From eda437b9a117f680b1958c0b194545fbecaba95a Mon Sep 17 00:00:00 2001 From: Adam King Date: Mon, 22 Apr 2024 08:25:56 -0400 Subject: [PATCH] cephadm: limit mounts for shell and ceph-volume commands This drops the /sys, /dev, and / (on rootfs) mounts from the shell, as these shouldn't be required and it also makes the ceph-volume commands monut of / a slave mount so there isn't an issue unmounting things on the host due to the container having this mount. Signed-off-by: Adam King (cherry picked from commit ff4be2873499dacf15652a77f970edabc404ddee)
---
 src/cephadm/cephadm.py | 4 ++--
 src/cephadm/cephadmlib/daemons/ceph.py | 21 +++++++++++++++++----
 src/cephadm/tests/test_cephadm.py | 1 +
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/cephadm/cephadm.py b/src/cephadm/cephadm.py
index df7a657e24c..489cb6e0f0d 100755
--- a/src/cephadm/cephadm.py
+++ b/src/cephadm/cephadm.py
@@ -3137,7 +3137,7 @@ def command_shell(ctx):
 daemon_type = ctx.name
 daemon_id = None
 else:
- daemon_type = 'osd' # get the most mounts
+ daemon_type = 'shell' # get limited set of mounts
 daemon_id = None

 if ctx.fsid and daemon_type in ceph_daemons():
@@ -3275,7 +3275,7 @@ def command_ceph_volume(ctx):
 lock.acquire()

 (uid, gid) = (0, 0) # ceph-volume runs as root
- mounts = get_container_mounts_for_type(ctx, ctx.fsid, 'osd')
+ mounts = get_container_mounts_for_type(ctx, ctx.fsid, 'ceph-volume')

 tmp_config = None
 tmp_keyring = None
diff --git a/src/cephadm/cephadmlib/daemons/ceph.py b/src/cephadm/cephadmlib/daemons/ceph.py
index 55a92835129..8c2c4a1d99b 100644
--- a/src/cephadm/cephadmlib/daemons/ceph.py
+++ b/src/cephadm/cephadmlib/daemons/ceph.py
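Review bot: Switching the default from `'osd'` to `'shell'` also changes the outcome of the `if ctx.fsid and daemon_type in ceph_daemons():` context line at the end of the first hunk: 'osd' satisfied it, the new pseudo-type 'shell' cannot, so whatever that branch does when a shell is started without `--name` is now skipped. The body of that branch lies outside the hunk, so I cannot tell from here whether that is harmless; the commit message only talks about mounts, so if the skip is intended the new line should say so, e.g. `daemon_type = 'shell'  # pseudo type: limited mounts, not a real ceph daemon`. The two pseudo-type literals 'shell' and 'ceph-volume' (second hunk) must stay in step with the lists in daemons/ceph.py; a shared module-level constant would keep them from drifting. command_shell and command_ceph_volume both continue past their hunks.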
@@ -386,12 +386,17 @@ def get_ceph_mounts_for_type(
 """
 mounts = dict()

- if daemon_type in ceph_daemons():
+ if daemon_type in ceph_daemons() or daemon_type in [
+ 'ceph-volume',
+ 'shell',
+ ]:
 if fsid:
 run_path = os.path.join('/var/run/ceph', fsid)
 if os.path.exists(run_path):
 mounts[run_path] = '/var/run/ceph:z'
 log_dir = os.path.join(ctx.log_dir, fsid)
+ if not os.path.exists(log_dir):
+ os.mkdir(log_dir)
 mounts[log_dir] = '/var/log/ceph:z'
 crash_dir = '/var/lib/ceph/%s/crash' % fsid
 if os.path.exists(crash_dir):
@@ -400,14 +405,19 @@ def get_ceph_mounts_for_type(
 journald_sock_dir = '/run/systemd/journal'
 mounts[journald_sock_dir] = journald_sock_dir

- if daemon_type in ['mon', 'osd', 'clusterless-ceph-volume']:
+ if daemon_type in [
+ 'mon',
+ 'osd',
+ 'ceph-volume',
+ 'clusterless-ceph-volume',
+ ]:
 mounts['/dev'] = '/dev' # FIXME: narrow this down?
 mounts['/run/udev'] = '/run/udev'
- if daemon_type in ['osd', 'clusterless-ceph-volume']:
+ if daemon_type in ['osd', 'ceph-volume', 'clusterless-ceph-volume']:
 mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
 mounts['/run/lvm'] = '/run/lvm'
 mounts['/run/lock/lvm'] = '/run/lock/lvm'
- if daemon_type == 'osd':
+ if daemon_type in ['osd', 'ceph-volume']:
 # selinux-policy in the container may not match the host.
 if HostFacts(ctx).selinux_enabled:
 cluster_dir = f'{ctx.data_dir}/{fsid}'
@@ -420,7 +430,10 @@ def get_ceph_mounts_for_type(
 logger.error(
 f'Cluster direcotry {cluster_dir} does not exist.'
 )
+ if daemon_type == 'osd':
 mounts['/'] = '/rootfs'
+ elif daemon_type == 'ceph-volume':
+ mounts['/'] = '/rootfs:rslave'

 try:
 if (
diff --git a/src/cephadm/tests/test_cephadm.py b/src/cephadm/tests/test_cephadm.py
index 6a5f4c9f00c..c22fa294cb0 100644
--- a/src/cephadm/tests/test_cephadm.py
+++ b/src/cephadm/tests/test_cephadm.py
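Review bot: The new `os.mkdir(log_dir)` in the first hunk gives a mount-lookup function a filesystem side effect, and it runs for every daemon type that reaches this branch, not only the 'shell'/'ceph-volume' pseudo-types that motivated it: `/var/log/ceph/<fsid>` is created owned by the caller (root) with the umask-derived default mode for whatever fsid is passed in, which presumably comes from the command line for `shell` and `ceph-volume`, so a mistyped fsid leaves a stray directory and real daemons deployed later may find a log directory with ownership and mode different from what the deployment path would have created. The exists-then-mkdir pair is also racy: a second concurrent cephadm invocation raises FileExistsError instead of proceeding. If creating the directory here is wanted, prefer `os.makedirs(log_dir, exist_ok=True)`, apply the same owner/mode the project's log-directory creation uses elsewhere (confirm which helper that is), and consider restricting the creation to the pseudo-types. get_ceph_mounts_for_type starts before this hunk.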
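Review bot: In the third hunk only the 'ceph-volume' branch gets the `:rslave` propagation on the host-root bind, while the 'osd' branch keeps the plain `'/rootfs'` mount; the commit message justifies rslave by the host being unable to unmount things while a container holds `/`, and that applies at least as much to the long-lived OSD container as to a one-shot ceph-volume run. Either the OSD mount should take the same option or a comment should record why it must stay a shared mount, e.g. `# osd deliberately keeps a non-slave mount of /: <reason>`. Since `mounts['/']` is the broadest mount this function grants, a one-line comment on why ceph-volume needs the host root beyond the /dev, /sys and lvm mounts added in the second hunk would also help a later reader narrow it. The function continues past the hunk.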
@@ -402,6 +402,7 @@ class TestCephAdm(object): 'cephadm.read_configuration_source', dest=lambda c: {} ) funkypatch.patch('cephadm.fetch_custom_config_files') + funkypatch.patch('os.mkdir') ctx = _cephadm.CephadmContext() ctx.name = 'mon.test' -- 2.39.5
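Review bot: Patching `os.mkdir` here only neutralises the new side effect in get_ceph_mounts_for_type; nothing in this commit asserts the mount sets it introduces, e.g. that daemon_type 'shell' yields no /dev, /sys or / entries and that 'ceph-volume' yields `'/rootfs:rslave'`. A small parametrised test over those two pseudo-types against get_ceph_mounts_for_type would pin the behaviour the commit message promises. The enclosing test method starts before this hunk.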