Unable to change permissions to /etc/ceph/ceph.conf (pmxcfs issue), in order to run ceph status?

victorhooi

Well-Known Member
Apr 3, 2018
251
20
58
38
I'm attempting to setup Telegraf to monitor my Proxmox Ceph cluster.

Hitting a couple of issues (mostly around permissions):

https://github.com/influxdata/telegraf/issues/5590

but I appear to be nearly there. (I had to install sudo on Proxmox in order to do testing - curious if there's a reason sudo isn't included out of the box?)

However, one thing is that still not working is ceph status. Specifically:

Code:
root@syd1:/etc/ceph# sudo -u telegraf ceph status
2019-03-16 06:37:31.558292 7f3ee7ed1700 -1 Errors while parsing config file!
2019-03-16 06:37:31.558295 7f3ee7ed1700 -1 parse_file: cannot open /etc/ceph/ceph.conf: (13) Permission denied
Error initializing cluster client: PermissionDeniedError('error calling conf_read_file',)

If I check that file:
Code:
root@syd1:/etc/ceph# ls -lah
total 16K
drwxr-xr-x  2 root root 4.0K Mar 16 06:18 .
drwxr-xr-x 96 root root 4.0K Mar 16 06:09 ..
-rw-------  1 ceph ceph  159 Mar 14 07:45 ceph.client.admin.keyring
lrwxrwxrwx  1 root root   18 Mar 14 07:43 ceph.conf -> /etc/pve/ceph.conf
-rw-r--r--  1 root root   92 Nov 20 07:29 rbdmap
If I try to change the group ownership of that file:
Code:
root@syd1:/etc/ceph# chown root:ceph ceph.conf
chown: changing ownership of 'ceph.conf': Operation not permitted
I assume this is perhaps related to the pmxcfs? (The wiki mentions that changing permissions isn't supported).

Is there a workaround, or another way of granting a non-root user access to
/etc/ceph/ceph.conf?
 
Actually, I was able to grant the telegraf user permission to those files by adding it to the www-data group.

Code:
root@syd1:/etc/ceph# usermod -a -G www-data telegraf
root@syd1:/etc/ceph# groups telegraf
telegraf : telegraf www-data ceph

However, I then hit a second issue around permissions again:
Code:
root@syd1:/etc/ceph# sudo -u telegraf ceph status
2019-03-16 07:06:43.990909 7f2349b98700 -1 auth: unable to find a keyring on /etc/pve/priv/ceph.client.admin.keyring: (13) Permission denied
2019-03-16 07:06:43.990916 7f2349b98700  0 librados: client.admin initialization error (13) Permission denied
[errno 13] error connecting to the cluster
There definitely is a keyring file, and it is owned by group www-data:
Code:
root@syd1:/etc/pve/priv# ls -lah /etc/pve/priv/ceph.client.admin.keyring
-rw------- 1 root www-data 63 Mar 14 07:45 /etc/pve/priv/ceph.client.admin.keyring
Is there something specific about Proxmox's Ceph configuration/keyring setup I'm missing here?
 
First, the keyring file is owned by root, and the group has no access for security reasons.

You simply cannot change the file permissions on /etc/pve. If you have other requirements, you need to copy the files into another location where you can do what you want.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!