fix storage

2026-01-09 16:54:39 +00:00
parent dcb54c26ec
commit 7b91e0fd24
37 changed files with 3283 additions and 1227 deletions
--- a/PERMISSIONS-SETUP.md
+++ b/PERMISSIONS-SETUP.md
@@ -0,0 +1,117 @@
+# Calypso User Permissions Setup
+**Tanggal:** 2025-01-09  
+**User:** `calypso`  
+**Status:** ✅ **CONFIGURED**
+
+## Problem
+
+User `calypso` tidak memiliki permission yang cukup untuk:
+- Mengakses raw disk devices (`/dev/sd*`)
+- Menjalankan ZFS commands (`zpool`, `zfs`)
+- Mengakses tape devices
+- Menjalankan SCST commands
+
+## Solution
+
+### 1. Group Membership
+
+User `calypso` telah ditambahkan ke groups berikut:
+- `disk` - Access to disk devices
+- `tape` - Access to tape devices  
+- `storage` - Storage-related permissions
+
+```bash
+sudo usermod -aG disk,tape,storage calypso
+```
+
+### 2. Sudoers Configuration
+
+File `/etc/sudoers.d/calypso` telah dibuat dengan permissions berikut:
+
+#### ZFS Commands
+```sudoers
+calypso ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/sbin/zfs, /usr/bin/zpool, /usr/bin/zfs
+```
+
+#### SCST Commands
+```sudoers
+calypso ALL=(ALL) NOPASSWD: /usr/sbin/scstadmin, /usr/bin/scstadmin
+```
+
+#### Tape Utilities
+```sudoers
+calypso ALL=(ALL) NOPASSWD: /usr/bin/mtx, /usr/bin/mt, /usr/bin/sg_*, /usr/bin/sg3_utils/*
+```
+
+#### System Monitoring
+```sudoers
+calypso ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/systemctl is-active *, /usr/bin/journalctl -u *
+```
+
+## Verification
+
+### Check Group Membership
+```bash
+groups calypso
+# Output should include: disk tape storage
+```
+
+### Check Sudoers File
+```bash
+sudo visudo -c -f /etc/sudoers.d/calypso
+# Should return: /etc/sudoers.d/calypso: parsed OK
+```
+
+### Test ZFS Access
+```bash
+sudo -u calypso zpool list
+# Should work without errors
+```
+
+### Test Device Access
+```bash
+sudo -u calypso ls -la /dev/sdb
+# Should show device permissions
+```
+
+## Backend Code Changes Needed
+
+Backend code perlu menggunakan `sudo` untuk ZFS commands. Contoh:
+
+```go
+// Before (will fail with permission denied)
+cmd := exec.CommandContext(ctx, "zpool", "create", ...)
+
+// After (with sudo)
+cmd := exec.CommandContext(ctx, "sudo", "zpool", "create", ...)
+```
+
+## Current Status
+
+✅ **Groups:** User calypso added to disk, tape, storage groups  
+✅ **Sudoers:** Configuration file created and validated  
+✅ **Permissions:** File permissions set to 0440 (secure)  
+⏭️ **Code Update:** Backend code needs to use `sudo` for privileged commands
+
+## Next Steps
+
+1. ✅ Groups configured
+2. ✅ Sudoers configured
+3. ⏭️ Update backend code to use `sudo` for:
+   - ZFS operations (`zpool`, `zfs`)
+   - SCST operations (`scstadmin`)
+   - Tape operations (`mtx`, `mt`, `sg_*`)
+4. ⏭️ Restart Calypso API service
+5. ⏭️ Test ZFS pool creation via frontend
+
+## Important Notes
+
+- Sudoers file uses `NOPASSWD` for convenience (service account)
+- Only specific commands are allowed (security best practice)
+- File permissions are 0440 (read-only for root and group)
+- Service restart required after permission changes
+
+---
+
+**Status:** ✅ **PERMISSIONS CONFIGURED**  
+**Action Required:** Update backend code to use `sudo` for privileged commands