Allow ceph device scrape-health-metrics
Ceph has a function to collect health metrics through the smartctl or nvme command out of the box. It relies on sudo spawned from the ceph-osd process, so it needs to be considered in the AppArmor policy. [/etc/sudoers.d/ceph-smartctl in ceph-base package] ==== ## allow ceph daemons (which run as user ceph) to collect device health ## metrics ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/* ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/* ==== Closes-Bug: #2031637 Change-Id: I981a5db0fd49eca83aa8a619f0cbd0d34a533842
parent
1bac66ee50
commit
15582c49cf
@ -1,15 +1,20 @@
|
||||
# vim:syntax=apparmor
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/bin/ceph-osd {
|
||||
/usr/bin/ceph-osd flags=(attach_disconnected) {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/python>
|
||||
|
||||
/usr/bin/ceph-osd mr,
|
||||
|
||||
capability audit_write,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_rawio,
|
||||
capability sys_resource,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
@ -21,10 +26,12 @@
|
||||
|
||||
owner @{PROC}/@{pids}/auxv r,
|
||||
owner @{PROC}/@{pids}/net/dev r,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/task/*/comm rw,
|
||||
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/1/cmdline r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/partitions r,
|
||||
@{PROC}/sys/kernel/random/uuid r,
|
||||
|
||||
@ -38,12 +45,28 @@
|
||||
|
||||
/dev/ r,
|
||||
/dev/** rwk,
|
||||
/run/udev/data/* r,
|
||||
/sys/devices/** r,
|
||||
|
||||
/run/blkid/blkid.tab r,
|
||||
|
||||
/bin/dash rix,
|
||||
|
||||
/usr/bin/sudo rix,
|
||||
/usr/libexec/sudo/* rm,
|
||||
/etc/default/locale r,
|
||||
/etc/environment r,
|
||||
/etc/pam.d/* r,
|
||||
/etc/security/limits.d/ r,
|
||||
/etc/sudo.conf r,
|
||||
/etc/sudoers r,
|
||||
/etc/sudoers.d/ r,
|
||||
/etc/sudoers.d/* r,
|
||||
|
||||
/usr/sbin/smartctl rix,
|
||||
/var/lib/smartmontools/** r,
|
||||
/usr/sbin/nvme rix,
|
||||
|
||||
/usr/bin/lsb_release rix,
|
||||
/usr/share/distro-info/** r,
|
||||
/etc/lsb-release r,
|
||||
|
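Review bot: The new sudo, smartctl and nvme rules in this hunk carry no comment, so a later reader cannot tell that the set of commands ceph-osd may run as root is pinned by /etc/sudoers.d/ceph-smartctl rather than by this profile; add above `/usr/bin/sudo rix,` a line such as `# device health metrics: ceph-osd runs smartctl/nvme via sudo (allowed commands pinned in /etc/sudoers.d/ceph-smartctl)`. Keeping `ix` on sudo, smartctl and nvme is the right choice, since the elevated processes stay under this profile and can only reach the executables this profile grants `x` to, whatever sudoers permits. `/etc/security/limits.d/ r` covers only the directory listing; if sudo's PAM stack loads pam_limits, `/etc/security/limits.d/* r` and `/etc/security/limits.conf r` will presumably be needed as well — worth confirming against the audit log on a host where an OSD has scraped metrics. The profile's closing brace is outside the hunk.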