The Ceph Blog

July 11, 2018

v10.2.11 Jewel released

This point release brings a number of important bugfixes and a few
important security fixes. This is expected to be the last Jewel release. We
recommend that all Jewel 10.2.x users upgrade.

Notable Changes

  • CVE-2018-1128: auth: cephx authorizer subject to replay attack (issue#24836, Sage Weil)
  • CVE-2018-1129: auth: cephx signature check is weak (issue#24837, Sage Weil)
  • CVE-2018-10861: mon: auth checks not correct for pool ops (issue#24838, Jason Dillaman)
  • The RBD C API’s rbd_discard method and the C++ API’s Image::discard method
    now enforce a maximum length of 2GB. This restriction prevents overflow of
    the result code.
  • New OSDs will now use rocksdb for omap data by default, rather than
    leveldb. omap is used by RGW bucket indexes and CephFS directories,
    and when a single leveldb grows to tens of GB with a high write or
    delete workload, it can lead to high latency when leveldb’s
    single-threaded compaction cannot keep up. rocksdb supports multiple
    threads for compaction, which avoids this problem.
  • The CephFS client now catches failures to clear dentries during startup
    and refuses to start, because consistency and untrimmable cache issues
    may otherwise develop. The new option client_die_on_failed_dentry_invalidate
    (default: true) may be turned off to allow the client to proceed (dangerous!).
  • In 10.2.10 and earlier releases, keyring caps were not checked for validity,
    so the caps string could be anything. As of 10.2.11, caps strings are
    validated and providing a keyring with an invalid caps string to, e.g.,
    “ceph auth add” will result in an error.
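
The rbd_discard length cap noted above, illustrated with an added example that is not librbd code. It assumes a discard-style call whose 32-bit int result carries the discarded byte count on success and a negative errno on failure; the function names and the 1 GiB chunk size are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not librbd code: the int result is the number of
 * bytes discarded on success, or a negative errno on failure. */

/* Before: a 64-bit length is narrowed into the 32-bit result code. */
static int discard_result_unchecked(uint64_t len)
{
    return (int32_t)(uint32_t)len;      /* wraps modulo 2^32 (gcc/clang) */
}

/* After: lengths the result code cannot represent are rejected up front. */
static int discard_result_checked(uint64_t len)
{
    if (len > (uint64_t)INT32_MAX)
        return -EINVAL;
    return (int)len;
}

/* Callers with larger ranges split them into chunks below the cap. */
static uint64_t discard_chunked(uint64_t len, unsigned *calls)
{
    const uint64_t chunk_max = 1ULL << 30;      /* assumed 1 GiB chunk */
    uint64_t done = 0;

    *calls = 0;
    while (done < len) {
        uint64_t chunk = len - done < chunk_max ? len - done : chunk_max;
        int r = discard_result_checked(chunk);
        if (r < 0)
            break;                              /* propagate failure as a short count */
        done += (uint64_t)r;
        (*calls)++;
    }
    return done;
}

int main(void)
{
    const uint64_t GiB = 1ULL << 30;            /* constructed sample lengths */
    unsigned calls;

    printf("unchecked 3 GiB        -> %d (looks like an error)\n", discard_result_unchecked(3 * GiB));
    printf("unchecked 4 GiB        -> %d (looks like a no-op)\n", discard_result_unchecked(4 * GiB));
    printf("unchecked 4 GiB + 4096 -> %d (wrong byte count)\n", discard_result_unchecked(4 * GiB + 4096));
    printf("checked   3 GiB        -> %d (-EINVAL)\n", discard_result_checked(3 * GiB));
    printf("chunked   5 GiB        -> %llu bytes", (unsigned long long)discard_chunked(5 * GiB, &calls));
    printf(" in %u calls\n", calls);
    return 0;
}
```

Callers that previously passed lengths above the cap in a single call need a loop like discard_chunked and should treat the new error as a signal to split the range.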