From: Patrick Donnelly
Date: Thu, 28 Jan 2016 02:17:14 +0000 (-0500)
Subject: systemd: Add systemd sandboxing to services.
X-Git-Tag: v10.0.4~52^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b65d9c545792d562de8ae8dc13274d8f2c4aeb9b;p=ceph.git

systemd: Add systemd sandboxing to services.

This change makes it so the mon/osd/mds/radosgw daemons:

o Cannot write to /usr, /etc, and /boot.
o Cannot access /home, /root, or /run/user.
o Each daemon gets its own private /tmp and /var/tmp.
o All daemons get a private /dev without physical devices (exception: osd)

I'm not sure if the osd daemon needs access to a full /dev so I left ProtectDevices out for ceph-osd@.service.

Signed-off-by: Patrick Donnelly
---
diff --git a/systemd/ceph-mds@.service b/systemd/ceph-mds@.service
index 708f42c81542..e12258058c74 100644
--- a/systemd/ceph-mds@.service
+++ b/systemd/ceph-mds@.service
@@ -11,6 +11,10 @@ EnvironmentFile=-/etc/sysconfig/ceph
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+PrivateDevices=yes
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
 
 [Install]
 WantedBy=ceph-mds.target
diff --git a/systemd/ceph-mon@.service b/systemd/ceph-mon@.service
index 03a9b6c19e33..a8d427b5ab5e 100644
--- a/systemd/ceph-mon@.service
+++ b/systemd/ceph-mon@.service
@@ -17,6 +17,10 @@ EnvironmentFile=-/etc/sysconfig/ceph
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+PrivateDevices=yes
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
 
 [Install]
 WantedBy=ceph-mon.target
diff --git a/systemd/ceph-osd@.service b/systemd/ceph-osd@.service
index 82dabdfe38df..1e120c46f1ba 100644
--- a/systemd/ceph-osd@.service
+++ b/systemd/ceph-osd@.service
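Review bot: The four added directives are mount-namespace restrictions, while the unit still starts `/usr/bin/ceph-mds` as root and relies on the `--setuser ceph --setgroup ceph` arguments in the unchanged ExecStart line for the actual privilege drop, so a process compromised before that in-process drop and still holding CAP_SYS_ADMIN could, as far as I can tell, remount the read-only binds that `ProtectSystem=full` creates. If ceph-mds does not need broader capabilities for its own startup, pairing these lines with `CapabilityBoundingSet=` (dropping at least CAP_SYS_ADMIN) and `NoNewPrivileges=true` would make the sandbox hold independently of when the daemon drops privileges; that needs confirming against what ceph-mds does at startup, which is not visible here. I would also record the intent next to the directives, e.g. `# Sandboxing: /usr, /etc, /boot read-only; /home, /root, /run/user hidden; private /tmp and /dev`, so later edits to this unit keep the guarantees the commit message promises.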
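Review bot: `PrivateDevices=yes` mixes boolean spellings with the three `=true` lines added directly below it; systemd accepts both, but the block reads more consistently as `PrivateDevices=true`, and the same applies to the identical line in the other units this commit touches. Since this hunk's added lines are byte-identical to the ceph-mds ones, a one-line comment such as `# Sandboxing directives; keep in sync with ceph-mds@.service and ceph-radosgw@.service` would help the copies not drift apart when one of them is tightened later.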
@@ -12,6 +12,9 @@ Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecStartPre=/usr/libexec/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
 
 [Install]
 WantedBy=ceph-osd.target
diff --git a/systemd/ceph-radosgw@.service b/systemd/ceph-radosgw@.service
index fb09e190d61f..66d9eb85a2d9 100644
--- a/systemd/ceph-radosgw@.service
+++ b/systemd/ceph-radosgw@.service
@@ -10,6 +10,10 @@ LimitNPROC=1048576
 EnvironmentFile=-/etc/sysconfig/ceph
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
+PrivateDevices=yes
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
 
 [Install]
 WantedBy=ceph-radosgw.target
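Review bot: The reason `PrivateDevices=` is absent from this unit alone lives only in the commit message (which also misnames the directive as ProtectDevices); put it in the unit itself, e.g. `# PrivateDevices= deliberately omitted: ceph-osd may need the real block devices in /dev`, so the gap is neither "fixed" later into a broken OSD nor left unexplained. Note that the new `ProtectHome=true`, `ProtectSystem=full` and `PrivateTmp=true` also govern the unchanged `ExecStartPre=/usr/libexec/ceph/ceph-osd-prestart.sh` line, so that script now runs with /etc read-only and a private /tmp; I cannot see the script here, so a start-up test on a host with an existing OSD would be worth doing before merging.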
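Review bot: On a systemd that predates these directives (to my recollection `PrivateDevices=` appeared in v209 and `ProtectSystem=`/`ProtectHome=` in v214, with `PrivateTmp=` older) the unit still loads and starts, but systemd only logs an "Unknown lvalue" warning and ignores the line, so the hardening the commit message lists would be silently absent rather than enforced. As radosgw is typically the component exposed to clients outside the cluster, that silent degradation matters most for this unit; a comment such as `# Needs systemd >= 214 for ProtectSystem=/ProtectHome= (older versions ignore them with a warning)` would at least make the requirement visible to packagers. Separately, `PrivateDevices=yes` gives the service a read-only, noexec /dev with only pseudo-devices, which suits a network-facing daemon but is worth noting in the unit should radosgw ever need anything in /dev beyond /dev/null, /dev/zero and /dev/(u)random.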