
sit.cephfs: Add proxy enabled shares with vfs_ceph_new(non-mgr) #128

Merged

Conversation

anoopcs9
Collaborator

With ceph/ceph#58376 merged we have the libcephfs proxy library and its dependencies available with upstream. Therefore we try to create an additional share with proxy enabled.

Please note that even though we have the required Recommends: for dependent packages defined in the rpm spec file (and visible with built rpms) there is an extra mile that DNF takes as part of the libsolv library which prevents them from being presented as installable weak dependencies as one would expect as per the docs.

depends on ceph/ceph#61537


@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from c171265 to 8bfbce6 on January 30, 2025 13:28
xhernandez
xhernandez previously approved these changes Jan 30, 2025
@anoopcs9
Collaborator Author

We'll have to probably wait for the packages to be built with ceph/ceph#61537

and

There's still a TODO for resolving the following SELinux AVC denials:

type=AVC msg=audit(1738236295.070:1470): avc: denied { write } for pid=41822 comm="smbd[192.168.12" name="libcephfsd.sock" dev="tmpfs" ino=1908 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1

type=AVC msg=audit(1738236295.070:1470): avc: denied { connectto } for pid=41822 comm="smbd[192.168.12" path="/run/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

@anoopcs9
Collaborator Author

We'll have to probably wait for the packages to be built with ceph/ceph#61537

Done.

and

There's still a TODO for resolving the following SELinux AVC denials:

type=AVC msg=audit(1738236295.070:1470): avc: denied { write } for pid=41822 comm="smbd[192.168.12" name="libcephfsd.sock" dev="tmpfs" ino=1908 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1

Temporarily did a hack to create the socket under /run/samba where all required permissions (basically rw) are already granted for smbd.

type=AVC msg=audit(1738236295.070:1470): avc: denied { connectto } for pid=41822 comm="smbd[192.168.12" path="/run/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

For this we may have to create a custom policy until upstream agrees to come up with a boolean(probably samba_load_cephfs_proxy) to contain allow rules for above mentioned AVC denials.

@anoopcs9
Collaborator Author

Confirmation on the final pending SELinux AVC denial from failed test run logs:

$ grep type=AVC sit_statedump/storage2/log/audit/audit.log | grep smbd
type=AVC msg=audit(1738328323.323:3830): avc:  denied  { connectto } for  pid=57963 comm="smbd[192.168.12" path="/run/samba/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
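As an added example that is not part of this PR or of the sit-environment code: the three AVC lines quoted in this thread, parsed into the minimal local SELinux TE module that the "compile and insert a local policy" approach needs, with a check for which denial was recorded with permissive=0 (the one that really blocked smbd in the enforcing test run). The module name is a hypothetical placeholder; the audit lines are embedded as a constructed sample.

```python
import re

# Constructed sample input: the AVC lines quoted in this thread (two from the
# permissive run, one from the enforcing run that failed the test).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1738236295.070:1470): avc: denied { write } for pid=41822 comm="smbd[192.168.12" name="libcephfsd.sock" dev="tmpfs" ino=1908 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1738236295.070:1470): avc: denied { connectto } for pid=41822 comm="smbd[192.168.12" path="/run/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1738328323.323:3830): avc:  denied  { connectto } for  pid=57963 comm="smbd[192.168.12" path="/run/samba/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)

def parse_avc(text):
    """Parse AVC denial lines; the type is field 3 of user:role:type[:range]."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"source": m["scontext"].split(":")[2],
                            "target": m["tcontext"].split(":")[2],
                            "tclass": m["tclass"], "perms": frozenset(m["perms"].split()),
                            "enforced": m["permissive"] == "0"})  # 0 = access really blocked
    return denials

def enforced_denials(denials):
    """Only denials logged with permissive=0 actually failed the caller (smbd here)."""
    return [d for d in denials if d["enforced"]]

def policy_module(name, denials):
    """Render a minimal .te module (audit2allow style) covering the given denials."""
    rules, classes, types = {}, {}, set()
    for d in denials:
        rules.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
        classes.setdefault(d["tclass"], set()).update(d["perms"])
        types.update((d["source"], d["target"]))
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Feeding only enforced_denials() into policy_module() yields just the connectto rule, which matches the socket having moved under /run/samba; the generated allow towards unconfined_t is broad, so it is worth reading before it is compiled and inserted.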

anoopcs9 added a commit to anoopcs9/sit-environment that referenced this pull request Feb 3, 2025
For the time being, until the official fix[1] is available with standard
selinux-policy packages, compile and insert a local SELinux policy to
allow smbd to connect via unix stream sockets for proper functioning of
libcephfs proxy. Refer comments from [2] for more details.

[1]
[2] samba-in-kubernetes#128

Signed-off-by: Anoop C S <[email protected]>
@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from c7a7f3a to fd35f0e on February 3, 2025 09:53
@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from fd35f0e to 5a65420 on February 3, 2025 10:13
@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from 5a65420 to 61e6cd6 on February 3, 2025 11:17
@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from 61e6cd6 to d7d57ca on February 3, 2025 12:30
For the time being, until the official fix[1] is available with standard
selinux-policy packages, compile and insert a local SELinux policy to
allow smbd to connect via unix stream sockets for proper functioning of
libcephfs proxy. Refer comments from [2] for more details.

[1] fedora-selinux/selinux-policy#2555
[2] samba-in-kubernetes#128

Signed-off-by: Anoop C S <[email protected]>
The additional share configuration is currently included only for
default variant where ceph smb mgr module is not involved.

Signed-off-by: Anoop C S <[email protected]>
@anoopcs9 anoopcs9 force-pushed the add-cephfs-proxy-non-mgr branch from d7d57ca to 1808c35 on February 4, 2025 12:19
@anoopcs9
Collaborator Author

anoopcs9 commented Feb 4, 2025

There's still a TODO for resolving the following SELinux AVC denials:

type=AVC msg=audit(1738236295.070:1470): avc: denied { write } for pid=41822 comm="smbd[192.168.12" name="libcephfsd.sock" dev="tmpfs" ino=1908 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1738236295.070:1470): avc: denied { connectto } for pid=41822 comm="smbd[192.168.12" path="/run/libcephfsd.sock" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

fedora-selinux/selinux-policy#2555 created upstream to address the above SELinux issues.

@anoopcs9 anoopcs9 marked this pull request as ready for review February 4, 2025 12:21
@anoopcs9
Collaborator Author

anoopcs9 commented Feb 5, 2025

Proxy enabled share configuration from test statedump:

[share-cephfs-default-vfs-new-proxy]
comment = Volume 'share' from cephfs(default vfs-new-proxy)
vfs objects = acl_xattr ceph_snapshots ceph_new
ceph_new:config_file = /etc/ceph/sit.ceph.conf
ceph_new:user_id = sit
ceph_new:proxy = yes
path = /volumes/_nogroup/share/9efd7a3c-72ff-4eb3-8abc-909703ca9da1
browseable = yes
read only = no
acl_xattr:security_acl_name = user.NTACL

and the sanity runs passed on the additional share.

==================================== PASSES ====================================
=========================== short test summary info ============================
PASSED testcases/consistency/test_consistency.py::test_consistency[192.168.123.10-share-cephfs-default-vfs-new]
PASSED testcases/consistency/test_consistency.py::test_consistency[192.168.123.10-share-cephfs-default-vfs-new-proxy]
PASSED testcases/consistency/test_consistency.py::test_consistency[192.168.123.10-share-cephfs-default-kclient]
PASSED testcases/consistency/test_consistency.py::test_consistency[192.168.123.10-share-cephfs-default-vfs]
============================== 4 passed in 0.94s ===============================

@anoopcs9 anoopcs9 merged commit d4df75c into samba-in-kubernetes:main Feb 5, 2025
7 of 8 checks passed
anoopcs9 added a commit that referenced this pull request Feb 5, 2025
For the time being, until the official fix[1] is available with standard
selinux-policy packages, compile and insert a local SELinux policy to
allow smbd to connect via unix stream sockets for proper functioning of
libcephfs proxy. Refer comments from [2] for more details.

[1] fedora-selinux/selinux-policy#2555
[2] #128

Signed-off-by: Anoop C S <[email protected]>
@anoopcs9 anoopcs9 deleted the add-cephfs-proxy-non-mgr branch February 5, 2025 05:46