Ceph » RADOS

this also fails,

/bin/podman run -it --net=host  --privileged    -v /dev:/dev:z    --entrypoint bash centos

• revert https://github.com/ceph/ceph/pull/31269 when this is fixed ***

What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.

You can just run

/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base

and that should give you a running container, SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.

Boris Ranto wrote:

What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.

You can just run

/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base

and that should give you a running container, SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.

Aha! Okay, I just added the :z because i saw it somewhere else, without knowing what it means.

Can you help me understand if and where we need :z for any of these volume pass-throughs? I think they fall into a few categories:

1. temporary files in /tmp that i'm mapping to various paths inside the container, like
- /tmp/othertempname
- /etc/ceph/ceph.conf
- /etc/ceph/ceph.keyring
do these need relabeling in order for the container processes to access them?

2. the actual daemon state in /var/lib/ceph, like
- /var/lib/ceph/$uuid/mon.foo to /var/lib/ceph/mon/ceph-foo

3. system directories like
- /sys
- /run/udev
- /dev

My guess is: yes, no, no?