cephadm: capadd and privileged are mutex

Signed-off-by: Joshua Schmid <jschmid@suse.de>
2025-02-23 19:17:37 +00:00 · 2020-09-14 10:38:07 +02:00 · 2020-09-14 10:38:07 +02:00 · 76e5020b10
commit 76e5020b10
parent ec05d87432
1 changed files with 5 additions and 3 deletions
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@ -2535,9 +2535,11 @@ class CephContainer:
            cmd_args.extend([
                '--privileged',
                # let OSD etc read block devs that haven't been chowned
-                '--group-add=disk',
-            ])
-        if self.ptrace:
+                '--group-add=disk'])
+        if self.ptrace and not self.privileged:
+            # if privileged, the SYS_PTRACE cap is already added
+            # in addition, --cap-add and --privileged are mutually
+            # exclusive since podman >= 2.0
            cmd_args.append('--cap-add=SYS_PTRACE')
        if self.init:
            cmd_args.append('--init')