After recently upgrading the redis server from SUSE Linux Enterprise Server (SLES) 15 SP3 to SUSE Linux Enterprise Server (SLES) 15 SP4, the redis sentinel service no longer starts correctly. The following error message can be found in the log:
"Sentinel config file /etc/redis/sentinel-redis.conf is not writable: Permission denied. Exiting..."
However, redis sentinel can be started manually without this problem:
/usr/sbin/redis-sentinel /etc/redis/sentinel-redis.conf &
The problem is caused by the systemd service sandboxing feature, which prevents redis sentinel from writing to /etc/redis. redis-sentinel is designed to require write access to its own configuration file; if it cannot write it, it exits.
See the systemd.exec man page:
ProtectSystem= Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked by this unit. If set to "full", the /etc/ directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev/, /proc/ and /sys/ (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used, ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. This setting cannot ensure protection in all cases. In general it has the same limitations as ReadOnlyPaths=, see below. Defaults to off.
Look at the detailed properties of the redis-sentinel@redis.service unit.
# /bin/systemctl show 'redis-sentinel@redis.service' | sort
[Unit]
Description=Redis Sentinel instance: %i
After=network.target
PartOf=redis-sentinel.target

[Service]
Type=notify
User=redis
Group=redis
PrivateTmp=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=default
ProtectSystem=full
# end of automatic additions
PIDFile=/run/redis/sentinel-%i.pid
ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf
LimitNOFILE=10240
Restart=on-failure

[Install]
WantedBy=multi-user.target redis.target
We do indeed see the ProtectSystem=full option, which mounts /etc/ read-only for the service and therefore makes /etc/redis/sentinel-redis.conf unwritable.
Solution
(1) Option 1
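As an added example (not the article's own solution, which is not reproduced on this page), here is a systemd drop-in that keeps ProtectSystem=full in place and only carves out /etc/redis with ReadWritePaths=, as the man page excerpt above describes. The drop-in path assumes the unit instance name redis-sentinel@redis.service shown above; the `ReadWritePaths=` exception is scoped to /etc/redis rather than disabling ProtectSystem= entirely.

```ini
# Created with: systemctl edit redis-sentinel@redis.service
# File: /etc/systemd/system/redis-sentinel@redis.service.d/override.conf
#
# Keep the vendor hardening (ProtectSystem=full makes /etc read-only),
# but let this sentinel instance rewrite its own config under /etc/redis.
[Service]
ReadWritePaths=/etc/redis

# Apply and verify (run as root):
#   systemctl daemon-reload
#   systemctl restart redis-sentinel@redis.service
#   systemctl show -p ProtectSystem -p ReadWritePaths redis-sentinel@redis.service
# Expected: ProtectSystem=full is still reported, and ReadWritePaths lists /etc/redis.
```

Only the sentinel config directory becomes writable; the rest of /etc, /usr and the boot directories stay read-only for the service.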
Original article by 保哥. If you repost it, please cite the source: https://www.shizhanxia.com/1224.html