update source to Ceph Pacific 16.2.2

[ceph.git] / ceph / systemd / ceph-mon@.service.in

diff --git a/ceph/systemd/ceph-mon@.service.in b/ceph/systemd/ceph-mon@.service.in
index d3121d59dcf06f8b5c697a0a4b173c9a37676917..994cdfd2869593f65148f39f7f096fccb206fab0 100644 (file)
--- a/ceph/systemd/ceph-mon@.service.in
+++ b/ceph/systemd/ceph-mon@.service.in
@@ -10,28 +10,32 @@ Before=remote-fs-pre.target ceph-mon.target
 Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target ceph-mon.target
 
 [Service]
-LimitNOFILE=1048576
-LimitNPROC=1048576
-EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
-ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
+EnvironmentFile=-@SYSTEMD_ENV_FILE@
 ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
+LimitNOFILE=1048576
+LimitNPROC=1048576
 LockPersonality=true
 MemoryDenyWriteExecute=true
 # Need NewPrivileges via `sudo smartctl`
 NoNewPrivileges=false
 PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=full
-PrivateTmp=true
-TasksMax=infinity
 Restart=on-failure
-StartLimitInterval=30min
-StartLimitBurst=5
 RestartSec=10
+RestrictSUIDSGID=true
+StartLimitBurst=5
+StartLimitInterval=30min
+TasksMax=infinity
 
 [Install]
 WantedBy=ceph-mon.target