From: Matthew Oliver
Date: Tue, 5 May 2020 06:17:06 +0000 (+1000)
Subject: cephadm: give ceph-iscsi permissions to configfs
X-Git-Tag: v15.2.4~73^2~76
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4d4a57b0d3753395c3787f445396c0aa09667bb5;p=ceph.git

cephadm: give ceph-iscsi permissions to configfs

The cephadm container mounts the configfs and then bind mounts (-v) it into the container. Currently the container is not a privileged container, which leads to 2 problems:

1. The container can't insert the iscsi_target_mod kernel module; and
2. The container can't write to the configfs as that's only writeable by root.

We _can_ get around 1, by preloading the kernel module. I.e. add it to the systemd unit file. But that doesn't help with 2. I've tried mounting the configfs with uid and gid options, but configfs doesn't use them.

If we make the container a privileged container then magically both 1 and 2 are solved. We don't need to preload the module so that's one less workaround. But more importantly, configfs can be written to so we can create ISCSI targets etc.

So that's what this patch does, it makes iscsi containers privileged containers by setting the CephContainer --privileged while creating it.

Fixes: https://tracker.ceph.com/issues/45252
Signed-off-by: Matthew Oliver
(cherry picked from commit 9b7dcb894c370570bf1e16982508eadb8b0c6f32)

--- diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm index 934b1f6017d..9260b1218cc 100755 --- a/src/cephadm/cephadm +++ b/src/cephadm/cephadm @@ -1679,6 +1679,9 @@ def get_container(fsid, daemon_type, daemon_id, elif daemon_type == CephIscsi.daemon_type: entrypoint = CephIscsi.entrypoint name = '%s.%s' % (daemon_type, daemon_id) + # So the container can modprobe iscsi_target_mod and have write perms + # to configfs we need to make this a privileged container. + privileged = True else: entrypoint = '' name = ''
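
Review bot: `privileged = True` in the `CephIscsi` branch runs the whole iSCSI container privileged to cover two narrow needs (loading `iscsi_target_mod` and writing to configfs), so the in-code comment should record why nothing narrower works. The commit message already has that reasoning (preloading the module fixes only the first problem, and configfs ignores the uid and gid mount options); carrying a short version of it, plus the tracker link, into the comment would keep a later reader from removing the flag or copying it to another daemon type without context. The hunk also does not show where `privileged` is initialised or consumed: please confirm it defaults to False before this if/elif chain, so that the other daemon types, including the `else` branch, stay unprivileged.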