Ceph: permissions to access admin socket
How to chmod Ceph admin socket via ceph.conf
I ran into (minor?) trouble while configuring monitoring for Ceph: Ceph has its admin socket heavily restricted, and I want to relax it to allow members of the ceph group to have R/W access to this socket:
ls -lah /var/run/ceph/ceph-mon.mon2.asok
srwxr-xr-x 1 ceph ceph 0 Jun 25 11:31 /var/run/ceph/ceph-mon.mon2.asok
Google shows no definitive answer, and the init script tells nothing. I dug into the sources and found this in src/common/common_init.cc:
if (!conf->admin_socket.empty() && !conf->admin_socket_mode.empty()) {
  int ret = 0;
  std::string err;
  ret = strict_strtol(conf->admin_socket_mode.c_str(), 8, &err);
  if (err.empty()) {
    if (!(ret & (~ACCESSPERMS))) {
      cct->get_admin_socket()->chmod(static_cast<mode_t>(ret));
    } else {
      lderr(cct) << "Invalid octal permissions string: "
                 << conf->admin_socket_mode << dendl;
    }
  } else {
    lderr(cct) << "Invalid octal string: " << err << dendl;
  }
}
I’m not a C++ guru, but I see conf->admin_socket_mode here.
Amazingly, Google is still mute about this.
Further reading of The Documentation™ shows this in src/common/options.cc:
Option("admin_socket_mode", Option::TYPE_STR, Option::LEVEL_ADVANCED)
  .set_description("file mode to set for the admin socket file, e.g, '0755'")
  .add_service("common")
  .add_see_also("admin_socket"),
But Google still insists it knows nothing about this.
Experimenting
I added this option to the [mon] section of ceph.conf:
admin socket mode = 0775
restarted my Ceph monitor (systemctl restart ceph-mon@mon2), and…
ls -lah /var/run/ceph/ceph-mon.mon2.asok
srwxrwxr-x 1 ceph ceph 0 Jun 25 12:04 /var/run/ceph/ceph-mon.mon2.aso
Conclusion
There is an undocumented option, admin socket mode, which allows Ceph to change the access mode of the admin socket. Reading The Documentation™ in the form of source code is hard, but useful.
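An added example, not from the original post or the Ceph code base: a Python audit that applies the same two checks as the common_init.cc excerpt (octal parse, no bits outside ACCESSPERMS) to admin socket mode values in ceph.conf, then compares the result with the socket on disk. The sample config is constructed, and treating spaces and underscores in option names as equivalent is an assumption.

```python
import configparser
import os
import re
import stat

ACCESSPERMS = 0o777  # S_IRWXU | S_IRWXG | S_IRWXO, as used in the C++ excerpt


def parse_socket_mode(value):
    """Octal parse plus the 'no bits outside ACCESSPERMS' check."""
    text = value.strip()
    if not re.fullmatch(r"[0-7]+", text):
        raise ValueError(f"Invalid octal string: {value!r}")
    mode = int(text, 8)
    if mode & ~ACCESSPERMS:
        raise ValueError(f"Invalid octal permissions string: {value!r}")
    return mode


def configured_modes(conf_text):
    """Return {section: mode} for every section that sets the option."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    modes = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            # Assumption: spaces and underscores in option names are equivalent.
            if key.replace(" ", "_") == "admin_socket_mode":
                modes[section] = parse_socket_mode(value)
    return modes


def audit_socket(path, expected_mode):
    """Compare the on-disk socket with the configured mode; return findings."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a socket"]
    actual = stat.S_IMODE(st.st_mode)
    findings = []
    if actual != expected_mode:
        findings.append(f"mode is {actual:04o}, config says {expected_mode:04o}")
    # On Linux, connecting to a UNIX socket needs write permission on it,
    # so o+w opens the admin socket to every local user.
    if actual & stat.S_IWOTH:
        findings.append("any local user can connect (o+w)")
    return findings


# Constructed sample config using the setting from the post.
SAMPLE_CONF = "[global]\nlog file = /dev/null\n[mon]\nadmin socket mode = 0775\n"

if __name__ == "__main__":
    print({s: f"{m:04o}" for s, m in configured_modes(SAMPLE_CONF).items()})
```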