Mar 16, 2019

And while I'm at it, a note about redis, which does not always start via systemctl.

Symptom:

(code=exited, status=227/NO_NEW_PRIVILEGES) Main PID: 24283 (code=exited, status=227/NO_NEW_PRIVILEGES)

The problem is in the config /etc/systemd/system/redis.service

I commented out everything in my config related to this business (quoting the docs):

Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, or LockPersonality= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. Also see No New Privileges Flag.

Roughly like this:

config excerpt:
#PrivateDevices=yes
#ProtectHome=yes
#ReadOnlyDirectories=/
#ReadWriteDirectories=-/var/lib/redis
#ReadWriteDirectories=-/var/log/redis
#ReadWriteDirectories=-/var/run/redis
#NoNewPrivileges=true
#CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
#MemoryDenyWriteExecute=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#RestrictRealtime=true
#RestrictNamespaces=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
#ProtectSystem=true

It works…
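An added example (not from the original post) that turns the quoted systemd.exec(5) rule into a check: it reads the [Service] section of a unit file and lists every directive whose final value forces no_new_privs on, so you can see that commenting out only NoNewPrivileges=true is not enough while PrivateDevices=, MemoryDenyWriteExecute= and friends stay active. The unit text, the IMPLYING set (taken from the quoted passage) and the "last assignment wins, empty or false value resets" rule are assumptions of this example.

```python
"""List [Service] directives whose final value makes systemd set no_new_privs.

Added example, not from the original post. IMPLYING is the list of directives
from the systemd.exec(5) text quoted above; they override NoNewPrivileges=.
Assumption: a later assignment wins, and an empty/false value resets the directive.
"""

IMPLYING = {
    "SystemCallFilter", "SystemCallArchitectures", "RestrictAddressFamilies",
    "RestrictNamespaces", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "MemoryDenyWriteExecute", "RestrictRealtime",
    "LockPersonality",
}
FALSE_VALUES = {"", "0", "no", "false", "off"}


def service_directives(unit_text):
    """Yield (key, value) pairs from the [Service] section; '#'/';' lines are comments."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # commented-out directives do not count, as in the fix above
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()


def no_new_privs_sources(unit_text):
    """Directives whose final value turns no_new_privs on (empty list = flag off)."""
    last = {}
    for key, value in service_directives(unit_text):
        if key == "NoNewPrivileges" or key in IMPLYING:
            last[key] = value.lower() not in FALSE_VALUES  # later assignment wins
    return [key for key, on in last.items() if on]


# Constructed sample unit: only NoNewPrivileges= was commented out, the rest was left in
SAMPLE_UNIT = """[Service]
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
#NoNewPrivileges=true
PrivateDevices=yes
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
ProtectHome=yes
"""

if __name__ == "__main__":
    print(no_new_privs_sources(SAMPLE_UNIT))  # → ['PrivateDevices', 'MemoryDenyWriteExecute', 'RestrictAddressFamilies']
```

Run it against the real unit with `no_new_privs_sources(open("/etc/systemd/system/redis.service").read())`; an empty list means the unit no longer asks systemd for the flag.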