cephadm: add group 'disk' to privileged container

This lets the osd read block devs that are group rw disk even after they
drop root privs.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 0678c7edde1976b892f7ea7f104f27fc49dda3ab..9768edeaa30b5a5a7651b62186dbf71b05433d1f 100755 (executable)
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -1500,7 +1500,9 @@ class CephContainer:
 
         priv = [] # type: List[str]
         if self.privileged:
-            priv = ['--privileged']
+            priv = ['--privileged',
+                    # let OSD etc read block devs that haven't been chowned
+                    '--group-add=disk']
         vols = sum(
             [['-v', '%s:%s' % (host_dir, container_dir)]
              for host_dir, container_dir in self.volume_mounts.items()], [])
@@ -1525,7 +1527,9 @@ class CephContainer:
         # type: (List[str]) -> List[str]
         priv = [] # type: List[str]
         if self.privileged:
-            priv = ['--privileged']
+            priv = ['--privileged',
+                    # let OSD etc read block devs that haven't been chowned
+                    '--group-add=disk']
         vols = [] # type: List[str]
         vols = sum(
             [['-v', '%s:%s' % (host_dir, container_dir)]