diff options
| author | Patrick Donnelly <batrick@batbytes.com> | 2016-01-28 03:17:14 +0100 |
|---|---|---|
| committer | Patrick Donnelly <batrick@batbytes.com> | 2016-01-28 16:50:00 +0100 |
| commit | b65d9c545792d562de8ae8dc13274d8f2c4aeb9b (patch) | |
| tree | cbfb47a90404cf1f2da210c748c89ade89846eb5 | |
| parent | Merge pull request #7337 from clever215/rbd_nbd (diff) | |
| download | ceph-b65d9c545792d562de8ae8dc13274d8f2c4aeb9b.tar.xz ceph-b65d9c545792d562de8ae8dc13274d8f2c4aeb9b.zip | |
systemd: Add systemd sandboxing to services.
This change makes it so the mon/osd/mds/radosgw daemons:
o Cannot write to /usr, /etc, and /boot.
o Cannot access /home, /root, or /run/user.
o Each daemon gets its own private /tmp and /var/tmp.
o All daemons get a private /dev without physical devices (exception: osd)
I'm not sure if the osd daemon needs access to a full /dev so I left
ProtectDevices out for ceph-osd@.service.
Signed-off-by: Patrick Donnelly <batrick@batbytes.com>
| -rw-r--r-- | systemd/ceph-mds@.service | 4 | ||||
| -rw-r--r-- | systemd/ceph-mon@.service | 4 | ||||
| -rw-r--r-- | systemd/ceph-osd@.service | 3 | ||||
| -rw-r--r-- | systemd/ceph-radosgw@.service | 4 |
4 files changed, 15 insertions, 0 deletions
diff --git a/systemd/ceph-mds@.service b/systemd/ceph-mds@.service index 708f42c8154..e12258058c7 100644 --- a/systemd/ceph-mds@.service +++ b/systemd/ceph-mds@.service @@ -11,6 +11,10 @@ EnvironmentFile=-/etc/sysconfig/ceph Environment=CLUSTER=ceph ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph ExecReload=/bin/kill -HUP $MAINPID +PrivateDevices=yes +ProtectHome=true +ProtectSystem=full +PrivateTmp=true [Install] WantedBy=ceph-mds.target diff --git a/systemd/ceph-mon@.service b/systemd/ceph-mon@.service index 03a9b6c19e3..a8d427b5ab5 100644 --- a/systemd/ceph-mon@.service +++ b/systemd/ceph-mon@.service @@ -17,6 +17,10 @@ EnvironmentFile=-/etc/sysconfig/ceph Environment=CLUSTER=ceph ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph ExecReload=/bin/kill -HUP $MAINPID +PrivateDevices=yes +ProtectHome=true +ProtectSystem=full +PrivateTmp=true [Install] WantedBy=ceph-mon.target diff --git a/systemd/ceph-osd@.service b/systemd/ceph-osd@.service index 82dabdfe38d..1e120c46f1b 100644 --- a/systemd/ceph-osd@.service +++ b/systemd/ceph-osd@.service @@ -12,6 +12,9 @@ Environment=CLUSTER=ceph ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph ExecStartPre=/usr/libexec/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph ExecReload=/bin/kill -HUP $MAINPID +ProtectHome=true +ProtectSystem=full +PrivateTmp=true [Install] WantedBy=ceph-osd.target diff --git a/systemd/ceph-radosgw@.service b/systemd/ceph-radosgw@.service index fb09e190d61..66d9eb85a2d 100644 --- a/systemd/ceph-radosgw@.service +++ b/systemd/ceph-radosgw@.service @@ -10,6 +10,10 @@ LimitNPROC=1048576 EnvironmentFile=-/etc/sysconfig/ceph Environment=CLUSTER=ceph ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph +PrivateDevices=yes +ProtectHome=true +ProtectSystem=full +PrivateTmp=true [Install] WantedBy=ceph-radosgw.target |