redis-sentinel service does not start after upgrading to SLES 15 SP4

保哥 • 2023年3月29日 17:29 • 笔记 • 阅读 2

最近将redis服务器从SUSE Linux Enterprise Server (SLES) 15 SP3升级到SUSE Linux Enterprise Server (SLES) 15 SP4之后，redis sentinel服务不能正常启动。可以在日志中找到此错误消息：

"Sentinel config file /etc/redis/sentinel-redis.conf is not writable: Permission denied. Exiting..."q

但是redis sentinel可以手动启动，而不会出现以下问题：

/usr/sbin/redis-sentinel /etc/redis/sentinel-redis.conf &

该问题是由ystemd服务沙盒功能阻止了redis sentinel写入/etc/redis引起的。redis-sentinel的设计需要对其自己的配置文件具有写访问权限，如果无法写入它将退出。
查看systemd.exec的man

 ProtectSystem=
           Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked
           by this unit. If set to "full", the /etc/ directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API
           file system subtrees /dev/, /proc/ and /sys/ (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any
           modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this
           setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used,
           ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. This setting cannot ensure protection
           in all cases. In general it has the same limitations as ReadOnlyPaths=, see below. Defaults to off.

查看redis-sentinel@redis.service单元的详细属性。

# /bin/systemctl show 'redis-sentinel@redis.service' | sort 
[Unit] 
Description=Redis Sentinel instance: %i 
After=network.target 
PartOf=redis-sentinel.target 
[Service] 
Type=notify 
User=redis 
Group=redis 
PrivateTmp=true 
# added automatically, for details please see 
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectClock=yes 
ProtectControlGroups=yes 
ProtectHome=yes 
ProtectHostname=yes 
ProtectKernelLogs=yes 
ProtectKernelModules=yes 
ProtectKernelTunables=yes 
ProtectProc=default 
ProtectSystem=full  
# end of automatic additions 
PIDFile=/run/redis/sentinel-%i.pid 
ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf 
LimitNOFILE=10240 
Restart=on-failure 
[Install] 
WantedBy=multi-user.target redis.target

我们确实看到ProtectSystem=full选项。 redis-sentinel service does not start after upgrading to SLES 15 SP4