cdk-addons 1.21 needs updated cephcsi image

Bug #1945685 reported by Vern Hart
Affects: AWS IAM Subordinate Charm
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

In debugging a PersistentVolumeClaim issue I tracked it to this Cephx CVE:
https://docs.ceph.com/en/latest/security/CVE-2021-20288/

The fix for that CVE is to:
ceph config set mon auth_allow_insecure_global_id_reclaim false

After doing this, PersistentVolumeClaims get stuck Pending as they can't authorize with ceph.

The recommended fix for that is to update ceph clients.

I confirmed that updating the cephcsi container image to v3.3.1 resolves the PVC issue. However, cdk-addons keeps switching it back to v2.1.2. https://pastebin.ubuntu.com/p/vT7WsTgCrj/

Checking the various snap versions I see:

cdk-addon cephcsi
1.23.0-alpha.2 v3.3.1
1.22.2 v3.3.1
1.22.1 v3.3.1
1.21.5 v2.1.2
1.21.3 v2.1.2
1.20.11 v2.1.2
1.20.4 v2.1.2
1.19.15 v2.1.2
1.19.8 v2.1.2
1.18.20 none

So it seems we need to backport the cephcsi container image version v3.3.1 to 1.21, 1.20, and 1.19.
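
A pre-flight check for the change described in the report, as an added example that is not part of the original bug report or of cdk-addons: it reads the output of `ceph health detail --format json` and reports whether any connected client still relies on insecure global_id reclaim before `auth_allow_insecure_global_id_reclaim` is set to false. The function name, the result labels and the sample health output (including the client name and address) are constructed for illustration.

```python
import json

# Health check codes named in the Ceph advisory for CVE-2021-20288.
CLIENTS_INSECURE = "AUTH_INSECURE_GLOBAL_ID_RECLAIM"
MONS_ALLOW = "AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED"


def reclaim_preflight(health_json):
    """Classify `ceph health detail --format json` output before the change."""
    checks = json.loads(health_json).get("checks", {})
    # One detail entry per connected client that has not been updated.
    # Clients that are not connected right now are not listed.
    stale = [d["message"] for d in checks.get(CLIENTS_INSECURE, {}).get("detail", [])]
    if CLIENTS_INSECURE in checks:
        action = "update-clients-first"   # disabling now would lock these out
    elif MONS_ALLOW in checks:
        action = "safe-to-disable"        # mons still permissive, no stale client seen
    else:
        action = "no-warnings"            # already disabled, or warnings muted/off
    return {"action": action, "stale_clients": stale}


def _check(message, detail=()):
    # Helper that builds one constructed health-check entry.
    return {"severity": "HEALTH_WARN",
            "summary": {"message": message, "count": len(detail)},
            "detail": [{"message": m} for m in detail]}


# Constructed sample: an old CSI client is connected and the mons allow it.
SAMPLE_OLD_CLIENT = json.dumps({"status": "HEALTH_WARN", "checks": {
    CLIENTS_INSECURE: _check(
        "client is using insecure global_id reclaim",
        ["client.csi-example at v1:192.0.2.10:0/1 is using insecure global_id reclaim"]),
    MONS_ALLOW: _check("mons are allowing insecure global_id reclaim"),
}})

# Constructed sample: all connected clients updated, setting not yet changed.
SAMPLE_UPDATED = json.dumps({"status": "HEALTH_WARN", "checks": {
    MONS_ALLOW: _check("mons are allowing insecure global_id reclaim"),
}})

if __name__ == "__main__":
    for name, sample in (("old client", SAMPLE_OLD_CLIENT), ("updated", SAMPLE_UPDATED)):
        print(name, reclaim_preflight(sample))
```
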

Vern Hart (vern) wrote :

Sorry. Wrong project.

Changed in charm-aws-iam:
status: New → Invalid