cephadm: drop --allow-ptrace option

`--container_cli_args` which is more generic allows to set that kind of parameter. Since there's no need to have a dedicated option for this, let's drop this one. Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
ceph · Oct 19, 2021 · b6bf048 · b6bf048
1 parent 7135c63
commit b6bf048
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 35 deletions.
diff --git a/doc/man/8/cephadm.rst b/doc/man/8/cephadm.rst
@@ -84,7 +84,7 @@ Synopsis
 | **cephadm** **deploy** [-h] --name NAME --fsid FSID [--config CONFIG]
 |                        [--config-json CONFIG_JSON] [--keyring KEYRING]
 |                        [--key KEY] [--osd-fsid OSD_FSID] [--skip-firewalld]
-|                        [--tcp-ports TCP_PORTS] [--reconfig] [--allow-ptrace]
+|                        [--tcp-ports TCP_PORTS] [--reconfig]
 
 | **cephadm** **check-host** [-h] [--expect-hostname EXPECT_HOSTNAME]
 
@@ -296,7 +296,6 @@ Arguments:
 * [--skip-firewalld]          Do not configure firewalld
 * [--tcp-ports                List of tcp ports to open in the host firewall
 * [--reconfig]                Reconfigure a previously deployed daemon
-* [--allow-ptrace]            Allow SYS_PTRACE on daemon container
 
 
 enter

diff --git a/qa/tasks/cephadm.py b/qa/tasks/cephadm.py
@@ -480,7 +480,7 @@ def ceph_bootstrap(ctx, config):
         # set options
         if config.get('allow_ptrace', True):
             _shell(ctx, cluster_name, bootstrap_remote,
-                   ['ceph', 'config', 'set', 'mgr', 'mgr/cephadm/allow_ptrace', 'true'])
+                   ['ceph', 'config', 'set', 'mgr', 'mgr/cephadm/container_cli_args', '--value="--cap-add=PTRACE"'])
 
         if not config.get('avoid_pacific_features', False):
             log.info('Distributing conf and client.admin keyring to all hosts + 0755')

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
@@ -2490,7 +2490,6 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id,
 def get_container(ctx: CephadmContext,
                   fsid: str, daemon_type: str, daemon_id: Union[int, str],
                   privileged: bool = False,
-                  ptrace: bool = False,
                   container_args: Optional[List[str]] = None) -> 'CephContainer':
     entrypoint: str = ''
     name: str = ''
@@ -2589,7 +2588,6 @@ def get_container(ctx: CephadmContext,
         bind_mounts=get_container_binds(ctx, fsid, daemon_type, daemon_id),
         envs=envs,
         privileged=privileged,
-        ptrace=ptrace,
         host_network=host_network,
     )
 
@@ -3213,7 +3211,6 @@ class CephContainer:
                  container_args: List[str] = [],
                  envs: Optional[List[str]] = None,
                  privileged: bool = False,
-                 ptrace: bool = False,
                  bind_mounts: Optional[List[List[str]]] = None,
                  init: Optional[bool] = None,
                  host_network: bool = True,
@@ -3230,7 +3227,6 @@ class CephContainer:
         self.container_args = container_args
         self.envs = envs
         self.privileged = privileged
-        self.ptrace = ptrace
         self.bind_mounts = bind_mounts if bind_mounts else []
         self.init = init if init else ctx.container_init
         self.host_network = host_network
@@ -3250,7 +3246,6 @@ class CephContainer:
                    container_args: List[str] = [],
                    envs: Optional[List[str]] = None,
                    privileged: bool = False,
-                   ptrace: bool = False,
                    bind_mounts: Optional[List[List[str]]] = None,
                    init: Optional[bool] = None,
                    host_network: bool = True,
@@ -3267,7 +3262,6 @@ class CephContainer:
             container_args=container_args,
             envs=envs,
             privileged=privileged,
-            ptrace=ptrace,
             bind_mounts=bind_mounts,
             init=init,
             host_network=host_network,
@@ -3346,11 +3340,11 @@ class CephContainer:
                 '--privileged',
                 # let OSD etc read block devs that haven't been chowned
                 '--group-add=disk'])
-        if self.ptrace and not self.privileged:
-            # if privileged, the SYS_PTRACE cap is already added
-            # in addition, --cap-add and --privileged are mutually
-            # exclusive since podman >= 2.0
-            cmd_args.append('--cap-add=SYS_PTRACE')
+            if '--cap-add=PTRACE' in self.container_cli_args:
+                # if privileged, the SYS_PTRACE cap is already added
+                # in addition, --cap-add and --privileged are mutually
+                # exclusive since podman >= 2.0
+                self.container_cli_args.remove('--cap-add=PTRACE')
         if self.init:
             cmd_args.append('--init')
             envs += ['-e', 'CEPH_USE_RANDOM_NONCE=1']
@@ -4754,8 +4748,7 @@ def command_deploy(ctx):
         uid, gid = extract_uid_gid(ctx)
         make_var_run(ctx, ctx.fsid, uid, gid)
 
-        c = get_container(ctx, ctx.fsid, daemon_type, daemon_id,
-                          ptrace=ctx.allow_ptrace)
+        c = get_container(ctx, ctx.fsid, daemon_type, daemon_id)
         deploy_daemon(ctx, ctx.fsid, daemon_type, daemon_id, c, uid, gid,
                       config=config, keyring=keyring,
                       osd_fsid=ctx.osd_fsid,
@@ -4827,8 +4820,7 @@ def command_deploy(ctx):
         if not ctx.reconfig and not redeploy:
             daemon_ports.extend(cc.ports)
         c = get_container(ctx, ctx.fsid, daemon_type, daemon_id,
-                          privileged=cc.privileged,
-                          ptrace=ctx.allow_ptrace)
+                          privileged=cc.privileged)
         deploy_daemon(ctx, ctx.fsid, daemon_type, daemon_id, c,
                       uid=cc.uid, gid=cc.gid, config=None,
                       keyring=None, reconfig=ctx.reconfig,
@@ -7851,10 +7843,6 @@ def _get_parser():
         '--reconfig',
         action='store_true',
         help='Reconfigure a previously deployed daemon')
-    parser_deploy.add_argument(
-        '--allow-ptrace',
-        action='store_true',
-        help='Allow SYS_PTRACE on daemon container')
     parser_deploy.add_argument(
         '--container-init',
         action='store_true',

diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
@@ -236,16 +236,6 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule,
             default=True,
             desc='log to the "cephadm" cluster log channel"',
         ),
-        Option(
-            'allow_ptrace',
-            type='bool',
-            default=False,
-            desc='allow SYS_PTRACE capability on ceph containers',
-            long_desc='The SYS_PTRACE capability is needed to attach to a '
-            'process with gdb or strace.  Enabling this options '
-            'can allow debugging daemons that encounter problems '
-            'at runtime.',
-        ),
         Option(
             'container_init',
             type='bool',
@@ -399,7 +389,6 @@ def __init__(self, *args: Any, **kwargs: Any):
             self.warn_on_stray_hosts = True
             self.warn_on_stray_daemons = True
             self.warn_on_failed_host_check = True
-            self.allow_ptrace = False
             self.container_init = True
             self.prometheus_alerts_path = ''
             self.migration_current: Optional[int] = None

diff --git a/src/pybind/mgr/cephadm/serve.py b/src/pybind/mgr/cephadm/serve.py
@@ -1074,8 +1074,6 @@ def _create_daemon(self,
 
                 if reconfig:
                     daemon_spec.extra_args.append('--reconfig')
-                if self.mgr.allow_ptrace:
-                    daemon_spec.extra_args.append('--allow-ptrace')
 
                 if self.mgr.cache.host_needs_registry_login(daemon_spec.host) and self.mgr.registry_url:
                     self._registry_login(daemon_spec.host, self.mgr.registry_url,