memcached currently runs as "nobody". Running services as nobody is an antipattern: every service running as nobody shares the same privileges, so code running in one of them can act with the privileges of any other. The default unit in buster runs memcached as "memcached".
Also, memcached in buster ships a systemd-memcached-wrapper which simply points to /etc/memcached.conf, so another option would be to switch to that and possibly no longer customise the systemd unit at all.
- update systemd related hacks/puppet code/whatever
- ensure the service is run under the memcache user
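One way to verify the second item after the migration, as an added example that is not part of the original task or the project's Puppet code: it groups processes by account from `ps -eo user:32,comm` output and reports when memcached is not running as memcache or shares its account with another service. The two sample listings and the service name `otherd` are constructed for illustration.

```python
import subprocess
from collections import defaultdict

# Constructed `ps -eo user:32,comm` listings (not from a real host).
# `otherd` is a hypothetical second service used only for illustration.
SAMPLE_BEFORE = """\
USER                             COMMAND
root                             systemd
nobody                           memcached
nobody                           otherd
"""
SAMPLE_AFTER = """\
USER                             COMMAND
root                             systemd
memcache                         memcached
nobody                           otherd
"""

def services_by_account(ps_output):
    """Map each account to the set of distinct command names running under it."""
    accounts = defaultdict(set)
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2:
            accounts[parts[0]].add(parts[1].strip())
    return accounts

def audit(ps_output, service="memcached", expected_user="memcache"):
    """Report a wrong account for `service` and any account it shares with other services."""
    findings = []
    for user, cmds in sorted(services_by_account(ps_output).items()):
        if service not in cmds:
            continue
        if user != expected_user:
            findings.append(f"{service} runs as {user!r}, expected {expected_user!r}")
        others = sorted(cmds - {service})
        if others:
            findings.append(f"{user!r} is shared by {service} and {', '.join(others)}")
    return findings

def live_ps():
    """Collect the same two columns from the local host (procps ps)."""
    cmd = ["ps", "-eo", "user:32,comm"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for finding in audit(SAMPLE_BEFORE):
        print(finding)
```

On a host, pass `live_ps()` to `audit()` instead of the sample text.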
The following roles/profiles need to be migrated to use memcached_user: 'memcache'
cloud
- hieradata/cloud.yaml
- hieradata/cloud/eqiad1/deployment-prep/common.yaml
- hieradata/role/codfw/wmcs/openstack/codfw1dev/control.yaml
- hieradata/role/eqiad/wmcs/openstack/eqiad1/control.yaml
idp
- hieradata/role/common/idp_test.yaml
- hieradata/common/profile/idp/memcached.yaml
rest
- hieradata/common/profile/memcached.yaml (& role)
CCing cloud-services-team for the cloud related