Chainguard Container for cephcsi

CephCSI is the Container Storage Interface (CSI) driver for Ceph, providing support for RBD and CephFS.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/cephcsi:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

The Chainguard cephcsi image is compatible with the upstream Ceph CSI image (quay.io/cephcsi/cephcsi).

Currently, the Chainguard cephcsi image does not support SELinux; support is actively in development.

Getting Started

Basic Usage

The Ceph Container Storage Interface (CSI) driver is deployed using Rook Ceph, a Kubernetes operator that automates the deployment and management of a Ceph storage cluster. Rook has prerequisites that need to be met before deployment, such as, at least one local storage device and a Linux kernel built with the RBD module.

Rook can be deployed by using manifests or helm charts.

Deploy the Rook Operator

The rook operator can be configured to use the Chainguard CephCSI image:

cat > rook-operator-values.yaml <<EOF
csi:
  cephcsi:
    image: cgr.dev/ORGANIZATION/cephcsi
    tag: latest
EOF

helm repo add rook-release https://charts.rook.io/release
helm install rook-ceph rook-release/rook-ceph -n rook-ceph --create-namespace -f rook-operator-values.yaml

Wait for the operator to be available:

$ kubectl wait --for=condition=Available -n rook-ceph deployment/rook-ceph-operator
$ kubectl get pods -n rook-ceph
NAME                                           READY   STATUS    RESTARTS   AGE
ceph-csi-controller-manager-778798b996-n6wh7   1/1     Running   0          31s
rook-ceph-operator-64d5db6dcb-w66tw            1/1     Running   0          31s

Deploy the Ceph Cluster

Install the ceph cluster chart:

helm install --create-namespace --namespace rook-ceph rook-ceph-cluster \
   --set operatorNamespace=rook-ceph rook-release/rook-ceph-cluster

If you have local storage available, rook-ceph-osd pods should be ready:

$ kubectl wait --for=condition=ready -n rook-ceph pod -l app=rook-ceph-osd
$ kubectl get pods -n rook-ceph
NAME                                                        READY   STATUS      RESTARTS   AGE
ceph-csi-controller-manager-778798b996-n6wh7                1/1     Running     0          2m29s
rook-ceph-exporter-5c01e877fcb9-f5bf658cd-bpffz             1/1     Running     0          31s
rook-ceph-mds-ceph-filesystem-a-755d58b858-52fqg            2/2     Running     0          34s
rook-ceph-mds-ceph-filesystem-b-9bf8fb4c8-b4xsq             2/2     Running     0          32s
rook-ceph-mgr-a-59cc5fcfbd-4kgqq                            2/2     Running     0          76s
rook-ceph-mon-a-6f99b7946f-shq25                            2/2     Running     0          100s
rook-ceph-operator-64d5db6dcb-w66tw                         1/1     Running     0          2m29s
rook-ceph-osd-0-5b8b9fdf8c-nwssh                            2/2     Running     0          41s
rook-ceph-osd-prepare-5c01e877fcb9-4nxb7                    0/1     Completed   0          55s
rook-ceph-tools-6f9c54c5f-74gx8                             1/1     Running     0          106s
rook-ceph.cephfs.csi.ceph.com-ctrlplugin-84dcc577bd-9x99v   6/6     Running     0          95s
rook-ceph.cephfs.csi.ceph.com-nodeplugin-hbqpg              3/3     Running     0          95s

Testing the Ceph CSI Driver

To confirm that the Ceph CSI driver is working correctly, you can create a Persistent Volume Claim (PVC) and a test pod that uses it.

By default, the Rook Ceph cluster Helm chart deploys a storage class named ceph-filesystem which is required for provisioning storage. This storage class uses the Ceph CSI driver to create and manage volumes. You can find the default values in the Rook Ceph GitHub repository.

1. Create a PVC that requests storage from the ceph-filesystem storage class.

kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-cephfs-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ceph-filesystem
  resources:
    requests:
      storage: 1Gi
EOF
kubectl wait --for=jsonpath='{.status.phase}'=Bound pvc/my-cephfs-pvc --timeout=300s

2. Create a test pod and mount the PVC. The pod will be stuck in a waiting state if it fails to mount the volume.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: default
spec:
  containers:
    - name: busybox
      image: busybox
      command: ["sh", "-c", "echo 'Hello from the test pod!' > /data/testfile.txt"]
      volumeMounts:
        - name: cephfs-volume
          mountPath: /data
  volumes:
    - name: cephfs-volume
      persistentVolumeClaim:
        claimName: my-cephfs-pvc
EOF

If the pod successfully starts, you've confirmed that the Ceph CSI driver is functional and able to provision and mount volumes.

For further exploration and more information, use these resources:

• Ceph CSI GitHub Repository
• Rook Ceph Documentation
• Ceph Documentation
• Kubernetes CSI Documentation

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.