Thomas Lamprecht <[email protected]> writes:
> On 16.12.25 at 13:06, Maximiliano Sandoval wrote:
>> Thomas Lamprecht <[email protected]> writes:
>>
>>> On 12.12.25 at 14:05, Dominik Rusovac wrote:
>>>> Ownership of ceph logs is now set to ceph:ceph after the creation of a
>>>> new monitor and before the new monitor starts. Hence, effective ceph
>>>> monitor logging on freshly set up ceph clusters no longer depends on the
>>>> first upgrade of ceph-common.
>>>
>>> Might it be a better fix to then change the postinst script of
>>> ceph-common, or whatever package's postinst script creates those
>>> directories, to chown them to ceph:ceph? That way it would also work
>>> if one installs ceph directly, circumventing pveceph. While that is
>>> not exactly something we promote, but it's not really hard, and
>>> packaging is often a good place to take care of such things like
>>> directory ownership.
>>
>> The directories are created with the right permissions and owner, the
>> issue here is that the monitor logs generated when we create the monitor
>> (the command above the call introduced by the patch) are created with
>> root as the owner.
>>
>
> Ok, thanks for your input, I missed your other reply due to searching
> explicitly for Dominik's patch due to talking with him in the morning.
>
> Anyhow, then I'd favor addressing the actual root cause in the
> "ceph-mon --mkfs" command over this approach here, might not be that
> complicated - I'm sure Max might have some pointers or could help, having
> wrestled with the ceph tooling in the past.
>
> Again, something like that here can still be fine as stop-gap, but then
> I really would use chown function inside a call to dir_glob_regex from
> PVE::Tools.

For the sake of documenting my findings: the problem when giving
ceph-mon the right ceph:ceph user (via the --set{user,group} options) is
that our keyring is at /etc/pve and while this fixes the permissions on
the log file, the command (and task) would fail and the logs will end
in:
```
2025-12-16T13:48:47.307+0100 7282faa52cc0 -1 mon.c0-pve-101@-1(???) e0 unable
to find a keyring on /etc/pve/priv/ceph.mon.keyring: (13) Permission denied
```
since the keyring has 600 permissions.
I think that one could simplify the proposed patch here to only chown
/var/log/ceph/ceph-mon.$monid.log instead of using any glob.
--
Maximiliano