cephadm: capadd and privileged are mutex
authorJoshua Schmid <jschmid@suse.de>
Mon, 14 Sep 2020 08:38:07 +0000 (10:38 +0200)
committerNathan Cutler <ncutler@suse.com>
Tue, 6 Oct 2020 09:40:53 +0000 (11:40 +0200)
Signed-off-by: Joshua Schmid <jschmid@suse.de>
(cherry picked from commit 76e5020b106e14284f63bd7cee81822ad6b1fbf0)

src/cephadm/cephadm

index d354de8f22cb7656c0e26139405f9b679dd8947c..35b5fe278c205deea23204f7f8040269caea2e11 100755 (executable)
@@ -2536,9 +2536,11 @@ class CephContainer:
             cmd_args.extend([
                 '--privileged',
                 # let OSD etc read block devs that haven't been chowned
-                '--group-add=disk',
-            ])
-        if self.ptrace:
+                '--group-add=disk'])
+        if self.ptrace and not self.privileged:
+            # if privileged, the SYS_PTRACE cap is already added
+            # in addition, --cap-add and --privileged are mutually
+            # exclusive since podman >= 2.0
             cmd_args.append('--cap-add=SYS_PTRACE')
         if self.init:
             cmd_args.append('--init')
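Review bot: The comment above `cmd_args.append('--cap-add=SYS_PTRACE')` runs two separate reasons together, and it should state that `--privileged` grants every capability rather than only that SYS_PTRACE "is already added". I would word it as `# --privileged already grants all capabilities, SYS_PTRACE included;` followed by `# podman >= 2.0 also rejects --cap-add combined with --privileged`. That makes clear to a later reader that the `self.ptrace` request is widened, not dropped, when `self.privileged` is set, and that the `--cap-add` branch is the narrower grant. As a style point, collapsing the list end to `'--group-add=disk'])` drops the trailing comma, so the next argument added to the privileged list will touch this line again. The enclosing method of `CephContainer` starts and ends outside the hunk.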