
permission denied error even after using correct username and key with cephfs #2848

Closed
kishore438 opened this issue Feb 2, 2022 · 14 comments

@kishore438

kishore438 commented Feb 2, 2022

we are using cephfs csi plugin in kubernetes for pvc provisioning.

I am facing permission denied error even after providing correct username/password.

below are the logs. any leads would be greatly appreciated.

I0202 11:42:30.982150 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"test-pvc-rwx", UID:"1006227d-c084-4634-af01-72a992d5d693", APIVersion:"v1", ResourceVersion:"187182", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/test-pvc-rwx"
I0202 11:42:30.985064 1 connection.go:182] GRPC call: /csi.v1.Controller/CreateVolume
I0202 11:42:30.985273 1 connection.go:183] GRPC request: {"capacity_range":{"required_bytes":20971520},"name":"pvc-1006227d-c084-4634-af01-72a992d5d693","parameters":{"clusterID":"eab5fb46-7eb5-11ec-91ab-d4f5ef46983c","fsName":"shared_fs_storage","volumeNamePrefix":"cs-vol-project-"},"secrets":"stripped","volume_capabilities":[{"AccessType":{"Mount":{"mount_flags":["debug"]}},"access_mode":{"mode":5}}]}
I0202 11:42:30.998809 1 connection.go:185] GRPC response: {}
I0202 11:42:30.998902 1 connection.go:186] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 11:42:30.998924 1 controller.go:645] CreateVolume failed, supports topology = false, node selected false => may reschedule = false => state = Finished: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 11:42:30.998985 1 controller.go:1084] Final error received, removing PVC 1006227d-c084-4634-af01-72a992d5d693 from claims in progress
W0202 11:42:30.998996 1 controller.go:943] Retrying syncing claim "1006227d-c084-4634-af01-72a992d5d693", failure 0
I0202 11:42:30.999260 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"test-pvc-rwx", UID:"1006227d-c084-4634-af01-72a992d5d693", APIVersion:"v1", ResourceVersion:"187182", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "csi-cephfs-sc": rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied

authorization for user csi-cephfs-node

ceph:~ # ceph auth get client.csi-cephfs-node
exported keyring for client.csi-cephfs-node
[client.csi-cephfs-node]
key = AQCYT/pheeUIJBAAqfczLvmpp0wisx0+Jp+keg==
caps mds = "allow rw"
caps mgr = "allow rw"
caps mon = "allow r"
caps osd = "allow rw tag cephfs ="
ceph:~ #

mount is successful with the same user

cephfs-test-stage:/tmp/cephrwx/ceph-csi/charts/ceph-csi-cephfs # mount -t ceph 172.16.0.1:6789:/ /mnt/ceph -o name=csi-cephfs-node,secretfile=test.key --verbose
parsing options: rw,name=csi-cephfs-node,secretfile=test.key
cephfs-test-stage:/tmp/cephrwx/ceph-csi/charts/ceph-csi-cephfs # ls /mnt/ceph/
flexilab_clients
cephfs-test-stage:/tmp/cephrwx/ceph-csi/charts/ceph-csi-cephfs #

storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-cephfs-sc
provisioner: cephfs.csi.ceph.com
parameters:
  clusterID: eab5fb46-7eb5-11ec-91ab-d4f5ef46983c
  fsName: shared_fs_storage
  csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-provisioner
  csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: ceph-provisioner
  csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-provisioner
  volumeNamePrefix: "cs-vol-project-"

reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
  - debug

secret file:

apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-provisioner
stringData:

  userID: csi-cephfs-node
  userKey:

  adminID: csi-cephfs-node
  adminKey:

pods running in ceph-provisioner

cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl get pods -n ceph-provisioner
NAME READY STATUS RESTARTS AGE
cephfs-provisioner-ceph-csi-cephfs-nodeplugin-cp7s9 3/3 Running 0 72m
cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr 6/6 Running 0 72m

mount command running inside the pod successfully

cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl exec -it cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr -c csi-cephfsplugin -n ceph-provisioner -- bash
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]# ls
bin csi dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]#
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]#
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]# echo "" > test.key
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]# mkdir /mnt/ceph
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]# mount -t ceph 172.16.0.1:6789:/ /mnt/ceph -o name=csi-cephfs-node,secretfile=test.key --verbose
parsing options: rw,name=csi-cephfs-node,secretfile=test.key
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]# ls /mnt/ceph/
flexilab_clients
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr /]#

please let me know if you need more information.

@kishore438 kishore438 changed the title permission denied error even after using correct username and key permission denied error even after using correct username and key with cephfs Feb 2, 2022
@Madhu-1
Collaborator

Madhu-1 commented Feb 2, 2022

the problem is with pvc creation not with mounting. please make sure the caps are as per the requirement https://github.com/ceph/ceph-csi/blob/devel/docs/capabilities.md#cephfs

@kishore438
Author

thanks for the response.

we have correct user permissions please check below

ceph:~ # ceph auth get client.csi-cephfs-node
exported keyring for client.csi-cephfs-node
[client.csi-cephfs-node]
key = AQCYT/pheeUIJBAAqfczLvmpp0wisx0+Jp+keg==
caps mds = "allow rw"
caps mgr = "allow rw"
caps mon = "allow r"
caps osd = "allow rw tag cephfs ="

@Madhu-1
Collaborator

Madhu-1 commented Feb 2, 2022

it should be like below

ceph auth get client.csi-cephfs-node
[client.csi-cephfs-node]
	key = AQCko/dhkjfqEBAAxsbULx1aQl/g7RY9HuNsMA==
	caps mds = "allow rw"
	caps mgr = "allow rw"
	caps mon = "allow r"
	caps osd = "allow rw tag cephfs *=*"
exported keyring for client.csi-cephfs-node

@kishore438
Author

those * are being removed when pasting the output here

exported keyring for client.csi-cephfs-node
[client.csi-cephfs-node]
key = AQCYT/pheeUIJBAAqfczLvmpp0wisx0+Jp+keg==
caps mds = "allow rw"
caps mgr = "allow rw"
caps mon = "allow r"
caps osd = "allow rw tag cephfs *=*"
please check. we are using exact permissions

@Madhu-1
Collaborator

Madhu-1 commented Feb 2, 2022

@kishore438 what is the ceph version you are using?

@kishore438
Author

@Madhu-1
ceph:~ # ceph --version
ceph version 15.2.15-83-gf72054fa653 (f72054fa65354688da034079d54554bf34373d94) octopus (stable)

@Madhu-1
Collaborator

Madhu-1 commented Feb 2, 2022

i will see the above user caps has permission to create volume can you try with below caps.

ceph auth get-or-create client.kubernetes \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*' \
mgr 'allow rw'

this is similar to #904?

@kishore438
Author

Created client
ceph:~ # ceph auth get-or-create client.kubernetes mon 'allow r' osd 'allow rw tag cephfs metadata=*' mgr 'allow rw'
[client.kubernetes]
key = AQAWiPph0s2DEBAAvtJNf13IbpljRWXuChU5nw==

ceph:~ # ceph auth get client.kubernetes
exported keyring for client.kubernetes
[client.kubernetes]
key = AQAWiPph0s2DEBAAvtJNf13IbpljRWXuChU5nw==
caps mgr = "allow rw"
caps mon = "allow r"
caps osd = "allow rw tag cephfs metadata=*"
ceph:~ #

created a secret:
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # cat cephfs-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-provisioner
stringData:

  # Required for dynamically provisioned volumes

  userID: kubernetes
  userKey: AQAWiPph0s2DEBAAvtJNf13IbpljRWXuChU5nw==

  adminID: kubernetes
  adminKey: AQAWiPph0s2DEBAAvtJNf13IbpljRWXuChU5nw==
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras #

cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl delete secret csi-cephfs-secret -n ceph-provisioner
secret "csi-cephfs-secret" deleted
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # vi
ceph-cm.yaml cephfs-sc.yaml cephfs-secret.yaml pvc.yaml
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # vi cephfs-secret.yaml
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl apply -f cephfs-secret.yaml -n ceph-provisioner
secret/csi-cephfs-secret created
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl scale deploy cephfs-provisioner-ceph-csi-cephfs-provisioner --replicas=0 -n ceph-provisioner
deployment.apps/cephfs-provisioner-ceph-csi-cephfs-provisioner scaled
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl scale deploy cephfs-provisioner-ceph-csi-cephfs-provisioner --replicas=1 -n ceph-provisioner
deployment.apps/cephfs-provisioner-ceph-csi-cephfs-provisioner scaled
cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr csi-provisioner -n ceph-provisioner -f
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl get pods -n ceph-provisioner
NAME READY STATUS RESTARTS AGE
cephfs-provisioner-ceph-csi-cephfs-nodeplugin-cp7s9 3/3 Running 0 114m
cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-nqp5g 6/6 Running 0 10s
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl logs cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-nqp5g csi-provisioner -n ceph-provisioner -f
I0202 13:36:33.627415 1 csi-provisioner.go:121] Version: v2.0.4
I0202 13:36:33.627534 1 csi-provisioner.go:135] Building kube configs for running in cluster...
I0202 13:36:33.643176 1 connection.go:153] Connecting to unix:///csi/csi-provisioner.sock
I0202 13:36:34.644156 1 common.go:111] Probing CSI driver for readiness
I0202 13:36:34.644179 1 connection.go:182] GRPC call: /csi.v1.Identity/Probe
I0202 13:36:34.644184 1 connection.go:183] GRPC request: {}
I0202 13:36:34.649044 1 connection.go:185] GRPC response: {}
I0202 13:36:34.649139 1 connection.go:186] GRPC error:
I0202 13:36:34.649148 1 connection.go:182] GRPC call: /csi.v1.Identity/GetPluginInfo
I0202 13:36:34.649151 1 connection.go:183] GRPC request: {}
I0202 13:36:34.649588 1 connection.go:185] GRPC response: {"name":"cephfs.csi.ceph.com","vendor_version":"v3.2.1"}
I0202 13:36:34.649635 1 connection.go:186] GRPC error:
I0202 13:36:34.649644 1 csi-provisioner.go:182] Detected CSI driver cephfs.csi.ceph.com
W0202 13:36:34.649655 1 metrics.go:333] metrics endpoint will not be started because metrics-address was not specified.
I0202 13:36:34.649662 1 connection.go:182] GRPC call: /csi.v1.Identity/GetPluginCapabilities
I0202 13:36:34.649665 1 connection.go:183] GRPC request: {}
I0202 13:36:34.653907 1 connection.go:185] GRPC response: {"capabilities":[{"Type":{"Service":{"type":1}}},{"Type":{"VolumeExpansion":{"type":1}}},{"Type":{"Service":{"type":2}}}]}
I0202 13:36:34.654084 1 connection.go:186] GRPC error:
I0202 13:36:34.654126 1 connection.go:182] GRPC call: /csi.v1.Controller/ControllerGetCapabilities
I0202 13:36:34.654130 1 connection.go:183] GRPC request: {}
I0202 13:36:34.654782 1 connection.go:185] GRPC response: {"capabilities":[{"Type":{"Rpc":{"type":1}}},{"Type":{"Rpc":{"type":5}}},{"Type":{"Rpc":{"type":9}}},{"Type":{"Rpc":{"type":7}}}]}
I0202 13:36:34.654897 1 connection.go:186] GRPC error:
I0202 13:36:34.655024 1 csi-provisioner.go:210] CSI driver does not support PUBLISH_UNPUBLISH_VOLUME, not watching VolumeAttachments
I0202 13:36:34.655830 1 controller.go:735] Using saving PVs to API server in background
I0202 13:36:34.663931 1 leaderelection.go:243] attempting to acquire leader lease ceph-provisioner/cephfs-csi-ceph-com...
I0202 13:36:34.674782 1 leader_election.go:179] new leader detected, current leader: cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-vnrtr
I0202 13:36:54.312934 1 leaderelection.go:253] successfully acquired lease ceph-provisioner/cephfs-csi-ceph-com
I0202 13:36:54.313228 1 leader_election.go:172] became leader, starting
I0202 13:36:54.313428 1 leader_election.go:179] new leader detected, current leader: cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-nqp5g
I0202 13:36:54.413995 1 controller.go:820] Starting provisioner controller cephfs.csi.ceph.com_cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-nqp5g_eb4844fb-1fe6-4c77-81dd-c1ec03b1c314!
I0202 13:36:54.414083 1 clone_controller.go:66] Starting CloningProtection controller
I0202 13:36:54.414269 1 clone_controller.go:84] Started CloningProtection controller
I0202 13:36:54.414104 1 volume_store.go:97] Starting save volume queue
I0202 13:36:54.514534 1 controller.go:1317] provision "default/test-pvc-rwx" class "csi-cephfs-sc": started
I0202 13:36:54.514671 1 controller.go:869] Started provisioner controller cephfs.csi.ceph.com_cephfs-provisioner-ceph-csi-cephfs-provisioner-865f97f7d9-nqp5g_eb4844fb-1fe6-4c77-81dd-c1ec03b1c314!
I0202 13:36:54.514754 1 controller.go:573] CreateVolumeRequest {Name:pvc-1006227d-c084-4634-af01-72a992d5d693 CapacityRange:required_bytes:20971520 VolumeCapabilities:[mount:<mount_flags:"debug" > access_mode:<mode:MULTI_NODE_MULTI_WRITER > ] Parameters:map[clusterID:eab5fb46-7eb5-11ec-91ab-d4f5ef46983c csi.storage.k8s.io/controller-expand-secret-name:csi-cephfs-secret csi.storage.k8s.io/controller-expand-secret-namespace:ceph-provisioner csi.storage.k8s.io/node-stage-secret-name:csi-cephfs-secret csi.storage.k8s.io/node-stage-secret-namespace:ceph-provisioner csi.storage.k8s.io/provisioner-secret-name:csi-cephfs-secret csi.storage.k8s.io/provisioner-secret-namespace:ceph-provisioner fsName:shared_fs_storage volumeNamePrefix:cs-vol-project-] Secrets:map[] VolumeContentSource: AccessibilityRequirements: XXX_NoUnkeyedLiteral:{} XXX_unrecognized:[] XXX_sizecache:0}
I0202 13:36:54.515320 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"test-pvc-rwx", UID:"1006227d-c084-4634-af01-72a992d5d693", APIVersion:"v1", ResourceVersion:"187182", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/test-pvc-rwx"
I0202 13:36:54.520887 1 connection.go:182] GRPC call: /csi.v1.Controller/CreateVolume
I0202 13:36:54.520901 1 connection.go:183] GRPC request: {"capacity_range":{"required_bytes":20971520},"name":"pvc-1006227d-c084-4634-af01-72a992d5d693","parameters":{"clusterID":"eab5fb46-7eb5-11ec-91ab-d4f5ef46983c","fsName":"shared_fs_storage","volumeNamePrefix":"cs-vol-project-"},"secrets":"stripped","volume_capabilities":[{"AccessType":{"Mount":{"mount_flags":["debug"]}},"access_mode":{"mode":5}}]}
I0202 13:36:54.538510 1 connection.go:185] GRPC response: {}
I0202 13:36:54.538583 1 connection.go:186] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 13:36:54.538609 1 controller.go:645] CreateVolume failed, supports topology = false, node selected false => may reschedule = false => state = Finished: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 13:36:54.538648 1 controller.go:1084] Final error received, removing PVC 1006227d-c084-4634-af01-72a992d5d693 from claims in progress
W0202 13:36:54.538658 1 controller.go:943] Retrying syncing claim "1006227d-c084-4634-af01-72a992d5d693", failure 0
E0202 13:36:54.538741 1 controller.go:966] error syncing claim "1006227d-c084-4634-af01-72a992d5d693": failed to provision volume with StorageClass "csi-cephfs-sc": rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 13:36:54.538826 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"test-pvc-rwx", UID:"1006227d-c084-4634-af01-72a992d5d693", APIVersion:"v1", ResourceVersion:"187182", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "csi-cephfs-sc": rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 13:36:55.038957 1 controller.go:1317] provision "default/test-pvc-rwx" class "csi-cephfs-sc": started
I0202 13:36:55.039062 1 controller.go:573] CreateVolumeRequest {Name:pvc-1006227d-c084-4634-af01-72a992d5d693 CapacityRange:required_bytes:20971520 VolumeCapabilities:[mount:<mount_flags:"debug" > access_mode:<mode:MULTI_NODE_MULTI_WRITER > ] Parameters:map[clusterID:eab5fb46-7eb5-11ec-91ab-d4f5ef46983c csi.storage.k8s.io/controller-expand-secret-name:csi-cephfs-secret csi.storage.k8s.io/controller-expand-secret-namespace:ceph-provisioner csi.storage.k8s.io/node-stage-secret-name:csi-cephfs-secret csi.storage.k8s.io/node-stage-secret-namespace:ceph-provisioner csi.storage.k8s.io/provisioner-secret-name:csi-cephfs-secret csi.storage.k8s.io/provisioner-secret-namespace:ceph-provisioner fsName:shared_fs_storage volumeNamePrefix:cs-vol-project-] Secrets:map[] VolumeContentSource: AccessibilityRequirements: XXX_NoUnkeyedLiteral:{} XXX_unrecognized:[] XXX_sizecache:0}
I0202 13:36:55.039389 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"test-pvc-rwx", UID:"1006227d-c084-4634-af01-72a992d5d693", APIVersion:"v1", ResourceVersion:"187182", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/test-pvc-rwx"
I0202 13:36:55.042560 1 connection.go:182] GRPC call: /csi.v1.Controller/CreateVolume
I0202 13:36:55.042724 1 connection.go:183] GRPC request: {"capacity_range":{"required_bytes":20971520},"name":"pvc-1006227d-c084-4634-af01-72a992d5d693","parameters":{"clusterID":"eab5fb46-7eb5-11ec-91ab-d4f5ef46983c","fsName":"shared_fs_storage","volumeNamePrefix":"cs-vol-project-"},"secrets":"stripped","volume_capabilities":[{"AccessType":{"Mount":{"mount_flags":["debug"]}},"access_mode":{"mode":5}}]}
^C

cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
rbd-pvc Bound pvc-98cd443a-f2f9-45cd-be84-d7e7ff69e1ed 1Gi RWO csi-rbd-sc 19h
test-pvc-rwx Pending csi-cephfs-sc 3h31m
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras #
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras #

I deleted pvc, storageclass and recreated them but still no luck.

I am clueless.
#904 error looks different "operation not permitted".
but it looks more like authorization issue to me.

@Madhu-1
Collaborator

Madhu-1 commented Feb 3, 2022

@kishore438 i have tested this one with different ceph version (it should not matter) with below caps

client.csi-cephfs-node
	key: AQCqcfthdw34IxAAajgC3v02hcRTkQsoKfmIMA==
	caps: [mds] allow rw
	caps: [mgr] allow rw
	caps: [mon] allow r
	caps: [osd] allow rw tag cephfs *=*
I0203 06:19:19.131531       1 utils.go:191] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 GRPC call: /csi.v1.Controller/CreateVolume
I0203 06:19:19.131751       1 utils.go:195] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 GRPC request: {"capacity_range":{"required_bytes":1073741824},"name":"pvc-50404659-ff24-432d-91ce-446e3d12e2c6","parameters":{"clusterID":"rook-ceph","fsName":"myfs","pool":"myfs-replicated"},"secrets":"***stripped***","volume_capabilities":[{"AccessType":{"Mount":{}},"access_mode":{"mode":7}}]}
E0203 06:19:19.144210       1 omap.go:78] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 omap not found (pool="myfs-metadata", namespace="csi", name="csi.volumes.default"): rados: ret=-2, No such file or directory
I0203 06:19:19.153322       1 omap.go:155] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 set omap keys (pool="myfs-metadata", namespace="csi", name="csi.volumes.default"): map[csi.volume.pvc-50404659-ff24-432d-91ce-446e3d12e2c6:3862936f-84b9-11ec-9426-1e134e2fee53])
I0203 06:19:19.157633       1 omap.go:155] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 set omap keys (pool="myfs-metadata", namespace="csi", name="csi.volume.3862936f-84b9-11ec-9426-1e134e2fee53"): map[csi.imagename:csi-vol-3862936f-84b9-11ec-9426-1e134e2fee53 csi.volname:pvc-50404659-ff24-432d-91ce-446e3d12e2c6])
I0203 06:19:19.157675       1 fsjournal.go:291] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 Generated Volume ID (0001-0009-rook-ceph-0000000000000001-3862936f-84b9-11ec-9426-1e134e2fee53) and subvolume name (csi-vol-3862936f-84b9-11ec-9426-1e134e2fee53) for request name (pvc-50404659-ff24-432d-91ce-446e3d12e2c6)
I0203 06:19:19.199694       1 volume.go:171] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 cephfs: created subvolume group csi
I0203 06:19:19.257154       1 controllerserver.go:305] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 cephfs: successfully created backing volume named csi-vol-3862936f-84b9-11ec-9426-1e134e2fee53 for request name pvc-50404659-ff24-432d-91ce-446e3d12e2c6
I0203 06:19:19.257312       1 utils.go:202] ID: 17 Req-ID: pvc-50404659-ff24-432d-91ce-446e3d12e2c6 GRPC response: {"volume":{"capacity_bytes":1073741824,"volume_context":{"clusterID":"rook-ceph","fsName":"myfs","pool":"myfs-replicated","subvolumeName":"csi-vol-3862936f-84b9-11ec-9426-1e134e2fee53","subvolumePath":"/volumes/csi/csi-vol-3862936f-84b9-11ec-9426-1e134e2fee53/0c5b334d-ae66-4697-9f3a-94e3f1853625"},"volume_id":"0001-0009-rook-ceph-0000000000000001-3862936f-84b9-11ec-9426-1e134e2fee53"}}

This is Rook csi troubleshooting guide see this helps https://github.com/rook/rook/blob/master/Documentation/ceph-csi-troubleshooting.md

what is the cephcsi version you are using?
if you are using the latest (supported) cephcsi hope you have proper mon details in the cephcsi configmap. if you are using v2 mon ports try using v1 mon ports.

@kishore438
Author

@Madhu-1

I see "access_mode":{"mode":7} in your logs. Does it make any difference?? How can It be updated??

@Madhu-1
Collaborator

Madhu-1 commented Feb 3, 2022

that is the PVC type it's RWX PVC. it's not a problem.

@kishore438
Author

if possible, could you share your storageclass.yaml, values.yaml, secret(with removed password) yaml files.
I would like to cross verify.

Is there any way we can troubleshoot from ceph side??
I checked all the below troubleshooting steps and it looks ok to me.
https://github.com/rook/rook/blob/master/Documentation/ceph-csi-troubleshooting.md

is there any tool or command I can execute with username/password to create a pvc??

@kishore438
Author

Hi again,

After troubleshooting, we found that the permission denied error comes only from the pod. If the same command is run from the host where minikube is running, the command works.

from host vm:

cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # ceph -m 172.16.0.1:3300,172.16.0.2:3300,172.16.0.3:3300 --id csi-cephfs-node --key AQCYT/pheeUIJBAAqfczLvmpp0wisx0+Jp+keg== fs ls --format=json

[{"name":"shared_fs_storage","metadata_pool":"shared_fs_storage_metadata","metadata_pool_id":12,"data_pool_ids":[11],"data_pools":["shared_fs_storage_data"]}]

from the pod:
cephfs-test-stage:/tmp/cephrwx/cephfs/ceph-csi-extras # kubectl exec -it cephfs-provisioner-ceph-csi-cephfs-provisioner-5fffbdd74c-cznbx -c csi-cephfsplugin -n ceph-provisioner -- bash
[root@cephfs-provisioner-ceph-csi-cephfs-provisioner-5fffbdd74c-cznbx /]# ceph -m 172.16.0.1:3300,172.16.0.2:3300,172.16.0.3:3300 --id csi-cephfs-node --key AQCYT/pheeUIJBAAqfczLvmpp0wisx0+Jp+keg== fs ls --format=json
[errno 13] RADOS permission denied (error connecting to the cluster)

Do you know if we have to do any configuration change from ceph side??

@kishore438
Author

Finally found the issue.

Ceph is dropping the authentication due to issue with insecure global_id.
I saw the below error in mon debug logs.

"attempt to reclaim global_id 155276 without presenting ticket"

To fix this, either we need to update the ceph clients' versions (ex: 15.2.11) or allow insecure connections by enabling "auth_allow_insecure_global_id_reclaim" in ceph (which is not recommended)

thank you @Madhu-1 for your support on this issue.
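
The resolution above ties the provisioner's `rados: ret=-13` to the mon rejecting a global_id reclaim. As an added example (not part of the issue and not ceph-csi code), the script below pairs each provisioner EACCES line with mon rejections logged within a few seconds. The mon line layout, the second global_id and the 14:00 provisioner line are constructed, and both logs are assumed to share one clock and timezone.

```python
import re
from datetime import datetime, timedelta

# The message text is the one quoted in the issue; the rest of the mon line
# layout (timestamp, thread id, "cephx server <entity>:") is constructed.
RECLAIM_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*?"
    r"(?P<entity>client\.\S+?):?\s+attempt to reclaim global_id "
    r"(?P<gid>\d+) without presenting ticket")
# klog line from the provisioner: severity letter, MMDD, wall-clock time, message.
EACCES_RE = re.compile(
    r"[IWE](?P<md>\d{4}) (?P<hms>\d{2}:\d{2}:\d{2})\.\d+ .*"
    r"GRPC error: .*rados: ret=-13, Permission denied")

# First two EACCES lines are taken from the issue; the 14:00 line is constructed.
SAMPLE_CSI_LOG = """\
I0202 11:42:30.985064 1 connection.go:182] GRPC call: /csi.v1.Controller/CreateVolume
I0202 11:42:30.998902 1 connection.go:186] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 13:36:54.538583 1 connection.go:186] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
I0202 14:00:00.000001 1 connection.go:186] GRPC error: rpc error: code = InvalidArgument desc = failed to get connection: connecting failed: rados: ret=-13, Permission denied
"""

# Constructed mon debug log lines (only the quoted message comes from the issue).
SAMPLE_MON_LOG = """\
2022-02-02T11:42:30.991+0000 7f3a1c0a2700  0 cephx server client.csi-cephfs-node:  attempt to reclaim global_id 155276 without presenting ticket
2022-02-02T13:36:54.530+0000 7f3a1c0a2700  0 cephx server client.kubernetes:  attempt to reclaim global_id 155301 without presenting ticket
2022-02-02T13:40:00.000+0000 7f3a1c0a2700  1 mon.a@0(leader) e1 unrelated housekeeping line
"""


def parse_mon(mon_log):
    """Return (timestamp, entity, global_id) for each rejected reclaim."""
    hits = []
    for line in mon_log.splitlines():
        m = RECLAIM_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            hits.append((ts, m["entity"], int(m["gid"])))
    return hits


def parse_csi(csi_log, year):
    """Return the timestamp of each CreateVolume EACCES; klog omits the year."""
    hits = []
    for line in csi_log.splitlines():
        m = EACCES_RE.match(line)
        if m:
            hits.append(datetime.strptime(
                f"{year}{m['md']} {m['hms']}", "%Y%m%d %H:%M:%S"))
    return hits


def correlate(csi_log, mon_log, year, window_s=5):
    """Pair every EACCES with the mon rejections seen within window_s seconds."""
    rejections = parse_mon(mon_log)
    window = timedelta(seconds=window_s)
    return [(t, [(e, g) for ts, e, g in rejections if abs(ts - t) <= window])
            for t in parse_csi(csi_log, year)]


def summarize(pairs):
    """Count EACCES events explained by a reclaim rejection vs. unexplained."""
    explained = sum(1 for _, near in pairs if near)
    return explained, len(pairs) - explained


if __name__ == "__main__":
    pairs = correlate(SAMPLE_CSI_LOG, SAMPLE_MON_LOG, 2022)
    for when, near in pairs:
        cause = near if near else "no reclaim rejection nearby; check key and caps"
        print(when.isoformat(), "->", cause)
    print("explained/unexplained:", summarize(pairs))
```

An EACCES with no matching mon line points back at the key, caps or mon addresses rather than at the global_id reclaim check.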
