $bindata = $rados->mon_command({
> prefix => 'auth get-or-create',
next prev parent reply other threads:[~2026-03-11 17:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 13:28 [PATCH manager 0/1] fix bootstreap keyring creation when auth_client_required is missing Kefu Chai
2026-03-11 13:28 ` [PATCH manager 1/1] ceph: osd: fix bootstrap keyring creation when auth_client_required is not in ceph.conf Kefu Chai
2026-03-11 17:02 ` Thomas Lamprecht [this message]
2026-03-12 3:35 ` Kefu Chai
2026-03-12 5:19 ` kefu chai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40e8e151-a812-4041-a4de-b0a79098eb73@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=k.chai@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=tchaikov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.