From 423514b3389420045847999cdd18452cd3f463c8 Mon Sep 17 00:00:00 2001 From: xy2 Date: Wed, 12 Mar 2025 17:28:04 +0300 Subject: [PATCH] Add missing permissions to the Linstor plunger. (#693) The Linstor satellite creates problems with admin privileges, so the plunger needs the same privileges to fix those problems. Also, use the native `losetup`. The Linstor image has a wrapper with an additional function that we do not need here. ## Summary by CodeRabbit - **Refactor** - Improved the management of unused loop devices with clearer feedback and refined error handling. - **New Features** - Enhanced container configuration by adding elevated system permissions, allowing the container to perform higher-level operations. --- .../linstor/hack/plunger/plunger-satellite.sh | 16 ++++++++-------- .../linstor/templates/satellites-plunger.yaml | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/packages/system/linstor/hack/plunger/plunger-satellite.sh b/packages/system/linstor/hack/plunger/plunger-satellite.sh index 590aa644..5ecc184d 100755 --- a/packages/system/linstor/hack/plunger/plunger-satellite.sh +++ b/packages/system/linstor/hack/plunger/plunger-satellite.sh 
@@ -21,16 +21,16 @@ while true; do # Detect orphaned loop devices and detach them # the `/` path could not be a backing file for a loop device, so it's a good indicator of a stuck loop device # TODO describe the issue in more detail - losetup --json \ - | jq -r '.[][] - | select(."back-file" == "/ (deleted)") - | "echo Detaching stuck loop device \(.name); - set -x; - losetup --detach \(.name)"' \ - | sh + # Using the direct /usr/sbin/losetup as the linstor-satellite image has own wrapper in /usr/local + stale_loopbacks=$(/usr/sbin/losetup --json | jq -r '.[][] | select(."back-file" == "/ (deleted)").name') + for stale_device in $stale_loopbacks; do ( + echo "Detaching stuck loop device ${stale_device}" + set -x + /usr/sbin/losetup --detach "${stale_device}" + ); done # Detect secondary volumes that lost connection and can be simply reconnected - disconnected_secondaries=$(drbdadm status | awk '/pvc-.*role:Secondary.*force-io-failures:yes/ {print $1}') + disconnected_secondaries=$(drbdadm status 2>/dev/null | awk '/pvc-.*role:Secondary.*force-io-failures:yes/ {print $1}') for secondary in $disconnected_secondaries; do ( echo "Trying to reconnect secondary volume ${secondary}" set -x diff --git a/packages/system/linstor/templates/satellites-plunger.yaml b/packages/system/linstor/templates/satellites-plunger.yaml index a20ab31f..d70191e0 100644 --- a/packages/system/linstor/templates/satellites-plunger.yaml +++ b/packages/system/linstor/templates/satellites-plunger.yaml @@ -16,8 +16,12 @@ spec: - "/scripts/plunger-satellite.sh" securityContext: capabilities: + add: + - NET_ADMIN + - SYS_ADMIN drop: - ALL + privileged: true # make some room for live debugging readOnlyRootFilesystem: false volumeMounts:
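Review bot: The `2>/dev/null` added to `drbdadm status` throws away the only diagnostic the plunger would print when that command fails, so a failure looks the same as "no disconnected secondaries". The new `/usr/sbin/losetup --json | jq` pipeline has the same blind spot: if losetup or jq fails, `stale_loopbacks` is empty and the loop is skipped without a word. Because this commit exists to fix missing privileges, a permission error is the case most worth logging; I would keep stderr and check the status, e.g. `drbd_status=$(drbdadm status 2>&1) || echo "drbdadm status failed: ${drbd_status}" >&2`, and pass `$drbd_status` to awk. If the suppressed output is routine noise, a short comment saying so would be enough. Whether `set -e` or `pipefail` is active is not visible here, and the enclosing `while true` loop starts and ends outside the hunk.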
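Review bot: `privileged: true` makes the `capabilities` block above it misleading: on the common container runtimes a privileged container gets every capability and host device access regardless of `add`/`drop`, so `drop: ALL` no longer restricts anything and the two added capabilities are redundant. If `NET_ADMIN` and `SYS_ADMIN` plus access to the loop and DRBD devices are enough for `losetup --detach` and `drbdadm`, dropping `privileged: true` keeps the pod closer to least privilege. If they are not, remove the ineffective capability list or add a comment such as `# privileged: needed to detach host loop devices; capabilities alone are insufficient`. Together with `readOnlyRootFilesystem: false` this container is effectively root on the node, and the namespace must allow privileged pods under Pod Security admission. The container spec starts and ends outside the hunk.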