diff --git a/charmcraft.yaml b/charmcraft.yaml
index 9a295c2..39554a0 100644
--- a/charmcraft.yaml
+++ b/charmcraft.yaml
@@ -2,10 +2,12 @@ type: charm
 
 parts:
   charm:
+    charm-entrypoint: "hooks/install"
     build-packages:
       - tox
       - git
       - python3-dev
+      - libffi-dev
     override-build: |
       apt-get install ca-certificates -y
       tox -e build-reactive
@@ -31,9 +33,9 @@ bases:
       - name: ubuntu
         channel: "22.04"
         architectures: [amd64, s390x, ppc64el, arm64]
-      - name: ubuntu
-        channel: "22.10"
-        architectures: [amd64, s390x, ppc64el, arm64]
       - name: ubuntu
         channel: "23.04"
         architectures: [amd64, s390x, ppc64el, arm64]
+      - name: ubuntu
+        channel: "23.10"
+        architectures: [amd64, s390x, ppc64el, arm64]
diff --git a/requirements.txt b/requirements.txt
index c539e82..b3dc23f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,16 +8,13 @@
 # requirements.txt
 setuptools<50.0.0  # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85
 
-# Build requirements
-cffi==1.14.6; python_version < '3.6'  # cffi 1.15.0 drops support for py35.
-charm-tools==2.8.4
+# NOTE: newer versions of cryptography require a Rust compiler to build,
+# see
+# * https://github.com/openstack-charmers/zaza/issues/421
+# * https://mail.python.org/pipermail/cryptography-dev/2021-January/001003.html
+#
+cryptography<3.4
+
+git+https://github.com/juju/charm-tools.git
 
 simplejson
-
-# Newer versions use keywords that didn't exist in python 3.5 yet (e.g.
-# "ModuleNotFoundError")
-# NOTE(lourot): This might look like a duplication of test-requirements.txt but
-# some tox targets use only test-requirements.txt whereas charm-build uses only
-# requirements.txt
-importlib-metadata<3.0.0; python_version < '3.6'
-importlib-resources<3.0.0; python_version < '3.6'
diff --git a/src/reactive/ceph_fs.py b/src/reactive/ceph_fs.py
index a9bbe94..8dc9898 100644
--- a/src/reactive/ceph_fs.py
+++ b/src/reactive/ceph_fs.py
@@ -1,4 +1,4 @@
-# Copyright 2016 Canonical Ltd
+# Copyright 2024 Canonical Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +23,9 @@ from charmhelpers.core.hookenv import (
 import charms_openstack.bus
 import charms_openstack.charm as charm
 
+import os
+import subprocess
+
 
 charms_openstack.bus.discover()
 
@@ -41,6 +44,9 @@ charm.use_defaults(
 def config_changed():
     ceph_mds = reactive.endpoint_from_flag('ceph-mds.pools.available')
     with charm.provide_charm_instance() as cephfs_charm:
+        host = cephfs_charm.hostname
+        exists = os.path.exists('/var/lib/ceph/mds/ceph-%s/keyring' % host)
+
         cephfs_charm.configure_ceph_keyring(ceph_mds.mds_key())
         cephfs_charm.render_with_interfaces([ceph_mds])
         if reactive.is_flag_set('config.changed.source'):
@@ -52,6 +58,22 @@ def config_changed():
         reactive.set_flag('config.rendered')
         cephfs_charm.assess_status()
 
+        # If the keyring file existed before this call, then the new
+        # provided key implies a rotation.
+        if exists:
+            svc = 'ceph-mds@%s.service' % host
+            try:
+                # Reset the failure count first, as the service may fail
+                # to come up due to the way the restart-map is handled.
+                subprocess.check_call(['sudo', 'systemctl',
+                                       'reset-failed', svc])
+                subprocess.check_call(['sudo', 'systemctl', 'restart', svc])
+            except subprocess.CalledProcessError as exc:
+                # The service can be temporarily masked when booting, so
+                # skip that class of errors.
+                ch_core.hookenv.log('Failed to restart MDS service: %s' %
+                                    str(exc))
+
 
 @reactive.when('ceph-mds.connected')
 def storage_ceph_connected(ceph):