Seafile on ceph: shipped librados too old

Hi all,

I updated my ceph cluster and ceph clients to 14.2.21 to address the recent security issue in ceph:
https://docs.ceph.com/en/latest/security/CVE-2021-20288/#cve-2021-20288

see also the ceph changelog (for nautilus):
https://docs.ceph.com/en/latest/releases/nautilus/

the problem is now, that as soon as I enable the security fix with
ceph config set mon auth_allow_insecure_global_id_reclaim false

seafile blocks all access after a few minutes. if I revert the security fix with
ceph config set mon auth_allow_insecure_global_id_reclaim true

seafile (web-interface, client access) works again. the reason in my opinion is that seafile uses the shipped

seafile/lib/librados.so.2

which is most probably too old and does not yet implement the security fix (see above).

however, seafile also does not work with a newer librados.so.2 provided by the system. when I remove the shipped librados.so.2, seafserver cannot be started.

@Jonathan is there a way I can use the system librados.so.2 or is it possible that you ship an updated version of librados.so.2?

Many thanks and best regards,
Hp
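
A check that can be run before enforcing the setting discussed in the post above, as an added example that is not part of the original thread: it parses `ceph health detail` and lists the clients the monitors report under the `AUTH_INSECURE_GLOBAL_ID_RECLAIM` health warning. The function names, the `client.seafile` entity, the address and the exact detail-line layout are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: detail lines look like
#   "client.NAME at ADDR is using insecure global_id reclaim"

# Constructed sample of `ceph health detail` output (entity and address made up).
sample_health_detail() {
cat <<'EOF'
HEALTH_WARN client is using insecure global_id reclaim; mons are allowing insecure global_id reclaim
[WRN] AUTH_INSECURE_GLOBAL_ID_RECLAIM: client is using insecure global_id reclaim
    client.seafile at 192.0.2.10:0/1234567890 is using insecure global_id reclaim
[WRN] AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED: mons are allowing insecure global_id reclaim
    mon.a has auth_allow_insecure_global_id_reclaim set to true
EOF
}

# Read health detail on stdin; print "entity address" for each client listed
# under AUTH_INSECURE_GLOBAL_ID_RECLAIM (not the ..._ALLOWED section).
insecure_clients() {
    awk '
        /AUTH_INSECURE_GLOBAL_ID_RECLAIM:/ { in_sec = 1; next }
        /^\[/ || /^[A-Z_]+:/               { in_sec = 0 }
        in_sec && / is using insecure global_id reclaim/ { print $1, $3 }
    '
}

# Read health detail on stdin; return 0 only when no client is reported,
# i.e. when enforcing the fix would not lock out a listed client.
safe_to_enforce() {
    clients=$(insecure_clients)
    if [ -n "$clients" ]; then
        echo "still using insecure global_id reclaim (upgrade these first):" >&2
        echo "$clients" >&2
        return 1
    fi
    return 0
}

# On a live cluster:
#   ceph health detail | safe_to_enforce &&
#       ceph config set mon auth_allow_insecure_global_id_reclaim false
```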

You just need to remove librados from the Seafile bundle. The librados from system will be used then.

maybe I was not clear enough, @Jonathan, I tried this. But if I do this, the seaf-server process does not start.

cheers,
Hp

running seaf-fsck (which helped me in the past tracing library problems) after removing the shipped librados gives the following error:

/srv/seafile/seafile-pro-server-7.1.17/seafile/bin/seaf-fsck: /srv/seafile/seafile-pro-server-7.1.17/seafile/lib/libibverbs.so.1: version `IBVERBS_1.5' not found (required by /lib/x86_64-linux-gnu/librdmacm.so.1)

removing the shipped libibverbs does not really help, then I get:

Starting seaf-fsck, please wait ...

terminate called after throwing an instance of 'std::system_error'
  what():  Invalid argument
./seaf-fsck.sh: line 41: 30027 Aborted                 LD_LIBRARY_PATH=$SEAFILE_LD_LIBRARY_PATH ${seaf_fsck} -c "${default_ccnet_conf_dir}" -d "${default_seafile_data_dir}" -F "${default_conf_dir}" ${seaf_fsck_opts}

could it be that seafile cannot use librados from nautilus (ceph 14.x.y)? unfortunately I was not able to determine to which ceph version the shipped librados corresponds.

best,
Hp

Hi @hkunz

For 7.1 and 8.0, the versions are:
centos
librados2-devel.x86_64 1:10.2.5-4.el7
ubuntu
librados-dev 12.2.13-0ubuntu0.18.04.7

Unfortunately we don’t upgrade the libraries in maintenance releases. Could you still use the bundled library?

I understand that, but luminous (ceph 12.x.y) was end-of-life on 2020-03-01. given that there are unfixed security issues, I hope you maybe can make an exception to the rule.

please note: in order to use the bundled librados I have to force my ceph cluster (nautilus) to run in an insecure way. of course I can do that (in fact right now I have to) but obviously this is not a really good long-term option. is there a time-line when to expect a release with a newer librados bundled?

here is the CVE again for your reference:
https://docs.ceph.com/en/latest/security/CVE-2021-20288/#cve-2021-20288

I hope we find a solution here. I am happy to support you in any way I can (I have a test installation, including a test ceph cluster).

Many thanks and best regards,
Hp

OK. We’ll upgrade the bundled librados library in the next version.

Hi @Jonathan,

I guess this has been fixed in 8.0.6, but it has not been fixed for seafile 7, correct? So I guess I will have to upgrade to seafile 8, correct?

Best and many thanks,
Hp

Yes it’s fixed in 8.0.6 pro version.