CTDB heavily depends on raw sockets to send gratuitous ARPs[1] (see the
second point from the list of reasons to use gratuitous ARPs). As per
the current design it is also inevitable while sending tickle ACKs[2]
in the event of an IP failover. man capabilities(7)[3] further mandates
CAP_NET_RAW to use raw sockets. Therefore append NET_RAW to the list of
capabilities while deploying ctdbd containers.
[1] https://wiki.wireshark.org/Gratuitous_ARP
[2] https://ctdb.samba.org/manpages/ctdb.1.html
[3] https://www.man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Anoop C S <anoopcs@cryptolab.net>
# make conditional?
# CAP_NET_ADMIN is needed for event script to add public ips to iface
cargs.append('--cap-add=NET_ADMIN')
+ # CAP_NET_RAW allows to send gratuitous ARPs/tickle ACKs via raw sockets
+ cargs.append('--cap-add=NET_RAW')
return cargs
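Review bot: The added `cargs.append('--cap-add=NET_RAW')` is unconditional, just like the NET_ADMIN line above it, which still carries the open `# make conditional?` question. CAP_NET_RAW lets any process in the container open raw and packet sockets, so it would be better to grant it only when the ctdbd deployment actually has public IPs and failover configured, or at least to make clear in the comment that the open question covers both capabilities. Minor wording point on the new comment: "CAP_NET_RAW is needed to send gratuitous ARPs/tickle ACKs via raw sockets" reads more cleanly than "allows to send" and matches the phrasing of the NET_ADMIN comment.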