[PATCH manager] fix #7011: ceph monitor: set ownership of monitor logs

[PATCH manager] fix #7011: ceph monitor: set ownership of monitor logs

[Thomas Lamprecht]

From: Dominik Rusovac <d.rusovac@proxmox.com>

Ownership of the ceph monitor log file is now set to ceph:ceph after the
creation of a new monitor and before the new monitor starts. Hence,
effective ceph monitor logging on freshly set up ceph clusters no longer
depends on the first upgrade of ceph-common.

For setups (still) affected by #7011 it is required that ownership of
the ceph monitor log file is set to ceph:ceph (either manually or due to
some ceph-common upgrade), followed by a monitor restart.

Signed-off-by: Dominik Rusovac <d.rusovac@proxmox.com>
Reviewed-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Link: https://lore.proxmox.com/20251217083819.33912-1-d.rusovac@proxmox.com
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 PVE/API2/Ceph/MON.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/PVE/API2/Ceph/MON.pm b/PVE/API2/Ceph/MON.pm
index 70fc158dd..18407b1c2 100644
--- a/PVE/API2/Ceph/MON.pm
+++ b/PVE/API2/Ceph/MON.pm
@@ -428,6 +428,15 @@ __PACKAGE__->register_method({
                             $mon_keyring,
                         ]);
                         run_command(['chown', 'ceph:ceph', '-R', $mondir]);
+
+                        eval {
+                            # fix-up initial log file from freshly created monitor here, as currently
+                            # we cannot instruct ceph-mon to create it with the correct ownership without
+                            # losing access to the mon keyring inside pmxcfs.
+                            run_command(
+                                ['chown', 'ceph:ceph', "/var/log/ceph/ceph-mon.$monid.log"]);
+                        };
+                        warn "$@" if $@;
                     };
                     my $err = $@;
                     unlink $monmap;
-- 
2.47.3