From: Max Carrara <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v3 master ceph 01/13] debian: add patch to fix ceph crash dir permissions in postinst hook
Date: Fri, 16 Feb 2024 15:56:03 +0100
Message-ID: <20240216145615.2301594-2-m.carrara@proxmox.com>
In-Reply-To: <20240216145615.2301594-1-m.carrara@proxmox.com>
Ceph has a postinst hook that sets the ownership of '/var/lib/ceph/*'
to ceph:ceph (in our case), but misses out on the contents of
'/var/lib/ceph/crash'.
This patch therefore also recursively updates the permissions of
'/var/lib/ceph/crash'.
Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
Changes v1 --> v2:
* use `find` instead of for-loop
Changes v2 --> v3:
* rebased on master
* `chown` all kinds of entries, not just files and directories
(as discussed off-list)
* instead of `chown`-ing '/var/lib/ceph/**/*', recursively call `chown`
on the contents of `/var/lib/ceph/crash` (as discussed off-list)
...ly-adjust-permissions-of-var-lib-cep.patch | 54 +++++++++++++++++++
patches/series | 1 +
2 files changed, 55 insertions(+)
create mode 100644 patches/0016-debian-recursively-adjust-permissions-of-var-lib-cep.patch
diff --git a/patches/0016-debian-recursively-adjust-permissions-of-var-lib-cep.patch b/patches/0016-debian-recursively-adjust-permissions-of-var-lib-cep.patch
new file mode 100644
index 000000000..36f4df3aa
--- /dev/null
+++ b/patches/0016-debian-recursively-adjust-permissions-of-var-lib-cep.patch
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Max Carrara <m.carrara@proxmox.com>
+Date: Thu, 1 Feb 2024 18:43:36 +0100
+Subject: [PATCH] debian: recursively adjust permissions of /var/lib/ceph/crash
+
+A rather recent PR made ceph-crash run as "ceph" user instead of
+root [0]. However, because /var/lib/ceph/crash/posted belongs to root,
+ceph-crash cannot actually post any crash logs now.
+
+This commit fixes this by recursively updating the permissions of
+'/var/lib/ceph/crash', which ensures that all files and directories
+used by 'ceph-crash.service' are actually owned by the user configured
+for Ceph.
+
+The previously existing loop has also been replaced by an invocation
+of `find | xargs`.
+
+[0]: https://github.com/ceph/ceph/pull/48713
+
+Signed-off-by: Max Carrara <m.carrara@proxmox.com>
+---
+ debian/ceph-base.postinst | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/debian/ceph-base.postinst b/debian/ceph-base.postinst
+index 75eeb59c624..424c2c889d5 100644
+--- a/debian/ceph-base.postinst
++++ b/debian/ceph-base.postinst
+@@ -33,13 +33,15 @@ case "$1" in
+ rm -f /etc/init/ceph.conf
+ [ -x /sbin/start ] && start ceph-all || :
+
+- # adjust file and directory permissions
+- for DIR in /var/lib/ceph/* ; do
+- if ! dpkg-statoverride --list $DIR >/dev/null
+- then
+- chown $SERVER_USER:$SERVER_GROUP $DIR
+- fi
+- done
++ PERM_COMMAND="dpkg-statoverride --list '{}' > /dev/null || chown ${SERVER_USER}:${SERVER_GROUP} '{}'"
++
++ # adjust file and directory permissions
++ find /var/lib/ceph -mindepth 1 -maxdepth 1 -print0 \
++ | xargs -0 -I '{}' sh -c "${PERM_COMMAND}"
++
++ # adjust permissions so ceph-crash.service can post reports
++ find /var/lib/ceph/crash -print0 \
++ | xargs -0 -I '{}' sh -c "${PERM_COMMAND}"
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+ :
+--
+2.39.2
+
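Review bot: In the added `PERM_COMMAND` line of the inner postinst hunk, `'{}'` is substituted by `xargs -I` into the string handed to `sh -c`, so every path becomes shell source text rather than an argument. A name that contains a single quote ends the quoting and the rest is parsed by the shell, in a maintainer script that runs as root over `/var/lib/ceph/crash`, a directory that ceph-crash writes to as the "ceph" user according to the commit message. Pass the path as a positional parameter instead, for example `sh -c 'dpkg-statoverride --list "$1" >/dev/null || chown "$2" "$1"' sh '{}' "${SERVER_USER}:${SERVER_GROUP}"`, or use `find ... -exec` with the same `"$1"` form. Because the second `find` has no `-type` filter and v3 deliberately covers all kinds of entries, `chown -h` is also worth considering so that a symlink inside the crash directory has its own ownership changed instead of its target's. Minor: the comments and subject say "permissions" while the code changes ownership only.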
diff --git a/patches/series b/patches/series
index 6ad754713..83a168ec9 100644
--- a/patches/series
+++ b/patches/series
@@ -13,3 +13,4 @@
0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
0014-rocksb-inherit-parent-cmake-cxx-flags.patch
0015-ceph-osd-postinst-avoid-reloading-all-sysctl-setting.patch
+0016-debian-recursively-adjust-permissions-of-var-lib-cep.patch
--
2.39.2