ceph/systemd/ceph-mds@.service
Patrick Donnelly b65d9c5457
systemd: Add systemd sandboxing to services.
This change makes it so the mon/osd/mds/radosgw daemons:
    o Cannot write to /usr, /etc, and /boot.
    o Cannot access /home, /root, or /run/user.
    o Each daemon gets its own private /tmp and /var/tmp.
    o All daemons get a private /dev without physical devices (exception: osd)

I'm not sure if the osd daemon needs access to a full /dev so I left
ProtectDevices out for ceph-osd@.service.

Signed-off-by: Patrick Donnelly <batrick@batbytes.com>
2016-01-28 10:50:00 -05:00

21 lines
503 B
Desktop File

[Unit]
Description=Ceph metadata server daemon
After=network-online.target local-fs.target
Wants=network-online.target local-fs.target
PartOf=ceph-mds.target
[Service]
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-/etc/sysconfig/ceph
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
PrivateDevices=yes
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
[Install]
WantedBy=ceph-mds.target