Yeah no problem!
For the /etc/ceph/* stuff it does write a few things there. The /etc/ceph/ceph.conf and also various cephx key files under different names. I thought /etc/ceph/* would be a safe thing to do because I won't know in advance what all the key names are going to be that it could create. I could probably tighten it up a little bit to something like:
owner /etc/ceph/ceph.conf rw
owner /etc/ceph/ceph.client.* rw
owner /etc/ceph/rbdmap rw
I don't think the charm or ceph writes anything else to that directory. Here's what a current deployment looks like under /etc/ceph/
root@ip-172-31-2-78:/etc/ceph# ls -lh
total 8.0K
-rw------- 1 root root 63 Apr 28 19:03 ceph.client.admin.keyring
lrwxrwxrwx 1 root root 27 Apr 28 19:01 ceph.conf -> /etc/alternatives/ceph.conf
-rw-r--r-- 1 root root 92 Feb 22 21:15 rbdmap
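An added example, not part of the original comment or the charm's code: a small check of the three tightened rules against the directory listing above. It assumes AppArmor's usual glob semantics (`*` does not cross `/`, `**` does) and that AppArmor evaluates the path a symlink resolves to, which matters here because ceph.conf points into /etc/alternatives. The `owner` qualifier is not modelled, and `audit`, `covered` and the other helper names are hypothetical.

```python
import re

# Rules proposed in the comment (written without trailing commas, as there).
RULES = [
    "owner /etc/ceph/ceph.conf rw",
    "owner /etc/ceph/ceph.client.* rw",
    "owner /etc/ceph/rbdmap rw",
]
BROAD = ["owner /etc/ceph/* rw"]  # the original, wider rule

# Listing from the comment: name -> symlink target (None for regular files).
LISTING = {
    "ceph.client.admin.keyring": None,
    "ceph.conf": "/etc/alternatives/ceph.conf",
    "rbdmap": None,
}

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def rule_path(rule):
    # Rule shape is "owner <path> <perms>"; the owner qualifier is ignored.
    return rule.split()[-2]

def covered(path, rules):
    return any(glob_to_regex(rule_path(r)).match(path) for r in rules)

def audit(rules, listing=LISTING, base="/etc/ceph/"):
    """Map each listed name to (path that gets checked, whether a rule covers it)."""
    report = {}
    for name, target in listing.items():
        effective = target or base + name  # symlinks are checked by target path
        report[name] = (effective, covered(effective, rules))
    return report

if __name__ == "__main__":
    for name, (path, ok) in audit(RULES).items():
        print(f"{name:28} -> {path:30} {'covered' if ok else 'NOT covered'}")
```

Under these assumptions neither the tightened rules nor the original /etc/ceph/* rule covers the resolved ceph.conf path, so a profile that needs to write the config through that symlink would also need a rule for /etc/alternatives/ceph.conf.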