From: Anoop C S
Date: Thu, 10 Oct 2024 05:30:03 +0000 (+0530)
Subject: cephadm/smb: Add NET_RAW capability to deploy ctdbd
X-Git-Tag: v20.0.0~842^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=6c419323584103aefed847d8af0a261eda938c29;p=ceph.git

cephadm/smb: Add NET_RAW capability to deploy ctdbd

CTDB heavily depends on raw sockets to send gratuitous ARPs[1] (see the second point from the list of reasons to use gratuitous ARPs). As per the current design it is also inevitable while sending tickle ACKs[2] in the event of an IP failover. man capabilities(7)[3] further mandates CAP_NET_RAW to use raw sockets.

Therefore append NET_RAW to the list of capabilities while deploying ctdbd containers.

[1] https://wiki.wireshark.org/Gratuitous_ARP
[2] https://ctdb.samba.org/manpages/ctdb.1.html
[3] https://www.man7.org/linux/man-pages/man7/capabilities.7.html

Signed-off-by: Anoop C S
---
diff --git a/src/cephadm/cephadmlib/daemons/smb.py b/src/cephadm/cephadmlib/daemons/smb.py index 74cb13f4ab022..a0e648e857cbf 100644 --- a/src/cephadm/cephadmlib/daemons/smb.py +++ b/src/cephadm/cephadmlib/daemons/smb.py @@ -370,6 +370,8 @@ class CTDBDaemonContainer(SambaContainerCommon): # make conditional? # CAP_NET_ADMIN is needed for event script to add public ips to iface cargs.append('--cap-add=NET_ADMIN') + # CAP_NET_RAW allows to send gratuitous ARPs/tickle ACKs via raw sockets + cargs.append('--cap-add=NET_RAW') return cargs
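
Review bot: The added `cargs.append('--cap-add=NET_RAW')` is unconditional and sits directly under the existing `# make conditional?` marker, so every ctdbd container gets raw-socket access regardless of whether it manages public IPs. The commit message ties the need to gratuitous ARPs and tickle ACKs during IP failover, so consider gating NET_RAW (together with NET_ADMIN) on public addresses being configured, or at least extend the `# make conditional?` comment so it clearly covers the new line as well. Minor style point: the new comment would read better as `# CAP_NET_RAW is needed to send gratuitous ARPs/tickle ACKs via raw sockets`, matching the phrasing of the NET_ADMIN comment above it.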