d/postinst: ensure all ceph state files/dirs have correct owner

Ceph has a postinst hook that sets the ownership of '/var/lib/ceph/*' to ceph:ceph (in our case), but misses out on the contents of '/var/lib/ceph/crash'. This patch therefore also recursively updates the permissions of '/var/lib/ceph/crash'. The change was also proposed upstream [0]. [0]: https://github.com/ceph/ceph/pull/55917 Signed-off-by: Max Carrara <m.carrara@proxmox.com> (cherry picked from commit d52158f918) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2025-04-28 12:54:34 +00:00 · 2024-03-05 16:07:45 +01:00 · 2024-03-05 16:07:45 +01:00 · 2c43e981ad
commit 2c43e981ad
parent f19ec7906d
2 changed files with 55 additions and 0 deletions
--- a/patches/0025-debian-recursively-adjust-permissions-of-var-lib-cep.patch
+++ b/patches/0025-debian-recursively-adjust-permissions-of-var-lib-cep.patch
@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Max Carrara <m.carrara@proxmox.com>
+Date: Thu, 1 Feb 2024 18:43:36 +0100
+Subject: [PATCH] debian: recursively adjust permissions of /var/lib/ceph/crash
+
+A rather recent PR made ceph-crash run as "ceph" user instead of
+root [0]. However, because /var/lib/ceph/crash/posted belongs to root,
+ceph-crash cannot actually post any crash logs now.
+
+This commit fixes this by recursively updating the permissions of
+'/var/lib/ceph/crash', which ensures that all files and directories
+used by 'ceph-crash.service' are actually owned by the user configured
+for Ceph.
+
+The previously existing loop has also been replaced by an invocation
+of `find | xargs`.
+
+[0]: https://github.com/ceph/ceph/pull/48713
+
+Signed-off-by: Max Carrara <m.carrara@proxmox.com>
+---
+ debian/ceph-base.postinst | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/debian/ceph-base.postinst b/debian/ceph-base.postinst
+index 75eeb59c624..424c2c889d5 100644
+--- a/debian/ceph-base.postinst
+++ b/debian/ceph-base.postinst
+@@ -33,13 +33,15 @@ case "$1" in
+ 	rm -f /etc/init/ceph.conf
+ 	[ -x /sbin/start ] && start ceph-all || :
+ 
+-        # adjust file and directory permissions
+-	for DIR in /var/lib/ceph/* ; do
+-	    if ! dpkg-statoverride --list $DIR >/dev/null
+-	    then
+-		chown $SERVER_USER:$SERVER_GROUP $DIR
+-	    fi
+-	done
+	PERM_COMMAND="dpkg-statoverride --list '{}' > /dev/null || chown ${SERVER_USER}:${SERVER_GROUP} '{}'"
+
+	# adjust file and directory permissions
+	find /var/lib/ceph -mindepth 1 -maxdepth 1 -print0 \
+	    | xargs -0 -I '{}' sh -c "${PERM_COMMAND}"
+
+	# adjust permissions so ceph-crash.service can post reports
+	find /var/lib/ceph/crash -print0 \
+	    | xargs -0 -I '{}' sh -c "${PERM_COMMAND}"
+     ;;
+     abort-upgrade|abort-remove|abort-deconfigure)
+ 	:
+-- 
+2.39.2
+
--- a/patches/series
+++ b/patches/series
@ -16,3 +16,4 @@
 0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
 0023-rocksb-inherit-parent-cmake-cxx-flags.patch
 0024-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch
+0025-debian-recursively-adjust-permissions-of-var-lib-cep.patch