Allow ceph device scrape-health-metrics
Ceph can collect device health metrics through the smartctl or nvme commands out of the box. This relies on sudo being spawned from the ceph-osd process, so that sudo invocation needs to be covered by the AppArmor policy. [/etc/sudoers.d/ceph-smartctl in ceph-base package] > ## allow ceph daemons (which run as user ceph) to collect device > ## health metrics > > ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/* > ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/* Also sync charmhelpers and mock platform info Closes-Bug: #2031637 Change-Id: I981a5db0fd49eca83aa8a619f0cbd0d34a533842
parent
1bac66ee50
commit
c4209b3965
|
@ -4,6 +4,7 @@
|
|||
/usr/bin/ceph-osd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/python>
|
||||
|
||||
/usr/bin/ceph-osd mr,
|
||||
|
@ -36,8 +37,12 @@
|
|||
/{,var/}run/ceph/* rwk,
|
||||
/{,var/}tmp/ r,
|
||||
|
||||
/ r,
|
||||
/dev/ r,
|
||||
/dev/** rwk,
|
||||
/run/udev/data/* r,
|
||||
/sys/bus/nd/devices/ r,
|
||||
/sys/bus/nd/devices/** r,
|
||||
/sys/devices/** r,
|
||||
|
||||
/run/blkid/blkid.tab r,
|
||||
|
@ -48,4 +53,55 @@
|
|||
/usr/share/distro-info/** r,
|
||||
/etc/lsb-release r,
|
||||
/etc/debian_version r,
|
||||
|
||||
/usr/bin/sudo Px -> ceph-osd-sudo,
|
||||
}
|
||||
|
||||
profile ceph-osd-sudo flags=(attach_disconnected) {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability audit_write,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_resource,
|
||||
|
||||
/usr/bin/sudo r,
|
||||
/usr/libexec/sudo/* mr,
|
||||
|
||||
/etc/default/locale r,
|
||||
/etc/environment r,
|
||||
/etc/security/limits.d/ r,
|
||||
/etc/security/limits.d/* r,
|
||||
/etc/sudo.conf r,
|
||||
/etc/sudoers r,
|
||||
/etc/sudoers.d/ r,
|
||||
/etc/sudoers.d/* r,
|
||||
|
||||
owner @{PROC}/1/limits r,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
|
||||
/usr/sbin/nvme Cx,
|
||||
/usr/sbin/smartctl Cx,
|
||||
|
||||
profile /usr/sbin/nvme {
|
||||
#include <abstractions/base>
|
||||
|
||||
/usr/sbin/nvme r,
|
||||
}
|
||||
|
||||
profile /usr/sbin/smartctl {
|
||||
#include <abstractions/base>
|
||||
|
||||
capability sys_admin,
|
||||
capability sys_rawio,
|
||||
|
||||
/usr/sbin/smartctl r,
|
||||
/var/lib/smartmontools/** r,
|
||||
|
||||
/dev/* r,
|
||||
/sys/devices/** r,
|
||||
}
|
||||
}
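Review bot: The `profile /usr/sbin/nvme` child in the last hunk grants only `abstractions/base` and `/usr/sbin/nvme r,`, whereas the smartctl child next to it also has `/dev/* r,`, `/sys/devices/** r,` and `capability sys_admin` / `sys_rawio`. A `Cx` child does not inherit the parent's file rules, so in enforce mode the nvme path permitted by the sudoers entry will probably be denied as soon as it opens the device node. If NVMe collection is meant to work, add a narrowly scoped rule such as `/dev/nvme* r,` plus whichever capability the audit log shows is needed, rather than widening to `/dev/**`. A comment above `/usr/bin/sudo Px -> ceph-osd-sudo,` naming `/etc/sudoers.d/ceph-smartctl` would also record why an OSD may run sudo and that `ceph-osd-sudo` limits it to these two binaries.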
|
||||
|
|
|
@ -416,17 +416,6 @@ def get_os_version_codename(codename, version_map=OPENSTACK_CODENAMES,
|
|||
error_out(e)
|
||||
|
||||
|
||||
def get_os_version_codename_swift(codename):
|
||||
'''Determine OpenStack version number of swift from codename.'''
|
||||
# for k, v in six.iteritems(SWIFT_CODENAMES):
|
||||
for k, v in SWIFT_CODENAMES.items():
|
||||
if k == codename:
|
||||
return v[-1]
|
||||
e = 'Could not derive swift version for '\
|
||||
'codename: %s' % codename
|
||||
error_out(e)
|
||||
|
||||
|
||||
def get_swift_codename(version):
|
||||
'''Determine OpenStack codename that corresponds to swift version.'''
|
||||
codenames = [k for k, v in SWIFT_CODENAMES.items() if version in v]
|
||||
|
@ -585,7 +574,6 @@ def get_installed_os_version():
|
|||
return openstack_release().get('OPENSTACK_CODENAME')
|
||||
|
||||
|
||||
@cached
|
||||
def openstack_release():
|
||||
"""Return /etc/os-release in a dict."""
|
||||
d = {}
|
||||
|
@ -847,14 +835,10 @@ def openstack_upgrade_available(package):
|
|||
if not cur_vers:
|
||||
# The package has not been installed yet do not attempt upgrade
|
||||
return False
|
||||
if "swift" in package:
|
||||
codename = get_os_codename_install_source(src)
|
||||
avail_vers = get_os_version_codename_swift(codename)
|
||||
else:
|
||||
try:
|
||||
avail_vers = get_os_version_install_source(src)
|
||||
except Exception:
|
||||
avail_vers = cur_vers
|
||||
try:
|
||||
avail_vers = get_os_version_install_source(src)
|
||||
except Exception:
|
||||
avail_vers = cur_vers
|
||||
apt.init()
|
||||
return apt.version_compare(avail_vers, cur_vers) >= 1
|
||||
|
||||
|
|
|
@ -26,3 +26,4 @@ git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.open
|
|||
git+https://opendev.org/openstack/tempest.git#egg=tempest
|
||||
|
||||
croniter # needed for charm-rabbitmq-server unit tests
|
||||
psutil
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
import sys
|
||||
from unittest.mock import MagicMock
|
||||
from unittest import mock
|
||||
|
||||
sys.path.append('hooks')
|
||||
sys.path.append('lib')
|
||||
|
@ -21,3 +22,15 @@ sys.path.append('actions')
|
|||
sys.path.append('unit_tests')
|
||||
|
||||
sys.modules["tabulate"] = MagicMock()
|
||||
|
||||
# Patch out lsb_release() and get_platform() as unit tests should be fully
|
||||
# insulated from the underlying platform. Unit tests assume that the system is
|
||||
# ubuntu jammy.
|
||||
mock.patch(
|
||||
'charmhelpers.osplatform.get_platform', return_value='ubuntu'
|
||||
).start()
|
||||
mock.patch(
|
||||
'charmhelpers.core.host.lsb_release',
|
||||
return_value={
|
||||
'DISTRIB_CODENAME': 'jammy'
|
||||
}).start()
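Review bot: The `lsb_release` patch in the second hunk returns only `DISTRIB_CODENAME`, so code under test that reads any other key from that dict (for example `DISTRIB_RELEASE` or `DISTRIB_ID`) would raise `KeyError` rather than see the jammy platform the comment promises. Consider returning the full set, e.g. `return_value={'DISTRIB_ID': 'Ubuntu', 'DISTRIB_RELEASE': '22.04', 'DISTRIB_CODENAME': 'jammy'}`. Both patches are started at import and never stopped, presumably on purpose as a package-wide default, so a short comment such as `# started for the whole test run; tests needing another platform must patch again` would make that explicit. On style, `mock.MagicMock()` would make the separate `from unittest.mock import MagicMock` import unnecessary.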
|
||||
|
|