redis-sentinel service does not start after upgrading to SLES 15 SP4

This document (000021009) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4

Situation

After the migration from SLES 15 SP3 to SLES 15 SP4, the redis-sentinel service doesn't start anymore. This error message can be found in the logs:
"Sentinel config file /etc/redis/sentinel-redis.conf is not writable: Permission denied. Exiting..."
However, redis-sentinel can be started manually without problems with:
/usr/sbin/redis-sentinel /etc/redis/sentinel-redis.conf &
Affected redis package: 6.2.6-150400.3.11.1

Resolution

Please upgrade to redis-6.2.6-150400.3.16.1


As a workaround, it is also possible to add ReadWritePaths=/etc/redis to the [Service] section of the /usr/lib/systemd/system/redis-sentinel@.service file. This exempts /etc/redis from the read-only /etc mount that ProtectSystem=full imposes, while the rest of the hardening stays in place:
[Unit]
Description=Redis Sentinel instance: %i
After=network.target
PartOf=redis-sentinel.target

[Service]
Type=notify
User=redis
Group=redis
PrivateTmp=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=default
ProtectSystem=full
# end of automatic additions
PIDFile=/run/redis/sentinel-%i.pid
ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf
LimitNOFILE=10240
Restart=on-failure
ReadWritePaths=/etc/redis

[Install]
WantedBy=multi-user.target redis.target

Then run:
systemctl daemon-reload

Cause

The problem is caused by the systemd service sandboxing enabled in redis-sentinel@.service, which prevents redis-sentinel from writing to /etc/redis. The unit as shipped with the affected package:
#==[ Command ]======================================#
# /bin/systemctl show 'redis-sentinel@redis.service' | sort

[Unit]
Description=Redis Sentinel instance: %i
After=network.target
PartOf=redis-sentinel.target

[Service]
Type=notify
User=redis
Group=redis
PrivateTmp=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=default
ProtectSystem=full
# end of automatic additions
PIDFile=/run/redis/sentinel-%i.pid
ExecStart=/usr/sbin/redis-sentinel /etc/redis/sentinel-%i.conf
LimitNOFILE=10240
Restart=on-failure

[Install]
WantedBy=multi-user.target redis.target

By design, redis-sentinel requires write access to its own configuration file and exits if it cannot write to it.
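As an added example (not part of this SUSE article or of the redis package), the following POSIX shell functions implement the check behind the cause above and the workaround: they read a unit file, report whether a directory such as /etc/redis is left read-only by ProtectSystem=full/strict without a covering ReadWritePaths= entry, and write the exemption as a systemd drop-in under a directory of your choosing instead of editing the vendor file. Only those two directives are modelled; the -/+ prefixes of ReadWritePaths= and the list-reset semantics of an empty assignment are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the SUSE TID or the redis package: model the two
# systemd directives behind this failure (ProtectSystem= and ReadWritePaths=)
# and emit the exemption as a drop-in rather than editing the vendor unit.

# Print every assignment of <key> in the [Service] section, one per line,
# with trailing whitespace stripped (supportconfig dumps carry it).
unit_values() {   # unit_values <unit-file> <key>
  awk -v key="$2" -F= '
    { sub(/[ \t\r]+$/, "") }
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && $1 == key { print substr($0, length(key) + 2) }' "$1"
}

# Effective single value: the last assignment wins, as systemd applies them.
unit_value() { unit_values "$1" "$2" | tail -n 1; }

# Return 0 if <dir> stays writable under the unit's sandboxing, 1 if the unit
# mounts it read-only. Only ProtectSystem=full/strict and plain ReadWritePaths=
# entries are modelled; the -/+ prefixes and list-reset semantics are ignored.
dir_writable_under_unit() {   # dir_writable_under_unit <unit-file> <dir>
  case "$(unit_value "$1" ProtectSystem)" in
    full|strict) ;;          # /etc/ is read-only in both modes
    *) return 0 ;;           # off or a plain boolean leaves /etc/ writable
  esac
  # ReadWritePaths= is space-separated and may be repeated; word-splitting
  # of the unquoted expansion walks every entry.
  for p in $(unit_values "$1" ReadWritePaths); do
    p=${p%/}
    case "$2/" in "$p"/*) return 0 ;; esac   # entry is <dir> or a parent of it
  done
  return 1
}

# Write the exemption as a drop-in; under /etc/systemd/system/<unit>.d/ it
# survives package updates that replace the file in /usr/lib/systemd/system.
write_dropin() {   # write_dropin <dropin-dir> <dir>
  mkdir -p "$1" &&
  printf '[Service]\nReadWritePaths=%s\n' "$2" > "$1/readwritepaths.conf"
}
```

On an affected host this would be used as `write_dropin /etc/systemd/system/redis-sentinel@.service.d /etc/redis` followed by `systemctl daemon-reload`, which achieves the same effect as the in-place edit above without touching the packaged unit file.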

Additional Information

https://manpages.opensuse.org/Tumbleweed/systemd/systemd.exec.5.en.html#SANDBOXING

From man systemd.exec
       ProtectSystem=
           Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked
           by this unit. If set to "full", the /etc/ directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API
           file system subtrees /dev/, /proc/ and /sys/ (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any
           modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this
           setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used,
           ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. This setting cannot ensure protection
           in all cases. In general it has the same limitations as ReadOnlyPaths=, see below. Defaults to off.

https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021009
  • Creation Date: 09-Mar-2023
  • Modified Date: 20-Mar-2023
    • SUSE Linux Enterprise Server
