Skip to content

cephadm-e2e: ensure crun + chmod libvirt socket for rootless podman #2590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
afreen23 wants to merge 2 commits into
base: main
Choose a base branch
from
+11 −3
Open

cephadm-e2e: ensure crun + chmod libvirt socket for rootless podman #2590

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0a0936d
cephadm-e2e: ensure crun + chmod libvirt socket for rootless podman
afreen23 May 20, 2026
2476ac7
cephadm-e2e: fix file ownership for rootless podman
afreen23 May 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ceph-dashboard-cephadm-e2e/build/cleanup
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ set +x
echo "Starting cleanup..."

with_libvirt() {
# Ensure socket is accessible in case permissions were reset
sudo chmod 0666 /var/run/libvirt/libvirt-sock 2>/dev/null || true
sg libvirt -c "$1"
}

Expand Down
12 changes: 9 additions & 3 deletions scripts/dashboard/install-cephadm-e2e-deps.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,16 +39,21 @@ nvm install
nvm use
popd

sudo apt install -y libvirt-daemon-system libvirt-daemon-driver-qemu qemu-kvm libvirt-clients
sudo apt install -y libvirt-daemon-system libvirt-daemon-driver-qemu qemu-kvm libvirt-clients crun

sudo usermod -aG libvirt $(id -un)
newgrp libvirt # Avoid having to log out and log in for group addition to take effect.
sudo systemctl enable --now libvirtd

# Rootless podman creates a user namespace that drops supplementary groups.
# --group-add keep-groups (crun) preserves them, but only if crun is the
# OCI runtime. As a robust fallback, also widen socket permissions so the
# mapped UID can connect regardless of group membership.
sudo chmod 0666 /var/run/libvirt/libvirt-sock
Copy link
Copy Markdown
Member

@nizamial09 nizamial09 May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i am a bit skeptical about elevating this permission. why not just use the crun as the runtime for podman by passing --runtime crun to the podman command instead of elevating the sock permissions? would that fix the issue?

Copy link
Copy Markdown
Contributor Author

@afreen23 afreen23 May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I was just debugging and became so aggressive with the fix , did not refine code, good point will try that.


KCLI_CONFIG_DIR="${HOME}/.kcli"
mkdir -p ${KCLI_CONFIG_DIR}
if [[ ! -f "${KCLI_CONFIG_DIR}/id_rsa" ]]; then
sudo ssh-keygen -t rsa -q -f "${KCLI_CONFIG_DIR}/id_rsa" -N "" <<< y
ssh-keygen -t rsa -q -f "${KCLI_CONFIG_DIR}/id_rsa" -N "" <<< y
fi

: ${KCLI_CONTAINER_IMAGE:='quay.io/karmab/kcli:2543a61'}
Expand All @@ -70,6 +75,7 @@ sudo chmod +x /usr/local/bin/kcli

# KCLI cleanup function can be found here: https://github.com/ceph/ceph/blob/main/src/pybind/mgr/dashboard/ci/cephadm/start-cluster.sh
sudo mkdir -p /var/lib/libvirt/images/ceph-dashboard
sudo chown "$(id -u):$(id -g)" /var/lib/libvirt/images/ceph-dashboard

with_libvirt() {
sg libvirt -c "$1"
Expand Down