
[Elao - App - Docker] Switch to systemd #407

Draft: wants to merge 2 commits into base: main

Conversation

@nervo nervo marked this pull request as draft December 12, 2023 12:06
@nervo nervo force-pushed the elao.app.docker/systemd branch 6 times, most recently from 30fbebb to 0c62b05 Compare December 15, 2023 15:27
@nervo nervo force-pushed the elao.app.docker/systemd branch 3 times, most recently from b25d27a to e0c7fe3 Compare April 12, 2024 12:52
@nervo nervo force-pushed the elao.app.docker/systemd branch 2 times, most recently from f6cf9bc to c489438 Compare November 21, 2024 19:47
@nervo nervo force-pushed the elao.app.docker/systemd branch 2 times, most recently from 067a3fc to 93ee0a9 Compare November 22, 2024 09:23
@nervo (Member, Author)

nervo commented Nov 22, 2024

Redis service refuses to start

# systemctl status redis
× redis-server.service - Advanced key-value store
     Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-11-22 10:44:34 CET; 1min 55s ago
       Docs: http://redis.io/documentation,
             man:redis-server(1)
    Process: 54 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no (code=exited, status=217/USER)
   Main PID: 54 (code=exited, status=217/USER)
        CPU: 1ms

Nov 22 10:44:34 elao-app-docker-test systemd[1]: redis-server.service: Scheduled restart job, restart counter is at 5.
Nov 22 10:44:34 elao-app-docker-test systemd[1]: Stopped redis-server.service - Advanced key-value store.
Nov 22 10:44:34 elao-app-docker-test systemd[1]: redis-server.service: Start request repeated too quickly.
Nov 22 10:44:34 elao-app-docker-test systemd[1]: redis-server.service: Failed with result 'exit-code'.
Nov 22 10:44:34 elao-app-docker-test systemd[1]: Failed to start redis-server.service - Advanced key-value store.

Logs in /var/log/redis/redis-server.lo complain about Address already in use...

14575:C 22 Nov 2024 07:34:49.370 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
14575:C 22 Nov 2024 07:34:49.370 # Redis version=7.0.15, bits=64, commit=00000000, modified=0, pid=14575, just started
14575:C 22 Nov 2024 07:34:49.370 # Configuration loaded
14575:M 22 Nov 2024 07:34:49.371 * monotonic clock: POSIX clock_gettime
14575:M 22 Nov 2024 07:34:49.371 * Running mode=standalone, port=6379.
14575:M 22 Nov 2024 07:34:49.371 # Server initialized
14575:M 22 Nov 2024 07:34:49.371 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
14575:M 22 Nov 2024 07:34:49.372 * Ready to accept connections
15640:C 22 Nov 2024 07:35:17.497 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
15640:C 22 Nov 2024 07:35:17.497 # Redis version=7.0.15, bits=64, commit=00000000, modified=0, pid=15640, just started
15640:C 22 Nov 2024 07:35:17.497 # Configuration loaded
15640:M 22 Nov 2024 07:35:17.497 * monotonic clock: POSIX clock_gettime
15640:M 22 Nov 2024 07:35:17.498 # Warning: Could not create server TCP listening socket 0.0.0.0:6379: bind: Address already in use
15640:M 22 Nov 2024 07:35:17.498 # Failed listening on port 6379 (TCP), aborting.

...but it looks more like a Docker/systemd issue, as seen in journalctl -u redis-server.service:

Nov 22 09:44:51 elao-app-docker-test systemd[1]: Starting redis-server.service - Advanced key-value store...
Nov 22 09:44:51 elao-app-docker-test (s-server)[746]: redis-server.service: Failed to set up user namespacing for unprivileged user: Operation not permitted
Nov 22 09:44:51 elao-app-docker-test (s-server)[746]: redis-server.service: Failed at step USER spawning /usr/bin/redis-server: Operation not permitted
Nov 22 09:44:51 elao-app-docker-test systemd[1]: redis-server.service: Main process exited, code=exited, status=217/USER
Nov 22 09:44:51 elao-app-docker-test systemd[1]: redis-server.service: Failed with result 'exit-code'.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: Failed to start redis-server.service - Advanced key-value store.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: redis-server.service: Scheduled restart job, restart counter is at 5.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: Stopped redis-server.service - Advanced key-value store.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: redis-server.service: Start request repeated too quickly.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: redis-server.service: Failed with result 'exit-code'.
Nov 22 09:44:51 elao-app-docker-test systemd[1]: Failed to start redis-server.service - Advanced key-value store.

Starting the server manually works:

su redis -s /bin/bash
/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no

That's why I guess it's coming from one of the systemd parameters:

[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=true
LimitNOFILE=65535
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~ @privileged @resources

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you remove this line.
ReadWriteDirectories=-/etc/redis

# This restricts this service from executing binaries other than redis-server
# itself. This is really effective at e.g. making it impossible to an
# attacker to spawn a shell on the system, but might be more restrictive
# than desired. If you need to, you can permit the execution of extra
# binaries by adding an extra ExecPaths= directive with the command
# systemctl edit redis-server.service
NoExecPaths=/
ExecPaths=/usr/bin/redis-server /usr/lib /lib

[Install]
WantedBy=multi-user.target
Alias=redis.service
