memcached currently runs as "nobody". Running services as nobody is an antipattern, since it allows one service running as nobody to run code with the same privileges as a different service running as nobody. The default unit in buster runs memcached as "memcached".
Also, memcached in buster ships a systemd-memcached-wrapper which simply points to /etc/memcached.conf, so it would also be an option to switch to that and possibly no longer customise the systemd unit at all.
[] update systemd-related hacks/puppet code/whatever
[] ensure the service is run under the `memcached` user
The following roles/profiles need to be migrated to use the memcached user:
[] hieradata/cloud.yaml: profile::memcached::memcached_user: 'nobody'
[] hieradata/cloud/eqiad1/deployment-prep/common.yaml: profile::memcached::memcached_user: 'nobody'
[] hieradata/common/profile/memcached.yaml: profile::memcached::memcached_user: 'nobody'
[] hieradata/role/codfw/wmcs/openstack/codfw1dev/control.yaml: profile::memcached::memcached_user: 'nobody'
[] hieradata/role/eqiad/wmcs/openstack/eqiad1/control.yaml: profile::memcached::memcached_user: 'nobody'
CCing #cloud-services as almost all are cloud related
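A way to check a host before and after the migration, added here as an example (not part of the task or the puppet repository): it lists services that share the "nobody" account and verifies that memcached runs only as "memcached". The sample process listings are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed samples in "user comm" form (not real host output).
# On a live host, feed the functions `ps -eo user:32,comm --no-headers` (procps);
# the wide user column keeps long account names from being abbreviated.
BEFORE_PS='root      systemd
nobody    memcached
nobody    dnsmasq
www-data  apache2'

AFTER_PS='root      systemd
memcached memcached
nobody    dnsmasq
www-data  apache2'

# shared_account_services ACCOUNT: read "user comm" lines on stdin and print the
# distinct command names running as ACCOUNT, but only when more than one
# service shares it (the antipattern described in the task).
# Only the first word of a command name is compared.
shared_account_services() {
    awk -v acct="$1" '
        $1 == acct && !seen[$2]++ { names[++n] = $2 }
        END { if (n > 1) for (i = 1; i <= n; i++) print names[i] }
    ' | sort
}

# service_users COMM: print the distinct accounts owning processes named COMM.
service_users() {
    awk -v comm="$1" '$2 == comm && !seen[$1]++ { print $1 }' | sort
}

# check_migrated COMM EXPECTED: succeed only if COMM is running and every
# instance of it runs as EXPECTED (a leftover instance under another account fails).
check_migrated() {
    users=$(service_users "$1")
    [ -n "$users" ] && [ "$users" = "$2" ]
}

# Demo on the constructed samples.
echo "sharing nobody before migration:"
printf '%s\n' "$BEFORE_PS" | shared_account_services nobody
if printf '%s\n' "$AFTER_PS" | check_migrated memcached memcached; then
    echo "after migration: memcached runs only as memcached"
fi
```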