1725254 – Ceph NFS container runs as a privileged container in TripleO

Bug 1725254 - Ceph NFS container runs as a privileged container in TripleO

Summary: Ceph NFS container runs as a privileged container in TripleO

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Ceph-Ansible
Sub Component:
Version:	4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	4.1
Assignee:	Guillaume Abrioux
QA Contact:	Vasishta
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1760354
TreeView+	depends on / blocked

Reported:	2019-06-28 20:43 UTC by Goutham Pacha Ravi
Modified:	2020-01-02 13:18 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1725251
Environment:
Last Closed:	2020-01-02 13:18:43 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	ceph ceph-ansible pull 4760	0	'None'	closed	nfs: do not run privileged nfs container	2020-12-14 23:45:30 UTC
Github	ceph ceph-container pull 1517	0	'None'	closed	nfs: run a dedicated dbus daemon for nfs-ganesha	2020-12-14 23:45:30 UTC

Description Goutham Pacha Ravi 2019-06-28 20:43:27 UTC

Description of problem:

The ceph-nfs container runs nfs-ganesha to support the CephFS FSAL and provide NFS shared file systems through openstack-manila. It uses the host's dbus socket and accepts commands over this socket from the CephFS via NFS driver in openstack-manila. 

This container does not need to be run as a privileged process. Please see a discussion here https://github.com/ceph/ceph-ansible/blob/f49090df7ef82419c69dfd7a22250a79c17de42f/roles/ceph-nfs/templates/ceph-nfs.service.j2#L21

Note You need to log in before you can comment on or make changes to this bug.