From b5e5c753f415ab1f18ccfe3ad636649a0f51a93a Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Mon, 3 Feb 2020 16:49:20 -0600
Subject: [PATCH] cephadm: add group 'disk' to privileged container

This lets the osd read block devs that are group rw disk even after they drop root privs.

Signed-off-by: Sage Weil
---
 src/cephadm/cephadm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 0678c7edde1..9768edeaa30 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -1500,7 +1500,9 @@ class CephContainer:
 priv = [] # type: List[str]
 if self.privileged:
- priv = ['--privileged']
+ priv = ['--privileged',
+ # let OSD etc read block devs that haven't been chowned
+ '--group-add=disk']
 vols = sum(
 [['-v', '%s:%s' % (host_dir, container_dir)]
 for host_dir, container_dir in self.volume_mounts.items()], [])
@@ -1525,7 +1527,9 @@ class CephContainer:
 # type: (List[str]) -> List[str]
 priv = [] # type: List[str]
 if self.privileged:
- priv = ['--privileged']
+ priv = ['--privileged',
+ # let OSD etc read block devs that haven't been chowned
+ '--group-add=disk']
 vols = [] # type: List[str]
 vols = sum(
 [['-v', '%s:%s' % (host_dir, container_dir)]
--
2.39.5
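Review bot: `--group-add=disk` is passed as a group name, and as far as I know both docker and podman resolve a non-numeric value against the image's /etc/group rather than the host's, so the supplementary GID the OSD ends up with is whatever `disk` maps to inside the image; if that differs from the GID owning the host block devices, the stated goal (reading devices after dropping root) is not met, and the failure is silent until the OSD tries to open the device. Consider documenting that assumption next to the flag, e.g. `# resolved against the image's /etc/group; must match the host's device GID`, or passing the numeric GID looked up on the host instead. The same literal is duplicated in both hunks (the `run_cmd`-style method at @@ -1500 and the method at @@ -1525); a single module- or class-level constant such as `PRIVILEGED_ARGS = ['--privileged', '--group-add=disk']` referenced from both would keep the two call paths from drifting. Both enclosing methods start outside the hunks, so their signatures are not visible here.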