Allow ceph device scrape-health-metrics

Ceph has a function to collect health metrics through smartctl or nvme command out of the box. And it relies on sudo spawned from the ceph-osd process so it needs to be considered in the apparmor policy. [/etc/sudoers.d/ceph-smartctl in ceph-base package] > ## allow ceph daemons (which run as user ceph) to collect device > ## health metrics > > ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/* > ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/* Also sync charmhelpers and mock platform info Closes-Bug: #2031637 Change-Id: I981a5db0fd49eca83aa8a619f0cbd0d34a533842
2023-10-20 23:12:10 +09:00 · 2023-10-20 23:12:10 +09:00 · c4209b3965
parent 1bac66ee50
commit c4209b3965
4 changed files with 74 additions and 20 deletions
--- a/files/apparmor/usr.bin.ceph-osd
+++ b/files/apparmor/usr.bin.ceph-osd
@ -4,6 +4,7 @@
 /usr/bin/ceph-osd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
  #include <abstractions/python>

  /usr/bin/ceph-osd mr,
@ -36,8 +37,12 @@
  /{,var/}run/ceph/* rwk,
  /{,var/}tmp/ r,

+  / r,
  /dev/ r,
  /dev/** rwk,
+  /run/udev/data/* r,
+  /sys/bus/nd/devices/ r,
+  /sys/bus/nd/devices/** r,
  /sys/devices/** r,

  /run/blkid/blkid.tab r,
@ -48,4 +53,55 @@
  /usr/share/distro-info/** r,
  /etc/lsb-release r,
  /etc/debian_version r,
+
+  /usr/bin/sudo Px -> ceph-osd-sudo,
+}
+
+profile ceph-osd-sudo flags=(attach_disconnected) {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  capability audit_write,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  /usr/bin/sudo r,
+  /usr/libexec/sudo/* mr,
+
+  /etc/default/locale r,
+  /etc/environment r,
+  /etc/security/limits.d/ r,
+  /etc/security/limits.d/* r,
+  /etc/sudo.conf r,
+  /etc/sudoers r,
+  /etc/sudoers.d/ r,
+  /etc/sudoers.d/* r,
+
+  owner @{PROC}/1/limits r,
+  owner @{PROC}/@{pids}/stat r,
+
+  /usr/sbin/nvme Cx,
+  /usr/sbin/smartctl Cx,
+
+  profile /usr/sbin/nvme {
+    #include <abstractions/base>
+
+    /usr/sbin/nvme r,
+  }
+
+  profile /usr/sbin/smartctl {
+    #include <abstractions/base>
+
+    capability sys_admin,
+    capability sys_rawio,
+
+    /usr/sbin/smartctl r,
+    /var/lib/smartmontools/** r,
+
+    /dev/* r,
+    /sys/devices/** r,
+  }
 }
--- a/hooks/charmhelpers/contrib/openstack/utils.py
+++ b/hooks/charmhelpers/contrib/openstack/utils.py
@ -416,17 +416,6 @@ def get_os_version_codename(codename, version_map=OPENSTACK_CODENAMES,
    error_out(e)


-def get_os_version_codename_swift(codename):
-    '''Determine OpenStack version number of swift from codename.'''
-    # for k, v in six.iteritems(SWIFT_CODENAMES):
-    for k, v in SWIFT_CODENAMES.items():
-        if k == codename:
-            return v[-1]
-    e = 'Could not derive swift version for '\
-        'codename: %s' % codename
-    error_out(e)
-
-
 def get_swift_codename(version):
    '''Determine OpenStack codename that corresponds to swift version.'''
    codenames = [k for k, v in SWIFT_CODENAMES.items() if version in v]
@ -585,7 +574,6 @@ def get_installed_os_version():
    return openstack_release().get('OPENSTACK_CODENAME')


-@cached
 def openstack_release():
    """Return /etc/os-release in a dict."""
    d = {}
@ -847,14 +835,10 @@ def openstack_upgrade_available(package):
    if not cur_vers:
        # The package has not been installed yet do not attempt upgrade
        return False
-    if "swift" in package:
-        codename = get_os_codename_install_source(src)
-        avail_vers = get_os_version_codename_swift(codename)
-    else:
-        try:
-            avail_vers = get_os_version_install_source(src)
-        except Exception:
-            avail_vers = cur_vers
+    try:
+        avail_vers = get_os_version_install_source(src)
+    except Exception:
+        avail_vers = cur_vers
    apt.init()
    return apt.version_compare(avail_vers, cur_vers) >= 1

--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -26,3 +26,4 @@ git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.open
 git+https://opendev.org/openstack/tempest.git#egg=tempest

 croniter            # needed for charm-rabbitmq-server unit tests
+psutil
--- a/unit_tests/init.py
+++ b/unit_tests/init.py
@ -14,6 +14,7 @@

 import sys
 from unittest.mock import MagicMock
+from unittest import mock

 sys.path.append('hooks')
 sys.path.append('lib')
@ -21,3 +22,15 @@ sys.path.append('actions')
 sys.path.append('unit_tests')

 sys.modules["tabulate"] = MagicMock()
+
+# Patch out lsb_release() and get_platform() as unit tests should be fully
+# insulated from the underlying platform.  Unit tests assume that the system is
+# ubuntu jammy.
+mock.patch(
+    'charmhelpers.osplatform.get_platform', return_value='ubuntu'
+).start()
+mock.patch(
+    'charmhelpers.core.host.lsb_release',
+    return_value={
+        'DISTRIB_CODENAME': 'jammy'
+    }).start()