Re: [openstack-helm] [Cinder] Cinder-Scheduler oslo_privsep.daemon.FailedToDropPrivileges: Privsep daemon failed to start
Hello, Daniel here. I have been testing and trying to solve the "oslo_privsep.daemon.FailedToDropPrivileges: Privsep daemon failed to start" error on openstack-helm-deployed Cinder. After the test with kolla-ansible I can confirm the problem is from Kubernetes, so I performed the test with all Cinder services with the privileged: true setting in values.yaml:

    pod:
      security_context:
        volume_usage_audit:
          pod:
            runAsUser: 42424
          container:
            cinder_volume_usage_audit:
              readOnlyRootFilesystem: true
              privileged: true
              allowPrivilegeEscalation: true
        cinder_api:
          pod:
            runAsUser: 42424
          container:
            ceph_coordination_volume_perms:
              runAsUser: 0
              readOnlyRootFilesystem: true
            cinder_api:
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: true
        cinder_scheduler:
          pod:
            runAsUser: 42424
          container:
            ceph_coordination_volume_perms:
              runAsUser: 0
              readOnlyRootFilesystem: true
            cinder_scheduler:
              capabilities:
                add:
                  - SYS_ADMIN
              privileged: true
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true

Also the Glance-api container too:

    pod:
      security_context:
        glance:
          pod:
            runAsUser: 42424
          container:
            glance_perms:
              readOnlyRootFilesystem: true
              runAsUser: 0
            ceph_keyring_placement:
              readOnlyRootFilesystem: true
              runAsUser: 0
            glance_api:
              privileged: true
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
            nginx:
              readOnlyRootFilesystem: false
              runAsUser: 0

With the Cinder and Glance containers set as privileged containers the problem is gone and I can create a volume from an image normally. So it is confirmed that the error is because of the pod permissions.

Also my system setup:

    OS             | Ubuntu:22.04
    Kubernetes     | 1.30.4
    Openstack-helm | 2024.1

P.S. I haven't tested with a completely clean environment with only the Ceph and OpenStack components installed.

Daniel Lu
Hello, Daniel here. I have been testing this error in a clean environment and I found out this error is actually from the Cinder-Volume pod, not Cinder-Scheduler, where the Cinder-Volume pod can't get enough permission to run oslo_privsep. Anyone trying to run openstack-helm and encountering this error when deploying has to give privilege to Cinder-Volume (no need to give more permission on any other pod). The values.yaml setting is shown below:

    cinder_volume:
      pod:
        runAsUser: 42424
      container:
        ceph_keyring_placement:
          runAsUser: 0
          readOnlyRootFilesystem: true
        ceph_coordination_volume_perms:
          runAsUser: 0
          readOnlyRootFilesystem: true
        init_cinder_conf:
          runAsUser: 0
          readOnlyRootFilesystem: true
        cinder_volume:
          privileged: true  # Give cinder_volume privileged
          readOnlyRootFilesystem: true

Simply add privileged: true on cinder_volume and everything should be fine. Perhaps cinder_volume has some wrong setting that causes the permission error?

Daniel Lu
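The thread narrows the fix down to one container, so the practical follow-up is a way to check that a values file grants privilege only where it is intended. The script below is an added example for this thread, not code from openstack-helm or Cinder. It walks the chart-style pod.security_context tree (the two fragments embedded here are transcribed from the posts above), resolves the pod-level runAsUser default for each container, and reports which containers are privileged, run as root, allow privilege escalation or add capabilities, so a deployment can be checked against an allow-list such as "only cinder_volume/cinder_volume may be privileged". Loading a real values.yaml with PyYAML's yaml.safe_load is assumed for production use but is not needed to run this example.

```python
"""Audit container security contexts in openstack-helm style values.

Added example for this thread (not openstack-helm or Cinder code). The value
fragments are transcribed from the posts; a real run would build the dict
from yaml.safe_load(open("values.yaml")) instead (PyYAML assumed).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class ContainerPrivileges:
    """Effective privilege-related settings for one container."""
    pod: str
    container: str
    run_as_user: Optional[int]          # None when neither pod nor container sets it
    privileged: bool
    allow_escalation: bool
    capabilities: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return f"{self.pod}/{self.container}"

    @property
    def runs_as_root(self) -> bool:
        return self.run_as_user == 0


def audit_security_context(security_context: Dict) -> List[ContainerPrivileges]:
    """Flatten pod.security_context.<pod>.container.<name> into per-container findings.

    A container that does not set runAsUser inherits the pod-level value, which
    is how Kubernetes resolves the effective UID."""
    findings = []
    for pod_name, pod_cfg in security_context.items():
        pod_uid = pod_cfg.get("pod", {}).get("runAsUser")
        for ctr_name, ctr_cfg in pod_cfg.get("container", {}).items():
            caps = ctr_cfg.get("capabilities", {}).get("add") or []
            findings.append(ContainerPrivileges(
                pod=pod_name,
                container=ctr_name,
                run_as_user=ctr_cfg.get("runAsUser", pod_uid),
                privileged=bool(ctr_cfg.get("privileged", False)),
                allow_escalation=bool(ctr_cfg.get("allowPrivilegeEscalation", False)),
                capabilities=list(caps),
            ))
    return findings


def privileged_containers(findings: Iterable[ContainerPrivileges]) -> List[str]:
    return sorted(f.name for f in findings if f.privileged)


def root_containers(findings: Iterable[ContainerPrivileges]) -> List[str]:
    return sorted(f.name for f in findings if f.runs_as_root)


def policy_violations(findings: Iterable[ContainerPrivileges],
                      allowed_privileged: Iterable[str]) -> List[str]:
    """Privileged containers that are not on the allow-list."""
    allowed = set(allowed_privileged)
    return [n for n in privileged_containers(findings) if n not in allowed]


# Transcribed from the first post: privileged on three cinder pods.
FIRST_TEST = {
    "volume_usage_audit": {"pod": {"runAsUser": 42424}, "container": {
        "cinder_volume_usage_audit": {"readOnlyRootFilesystem": True,
                                      "privileged": True, "allowPrivilegeEscalation": True}}},
    "cinder_api": {"pod": {"runAsUser": 42424}, "container": {
        "ceph_coordination_volume_perms": {"runAsUser": 0, "readOnlyRootFilesystem": True},
        "cinder_api": {"readOnlyRootFilesystem": True,
                       "allowPrivilegeEscalation": True, "privileged": True}}},
    "cinder_scheduler": {"pod": {"runAsUser": 42424}, "container": {
        "ceph_coordination_volume_perms": {"runAsUser": 0, "readOnlyRootFilesystem": True},
        "cinder_scheduler": {"capabilities": {"add": ["SYS_ADMIN"]}, "privileged": True,
                             "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": True}}},
}

# Transcribed from the second post: privileged only on cinder_volume.
MINIMAL = {
    "cinder_volume": {"pod": {"runAsUser": 42424}, "container": {
        "ceph_keyring_placement": {"runAsUser": 0, "readOnlyRootFilesystem": True},
        "ceph_coordination_volume_perms": {"runAsUser": 0, "readOnlyRootFilesystem": True},
        "init_cinder_conf": {"runAsUser": 0, "readOnlyRootFilesystem": True},
        "cinder_volume": {"privileged": True, "readOnlyRootFilesystem": True}}},
}

ALLOWED = {"cinder_volume/cinder_volume"}   # the thread's conclusion, as a policy

if __name__ == "__main__":
    for label, tree in (("first test", FIRST_TEST), ("minimal", MINIMAL)):
        found = audit_security_context(tree)
        print(f"{label}: privileged={privileged_containers(found)} "
              f"root={root_containers(found)} violations={policy_violations(found, ALLOWED)}")
```

The allow-list turns the thread's finding into a check that can run in CI on the rendered values: the first post's broad settings produce three violations, while the second post's settings produce none. Root-running init containers are reported separately because they are a distinct, usually acceptable, form of elevation.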
I just made a gerrit patch for this issue:
https://review.opendev.org/c/openstack/openstack-helm/+/937532

*Rico Lin*

On Thu, Dec 5, 2024 at 9:42 AM <daniel890723@gmail.com> wrote:
> Hello, Daniel here. I have been testing this error in a clean environment and I found out this error is actually from the Cinder-Volume pod, not Cinder-Scheduler, where the Cinder-Volume pod can't get enough permission to run oslo_privsep. Anyone trying to run openstack-helm and encountering this error when deploying has to give privilege to Cinder-Volume (no need to give more permission on any other pod). The values.yaml setting is shown below:
>
>     cinder_volume:
>       pod:
>         runAsUser: 42424
>       container:
>         ceph_keyring_placement:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         ceph_coordination_volume_perms:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         init_cinder_conf:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         cinder_volume:
>           privileged: true  # Give cinder_volume privileged
>           readOnlyRootFilesystem: true
>
> Simply add privileged: true on cinder_volume and everything should be fine. Perhaps cinder_volume has some wrong setting that causes the permission error?
>
> Daniel Lu
Dear Daniel,

I also stumbled upon this recently. This is most likely due to the introduction of the format_inspector module and its privileged calls [1] in recent Cinder releases. This makes backends which previously did not need privileges in cinder-volume now also require them. The individual capabilities required are listed in the code of the privsep module [2].

[1] https://github.com/openstack/cinder/commit/4aa6590a483901de64e0d162fff11f3d2...
[2] https://github.com/openstack/cinder/blob/unmaintained/zed/cinder/privsep/__i...

Best regards,
Markus

daniel890723@gmail.com wrote:
> Hello, Daniel here. I have been testing this error in a clean environment and I found out this error is actually from the Cinder-Volume pod, not Cinder-Scheduler, where the Cinder-Volume pod can't get enough permission to run oslo_privsep. Anyone trying to run openstack-helm and encountering this error when deploying has to give privilege to Cinder-Volume (no need to give more permission on any other pod). The values.yaml setting is shown below:
>
>     cinder_volume:
>       pod:
>         runAsUser: 42424
>       container:
>         ceph_keyring_placement:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         ceph_coordination_volume_perms:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         init_cinder_conf:
>           runAsUser: 0
>           readOnlyRootFilesystem: true
>         cinder_volume:
>           privileged: true  # Give cinder_volume privileged
>           readOnlyRootFilesystem: true
>
> Simply add privileged: true on cinder_volume and everything should be fine. Perhaps cinder_volume has some wrong setting that causes the permission error?
>
> Daniel Lu
--
Markus Hentsch
DevOps Engineer

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 00
markus.hentsch@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your cloud-service and cloud-technology provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann
participants (3)
- daniel890723@gmail.com
- Markus Hentsch
- Rico Lin