From: Pere Diaz Bou
Date: Mon, 9 Jan 2023 10:45:55 +0000 (+0100)
Subject: cephadm/box: remove --privileged flag
X-Git-Tag: v18.1.0~410^2~3
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=28ec4ae0c17fce569c4f50dd37ebafd913a95ad5;p=ceph.git

cephadm/box: remove --privileged flag

Without --privileged flag mounting /sys/dev/block wasn't possible. Nevertherless, when I checked the permissions of the empty /sys/dev/block inside the container, I noticed that I had permissions, therefore umount was possible. With `umount /sys/dev/block` the real fs was exposed.

Signed-off-by: Pere Diaz Bou
---
diff --git a/src/cephadm/box/DockerfilePodman b/src/cephadm/box/DockerfilePodman
index 61db237f818c..440267bc6ec5 100644
--- a/src/cephadm/box/DockerfilePodman
+++ b/src/cephadm/box/DockerfilePodman
@@ -14,7 +14,7 @@ RUN ln -s /ceph/src/cephadm/cephadm.py $CEPHADM_PATH # NOTE: assume path of ceph
 # directories used by yum that are just taking
 # up space.
 RUN dnf -y update; rpm --restore shadow-utils 2>/dev/null; \
-yum -y install strace podman fuse-overlayfs --exclude container-selinux; \
+yum -y install podman fuse-overlayfs --exclude container-selinux; \
 rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 RUN dnf install which firewalld chrony procps systemd openssh openssh-server openssh-clients sshpass lvm2 -y
@@ -37,6 +37,7 @@ RUN echo 'root:root' | chpasswd
 RUN dnf install -y adjtimex # adjtimex syscall doesn't exist in fedora 35+ therefore we have to install it manually
 # so chronyd works
+RUN dnf install -y strace sysstat # debugging tools
 RUN dnf -y install hostname iproute udev
 ENV _CONTAINERS_USERNS_CONFIGURED=""
diff --git a/src/cephadm/box/box.py b/src/cephadm/box/box.py
index 8942e300ceac..ee6ad168d97e 100755
--- a/src/cephadm/box/box.py
+++ b/src/cephadm/box/box.py
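Review bot: The new `RUN dnf install -y strace sysstat # debugging tools` line in the second hunk runs as its own image layer without the `rm -rf /var/cache /var/log/dnf* /var/log/yum.*` cleanup that the first hunk keeps inside the `dnf -y update ... yum -y install` layer, so the dnf metadata and package cache fetched here stay in the image. Folding the two packages into the adjacent `RUN dnf -y install hostname iproute udev` line, or appending the same cleanup to this one, avoids that; the preceding adjtimex line has the same shape, but it is not new here. Since these are debugging tools rather than runtime requirements, the comment could say whether they are expected to stay in the default box image.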
@@ -113,18 +113,30 @@ def setup_podman_env(hosts: int = 1, osd_devs={}):
 run_shell_command(f'podman network create -d bridge {network_name}')
 run_default_options = """--group-add keep-groups --device /dev/fuse -it -d \\
- --privileged \\
- --cpus 12 \\
+ --cap-add SYS_ADMIN \\
+ --cap-add NET_ADMIN \\
+ --cap-add SYS_TIME \\
+ --cap-add SYS_RAWIO \\
+ --cap-add MKNOD \\
+ --cap-add NET_RAW \\
+ --cap-add SETUID \\
+ --cap-add SETGID \\
+ --cap-add CHOWN \\
+ --cap-add SYS_PTRACE \\
+ --cap-add SYS_TTY_CONFIG \\
+ --cap-add CAP_AUDIT_WRITE \\
+ --cap-add CAP_AUDIT_CONTROL \\
 -e CEPH_BRANCH=main \\
 -v ../../../:/ceph:z \\
 -v ../:/cephadm:z \\
 -v /run/udev:/run/udev \\
+ --tmpfs /run \\
+ --tmpfs /tmp \\
 -v /sys/dev/block:/sys/dev/block \\
- -v /sys/fs/cgroup:/sys/fs/cgroup \\
+ -v /sys/fs/cgroup:/sys/fs/cgroup:ro \\
 -v /dev/fuse:/dev/fuse \\
 -v /dev/disk:/dev/disk \\
 -v /sys/devices/virtual/block:/sys/devices/virtual/block \\
- -v /sys/dev/block:/dev/dev/block:rshared \\
 -v /sys/block:/dev/block \\
 -v /dev/mapper:/dev/mapper \\
 -v /dev/mapper/control:/dev/mapper/control \\
@@ -292,6 +304,11 @@ class Cluster(Target):
 else:
 setup_podman_env(hosts=hosts, osd_devs=osd.load_osd_devices())
+ # Umounting somehow brings back the contents of the host /sys/dev/block.
+ # On startup /sys/dev/block is empty. After umount, we can see symlinks again
+ # so that lsblk is able to run as expected
+ run_dc_shell_command('umount /sys/dev/block', 1, BoxType.SEED)
+
 run_shell_command('sudo sysctl net.ipv4.conf.all.forwarding=1')
 run_shell_command('sudo iptables -P FORWARD ACCEPT')
diff --git a/src/cephadm/box/osd.py b/src/cephadm/box/osd.py
index bb716e13f467..6ce3a1d6fea5 100755
--- a/src/cephadm/box/osd.py
+++ b/src/cephadm/box/osd.py
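Review bot: The thirteen `--cap-add` lines added to `run_default_options` carry no rationale, and the resulting set is still close to `--privileged`: `SYS_ADMIN` alone permits mount/umount inside the container (the `umount /sys/dev/block` added later in this same commit depends on it), and together with `SYS_RAWIO`, `MKNOD`, `SYS_PTRACE` and the host `/dev/mapper`, `/dev/disk` and `/sys/block` bind mounts the seed container keeps most of the reach it had before; what the change does buy is podman's default seccomp profile and its masked /proc and /sys paths, which is worth saying. Please add a comment above the list recording what each capability is exercised by, e.g. `# SYS_ADMIN: umount of /sys/dev/block in Cluster; SYS_PTRACE: strace; SYS_TIME: clock set by chronyd (confirm the rest are still needed)`, so the list can shrink later instead of only growing. Two smaller points: `CAP_AUDIT_WRITE` and `CAP_AUDIT_CONTROL` use the `CAP_` prefix while the other eleven do not (podman accepts both spellings as far as I know, but one form is easier to grep), and `--cpus 12` is dropped here without being mentioned in the commit message. `setup_podman_env` starts before the hunk and the option string continues past it.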
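Review bot: `run_dc_shell_command('umount /sys/dev/block', 1, BoxType.SEED)` runs unconditionally, so on a re-run where the path is no longer a mount point, or if the `-v /sys/dev/block:/sys/dev/block` line in `setup_podman_env` is ever changed, `umount` returns non-zero and, depending on how `run_dc_shell_command` treats that (not visible here), cluster start either aborts or the failure goes unnoticed. Making it idempotent is a one-line change: `run_dc_shell_command('! mountpoint -q /sys/dev/block || umount /sys/dev/block', 1, BoxType.SEED)`. The comment above it should name the bind mount it undoes and that it relies on `--cap-add SYS_ADMIN` from the same commit rather than "somehow"; it only targets the seed container, and whether the additional hosts created when `hosts > 1` need the same step cannot be told from this hunk. The enclosing `Cluster` method starts outside the hunk.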
@@ -111,8 +111,9 @@ def deploy_osds(count: int):
 1,
 BoxType.SEED
 )
- deployed = 'created osd' in deployed.lower()
- time.sleep(2)
+ deployed = 'created osd' in deployed.lower() or 'already created?' in deployed.lower()
+ print('Waiting 5 seconds to re-run deploy osd...')
+ time.sleep(5)
 host_index = (host_index + 1) % len(hosts)