ceph / ceph-csi

CSI driver for Ceph
Apache License 2.0

Permission denied when creating pvc using cephfs-csi #4304

Closed yehaifeng closed 9 months ago

yehaifeng commented 9 months ago

Describe the bug

Permission denied when creating pvc using cephfs-csi

Logs

If the issue is in PVC creation, deletion, cloning please attach complete logs of below containers.

csi-provisioner

I1206 09:56:27.264832       1 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 27 ms Duration 27 ms
I1206 09:56:27.264840       1 round_trippers.go:577] Response Headers:
I1206 09:56:27.264850       1 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 806fbd2a-1249-4c19-ae0b-66d96d58937d
I1206 09:56:27.264876       1 round_trippers.go:580]     Content-Length: 1261
I1206 09:56:27.264885       1 round_trippers.go:580]     Date: Wed, 06 Dec 2023 09:56:27 GMT
I1206 09:56:27.264893       1 round_trippers.go:580]     Audit-Id: 4d2a4713-6d13-4e82-aa05-7938c2b9ff90
I1206 09:56:27.264900       1 round_trippers.go:580]     Cache-Control: no-cache, private
I1206 09:56:27.264907       1 round_trippers.go:580]     Content-Type: application/json
I1206 09:56:27.264915       1 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I1206 09:56:27.264922       1 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: dbdf1be7-8df1-4fbd-b38f-338d58d4d6a9
I1206 09:56:27.264975       1 request.go:1212] Response Body: {"kind":"Event","apiVersion":"v1","metadata":{"name":"csi-cephfs-pvc.179e358ad4806be5","namespace":"default","uid":"8daa61d4-69e2-4820-9cc7-1dd5b687c033","resourceVersion":"43471707","creationTimestamp":"2023-12-06T09:56:19Z","managedFields":[{"manager":"csi-provisioner","operation":"Update","apiVersion":"v1","time":"2023-12-06T09:56:27Z","fieldsType":"FieldsV1","fieldsV1":{"f:count":{},"f:firstTimestamp":{},"f:involvedObject":{},"f:lastTimestamp":{},"f:message":{},"f:reason":{},"f:reportingComponent":{},"f:source":{"f:component":{}},"f:type":{}}}]},"involvedObject":{"kind":"PersistentVolumeClaim","namespace":"default","name":"csi-cephfs-pvc","uid":"1302ff8c-0e55-4c9b-bc54-2be000056e77","apiVersion":"v1","resourceVersion":"43471666"},"reason":"Provisioning","message":"External provisioner is provisioning volume for claim \"default/csi-cephfs-pvc\"","source":{"component":"cephfs.csi.ceph.com_csi-cephfsplugin-provisioner-56bc878b48-2gwhj_57c5dd59-b3b8-4cee-9eaa-52473ec5ffcf"},"firstTimestamp":"2023-12-06T09:56:19Z","lastTimestamp":"2023-12-06T09:56:27Z","count":5,"type":"Normal","eventTime":null,"reportingComponent":"cephfs.csi.ceph.com_csi-cephfsplugin-provisioner-56bc878b48-2gwhj_57c5dd59-b3b8-4cee-9eaa-52473ec5ffcf","reportingInstance":""}
I1206 09:56:27.270347       1 connection.go:200] GRPC response: {}
I1206 09:56:27.270424       1 connection.go:201] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 09:56:27.270491       1 controller.go:816] CreateVolume failed, supports topology = false, node selected false => may reschedule = false => state = Finished: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 09:56:27.270556       1 controller.go:1075] Final error received, removing PVC 1302ff8c-0e55-4c9b-bc54-2be000056e77 from claims in progress
W1206 09:56:27.270604       1 controller.go:934] Retrying syncing claim "1302ff8c-0e55-4c9b-bc54-2be000056e77", failure 4
E1206 09:56:27.270649       1 controller.go:957] error syncing claim "1302ff8c-0e55-4c9b-bc54-2be000056e77": failed to provision volume with StorageClass "csi-cephfs-sc":rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 09:56:27.271394       1 request.go:1212] Request Body: {"count":5,"lastTimestamp":"2023-12-06T09:56:27Z","message":"failed to provision volume with StorageClass \"csi-cephfs-sc\": rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied"}
I1206 09:56:27.271782       1 round_trippers.go:466] curl -v -XPATCH  -H "User-Agent: csi-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer <masked>" -H "Content-Type: application/strategic-merge-patch+json" -H "Accept: application/json, */*" 'https://172.19.0.1:443/api/v1/namespaces/default/events/csi-cephfs-pvc.179e358ad67b06a8'
I1206 09:56:27.272287       1 event.go:298] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"csi-cephfs-pvc", UID:"1302ff8c-0e55-4c9b-bc54-2be000056e77", APIVersion:"v1", ResourceVersion:"43471666", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "csi-cephfs-sc": rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 09:56:27.291889       1 round_trippers.go:553] PATCH https://172.19.0.1:443/api/v1/namespaces/default/events/csi-cephfs-pvc.179e358ad67b06a8 200 OK in 20 milliseconds

csi-cephfsplugin

I1206 10:00:27.753816       1 utils.go:165] ID: 94 GRPC request: {}
I1206 10:00:27.753854       1 utils.go:171] ID: 94 GRPC response: {}
I1206 10:00:35.392697       1 utils.go:164] ID: 95 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC call: /csi.v1.Controller/CreateVolume
I1206 10:00:35.398312       1 utils.go:165] ID: 95 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC request: {"capacity_range":{"required_bytes":1073741824},"name":"pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77","parameters":{"clusterID":"b70279b4-d085-11ed-b8cc-fa163e1ab7dd","csi.storage.k8s.io/pv/name":"pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77","csi.storage.k8s.io/pvc/name":"csi-cephfs-pvc","csi.storage.k8s.io/pvc/namespace":"default","fsName":"st2k8s"},"secrets":"***stripped***","volume_capabilities":[{"AccessType":{"Mount":{}},"access_mode":{"mode":5}}]}
E1206 10:00:35.415696       1 controllerserver.go:290] ID: 95 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 validation and extraction of volume options failed: failed to get connection: connecting failed: rados: ret=-13, Permission denied
E1206 10:00:35.415752       1 utils.go:169] ID: 95 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 10:00:43.318774       1 utils.go:164] ID: 96 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC call: /csi.v1.Controller/CreateVolume
I1206 10:00:43.319052       1 utils.go:165] ID: 96 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC request: {"capacity_range":{"required_bytes":1073741824},"name":"pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77","parameters":{"clusterID":"b70279b4-d085-11ed-b8cc-fa163e1ab7dd","csi.storage.k8s.io/pv/name":"pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77","csi.storage.k8s.io/pvc/name":"csi-cephfs-pvc","csi.storage.k8s.io/pvc/namespace":"default","fsName":"st2k8s"},"secrets":"***stripped***","volume_capabilities":[{"AccessType":{"Mount":{}},"access_mode":{"mode":5}}]}
E1206 10:00:43.330657       1 controllerserver.go:290] ID: 96 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 validation and extraction of volume options failed: failed to get connection: connecting failed: rados: ret=-13, Permission denied
E1206 10:00:43.330743       1 utils.go:169] ID: 96 Req-ID: pvc-1302ff8c-0e55-4c9b-bc54-2be000056e77 GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I1206 10:01:27.776197       1 utils.go:164] ID: 97 GRPC call: /csi.v1.Identity/Probe
I1206 10:01:27.776278       1 utils.go:165] ID: 97 GRPC request: {}
I1206 10:01:27.776306       1 utils.go:171] ID: 97 GRPC response: {}
I1206 10:02:27.810833       1 utils.go:164] ID: 98 GRPC call: /csi.v1.Identity/Probe
I1206 10:02:27.810938       1 utils.go:165] ID: 98 GRPC request: {}
I1206 10:02:27.810968       1 utils.go:171] ID: 98 GRPC response: {}
I1206 10:03:27.784343       1 utils.go:164] ID: 99 GRPC call: /csi.v1.Identity/Probe
I1206 10:03:27.784418       1 utils.go:165] ID: 99 GRPC request: {}
I1206 10:03:27.784455       1 utils.go:171] ID: 99 GRPC response: {}

yehaifeng commented 9 months ago

My user

```sh
ceph auth get-or-create client.k8s_provisioner \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*' \
mgr 'allow rw'
```

yehaifeng commented 9 months ago

I found a related issue, but my secret uses stringData. https://github.com/DataONEorg/k8s-cluster/issues/42

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-csi
stringData:
  # Required for statically provisioned volumes
  userID: client.st2k8s_provisioner
  userKey: AQCdJXBlyVJ0ABAASP0QyXCqyJ1jHhBtQNkv5A==

  # Required for dynamically provisioned volumes
  adminID: client.st2k8s_node
  adminKey: AQDMJXBlqsD9GhAAJ+KNPHzEpLezdQtd4IjOyg==

  # Encryption passphrase
  encryptionPassphrase: test_passphrase
```

Rakshith-R commented 9 months ago

Can you check if it's similar to this issue https://github.com/ceph/ceph-csi/issues/2848 ?

Try executing the command manually from the pod csi-cephfsplugin-provisioner csi-cephfsplugin container https://github.com/rook/rook/blob/master/Documentation/Troubleshooting/ceph-csi-common-issues.md#rbd-commands

yehaifeng commented 9 months ago

> Can you check if it's similar to this issue #2848 ?

Yes, I checked it; the version of Ceph is 17.2.5, and that bug is fixed.

> Try executing the command manually from the pod csi-cephfsplugin-provisioner csi-cephfsplugin container https://github.com/rook/rook/blob/master/Documentation/Troubleshooting/ceph-csi-common-issues.md#rbd-commands

I mounted manually and it failed. I did not find the secretfile in /tmp/csi/keys; it was added manually.

```
[root@csi-cephfsplugin-provisioner-69c48ff476-pjks5 keys]# mount -vvv -t ceph 192.168.80.3:6789,192.168.80.4:6789,192.168.80.5:6789:/volumes/cephcsi/k8ssubvol/5ce1ea09-60b9-4ce6-9e30-a06a3fbd5979 /tmp/a -o name=client.st2k8s_provisioner,mds_namespace=st2k8s,secretfile=/tmp/csi/keys/keyring,_netdev
parsing options: rw,name=client.st2k8s_provisioner,mds_namespace=st2k8s,secretfile=/tmp/csi/keys/keyring,_netdev
mount.ceph: options "name=client.st2k8s_provisioner,mds_namespace=st2k8s".
invalid new device string format
Unable to apply new capability set.
Child exited with status 1
secret is not valid base64: Invalid argument.
adding ceph secret key to kernel failed: Invalid argument
couldn't append secret option: -22
```

yehaifeng commented 9 months ago

I tried a new cephfs, and the secret is like this, with no `client.` prefix:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-csi
stringData:
  # Required for statically provisioned volumes
  userID: csi-cephfs-provisioner
  userKey: AQCdJXBlyVJ0ABAASP0QyXCqyJ1jHhBtQNkv5A==

  # Required for dynamically provisioned volumes
  adminID: csi-cephfs-node
  adminKey: AQDMJXBlqsD9GhAAJ+KNPHzEpLezdQtd4IjOyg==

  # Encryption passphrase
  encryptionPassphrase: test_passphrase
```

```sh
ceph auth get-or-create client.cephfs-csi-provisioner \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*, allow rw tag cephfs data=*' \
mds 'allow rw'

ceph auth get-or-create client.cephfs-csi-node \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*, allow rw tag cephfs data=*' \
mgr 'allow rw' \
mds 'allow rw'
```

yehaifeng commented 9 months ago

There are 3 cephfs in my ceph cluster, so I need fsname

yehaifeng commented 9 months ago

This is not a bug, closing.
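
The two credential problems visible in this thread (IDs written with the `client.` prefix in the Secret, and a `secretfile` that `mount.ceph` rejects as "not valid base64") can be caught before deploying. The Python below is an added example, not part of the thread and not ceph-csi code; the function names, the sample key and the sample keyring are constructed, and the key layout it checks (type, timestamp, length, secret) is an assumption about the cephx key encoding.

```python
import base64
import binascii
import struct

def key_problem(value):
    """Return None when value is a well-formed bare cephx key, else the reason."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64 (keyring text instead of the bare key?)"
    if len(raw) < 12:
        return "decoded key is too short"
    # Assumed layout: u16 type, u32 sec, u32 nsec, u16 length, then the secret.
    ktype, _sec, _nsec, klen = struct.unpack_from("<HIIH", raw)
    if ktype != 1 or klen != len(raw) - 12:
        return "decoded bytes are not a cephx AES key"
    return None

def key_from_keyring(text):
    """Return the value of the first 'key = ...' line in keyring text, or None."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == "key":
            return value.strip()
    return None

def lint_secret(string_data):
    """Check the stringData of a ceph-csi Secret; return a list of findings."""
    findings = []
    for id_field, key_field in (("userID", "userKey"), ("adminID", "adminKey")):
        if string_data.get(id_field, "").startswith("client."):
            findings.append(f"{id_field}: drop the 'client.' prefix")
        problem = key_problem(string_data.get(key_field, ""))
        if problem:
            findings.append(f"{key_field}: {problem}")
    return findings

# Constructed sample data (not the keys posted in the thread).
SAMPLE_KEY = base64.b64encode(
    struct.pack("<HIIH", 1, 1701856587, 0, 16) + bytes(range(16))).decode()
SAMPLE_KEYRING = (f"[client.example-provisioner]\n\tkey = {SAMPLE_KEY}\n"
                  "\tcaps mon = \"allow r\"\n")

if __name__ == "__main__":
    bad = {"userID": "client.example-provisioner", "userKey": SAMPLE_KEY,
           "adminID": "example-node", "adminKey": SAMPLE_KEYRING}
    print("\n".join(lint_secret(bad)))
```

A file passed as `secretfile=` should contain only what `key_from_keyring` returns, not the whole keyring section.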