Could not run as daemon on CentOS 7.7

ejzhang · June 15, 2021, 6:47am

I installed Syncthing on CentOS 7.7, it is run in shell narmaly, but run as daemon with tomcat user failed. the journal say “Error opening database: open /usr/tomcat/.config/syncthing/index-v0.14.0.db/LOCK: read-only file system” I check the fcontext is “system_u:object_r:temp_t1”

thanks very much!

/etc/systemd/system/syncthing@tomcat.service [Unit] Description=Syncthing - Open Source Continuous File Synchronization for %I Document=man:syncthing(1) After=network.target StartLimitIntervalSec=60 StartLimitBurst=4

[Service] User=%I ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 Restart=on-failure SucessExitStatus=3 4 RestartForceExitStatus=3 4

Hardening

ProtectSystem=full PrivateTmp=true SystemCallArchitectures=native Memory DenyWriteExecute=true NoNewPrivileges=true

[Install] WantedBy=multi-user.target

bt90 · June 15, 2021, 6:55am

Is the tomcat user able to write in that folder?

ejzhang · June 15, 2021, 6:57am

yes, the tomcat running OK.

Nummer378 · June 15, 2021, 7:12am

The hardening options from systemd probably don’t let you write into that folder.

I’m on the phone right now so I can’t check, but I think you can do this:

sudo systemctl edit syncthing@tomcat

Then enter this into the override file, save and exit:

[Service]

ReadWritePaths=/usr/tomcat

ejzhang · June 15, 2021, 7:19am

thank you, i will try it later

ejzhang · June 15, 2021, 9:48am

I found the way in Syncthing won't start after a power outage.

I modify the service configuration as ProtectSystem=strict ReadWritePaths=/usr/tomcat/.config/syncthing PrivateTmp=true SystemCallArchitectures=native MemoryDenyWriteExecute=true NoNewPrivileges=true

ejzhang · June 15, 2021, 10:08am

But the listenning ip is 127.0.0.1, how to change it? The GUI address is “0.0.0.0:8384” in /usr/tomcat/.config/syncthing/config.xml.

AudriusButkevicius · June 15, 2021, 10:28am

Have you checked the systemd unit file? Perhaps it’s being overridden there?

imsodin · June 15, 2021, 10:53am

You are likely just interpreting the logs wrong. There’s two distinct lines:

[YPOXT] INFO: GUI and API listening on 0.0.0.0:8384
[YPOXT] INFO: Access the GUI via the following URL: http://127.0.0.1:8384/

The former is relevant, the latter is just how to access it from localhost (0.0.0.0 is just a placeholder meaning “accessible from everywhere”).

ejzhang · June 15, 2021, 1:35pm

thank you!

system · July 15, 2021, 1:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.