Мар 162019

Ну и сразу, чтоб два раза не вставать, про redis. Который не всегда запускается через systemctl


(code=exited, status=227/NO_NEW_PRIVILEGES) Main PID: 24283 (code=exited, status=227/NO_NEW_PRIVILEGES)

Проблема в конфиге /etc/systemd/system/redis.service

Я закомментировал у себя всё, что касается ентого дела (цитирую доку):
Takes a boolean argument. If true, ensures that the service process and all its children can
never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, or LockPersonality= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. Also see No New Privileges Flag.

Примерно так:

кусок конфига
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".