cephadm-e2e: ensure crun + chmod libvirt socket for rootless podman #2590
afreen23 wants to merge 2 commits into
Conversation
--group-add keep-groups requires crun as the OCI runtime; runc silently ignores it. Install crun explicitly and chmod the libvirt socket as a fallback so the mapped UID inside rootless podman can always connect. Also removes newgrp which is unreliable inside non-interactive scripts. Signed-off-by: Afreen Misbah <afreen@ibm.com>
sudo creates the kcli SSH key as root:root and the image pool directory as root:root. Inside rootless podman the container's uid 0 maps to jenkins-build (uid 1000) on the host, so the kernel denies access to root-owned files. Drop sudo from ssh-keygen and chown the image pool directory so both are owned by the build user and readable/writable inside the container's user namespace. Signed-off-by: Afreen Misbah <afreen@ibm.com>
The kcli root issues are gone. kcli setup completed successfully: https://jenkins.ceph.com/job/ceph-dashboard-cephadm-e2e/22829/console (previous run: https://jenkins.ceph.com/job/ceph-dashboard-cephadm-e2e/22719/consoleFull). This PR fixes only kcli installation; for the complete job to run, this fix is needed as well: ceph/ceph#69116 (comment)
# --group-add keep-groups (crun) preserves them, but only if crun is the
# OCI runtime. As a robust fallback, also widen socket permissions so the
# mapped UID can connect regardless of group membership.
sudo chmod 0666 /var/run/libvirt/libvirt-sock
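Review bot: `sudo chmod 0666 /var/run/libvirt/libvirt-sock` makes the libvirt control socket writable by every local account on the Jenkins host, and the comment directly above it states that the widening applies "regardless of group membership", which means the `--group-add keep-groups` path above it is no longer doing anything. Nothing in the hunk restores the original mode afterwards either. Instead of the fallback, make the runtime explicit on the `podman run` line (`--runtime crun --group-add keep-groups`) and fail the job early if `podman info --format '{{.Host.OCIRuntime.Name}}'` does not report `crun`, so the socket stays restricted to the libvirt group and a missing crun surfaces as an error rather than as a silently world-writable socket.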
I am a bit skeptical about elevating this permission. Why not just use crun as the runtime for podman by passing --runtime crun to the podman command instead of elevating the sock permissions? Would that fix the issue?
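The alternative suggested in the review, written out as an added example (this is not code from the ceph-dashboard cephadm-e2e job or from this PR): pin the OCI runtime to crun, keep the host user's supplementary groups with `--group-add keep-groups`, and verify the libvirt socket is writable from inside the rootless container without touching its mode. The image name, the `LIBVIRT_SOCK` path and the bind mount of the socket are assumptions; the host user is assumed to be a member of the `libvirt` group, which is what keep-groups carries into the container.

```shell
#!/bin/sh
# Added example, not the project's script. Run as: ./run-kcli.sh IMAGE
# Assumes the invoking host user is in the libvirt group and that the
# libvirt socket path below matches the host.
set -eu

LIBVIRT_SOCK="${LIBVIRT_SOCK:-/var/run/libvirt/libvirt-sock}"

# Name of the OCI runtime podman will pick by default ("crun", "runc", ...).
podman_runtime() {
    podman info --format '{{.Host.OCIRuntime.Name}}'
}

# --group-add keep-groups is honoured by crun only; runc ignores it.
runtime_supports_keep_groups() {
    case "$1" in
        crun) return 0 ;;
        *)    return 1 ;;
    esac
}

# Flags for podman run: force crun, preserve supplementary groups and bind
# the socket in, instead of widening the socket mode on the host.
# One flag/value per line so the caller can word-split them safely.
podman_run_flags() {
    printf '%s\n' \
        --runtime crun \
        --group-add keep-groups \
        --volume "${LIBVIRT_SOCK}:${LIBVIRT_SOCK}"
}

main() {
    image="$1"
    rt="$(podman_runtime)"
    if ! runtime_supports_keep_groups "$rt"; then
        echo "default OCI runtime is '$rt'; keep-groups needs crun (dnf/apt install crun)" >&2
        exit 1
    fi
    # Inside the container uid 0 is the host user; the socket shows up as
    # nobody:nogroup because its owner/group are unmapped, but the kernel
    # still checks the leaked host groups, so test -w reports whether the
    # libvirt group membership survived keep-groups.
    # shellcheck disable=SC2046
    podman run --rm $(podman_run_flags) "$image" \
        sh -c 'id; if [ -w "$0" ]; then echo "libvirt socket writable"; else echo "libvirt socket NOT writable" >&2; exit 1; fi' \
        "$LIBVIRT_SOCK"
}

# Only run when an image is given, so sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If `podman_runtime` prints `runc`, the fix is to install crun (and, if needed, set `runtime = "crun"` in containers.conf) rather than to chmod the socket; the check above turns a silent loss of group membership into a job failure.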
I guess I was just debugging and became so aggressive with the fix that I did not refine the code. Good point, will try that.
@afreen23 hi Afreen, does this change address the issue at https://tracker.ceph.com/issues/76929 ?
Yes