From: Benoît Knecht Date: Mon, 6 Dec 2021 08:29:43 +0000 (+0100) Subject: systemd: Set PrivateDevices=false in ceph-mon@.service X-Git-Tag: v17.1.0~108^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=96de1c97608b81ab80d4be3160ac05d11d4b23c8;p=ceph.git systemd: Set PrivateDevices=false in ceph-mon@.service The `ceph-mon` daemon needs access to block devices to check the health of the disk that backs its DB store (#24151). Fixes: https://tracker.ceph.com/issues/52416 Signed-off-by: Benoît Knecht --- diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in index b7c92f278e34..2eba83c3cc9b 100644 --- a/systemd/ceph-mon@.service.in +++ b/systemd/ceph-mon@.service.in @@ -20,7 +20,10 @@ LockPersonality=true MemoryDenyWriteExecute=true # Need NewPrivileges via `sudo smartctl` NoNewPrivileges=false -PrivateDevices=yes +# We need access to block devices to check the health of the disk backing the +# monitor DB store. It can be set to `true` if you're not interested in that +# feature. +PrivateDevices=false PrivateTmp=true ProtectControlGroups=true ProtectHome=true
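Review bot: The added `PrivateDevices=false` line exposes the host's whole /dev tree to ceph-mon, not only the disk backing the monitor DB store, and it sits directly below `NoNewPrivileges=false`, so the unit now relaxes two hardening settings for a single health check. It would help to confirm that a narrower setting was tried and ruled out, for example a device allow-list using `DevicePolicy=closed` with `DeviceAllow=` entries for block devices, which would need testing against the `sudo smartctl` path. The new comment could also state that the health check runs through `sudo smartctl` and what an operator loses by setting the value back to `true`, so the two relaxed settings are documented together. The linked tracker issue is the only place the failure is described, so a one-line summary of the symptom in the commit message would make the change easier to audit later.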