public inbox for pve-devel@lists.proxmox.com
From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Dominik Rusovac <d.rusovac@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-manager] fix #7011: ceph monitor: set ownership of monitor logs
Date: Tue, 16 Dec 2025 13:54:20 +0100
Message-ID: <s8o4ipq37ur.fsf@proxmox.com>
In-Reply-To: <3ef61f79-998e-46a1-ba14-ca4277ff482c@proxmox.com> (Thomas Lamprecht's message of "Tue, 16 Dec 2025 13:14:59 +0100")

Thomas Lamprecht <t.lamprecht@proxmox.com> writes:

> On 16.12.25 at 13:06, Maximiliano Sandoval wrote:
>> Thomas Lamprecht <t.lamprecht@proxmox.com> writes:
>> 
>>> On 12.12.25 at 14:05, Dominik Rusovac wrote:
>>>> Ownership of ceph logs is now set to ceph:ceph after the creation of a
>>>> new monitor and before the new monitor starts. Hence, effective ceph
>>>> monitor logging on freshly set up ceph clusters no longer depends on the
>>>> first upgrade of ceph-common.
>>>
>>> Might it be a better fix to then change the postinst script of
>>> ceph-common, or whatever packages postinst script creates those
>>> directories, to chown them to ceph:ceph? That way it would also work
>>> if one installs ceph directly, circumventing pveceph. While that is
>>> not exactly something we promote, but it's not really hard, and
>>> packaging is often a good place to take care of such things like
>>> directory ownership
>> 
>> The directories are created with the right permissions and owner, the
>> issue here is that the monitor logs generated when we create the monitor
>> (the command above the call introduced by the patch) are created with
>> root as the owner.
>> 
>
> Ok, thanks for your input, I missed your other reply due to searching
> explicitly for Dominik's patch due to talking with him in the morning.
>
> Anyhow, then I'd favor addressing the actual root cause in the
> "ceph-mon --mkfs" command over this approach here, might not be that
> complicated - I'm sure Max might have some pointers or could help, having
> wrestled with the ceph tooling in the past.
>
> Again, something like that here can still be fine as stop-gap, but then
> I really would use chown function inside a call to dir_glob_regex from
> PVE::Tools.

For the sake of documenting my findings: the problem when giving
ceph-mon the right ceph:ceph user (via the --set{user,group} options) is
that our keyring is at /etc/pve and while this fixes the permissions on
the log file, the command (and task) would fail and the logs will end
in:

```
2025-12-16T13:48:47.307+0100 7282faa52cc0 -1 mon.c0-pve-101@-1(???) e0 unable to find a keyring on /etc/pve/priv/ceph.mon.keyring: (13) Permission denied
```

since the keyring has 600 permissions.

I think that one could simplify the proposed patch here to only chown
/var/log/ceph/ceph-mon.$monid.log instead of using any glob.

-- 
Maximiliano
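
The narrower stop-gap suggested in the message above (chown only `/var/log/ceph/ceph-mon.$monid.log`, no glob), written as a shell function. This is an added example, not code from the patch or from pve-manager; the name `fix_mon_log_owner`, its arguments and the accepted monitor-id character set are assumptions.

```shell
#!/bin/sh
# Added example, not pve-manager code. fix_mon_log_owner is a hypothetical
# helper: it changes the owner of exactly one monitor log and nothing else.
# Usage: fix_mon_log_owner MONID [LOGDIR] [OWNER]
fix_mon_log_owner() {
    monid=$1
    logdir=${2:-/var/log/ceph}
    owner=${3:-ceph:ceph}

    # Assumption: a conservative id character set. Anything else is rejected
    # so the id cannot contain '/', expand as a glob, or be '.' or '..'.
    case $monid in
        ''|.|..|*[!A-Za-z0-9._-]*)
            echo "invalid monitor id: $monid" >&2
            return 2
            ;;
    esac

    log="$logdir/ceph-mon.$monid.log"

    # The log directory is writable by the unprivileged ceph user, so a
    # privileged chown must not follow a symlink placed there. Test -L
    # first because -f follows links.
    if [ -L "$log" ] || [ ! -f "$log" ]; then
        echo "refusing: $log is missing or not a regular file" >&2
        return 1
    fi

    # -h acts on the link itself if the path is swapped for a symlink
    # between the check above and this call.
    chown -h "$owner" "$log"
}
```

On a node this would be called once, after the monitor has been created and before it is started, with the id of the new monitor.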