最近将redis服务器从SUSE Linux Enterprise Server (SLES) 15 SP3升级到SUSE Linux Enterprise Server (SLES) 15 SP4之后,redis sentinel服务不能正常启动。可以在日志中找到此错误消息:
"Sentinel config file /etc/redis/sentinel-redis.conf is not writable: Permission denied. Exiting..."q
但是redis sentinel可以手动启动,而不会出现以下问题:
/usr/sbin/redis-sentinel /etc/redis/sentinel-redis.conf &
该问题是由ystemd服务沙盒功能阻止了redis sentinel写入/etc/redis引起的。redis-sentinel的设计需要对其自己的配置文件具有写访问权限,如果无法写入它将退出。
查看systemd.exec的man
ProtectSystem=
Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked
by this unit. If set to "full", the /etc/ directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API
file system subtrees /dev/, /proc/ and /sys/ (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any
modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this
setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used,
ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. This setting cannot ensure protection
in all cases. In general it has the same limitations as ReadOnlyPaths=, see below. Defaults to off.
查看redis-sentinel@redis.service单元的详细属性。
# /bin/systemctl show 'redis-sentinel@redis.service' | sort [Unit] Description=Redis Sentinel instance: %i After=network.target PartOf=redis-sentinel.target [Service] Type=notify User=redis Group=redis PrivateTmp=true # added automatically, for details please see # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectHostname=yes ProtectKernelLogs=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectProc=default ProtectSystem=full # end of automatic additions PIDFile=/run/redis/sentinel-%i.pid ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf LimitNOFILE=10240 Restart=on-failure [Install] WantedBy=multi-user.target redis.target
我们确实看到ProtectSystem=full选项。
解决方案
(一)方案一
声明:本网站刊载的所有内容,包括文字、图片、音频、视频、软件、程序、以及网页版式设计等如无特殊说明或标注,均在网上搜集。仅供访问者个人学习、研究或欣赏,禁止商业性或盈利性用途,访问者应遵守著作权法的规定,在使用时征得本站和原著作权人的同意并支付许可使用费。本网站刊登内容,如有侵权请权利人予以告知,本站将立即予以删除。
[赞]