git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commit
systemd: Add systemd sandboxing to services. [7401/head]
author: Patrick Donnelly <batrick@batbytes.com>
        Thu, 28 Jan 2016 02:17:14 +0000 (21:17 -0500)
committer: Patrick Donnelly <batrick@batbytes.com>
        Thu, 28 Jan 2016 15:50:00 +0000 (10:50 -0500)
commit: b65d9c545792d562de8ae8dc13274d8f2c4aeb9b
tree: cbfb47a90404cf1f2da210c748c89ade89846eb5
parent: 1e08b21f1b826134718219be3432569c63273015
systemd: Add systemd sandboxing to services.

This change makes it so the mon/osd/mds/radosgw daemons:
    o Cannot write to /usr, /etc, and /boot.
    o Cannot access /home, /root, or /run/user.
    o Each daemon gets its own private /tmp and /var/tmp.
    o All daemons get a private /dev without physical devices (exception: osd)

I'm not sure if the osd daemon needs access to a full /dev so I left
ProtectDevices out for ceph-osd@.service.

Signed-off-by: Patrick Donnelly <batrick@batbytes.com>
systemd/ceph-mds@.service
systemd/ceph-mon@.service
systemd/ceph-osd@.service
systemd/ceph-radosgw@.service
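As an added example (not the page's or Ceph's own code), a POSIX shell helper that writes systemd drop-in files applying the four restrictions the commit message describes, leaving the private /dev out of ceph-osd@.service as the commit does. The directive names are my mapping of those effects onto standard systemd options (the page lists effects, not directives), and the target directory is a parameter so the helper can be exercised against a scratch directory before touching /etc/systemd/system.

```shell
#!/bin/sh
# Added example: generate sandboxing drop-ins for the four Ceph unit templates.
# Mapping of the commit's bullets onto systemd directives (my assumption):
#   ProtectSystem=full   -> /usr, /boot and /etc are read-only for the daemon
#   ProtectHome=true     -> /home, /root and /run/user are inaccessible
#   PrivateTmp=true      -> private /tmp and /var/tmp per daemon
#   PrivateDevices=true  -> private /dev with pseudo-devices only (omitted for osd)

write_sandbox_dropins() {
    # $1 = unit directory to write into (use /etc/systemd/system on a real host)
    root="$1"
    for unit in ceph-mon@.service ceph-mds@.service \
                ceph-osd@.service ceph-radosgw@.service; do
        mkdir -p "$root/$unit.d" || return 1
        {
            echo "[Service]"
            echo "ProtectSystem=full"
            echo "ProtectHome=true"
            echo "PrivateTmp=true"
            # The commit keeps a full /dev for ceph-osd, which may need real
            # block devices, so PrivateDevices is not applied to it.
            [ "$unit" = "ceph-osd@.service" ] || echo "PrivateDevices=true"
        } > "$root/$unit.d/sandbox.conf" || return 1
    done
}

# Report the effective sandbox settings of one unit on a running systemd host
# (for checking the result after `systemctl daemon-reload`).
show_sandbox() {
    systemctl show -p ProtectSystem -p ProtectHome \
                   -p PrivateTmp -p PrivateDevices "$1"
}
```

After `write_sandbox_dropins /etc/systemd/system`, run `systemctl daemon-reload` and `show_sandbox ceph-mon@a.service` to confirm the values took effect.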