On Tue, 2021-12-28 at 17:13 +0000, Chris Lamb wrote:
> That's interesting, because there is a specific allowance made so
> that
> Redis can write to its own logfiles. Specifically:
> 
>   ReadWriteDirectories=-/var/log/redis
On my systems they are already ReadWritePaths, not ReadWriteDirectories
(except for /etc/redis and /).

> Ah, perhaps your version of systemd is newer? 
I am running systemd 247.3-6 on the affected systems, but Kernel
5.15.8-1-default. On Kernel 5.14 and older it seems to work fine.

> Can you reset or
> otherwise reinstate the "ReadWriteDirectories" lines along with the
> rest of the file and replace the start with "ReadWritePaths=" and let
> me know how you get on?
That sadly didn't help much, but setting ProtectSystem to "strict",
following the systemd.exec manpage, and removing
"ReadOnlyDirectories=/" solved the problem for me.
My only guess is that it's some issue with (kernel) namespaces, either
on my system specifically or with kernel 5.15 in general.

       ProtectSystem=
           Takes a boolean argument or the special values "full" or "strict".
           If true, mounts the /usr/ and the boot loader directories (/boot and
           /efi) read-only for processes invoked by this unit. If set to "full",
           the /etc/ directory is mounted read-only, too. If set to "strict" the
           entire file system hierarchy is mounted read-only, except for the API
           file system subtrees /dev/, /proc/ and /sys/ (protect these
           directories using PrivateDevices=, ProtectKernelTunables=,
           ProtectControlGroups=). This setting ensures that any modification of
           the vendor-supplied operating system (and optionally its
           configuration, and local mounts) is prohibited for the service. It is
           recommended to enable this setting for all long-running services,
           unless they are involved with system updates or need to modify the
           operating system in other ways. If this option is used,
           ReadWritePaths= may be used to exclude specific directories from
           being made read-only. This setting is implied if DynamicUser= is set.
           This setting cannot ensure protection in all cases. In general it has
           the same limitations as ReadOnlyPaths=, see below. Defaults to off.

Regards,

Johannes Bülow
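As an added illustration (not part of the thread or of the Debian Redis packaging), the change described above expressed as a systemd drop-in rather than an edit of the vendor unit; the unit name redis-server.service, the drop-in path and the /var/lib/redis data directory are assumptions, the other paths are the ones mentioned in the thread:

```ini
# /etc/systemd/system/redis-server.service.d/override.conf  (assumed path/unit)
#
# Before: the combination the thread reports as failing on kernel 5.15.
# Root is made read-only with the deprecated directive and exceptions are
# punched with the equally deprecated ReadWriteDirectories= (newer units
# spell both as ReadOnlyPaths= / ReadWritePaths=):
#
#   ReadOnlyDirectories=/
#   ReadWriteDirectories=-/var/log/redis
#   ReadWriteDirectories=-/etc/redis
#
# After: what the thread describes as working.
[Service]
# An empty assignment resets the list inherited from the vendor unit, which
# drops the "/" entry without touching the packaged unit file.
ReadOnlyPaths=
# Mount the whole hierarchy read-only (except /dev, /proc, /sys) instead.
# "strict" also covers /etc, so /etc/redis must be listed below.
ProtectSystem=strict
# Writable exceptions; drop-in entries are appended to the vendor list.
# A leading "-" means a missing path is ignored instead of failing start.
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/etc/redis
# Assumed data directory; match it to the "dir" setting in redis.conf.
ReadWritePaths=-/var/lib/redis
```

Apply with `systemctl daemon-reload && systemctl restart redis-server`, then confirm the effective settings with `systemctl show redis-server -p ProtectSystem -p ReadOnlyPaths -p ReadWritePaths`.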
