[pve-devel] [PATCH pve-manager] fix #7011: ceph monitor: set ownership of monitor logs

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Dec 17 08:33:36 CET 2025


On 16.12.25 at 13:54, Maximiliano Sandoval wrote:
> For the sake of documenting my findings: the problem when giving
> ceph-mon the right ceph:ceph user (via the --set{user,group} options) is
> that our keyring is at /etc/pve and while this fixes the permissions on
> the log file, the command (and task) would fail and the logs will end
> in:
> 
> ```
> 2025-12-16T13:48:47.307+0100 7282faa52cc0 -1 mon.c0-pve-101 at -1(???) e0 unable to find a keyring on /etc/pve/priv/ceph.mon.keyring: (13) Permission denied
> ```
> 
> since the keyring has 600 permissions.

Ack, still sounds like it can be fixed in ceph-mon, but might be a bit
more involved; let's put that to the backlog for now.

> 
> I think that one could simplify the proposed patch here to only chown
> /var/log/ceph/ceph-mon.$monid.log instead of using any glob.

In that case I'd be OK with a specific chown to just that file, ideally
accompanied with a comment that includes a short variant of the basic
reasoning, like:

# fix-up initial log file from freshly created monitor here, as currently
# we cannot instruct ceph-mon to create it with the correct ownership while
# not losing access to the mon keyring inside pmxcfs.

might need polishing language/grammar wise though.





