cephadm: add allow_ptrace option to enable SYS_PTRACE
authorSage Weil <sage@redhat.com>
Mon, 16 Mar 2020 16:06:08 +0000 (11:06 -0500)
committerSage Weil <sage@redhat.com>
Tue, 17 Mar 2020 02:04:22 +0000 (21:04 -0500)
In many environments it is helpful to have SYS_PTRACE so that you can
gdb attach or strace a daemon.

Leave this off by default so that the container is more secure.

Enable this in teuthology and vstart.

Signed-off-by: Sage Weil <sage@redhat.com>
qa/suites/rados/cephadm/upgrade/1-start.yaml
qa/tasks/cephadm.py
src/cephadm/cephadm
src/mon/MonCommands.h
src/pybind/mgr/cephadm/module.py
src/vstart.sh

index 99cc19b77f3bdba385133b5d930e6c52206ae32c..6e974cef32f515f9e2311d89f704b3d830ce2ad9 100644 (file)
@@ -1,4 +1,4 @@
 tasks:
 - cephadm:
-    image: quay.io/ceph-ci/ceph:wip-sage4-testing-2020-03-14-1141
-    cephadm_branch: wip-sage4-testing-2020-03-14-1141
+    image: quay.io/ceph-ci/ceph:wip-sage-testing-2020-03-16-1740
+    cephadm_branch: wip-sage-testing-2020-03-16-1740
index f99a627d7ddb21fb9bb7f084aff3d10ed7afa41f..2b076053a784cb1745a5db278b27b61e40efb4c0 100644 (file)
@@ -413,6 +413,10 @@ def ceph_bootstrap(ctx, config):
             'sudo', 'chmod', '0600', '/root/.ssh/authorized_keys',
         ])
 
+        # set options
+        _shell(ctx, cluster_name, bootstrap_remote,
+               ['ceph', 'config', 'set', 'mgr', 'mgr/cephadm/allow_ptrace', 'true'])
+
         # add other hosts
         for remote in ctx.cluster.remotes.keys():
             if remote == bootstrap_remote:
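Review bot: The `# set options` comment above the new `_shell` call says nothing about what is being set or why; `# enable SYS_PTRACE on daemon containers so gdb/strace can attach to daemons under test` would explain it to the next reader. The option is set unconditionally for every teuthology cephadm cluster, so the suite never exercises the default configuration without the extra capability; if some suites are meant to run the hardened default, gating this on a task config key would be worth considering. ceph_bootstrap's body starts and continues outside the hunk.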
index 7bac5cbb5cca2e11824e3001d4d48a84679c1202..9dc9f0cceda2a6ebaad134e9b0ae1826024236e1 100755 (executable)
@@ -1422,9 +1422,11 @@ def get_container_mounts(fsid, daemon_type, daemon_id,
 
     return mounts
 
-def get_container(fsid, daemon_type, daemon_id, privileged=False,
+def get_container(fsid, daemon_type, daemon_id,
+                  privileged=False,
+                  ptrace=False,
                   container_args=[]):
-    # type: (str, str, Union[int, str], bool, List[str]) -> CephContainer
+    # type: (str, str, Union[int, str], bool, bool, List[str]) -> CephContainer
     if daemon_type in ['mon', 'osd']:
         # mon and osd need privileged in order for libudev to query devices
         privileged = True
@@ -1484,6 +1486,7 @@ def get_container(fsid, daemon_type, daemon_id, privileged=False,
         cname='ceph-%s-%s.%s' % (fsid, daemon_type, daemon_id),
         envs=envs,
         privileged=privileged,
+        ptrace=ptrace,
     )
 
 def extract_uid_gid(img='', file_path='/var/lib/ceph'):
@@ -1838,16 +1841,18 @@ class CephContainer:
                  cname='',
                  container_args=[],
                  envs=None,
-                 privileged=False):
-        # type: (str, str, List[str], Dict[str, str], str, List[str], Optional[List[str]], Optional[bool]) -> None
+                 privileged=False,
+                 ptrace=False):
+        # type: (str, str, List[str], Dict[str, str], str, List[str], Optional[List[str]], bool, bool) -> None
         self.image = image
         self.entrypoint = entrypoint
         self.args = args
         self.volume_mounts = volume_mounts
         self.cname = cname
         self.container_args = container_args
-        self.privileged = privileged
         self.envs = envs
+        self.privileged = privileged
+        self.ptrace = ptrace
 
     def run_cmd(self):
         # type: () -> List[str]
@@ -1863,6 +1868,8 @@ class CephContainer:
             priv = ['--privileged',
                     # let OSD etc read block devs that haven't been chowned
                     '--group-add=disk']
+        if self.ptrace:
+            priv.append('--cap-add=SYS_PTRACE')
         vols = sum(
             [['-v', '%s:%s' % (host_dir, container_dir)]
              for host_dir, container_dir in self.volume_mounts.items()], [])
@@ -2428,7 +2435,8 @@ def command_deploy():
         (config, keyring) = get_config_and_keyring()
         (uid, gid) = extract_uid_gid()
         make_var_run(args.fsid, uid, gid)
-        c = get_container(args.fsid, daemon_type, daemon_id)
+        c = get_container(args.fsid, daemon_type, daemon_id,
+                          ptrace=args.allow_ptrace)
         deploy_daemon(args.fsid, daemon_type, daemon_id, c, uid, gid,
                       config=config, keyring=keyring,
                       osd_fsid=args.osd_fsid,
@@ -4111,6 +4119,10 @@ def _get_parser():
         '--reconfig',
         action='store_true',
         help='Reconfigure a previously deployed daemon')
+    parser_deploy.add_argument(
+        '--allow-ptrace',
+        action='store_true',
+        help='Allow SYS_PTRACE on daemon container')
 
     parser_check_host = subparsers.add_parser(
         'check-host', help='check host configuration')
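Review bot: In run_cmd, `--cap-add=SYS_PTRACE` is appended to `priv` even when `self.privileged` is set, which for mon and osd (forced privileged in get_container) is redundant because `--privileged` already grants every capability; a comment such as `# SYS_PTRACE lets gdb/strace attach; already implied by --privileged` on the new `if self.ptrace:` branch would make that explicit. That branch also assumes `priv` was initialised on the non-privileged path above the hunk, which is not visible here; run_cmd starts and ends outside the hunk. The `--allow-ptrace` help text in _get_parser could state the trade-off, e.g. `help='Allow SYS_PTRACE on daemon container (weakens container isolation; for debugging)'`, so operators deploying by hand see it.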
index f0811e0cd89c68c9a4763f43e3f95adb304a6aa0..d1cbd336e8f55f16db11b2769936380fc0b79ae8 100644 (file)
@@ -1161,7 +1161,7 @@ COMMAND("mgr dump "
        "name=epoch,type=CephInt,range=0,req=false",
        "dump the latest MgrMap",
        "mgr", "r")
-COMMAND("mgr fail name=who,type=CephString",
+COMMAND("mgr fail name=who,type=CephString,req=false",
        "treat the named manager daemon as failed", "mgr", "rw")
 COMMAND("mgr module ls",
        "list active mgr modules", "mgr", "r")
index 887543d105eebfcc9d87d7935625381fb7fd5b6c..09da4fdf9824b6bce091b4a790952cea88093742 100644 (file)
@@ -611,6 +611,16 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
             'default': True,
             'desc': 'log to the "cephadm" cluster log channel"',
         },
+        {
+            'name': 'allow_ptrace',
+            'type': 'bool',
+            'default': False,
+            'desc': 'allow SYS_PTRACE capability on ceph containers',
+            'long_desc': 'The SYS_PTRACE capability is needed to attach to a '
+                         'process with gdb or strace.  Enabling this options '
+                         'can allow debugging daemons that encounter problems '
+                         'at runtime.',
+        },
     ]
 
     def __init__(self, *args, **kwargs):
@@ -636,6 +646,7 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
             self.warn_on_stray_hosts = True
             self.warn_on_stray_daemons = True
             self.warn_on_failed_host_check = True
+            self.allow_ptrace = False
 
         self._cons = {}  # type: Dict[str, Tuple[remoto.backends.BaseConnection,remoto.backends.LegacyModuleExecute]]
 
@@ -2169,6 +2180,8 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
 
         if reconfig:
             extra_args.append('--reconfig')
+        if self.allow_ptrace:
+            extra_args.append('--allow-ptrace')
 
         self.log.info('%s daemon %s on %s' % (
             'Reconfiguring' if reconfig else 'Deploying',
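Review bot: The `long_desc` of the new `allow_ptrace` option has a grammatical slip, `Enabling this options` should read `Enabling this option`. Since the option relaxes the container's capability set, the description is the place to tell operators that it weakens daemon isolation and is intended for debugging and test clusters rather than production; one added sentence along the lines of "This weakens container isolation and should be left disabled outside development and test clusters." would do. The later hunk that appends `--allow-ptrace` to `extra_args` reads the option straight from `self.allow_ptrace`, which is consistent with the module's other options; the enclosing method there starts and ends outside the hunk.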
index 78008f6568ec596e95fc28e9ac501440282cbfbf..5396ea0ab3337bd3e16ff0e3e737d533531e54f0 100755 (executable)
@@ -997,6 +997,7 @@ EOF
         ceph_adm orch set backend cephadm
         ceph_adm orch host add $HOSTNAME
         ceph_adm orch apply crash '*'
+        ceph_adm config set mgr mgr/cephadm/allow_ptrace true
     fi
 }