From 96de1c97608b81ab80d4be3160ac05d11d4b23c8 Mon Sep 17 00:00:00 2001
From: Benoît Knecht
Date: Mon, 6 Dec 2021 09:29:43 +0100
Subject: systemd: Set PrivateDevices=false in ceph-mon@.service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `ceph-mon` daemon needs access to block devices to check the health of the disk that backs its DB store (#24151).

Fixes: https://tracker.ceph.com/issues/52416
Signed-off-by: Benoît Knecht
---
 systemd/ceph-mon@.service.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'systemd')

diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index b7c92f278e3..2eba83c3cc9 100644
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -20,7 +20,10 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 # Need NewPrivileges via `sudo smartctl`
 NoNewPrivileges=false
-PrivateDevices=yes
+# We need access to block devices to check the health of the disk backing the
+# monitor DB store. It can be set to `true` if you're not interested in that
+# feature.
+PrivateDevices=false
 PrivateTmp=true
 ProtectControlGroups=true
 ProtectHome=true
--
cgit v1.2.3
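Review bot: `PrivateDevices=false` gives the mon the host's entire `/dev`, which is wider than the block-device access the new comment asks for. It also drops what `PrivateDevices=yes` implied: `DevicePolicy=closed` and the removal of `CAP_MKNOD` and `CAP_SYS_RAWIO` from the bounding set. Together with the existing `NoNewPrivileges=false` for `sudo smartctl`, a compromised monitor would reach every device node. Consider bounding it in the same unit with `DevicePolicy=closed` and `DeviceAllow=block-* r`; whether the smartctl path needs `rw` cannot be verified from this hunk. The comment could also name the trade-off, e.g. `# Exposes host /dev to the mon; set to true to restore device isolation (disables disk health checks).`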