From 0dd48804e11fbe23180a497f4ed9829c58f17116 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Tue, 27 Apr 2021 12:29:58 +0200
Subject: [PATCH] api: ceph/monitor: automatically disable insecure global ID reclaim after creating first monitor

nautilus 14.2.20 and octopus 15.2.11 fixed a security issue with reclaiming the global ID auth (CVE-2021-20288). As fixing this issue means that older client won't be able to connect anymore, the fix was done behind a switch, with a HEALTH warning if it was not active (i.e., disallowed connection from older clients). New installations have this switch also at the insecure level, for compat reasons, so lets deactivate it ourself after monitor creation to avoid the health warning and slightly insecure setup (in default PVE ceph the whole issue was of rather low impact/risk). But, only do so when creating the first monitor of a ceph cluster, to avoid breaking existing setups by accident. An admin can always switch it back again, e.g., if they're recovering from some failure and need to setup fresh monitors but have still old clients.

Signed-off-by: Thomas Lamprecht
---
 PVE/API2/Ceph/MON.pm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Ceph/MON.pm b/PVE/API2/Ceph/MON.pm
index b33b8700..19ba5e50 100644
--- a/PVE/API2/Ceph/MON.pm
+++ b/PVE/API2/Ceph/MON.pm
@@ -199,7 +199,9 @@ __PACKAGE__->register_method ({
 my $rados = eval { PVE::RADOS->new() }; # try a rados connection, fails for first monitor
 my $monhash = PVE::Ceph::Services::get_services_info('mon', $cfg, $rados);
- if (!defined($rados) && (scalar(keys %$monhash) || $cfg->{global}->{mon_host})) {
+ my $is_first_monitor = !(scalar(keys %$monhash) || $cfg->{global}->{mon_host});
+
+ if (!defined($rados) && !$is_first_monitor) {
 die "Could not connect to ceph cluster despite configured monitors\n";
 }
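Review bot: `$is_first_monitor` needs a comment at its assignment, because later in the same handler it also decides whether `auth_allow_insecure_global_id_reclaim` is switched off, and nothing here hints at that security-relevant second use. A line such as `# true if neither the services lookup nor ceph.conf (mon_host) knows a monitor yet; also gates disabling insecure global_id reclaim after creation` above the assignment would do. The value is taken before the monitor exists, from `$monhash` and `$cfg->{global}->{mon_host}` only, so the comment should say that a node where both are empty is treated as a fresh cluster. The enclosing handler starts and ends outside the hunk.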
@@ -226,6 +228,7 @@ __PACKAGE__->register_method ({
 my $mon_keyring = PVE::Ceph::Tools::get_config('pve_mon_key_path');
 if (! -f $mon_keyring) {
+ print "creating new monitor keyring\n";
 run_command("ceph-authtool --create-keyring $mon_keyring ".
 " --gen-key -n mon. --cap mon 'allow *'");
 run_command("ceph-authtool $mon_keyring --import-keyring $client_keyring");
@@ -282,6 +285,18 @@ __PACKAGE__->register_method ({
 PVE::Ceph::Services::ceph_service_cmd('start', $monsection);
+ if ($is_first_monitor) {
+ print "created the first monitor, assume it's safe to disable insecure global"
+ ." ID reclaim for new setup\n";
+ eval {
+ run_command(
+ ['ceph', 'config', 'set', 'mon', 'auth_allow_insecure_global_id_reclaim', 'false'],
+ errfunc => sub { print STDERR "$_[0]\n" },
+ )
+ };
+ warn "$@" if $@;
+ }
+
 eval { PVE::Ceph::Services::ceph_service_cmd('enable', $monsection) };
 warn "Enable ceph-mon\@${monid}.service failed, do manually: $@\n" if $@;
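Review bot: If the `ceph config set` call in the new `if ($is_first_monitor)` block fails, the cluster keeps accepting insecure global ID reclaim (CVE-2021-20288), and the only trace is the bare `warn "$@" if $@;`, which names neither the failed step nor the manual fix. The warning should name the setting and the command, in the style of the enable warning just below: `warn "disabling insecure global ID reclaim failed, run 'ceph config set mon auth_allow_insecure_global_id_reclaim false' manually: $@" if $@;`. The command runs directly after the service start and the visible call passes no timeout, so it presumably depends on the fresh monitor already answering; worth confirming that a slow start cannot block the task or leave the hardening step skipped. The enclosing handler starts and ends outside the hunk.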