From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Kefu Chai <k.chai@proxmox.com>, pve-devel@lists.proxmox.com
Cc: Kefu Chai <tchaikov@gmail.com>
Subject: Re: [PATCH manager 1/1] ceph: osd: fix bootstrap keyring creation when auth_client_required is not in ceph.conf
Date: Wed, 11 Mar 2026 18:02:27 +0100 [thread overview]
Message-ID: <40e8e151-a812-4041-a4de-b0a79098eb73@proxmox.com> (raw)
In-Reply-To: <20260311132849.437725-3-k.chai@proxmox.com>
Am 11.03.26 um 14:29 schrieb Kefu Chai:
> The condition guarding bootstrap-osd keyring creation checks for
> `auth_client_required eq 'cephx'` by reading ceph.conf directly. When
> this setting is absent from ceph.conf (relying on the Ceph default, or
> configured via the mon config database instead), the check evaluates as
> `undef eq 'cephx'` which is false, causing PVE to skip creating the
> bootstrap keyring. ceph-volume then fails because it cannot find
> /var/lib/ceph/bootstrap-osd/ceph.keyring.
>
> This can happen when:
> - ceph.conf [global] was created before `pveceph init` wrote the auth
> settings (pveceph init skips writing them if [global] already exists)
> - auth settings were moved from ceph.conf to the mon config database
> - an upgrade or migration left ceph.conf without the auth lines
>
> Fix by defaulting to 'cephx' when the setting is absent (matching
> Ceph's own default) and inverting the check to only skip keyring
> creation when auth is explicitly set to 'none'.
>
> Signed-off-by: Kefu Chai <tchaikov@gmail.com>
> Signed-off-by: Kefu Chai <k.chai@proxmox.com>
> ---
> PVE/API2/Ceph/OSD.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/PVE/API2/Ceph/OSD.pm b/PVE/API2/Ceph/OSD.pm
> index a952c952..062729ae 100644
> --- a/PVE/API2/Ceph/OSD.pm
> +++ b/PVE/API2/Ceph/OSD.pm
> @@ -407,7 +407,7 @@ __PACKAGE__->register_method({
>
> if (
> !-f $ceph_bootstrap_osd_keyring
> - && $ceph_conf->{global}->{auth_client_required} eq 'cephx'
> + && ($ceph_conf->{global}->{auth_client_required} // 'cephx') ne 'none'
As the same variable is already accessed in the line above without a
fallback, it either has to be already always defined and this // 'cephx'
is superfluous, or we should pull that out upfront and use it for both,
like:
my $auth_client_required = $ceph_conf->{global}->{auth_client_required} // 'cephx';
(disclaimer, I did not review within the full code context, only found
above pattern slightly odd)
> ) {
> my $bindata = $rados->mon_command({
> prefix => 'auth get-or-create',
next prev parent reply other threads:[~2026-03-11 17:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 13:28 [PATCH manager 0/1] fix bootstreap keyring creation when auth_client_required is missing Kefu Chai
2026-03-11 13:28 ` [PATCH manager 1/1] ceph: osd: fix bootstrap keyring creation when auth_client_required is not in ceph.conf Kefu Chai
2026-03-11 17:02 ` Thomas Lamprecht [this message]
2026-03-12 3:35 ` Kefu Chai
2026-03-12 5:19 ` kefu chai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40e8e151-a812-4041-a4de-b0a79098eb73@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=k.chai@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=tchaikov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox