From 85bc551b179d940a50cbdfd0c20848e3187c70a6 Mon Sep 17 00:00:00 2001 From: Wong Hoi Sing Edison Date: Wed, 14 Apr 2021 15:36:17 +0800 Subject: [PATCH] systemd: remove `ProtectClock=true` for `ceph-osd@.service` Ceph 16.2.0 Pacific by https://github.com/ceph/ceph/commit/9a84d5a introduce following new systemd restriction: ProtectClock=true ProtectHostname=true ProtectKernelLogs=true RestrictSUIDSGID=true BTW, `ceph-osd@.service` failed with `ProtectClock=true` unexpectly, also see: - - This PR intruduce: - Remove `ProtectClock=true` for our systemd service templates Fixes: https://tracker.ceph.com/issues/50347 Signed-off-by: Wong Hoi Sing Edison
---
 systemd/ceph-fuse@.service.in | 1 - systemd/ceph-immutable-object-cache@.service.in | 1 - systemd/ceph-mds@.service.in | 1 - systemd/ceph-mgr@.service.in | 1 - systemd/ceph-mon@.service.in | 1 - systemd/ceph-osd@.service.in | 1 - systemd/ceph-radosgw@.service.in | 1 - systemd/ceph-rbd-mirror@.service.in | 1 - systemd/cephfs-mirror@.service.in | 3 +-- 9 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 1ea4b17675a..9c12c9ba444 100644
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 # ceph-fuse requires access to /dev fuse device
 PrivateDevices=no
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelLogs=true
diff --git a/systemd/ceph-immutable-object-cache@.service.in b/systemd/ceph-immutable-object-cache@.service.in
index f5782487f9e..62ff8dbd272 100644
--- a/systemd/ceph-immutable-object-cache@.service.in
+++ b/systemd/ceph-immutable-object-cache@.service.in
@@ -14,7 +14,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
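Review bot: The description reports a failure only for `ceph-osd@.service`, yet the ceph-immutable-object-cache hunk, like the later hunks for ceph-mds, ceph-mgr, ceph-mon, ceph-radosgw, ceph-rbd-mirror and cephfs-mirror, also drops `ProtectClock=true` from a unit that keeps `PrivateDevices=yes`. systemd documents that ProtectClock= implies `DeviceAllow=char-rtc r`; if that implied device policy is what breaks the OSD (the description does not say), units that already run with private devices would presumably be unaffected and could keep the setting. Consider limiting the removal to the units shown to fail, and leaving a comment where the directive is dropped, e.g. `# ProtectClock=true omitted: breaks this daemon, see https://tracker.ceph.com/issues/50347`, so the hardening gap stays visible and can be revisited. Each unit file continues outside its hunk.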
diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index 2884f587f97..afa36702f9c 100644
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -17,7 +17,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index 1ee28285209..8fadc4746b3 100644
--- a/systemd/ceph-mgr@.service.in
+++ b/systemd/ceph-mgr@.service.in
@@ -16,7 +16,6 @@ LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index 994cdfd2869..b7c92f278e3 100644
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -22,7 +22,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=false
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 4981417d620..046500efb66 100644
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
@@ -18,7 +18,6 @@ MemoryDenyWriteExecute=true
 # Need NewPrivileges via `sudo smartctl`
 NoNewPrivileges=false
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index cfff60c18b8..b7474705506 100644
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index fe49f11116e..1057892dc99 100644
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -16,7 +16,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
diff --git a/systemd/cephfs-mirror@.service.in b/systemd/cephfs-mirror@.service.in
index a97d6ad8b57..bed9d195302 100644
--- a/systemd/cephfs-mirror@.service.in
+++ b/systemd/cephfs-mirror@.service.in
@@ -15,7 +15,6 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateTmp=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
@@ -30,4 +29,4 @@ StartLimitInterval=30min
 TasksMax=infinity
 [Install]
-WantedBy=cephfs-mirror.target
\ No newline at end of file
+WantedBy=cephfs-mirror.target