cephadm: capadd and privileged are mutex

Signed-off-by: Joshua Schmid <jschmid@suse.de>

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 83c860ef18d1482e27aeef6964b40b15f3e2e07f..7f78ab91492537630bd8c2803b21d8c8a75f449c 100755 (executable)
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2535,9 +2535,11 @@ class CephContainer:
             cmd_args.extend([
                 '--privileged',
                 # let OSD etc read block devs that haven't been chowned
-                '--group-add=disk',
-            ])
-        if self.ptrace:
+                '--group-add=disk'])
+        if self.ptrace and not self.privileged:
+            # if privileged, the SYS_PTRACE cap is already added
+            # in addition, --cap-add and --privileged are mutually
+            # exclusive since podman >= 2.0
             cmd_args.append('--cap-add=SYS_PTRACE')
         if self.init:
             cmd_args.append('--init')