Hi Carsten, please find the answers inline:

Best,
Redo.

On Wed, Dec 17, 2025 at 3:12 PM Carsten Götze via ceph-users <[email protected]> wrote:

> Hi!
>
> Thank you for the pointers.
>
> Unfortunately restarting the active mgr daemon didn't help.
>
> However, looking at cephadm.log gave me at least a clue what was going on.
> It seems that installing and deinstalling systemd-firewalld has completely
> messed up the firewall rules. And restarting one of the nodes has made
> things even worse. The osd's on that node died after a few minutes. I had
> to restart the osd's systemd services, only to see them tumbling down a few
> minutes later. Only after I finally flushed all the firewall rules from
> every single node things went back to "normal". However, orchestrator is
> still out of sync with reality.
>
> So a few more questions:
> Where does orchestrator store its state information?

[Redo] Orchestrator (cephadm in this case) uses the mon-store to store the services/daemon status information. In order to get a "fresh" view of the services state you can run:

    ceph orch ps --refresh

> Is firewalld required for tentacle? I didn't need it for squid, but it
> sure is now required for the nfs module. Do the other modules also use it to
> control the firewall?

[Redo] Firewalld isn't required for cephadm-managed services to run, but it's an important operational security layer. Whether you enable it depends on your org/company security model and requirements. In many environments, host firewall rules (often combined with network segmentation) help ensure Ceph ports and services are only reachable from the intended networks and hosts, reducing the risk of accidental exposure and limiting blast radius if something is misconfigured or because some service is exposing exploited ports.

> With firewalld installed, would restarting the nodes help to restore the
> firewall rules?

[Redo] Firewalld is an external service. It stores its configuration on the local host. Restarting the node will just get you back to the same status. If you want to reset/restore any configuration you have to use firewalld commands.

> What ports have to be open in the firewall? So far I have: 3000, 3300,
> 5666, 6789, 6800:7568, 8443, 9093, 9094, 9095, 9100. Anything else?

[Redo] When firewalld is enabled, cephadm will automatically open the corresponding port for the service; you don't have to worry about opening the port manually.

> Would it be safe to downgrade to squid again?

[Redo] No, unfortunately you can't downgrade the ceph version (because of several technical reasons).

> With best regards
> Carsten Götze
>
> > On 16.12.2025 at 14:10, Robert Sander via ceph-users <[email protected]> wrote:
> >
> > Hi,
> >
> > On 16.12.25 at 2:03 PM, Carsten Götze via ceph-users wrote:
> >
> >> Is there a way to force the orchestrator to sync its state information
> >> with the nodes?
> >
> > Try to restart the active MGR daemon with systemctl on its node.
> >
> >> Where do I find meaningful logs for the orchestrator?
> >
> > The journal of the active MGR contains cephadm output
> >
> > Regards
> > --
> > Robert Sander
> > Linux Consultant
> >
> > Heinlein Consulting GmbH
> > Schwedter Str. 8/9b, 10119 Berlin
> >
> > https://www.heinlein-support.de
> >
> > Tel: +49 30 405051 - 0
> > Fax: +49 30 405051 - 19
> >
> > Berlin-Charlottenburg District Court - HRB 220009 B
> > Managing Director: Peer Heinlein - Registered office: Berlin
> > _______________________________________________
> > ceph-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
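
Added example, not part of the thread and not cephadm's own code: a POSIX shell check that compares `firewall-cmd --list-ports` style output against the port list quoted in the message above. Treating every listed port as TCP, the function names and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Ports quoted in the thread. Assumption: all of them are TCP.
EXPECTED="3000 3300 5666 6789 6800-7568 8443 9093 9094 9095 9100"

# covered SPEC OPEN
# Succeeds if the TCP port or range SPEC (e.g. 6800-7568) lies entirely
# inside a single entry of OPEN, a space-separated "port[-port]/proto" list
# as printed by `firewall-cmd --list-ports`. Ranges split across two
# adjacent entries are reported as missing (conservative).
covered() {
    want_lo=${1%-*}; want_hi=${1#*-}
    for entry in $2; do
        case $entry in */tcp) ;; *) continue ;; esac   # skip udp and others
        range=${entry%/tcp}
        lo=${range%-*}; hi=${range#*-}
        [ "$want_lo" -ge "$lo" ] && [ "$want_hi" -le "$hi" ] && return 0
    done
    return 1
}

# missing_ports OPEN
# Prints the expected entries that OPEN does not cover, space-separated.
missing_ports() {
    out=""
    for spec in $EXPECTED; do
        covered "$spec" "$1" || out="$out $spec"
    done
    echo "${out# }"
}

# Constructed sample output, not taken from a real host.
SAMPLE="3300/tcp 6789/tcp 6800-7300/tcp 8443/tcp 9100/tcp 9094/udp"
echo "missing from sample: $(missing_ports "$SAMPLE")"

# On a node, in the zone the Ceph interfaces belong to:
#   missing_ports "$(firewall-cmd --list-ports)"
```

Ports opened through a firewalld service definition appear under `firewall-cmd --list-services`, not `--list-ports`, so a port reported as missing here may still be reachable; check both before changing rules.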
