[Doc] [Ceph] Mounting CephFS/RBD not possible with Cilium & host-reachable-services.

[martin31821]

In the following setup, mounting a CephFS/RBD is not possible:

• Cilium >= 1.6.5
• Rook 1.2.2 (all versions with CSI enabled)
• CoreOS 2303 (most likely older versions affected as well)
• Cilium Config enable-host-reachable-services: true

This is caused by cilium optimizing the ServiceIP <-> PodIP NAT step by hooking into the connect(), sendmsg(), recvmsg() syscalls using eBPF. Unfortunately, there is no way to hook into getpeername() which is used by ceph to verify the remote client. There is work in progress fixing the issue in net-next by @borkmann.

Until then, it's required to disable 'host-reachable-services'. This is also documented on the cilium wiki: https://cilium.readthedocs.io/en/stable/gettingstarted/host-services/#limitations

When hitting the problem, the kernel log looks like this:

[1141671.083024] libceph: wrong peer, want $podip:6789/0, got $serviceip:6789/0
[1141671.084930] libceph: mon0 $podip:6789 wrong peer at address

cc @galexrt

[JamesLaverack]

For anyone stumbling across this issue, as I did: This seems to have been fixed in Cilium, but requires kernel v5.8 or newer.

[jimsmith]

Adding this also as our team stumbled on this very issue, it's documented on Cilium at the very bottom of the page:

https://docs.cilium.io/en/stable/gettingstarted/host-services/

[SharkFill]

Hey, I have modified the configuration of Cilium according to your description:
apiVersion: v1
data:
agent-health-port: "9879"
auto-direct-node-routes: "False"
bpf-ct-global-any-max: "262144"
bpf-ct-global-tcp-max: "524288"
bpf-lb-external-clusterip: "true"
bpf-map-dynamic-size-ratio: "0.0025"
cgroup-root: /run/cilium/cgroupv2
clean-cilium-bpf-state: "false"
clean-cilium-state: "false"
cluster-name: default
custom-cni-conf: "false"
debug: "False"
disable-cnp-status-updates: "True"
enable-bpf-clock-probe: "True"
enable-bpf-masquerade: "False"
enable-host-legacy-routing: "True"
enable-host-reachable-services: "false"
enable-ip-masq-agent: "False"
enable-ipv4: "True"
enable-ipv4-masquerade: "True"
enable-ipv6: "False"
enable-ipv6-masquerade: "True"
enable-remote-node-identity: "True"
enable-well-known-identities: "False"
etcd-config: |-
---
endpoints:
- https://192.168.160.36:2379
- https://192.168.160.37:2379
- https://192.168.160.38:2379

# In case you want to use TLS in etcd, uncomment the 'ca-file' line
# and create a kubernetes secret by following the tutorial in
# https://cilium.link/etcd-config
ca-file: "/etc/cilium/certs/ca_cert.crt"

# In case you want client to server authentication, uncomment the following
# lines and create a kubernetes secret by following the tutorial in
# https://cilium.link/etcd-config
key-file: "/etc/cilium/certs/key.pem"
cert-file: "/etc/cilium/certs/cert.crt"

identity-allocation-mode: kvstore
ipam: kubernetes
kube-proxy-replacement: probe
kvstore: etcd
kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
monitor-aggregation: medium
monitor-aggregation-flags: all
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "False"
sidecar-istio-proxy-image: cilium/istio_proxy
tunnel: vxlan

However, Ceph mount still reported an error:
[1141671.083024] libceph: wrong peer, want $podip:6789/0, got $serviceip:6789/0
[1141671.084930] libceph: mon0 $podip:6789 wrong peer at address

My kernel version:
4.19.12-1.el7.elrepo.x86_64

Do you have any good suggestions?

[parth-gr]

@SharkFill what rook version you are using,
I think it is fixed

[SharkFill]

@parth-gr my rook version:v1.11.6
my ceph version:17.2.6
my clium version:v1.12.1
Currently, the issue still exists in kernel 4.19.12-1.

[parth-gr]

I see, is this something not possible to upgrade to v5.8 ?
@jimsmith ^^

[parth-gr]

or maybe open this in ceph repo, they may provide some workaround

[SharkFill]

@parth-gr Thank you for your suggestion. Currently, upgrading the kernel version is not acceptable. After consulting the documentation of Cilium, it may be unsolvable. However, for us, the rook cluster is independent of the business cluster and currently has no impact on the business.

[jimsmith]

upgrading the kernel version is not acceptable

From a stablility and security point of view that makes no sense, and follows best practice, you should raise this back internally as you've got a very very old kernel version

[SharkFill]

@jimsmith
Currently, some basic services have a strong dependence on the 4. x kernel. We are about to run a cluster with a kernel of 5.19.12 to replace this CEPH cluster. Thank you for your suggestion.