[pve-devel] [PATCH ceph v2 6/6] fix #6816: patches: make ceph-exporter use custom keyring

[Max R. Carrara]

Add a patch that sets the CEPH_KEYRING env var for the ceph-exporter
daemon, telling it to use our custom keyring file. The patch also
sets the group of the daemon to `www-data` so that the daemon can
access the custom keyring.

Fixes: #6816
Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
 ...orter-use-custom-keyring-and-set-gro.patch | 32 +++++++++++++++++++
 patches/series                                |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 patches/0042-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch

diff --git a/patches/0042-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch b/patches/0042-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch
new file mode 100644
index 0000000000..f939b1d5af
--- /dev/null
+++ b/patches/0042-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Max R. Carrara" <m.carrara at proxmox.com>
+Date: Tue, 16 Sep 2025 16:34:51 +0200
+Subject: [PATCH] systemd: ceph-exporter: use custom keyring and set group to
+ www-data
+
+With the help of `Environment=`, set the CEPH_KEYRING env var to point
+to our custom keyring file location for the `ceph-exporter` daemon.
+
+Additionally, set the group of the `ceph-exporter` daemon to
+`www-data`, so that it can access this keyring.
+
+Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
+---
+ systemd/ceph-exporter.service.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/systemd/ceph-exporter.service.in b/systemd/ceph-exporter.service.in
+index f4f6d05c4b4..4e55939d201 100644
+--- a/systemd/ceph-exporter.service.in
++++ b/systemd/ceph-exporter.service.in
+@@ -6,8 +6,9 @@ Before=ceph.target
+ Wants=network-online.target local-fs.target ceph.target ceph-mon.target
+ 
+ [Service]
++Environment="CEPH_KEYRING=/etc/pve/ceph/ceph.client.exporter.keyring"
+ ExecReload=/bin/kill -HUP $MAINPID
+-ExecStart=@CMAKE_INSTALL_PREFIX@/bin/ceph-exporter -f --id %i --setuser ceph --setgroup ceph
++ExecStart=@CMAKE_INSTALL_PREFIX@/bin/ceph-exporter -f --id exporter --setuser ceph --setgroup www-data
+ LockPersonality=true
+ NoNewPrivileges=true
+ PrivateDevices=yes
diff --git a/patches/series b/patches/series
index d775a8a068..f5c7b9eafa 100644
--- a/patches/series
+++ b/patches/series
@@ -39,3 +39,4 @@
 0039-mgr-fix-module-import-by-making-NOTIFY_TYPES-in-py-m.patch
 0040-pybind-rbd-disable-on_progress-callbacks-to-prevent-.patch
 0041-systemd-services-fix-installing-ceph-volume.patch
+0042-systemd-ceph-exporter-use-custom-keyring-and-set-gro.patch
-- 
2.47.3