systemd: remove `ProtectClock=true` for `ceph-osd@.service`

Ceph 16.2.0 Pacific by https://github.com/ceph/ceph/commit/9a84d5a introduce following new systemd restriction:

    ProtectClock=true
    ProtectHostname=true
    ProtectKernelLogs=true
    RestrictSUIDSGID=true

BTW, `ceph-osd@.service` failed with `ProtectClock=true` unexpectly, also see:

  - <https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/TNBGGNN6STGDKARAQTQCIPTU4KLIVJQV/>
  - <https://serverfault.com/questions/1059317/bluestore-var-lib-ceph-osd-ceph-2-block-read-bdev-label-failed-to-open-var-l>

This PR intruduce:

  - Remove `ProtectClock=true` for our systemd service templates

Fixes: https://tracker.ceph.com/issues/50347
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
(cherry picked from commit 85bc551b179d940a50cbdfd0c20848e3187c70a6)

diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 1ea4b17675a559a822e7ae3a8e5000e2c0f73424..9c12c9ba4446690a122eff36cb8b34b0e4fecec7 100644 (file)
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 # ceph-fuse requires access to /dev fuse device
 PrivateDevices=no
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelLogs=true

diff --git a/systemd/ceph-immutable-object-cache@.service.in b/systemd/ceph-immutable-object-cache@.service.in
index f5782487f9e209a41584368650ac986a92255d0f..62ff8dbd2729e1f3a0373ff5ceb554fd6085dace 100644 (file)
--- a/systemd/ceph-immutable-object-cache@.service.in
+++ b/systemd/ceph-immutable-object-cache@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index 2884f587f9768f876facd895fb13f607443f7248..afa36702f9c0ab0257b7dbdfb161bd2b770d8713 100644 (file)
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -17,7 +17,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index 1ee28285209ba6c801d0c410b9a09859eccb0a33..8fadc4746b3ad18c2c7082e3a4cb5f2159c19617 100644 (file)
--- a/systemd/ceph-mgr@.service.in
+++ b/systemd/ceph-mgr@.service.in
@@ -16,7 +16,6 @@ LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index 994cdfd2869593f65148f39f7f096fccb206fab0..b7c92f278e345d0e14c501bb0f24c067d55881e3 100644 (file)
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -22,7 +22,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=false
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 4981417d6202cb0484c23a39a4736f7ee3d2eedf..046500efb66b27d9d1af52b27e5cdca0bec50a28 100644 (file)
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
@@ -18,7 +18,6 @@ MemoryDenyWriteExecute=true
 # Need NewPrivileges via `sudo smartctl`
 NoNewPrivileges=false
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index cfff60c18b8ccc754b630540e2813d8f72e42f8c..b74747055065282bd2740da2c4afebc60c40d275 100644 (file)
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index fe49f11116e1859d52df2a31dd4c5e0877f53b48..1057892dc99c25e45411cdf651d3c5e862979c35 100644 (file)
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true

diff --git a/systemd/cephfs-mirror@.service.in b/systemd/cephfs-mirror@.service.in
index a97d6ad8b57a50bc389484b87523df8b97195d29..bed9d195302ba14c6efaa019ddc34c0637486d62 100644 (file)
--- a/systemd/cephfs-mirror@.service.in
+++ b/systemd/cephfs-mirror@.service.in
@@ -15,7 +15,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
@@ -30,4 +29,4 @@ StartLimitInterval=30min
 TasksMax=infinity
 
 [Install]
-WantedBy=cephfs-mirror.target
\ No newline at end of file
+WantedBy=cephfs-mirror.target