git-server-git.apps.pok.os.sepia.ceph.com Git

author	Matthew Oliver <moliver@suse.com>
	Wed, 20 May 2020 00:22:45 +0000 (10:22 +1000)
committer	Sebastian Wagner <sebastian.wagner@suse.com>
	Tue, 14 Jul 2020 09:39:06 +0000 (11:39 +0200)
commit	1cae696d1c9a300d8639b9444f6ec1bbad3c2ecd
tree	4028e107f87abc19934bea91adf1b8e8f7f566f6	tree \| snapshot
parent	ae0cda39b1cdc1e0e59b5069789aaf0c2f3ea67d	commit \| diff

cephadm: Give iscsci a RO /lib/modules bind mounted

The ceph iscsi container needs to be able to insert the iscsi_target_mod
but it doesn't exist in the container. for security reasons bind
mounting /lib/modules seems a little dangerous unless we can mount it
RO.
Unfortuntly the docker volume mount (-v) doesn't allow you mount
readonly, adding a `--read-only` actaully does the opposite, makes the
root on the container RO and expects you to write to the mounted volumes
(-v).

However, we get more grainular control over bind mount options if we use
`--mount`[0]. Here we can still bind mound the volume into the container,
but can also add additional options, like bind mounting RO.

This patch adds at addiontal `bind_mounts` option to the CephContainer
along side `volume_mounts`. The `bind_mounts` take a List[List[str]]:

binds = []
lib_modules = ['type=bind',
                'source=/lib/modules',
                'destination=/lib/modules',
                'ro=true']
binds.append(lib_modules)

And this is plumbed through into cephadm. Bind_mounts only needs to be
used if you need a little more control over the mounting, otherwise the
volume_mounts are easier to use.

[0] - https://docs.docker.com/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems

Fixes: https://tracker.ceph.com/issues/45252
Signed-off-by: Matthew Oliver <moliver@suse.com>
(cherry picked from commit d9b5371478b744920cf14e1b34b7d63226c71050)