From: Wong Hoi Sing Edison Date: Wed, 14 Apr 2021 07:36:17 +0000 (+0800) Subject: systemd: remove `ProtectClock=true` for `ceph-osd@.service` X-Git-Tag: v16.2.4~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=775a15be38c268c08cfeb0e413a29bb044a8e285;p=ceph.git systemd: remove `ProtectClock=true` for `ceph-osd@.service` Ceph 16.2.0 Pacific by https://github.com/ceph/ceph/commit/9a84d5a introduce following new systemd restriction: ProtectClock=true ProtectHostname=true ProtectKernelLogs=true RestrictSUIDSGID=true BTW, `ceph-osd@.service` failed with `ProtectClock=true` unexpectly, also see: - - This PR intruduce: - Remove `ProtectClock=true` for our systemd service templates Fixes: https://tracker.ceph.com/issues/50347 Signed-off-by: Wong Hoi Sing Edison (cherry picked from commit 85bc551b179d940a50cbdfd0c20848e3187c70a6)
---
diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 1ea4b17675a5..9c12c9ba4446 100644
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 # ceph-fuse requires access to /dev fuse device
 PrivateDevices=no
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelLogs=true
diff --git a/systemd/ceph-immutable-object-cache@.service.in b/systemd/ceph-immutable-object-cache@.service.in
index f5782487f9e2..62ff8dbd2729 100644
--- a/systemd/ceph-immutable-object-cache@.service.in
+++ b/systemd/ceph-immutable-object-cache@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index 2884f587f976..afa36702f9c0 100644
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -17,7 +17,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index 1ee28285209b..8fadc4746b3a 100644
--- a/systemd/ceph-mgr@.service.in
+++ b/systemd/ceph-mgr@.service.in
@@ -16,7 +16,6 @@ LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index 994cdfd28695..b7c92f278e34 100644
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -22,7 +22,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=false
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 4981417d6202..046500efb66b 100644
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
@@ -18,7 +18,6 @@ MemoryDenyWriteExecute=true
 # Need NewPrivileges via `sudo smartctl`
 NoNewPrivileges=false
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index cfff60c18b8c..b74747055065 100644
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index fe49f11116e1..1057892dc99c 100644
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/cephfs-mirror@.service.in b/systemd/cephfs-mirror@.service.in
index a97d6ad8b57a..bed9d195302b 100644
--- a/systemd/cephfs-mirror@.service.in
+++ b/systemd/cephfs-mirror@.service.in
@@ -15,7 +15,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
@@ -30,4 +29,4 @@ StartLimitInterval=30min
 TasksMax=infinity
 
 [Install]
-WantedBy=cephfs-mirror.target
\ No newline at end of file
+WantedBy=cephfs-mirror.target
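Review bot: Dropping `ProtectClock=true` in this ceph-rbd-mirror hunk, and likewise in the ceph-immutable-object-cache, ceph-mds, ceph-mgr, ceph-mon, ceph-radosgw and cephfs-mirror hunks, removes hardening from units for which the commit message reports no failure; only `ceph-osd@.service` is named there. According to systemd.exec(5), ProtectClock= implies `DeviceAllow=char-rtc r`, so the breakage is probably limited to units that open device nodes outside a device allow-list, while the templates listed above already set `PrivateDevices=yes` and would likely keep working with the clock protection in place (worth confirming on a test host). I would keep `ProtectClock=true` in those templates and restrict the removal to the units shown to fail. In ceph-osd@.service a comment such as `# ProtectClock=true breaks OSD startup, see https://tracker.ceph.com/issues/50347` would record why the directive is absent, so it is neither re-added blindly nor forgotten when the underlying cause is fixed.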