Chainguard Container for cephcsi

CephCSI is the Container Storage Interface (CSI) driver for Ceph, providing support for RBD and CephFS.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/cephcsi:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

The Chainguard cephcsi image is compatible with the upstream Ceph CSI image (quay.io/cephcsi/cephcsi).

Currently, the Chainguard cephcsi image does not support SELinux; support is actively in development.

Getting Started

Basic Usage

The Ceph Container Storage Interface (CSI) driver is deployed using Rook Ceph, a Kubernetes operator that automates the deployment and management of a Ceph storage cluster. Rook has prerequisites that need to be met before deployment, such as, at least one local storage device and a Linux kernel built with the RBD module.

Rook can be deployed by using manifests or helm charts.

Deploy the Rook Operator

The rook operator can be configured to use the Chainguard CephCSI image:

cat > rook-operator-values.yaml <<EOF
csi:
  cephcsi:
    image: cgr.dev/ORGANIZATION/cephcsi
    tag: latest
EOF

helm repo add rook-release https://charts.rook.io/release
helm install rook-ceph rook-release/rook-ceph -n rook-ceph --create-namespace -f rook-operator-values.yaml

Wait for the operator to be available:

$ kubectl wait --for=condition=Available -n rook-ceph deployment/rook-ceph-operator
$ kubectl get pods -n rook-ceph
NAME                                           READY   STATUS    RESTARTS   AGE
ceph-csi-controller-manager-778798b996-n6wh7   1/1     Running   0          31s
rook-ceph-operator-64d5db6dcb-w66tw            1/1     Running   0          31s

Deploy the Ceph Cluster

Install the ceph cluster chart:

helm install --create-namespace --namespace rook-ceph rook-ceph-cluster \
   --set operatorNamespace=rook-ceph rook-release/rook-ceph-cluster

If you have local storage available, rook-ceph-osd pods should be ready:

$ kubectl wait --for=condition=ready -n rook-ceph pod -l app=rook-ceph-osd
$ kubectl get pods -n rook-ceph
NAME                                                        READY   STATUS      RESTARTS   AGE
ceph-csi-controller-manager-778798b996-n6wh7                1/1     Running     0          2m29s
rook-ceph-exporter-5c01e877fcb9-f5bf658cd-bpffz             1/1     Running     0          31s
rook-ceph-mds-ceph-filesystem-a-755d58b858-52fqg            2/2     Running     0          34s
rook-ceph-mds-ceph-filesystem-b-9bf8fb4c8-b4xsq             2/2     Running     0          32s
rook-ceph-mgr-a-59cc5fcfbd-4kgqq                            2/2     Running     0          76s
rook-ceph-mon-a-6f99b7946f-shq25                            2/2     Running     0          100s
rook-ceph-operator-64d5db6dcb-w66tw                         1/1     Running     0          2m29s
rook-ceph-osd-0-5b8b9fdf8c-nwssh                            2/2     Running     0          41s
rook-ceph-osd-prepare-5c01e877fcb9-4nxb7                    0/1     Completed   0          55s
rook-ceph-tools-6f9c54c5f-74gx8                             1/1     Running     0          106s
rook-ceph.cephfs.csi.ceph.com-ctrlplugin-84dcc577bd-9x99v   6/6     Running     0          95s
rook-ceph.cephfs.csi.ceph.com-nodeplugin-hbqpg              3/3     Running     0          95s

Testing the Ceph CSI Driver

To confirm that the Ceph CSI driver is working correctly, you can create a Persistent Volume Claim (PVC) and a test pod that uses it.

By default, the Rook Ceph cluster Helm chart deploys a storage class named ceph-filesystem which is required for provisioning storage. This storage class uses the Ceph CSI driver to create and manage volumes. You can find the default values in the Rook Ceph GitHub repository.

1. Create a PVC that requests storage from the ceph-filesystem storage class.

kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-cephfs-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ceph-filesystem
  resources:
    requests:
      storage: 1Gi
EOF
kubectl wait --for=jsonpath='{.status.phase}'=Bound pvc/my-cephfs-pvc --timeout=300s

2. Create a test pod and mount the PVC. The pod will be stuck in a waiting state if it fails to mount the volume.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: default
spec:
  containers:
    - name: busybox
      image: busybox
      command: ["sh", "-c", "echo 'Hello from the test pod!' > /data/testfile.txt"]
      volumeMounts:
        - name: cephfs-volume
          mountPath: /data
  volumes:
    - name: cephfs-volume
      persistentVolumeClaim:
        claimName: my-cephfs-pvc
EOF

If the pod successfully starts, you've confirmed that the Ceph CSI driver is functional and able to provision and mount volumes.

For further exploration and more information, use these resources:

• Ceph CSI GitHub Repository
• Rook Ceph Documentation
• Ceph Documentation
• Kubernetes CSI Documentation

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.