
I have Debian 10 on a Digital Ocean droplet. I'm trying to install and run Redis as a service, which won't start because of an error related to NoNewPrivileges.

I've reviewed the similar question here, but the attempts yield no change.

I'm having a really hard time debugging this. I tried reading up on this, but I don't see what the problem could be.

The output from systemctl status redis-server.service is giving me the following output:

● redis-server.service - Advanced key-value store
   Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2020-08-09 08:41:06 UTC; 53s ago
     Docs: http://redis.io/documentation,
           man:redis-server(1)
  Process: 9553 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=227/NO_NEW_PRIVILEGES)

The /lib/systemd/system/redis-server.service file looks like this:

[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service

Repox