On Tue, 2021-12-28 at 17:13 +0000, Chris Lamb wrote:
> That's interesting, because there is a specific allowance made so
> that
> Redis can write to its own logfiles. Specifically:
>
> ReadWriteDirectories=-/var/log/redis

On my systems they are already ReadWritePaths, not ReadWriteDirectories (except for /etc/redis and /).
> Ah, perhaps your version of systemd is newer?

I am running systemd 247.3-6 on the affected systems, but kernel 5.15.8-1-default. On kernel 5.14 and older it seems to work fine.

> Can you reset or
> otherwise reinstate the "ReadWriteDirectories" lines along with the
> rest of the file and replace the start with "ReadWritePaths=" and let
> me know how you get on?

That sadly didn't help much, but setting ProtectSystem to "strict", following the systemd.exec manpage, and removing "ReadOnlyDirectories=/" solved the problem for me. My only guess is that it's some issue with (kernel) namespaces either on my system specifically or with kernel 5.15 in general.

    ProtectSystem=
        Takes a boolean argument or the special values "full" or "strict".
        If true, mounts the /usr/ and the boot loader directories (/boot and
        /efi) read-only for processes invoked by this unit. If set to "full",
        the /etc/ directory is mounted read-only, too. If set to "strict" the
        entire file system hierarchy is mounted read-only, except for the API
        file system subtrees /dev/, /proc/ and /sys/ (protect these
        directories using PrivateDevices=, ProtectKernelTunables=,
        ProtectControlGroups=). This setting ensures that any modification of
        the vendor-supplied operating system (and optionally its
        configuration, and local mounts) is prohibited for the service. It is
        recommended to enable this setting for all long-running services,
        unless they are involved with system updates or need to modify the
        operating system in other ways. If this option is used,
        ReadWritePaths= may be used to exclude specific directories from
        being made read-only. This setting is implied if DynamicUser= is set.
        This setting cannot ensure protection in all cases. In general it has
        the same limitations as ReadOnlyPaths=, see below. Defaults to off.

Regards,
Johannes Bülow
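As an added illustration (not part of Johannes's mail or of the Debian redis package), a drop-in override that expresses the configuration he describes: ProtectSystem=strict with explicit ReadWritePaths entries and no ReadOnlyDirectories=/. The /var/lib/redis and /run/redis entries are assumed Redis-writable paths and do not come from the thread.

```ini
# /etc/systemd/system/redis-server.service.d/override.conf
# Added example, not from the mailing-list thread or the Debian package.
# Drop-in override for the redis-server unit: keep the sandbox, but express it
# the way the systemd.exec(5) text quoted above recommends.
[Service]
# Reset the path lists inherited from the packaged unit (an empty assignment
# clears all prior entries). ReadOnlyDirectories= / ReadWriteDirectories= are
# old aliases of ReadOnlyPaths= / ReadWritePaths=, so this drops the
# "ReadOnlyDirectories=/" line that the mail reports as breaking Redis on
# kernel 5.15 even when matching ReadWritePaths entries were present.
ReadOnlyPaths=
ReadWritePaths=

# Mount the whole hierarchy read-only (covers /usr, /boot, /efi and /etc),
# then punch explicit write holes only where Redis needs them.
ProtectSystem=strict

# Paths named in the thread: log directory and config directory.
# The leading "-" makes systemd ignore a path that does not exist.
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/etc/redis

# Assumed additional Redis state paths (not mentioned in the thread): the
# on-disk RDB/AOF directory and the runtime pid/socket directory.
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/run/redis
```

After `systemctl daemon-reload`, `systemd-delta --type=extended` shows the override applied on top of the packaged unit, and `systemd-analyze security redis-server.service` reports the resulting exposure score so the tightened ProtectSystem= setting can be confirmed.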