On 28.05.2017 at 11:13, Chris Lamb wrote:

Urgh. This makes it very difficult for me to justify this change, alas. :(

It sounds like you want to get out of this old container to be honest and
not spend your time and effort trying to work around all its problems
and issues. (You also *want* the hardening!)

Well, there is obviously a limit on how far broken platforms can and should be supported ;-)

I guess the proper thing here would simply be to document this in the release notes. Perhaps in a general form, as there might be more packages affected[1] and more users might run ancient or strange kernels for whatever reason (hosting environments, bad ARM devices that need vendor kernels, ...).


In any case, if someone else runs into this, the attached drop-in, placed into /etc/systemd/system/redis-server.service.d/override.conf, can work around those platform limitations. This will obviously remove the "PrivateDevices" restriction from redis-server.

Regards,
Marc

[1] phpsessionclean.service from php-common fails on ProtectSystem=true

[Service]

# needed to work on kernels < 3.5 that have seccomp enabled but lack "no_new_privs"
PrivateDevices=no

# needed to work on kernels that have some different behaviour in symlink handling
# (not sure exactly what and why)
ReadWriteDirectories=
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/run/redis
ReadWriteDirectories=-/etc/redis
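As an added example (not part of Marc's mail, the Debian packaging or systemd itself), the following Python script applies systemd's drop-in merge rules to a unit file and reports which sandboxing directives the override switched off. It models the rules that matter for the drop-in above: drop-ins are read after the main unit, scalar settings are last-wins, list settings such as ReadWriteDirectories= accumulate across assignments, and an empty assignment (ReadWriteDirectories=) resets the list collected so far. The base unit embedded in the script is constructed for the example and only modelled on the redis-server.service Debian shipped; backslash line continuations are assumed absent from the input.

```python
"""Effective [Service] settings of a systemd unit after a drop-in override.

Added example, not systemd's own code. Modelled rules: drop-ins are read
after the main unit; scalar settings are last-wins; list settings accumulate;
an empty assignment ("Key=") resets the list. Assumes no "\\" continuations.
"""

# Directives that take a space-separated list and support the "Key=" reset idiom.
LIST_DIRECTIVES = {
    "ReadWriteDirectories", "ReadOnlyDirectories", "InaccessibleDirectories",
    "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths",
    "CapabilityBoundingSet", "SystemCallFilter", "Environment",
}

# Sandboxing directives worth flagging when a drop-in switches them off.
HARDENING_DIRECTIVES = {
    "PrivateTmp", "PrivateDevices", "PrivateNetwork", "ProtectSystem",
    "ProtectHome", "NoNewPrivileges", "ProtectKernelTunables",
}

# Values systemd treats as "off" for a boolean directive (plus "unset").
OFF_VALUES = {"", "no", "false", "0", "off"}

# Constructed base unit for this example; modelled on, but not identical to,
# Debian's redis-server.service.
BASE_UNIT = """\
[Unit]
Description=Advanced key-value store

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
User=redis
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/redis
"""

# The drop-in from the mail (comments omitted).
DROPIN = """\
[Service]
PrivateDevices=no
ReadWriteDirectories=
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/run/redis
ReadWriteDirectories=-/etc/redis
"""


def parse_service_section(text):
    """Return the [Service] assignments of a unit file as (key, value) pairs in file order."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def apply_settings(effective, pairs):
    """Fold assignments into `effective` using systemd's list/scalar semantics."""
    for key, value in pairs:
        if key in LIST_DIRECTIVES:
            if value == "":
                effective[key] = []         # "Key=" wipes everything assigned so far
            else:
                effective.setdefault(key, []).extend(value.split())
        else:
            effective[key] = value          # scalar: last assignment wins
    return effective


def effective_service(unit_text, *dropin_texts):
    """Effective [Service] settings: main unit first, then each drop-in in order."""
    effective = apply_settings({}, parse_service_section(unit_text))
    for text in dropin_texts:
        apply_settings(effective, parse_service_section(text))
    return effective


def weakened_hardening(unit_text, *dropin_texts):
    """Sandboxing directives the drop-ins turned off, as {key: (before, after)}."""
    before = effective_service(unit_text)
    after = effective_service(unit_text, *dropin_texts)
    return {
        key: (before[key], after.get(key, ""))
        for key in HARDENING_DIRECTIVES
        if key in before
        and before[key].lower() not in OFF_VALUES
        and after.get(key, "").lower() in OFF_VALUES
    }


if __name__ == "__main__":
    for key, value in effective_service(BASE_UNIT, DROPIN).items():
        print(f"{key}={' '.join(value) if isinstance(value, list) else value}")
    print("weakened:", weakened_hardening(BASE_UNIT, DROPIN))
```

On a real host the same answer comes from systemd itself, e.g. `systemctl show redis-server -p PrivateDevices -p ReadWritePaths` after `systemctl daemon-reload` (ReadWriteDirectories= is the older alias of ReadWritePaths=), which is the check to run before trusting any drop-in: the reset line is easy to forget, and without it the four paths would be appended to the packaged list rather than replace it.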
