On a self-built Ceph, the mon would not start, with the following error:
Apr 03 11:14:30 debian systemd[1]: Started Ceph cluster monitor daemon.
░░ Subject: A start job for unit ceph-mon@debian.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit ceph-mon@debian.service has finished successfully.
░░
░░ The job identifier is 6997.
Apr 03 11:14:31 debian ceph-mon[374601]: 2026-04-03T11:14:31.084+0800 ffffaf907040 -1 load: jerasure load: lrc load dlopen(/usr/lib/ceph/erasure-code/libec_isa.so): /usr/lib/ceph/erasure-code/libec_isa.so: cannot make segment writable for relocation: Operation not permitted
Apr 03 11:14:31 debian systemd[1]: ceph-mon@debian.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit ceph-mon@debian.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Apr 03 11:14:31 debian systemd[1]: ceph-mon@debian.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit ceph-mon@debian.service has entered the 'failed' state with result 'exit-code'.

Temporary workaround
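According to claude-sonnet 4.6:
The quickest way to get the service running right now is a systemd override that simply turns off that memory protection:

# Create a drop-in directory for the ceph-mon unit template
mkdir -p /etc/systemd/system/ceph-mon@.service.d/
cat > /etc/systemd/system/ceph-mon@.service.d/override.conf << 'EOF'
[Service]
MemoryDenyWriteExecute=false
EOF
# Reload unit files, then restart the monitor and check its state
systemctl daemon-reload
systemctl restart ceph-mon@$(hostname)
systemctl status ceph-mon@$(hostname)

The same problem also occurs with ceph-osd and ceph-mds, which can be handled at the same time.
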
# Write the same drop-in for each Ceph daemon unit template
for svc in ceph-mon ceph-osd ceph-mds; do
  mkdir -p /etc/systemd/system/${svc}@.service.d/
  cat > /etc/systemd/system/${svc}@.service.d/override.conf << 'EOF'
[Service]
MemoryDenyWriteExecute=false
EOF
done
systemctl daemon-reload
systemctl restart ceph-mon@$(hostname)

This method requires no recompilation and directly resolves the Operation not permitted problem.
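MemoryDenyWriteExecute=false only turns off a process-level memory-safety hardening option, whose purpose is to prevent the process from marking the same memory page as both "writable" and "executable" at the same time.
The only cost is a theoretically slight reduction in the hardening level: if the ceph-mon process were taken over by an attacker exploiting a vulnerability, it would be a little bit easier for the attacker to inject executable code. For a storage cluster on an internal network this risk is almost negligible.
This approach works as a temporary fix, but I am not sure whether it carries risk; it needs thorough validation before use.
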
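Permanent solution
A permanent solution was given as follows:
The only correct root-cause fix: disable the ISA plugin at build time
In debian/rules, find the cmake arguments and add -DWITH_EC_ISA_PLUGIN=OFF:

grep -n "cmake\|CMAKE" ~/build-ceph/ceph/ceph-16.2.7/debian/rules | head -20

Find the line with the cmake invocation, add the parameter, and rebuild.
The permanent solution has not been verified yet.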