Failure to run from a podman container on localhost has no access to /var/syncthing

Hello,

I have switched to MicroOS (host system for containers) as my desktop machine and I would like to run syncthing/syncthing from Docker on it.

With some help from podman generate systemd I have created this user-level systemd service file:

[Unit]
Description=Podman container-syncthing.service
Documentation=https://github.com/syncthing/syncthing/blob/main/README-Docker.md \
    https://docs.syncthing.net/intro/getting-started.html#getting-started
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman run \
    --name=syncthing \
    --privileged \
    --cidfile=%t/%n.ctr-id \
    --cgroups=no-conmon \
    --rm \
    --sdnotify=conmon \
    -d \
    --network=host \
    -e STGUIADDRESS= \
    -e PUID=1000 -e PGID=100 \
    -v /home/matej/.config/syncthing:/var/syncthing \
    -v /home/matej/.local/share/orgmode:/var/syncthing/orgmode \
    -v /home/matej/Obrázky/sthing:/var/syncthing/fotky \
    -v /home/matej/.gnupg:/var/syncthing/gnupg \
    -v /home/matej/.password-store:/var/syncthing/passstore \
    -v /home/matej/Knihy:/var/syncthing/knihy \
    --hostname=my-syncthing \
    --hostuser=matej \
    --user=matej \
    syncthing/syncthing:latest
ExecStop=/usr/bin/podman stop \
    --ignore -t 10 \
    --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
    -f \
    --ignore -t 10 \
    --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Unfortunately, it doesn’t run because apparently it runs under a weird user and directories are not accessible:

100511    7293  4.4  0.1 732488 17916 ?        Ssl  21:48   0:00 /bin/syncthing -home /var/syncthing/config

This is the piece of podman log in question:

2023/04/09 19:44:17 WARNING: chmod /var/syncthing/config: operation not permitted
[start] 2023/04/09 19:44:17 INFO: syncthing v1.23.4 "Fermium Flea" (go1.20.2 linux-amd64) docker@build.syncthing.net 2023-04-05 13:25:55 UTC [noupgrade]
[start] 2023/04/09 19:44:17 INFO: Generating ECDSA key and certificate for syncthing...
[start] 2023/04/09 19:44:17 WARNING: Failed to load/generate certificate: save cert: open /var/syncthing/config/cert.pem: permission denied
[monitor] 2023/04/09 19:44:17 INFO: Syncthing exited: exit status 1

Any idea what could be wrong? Yes, I can force this to work with sudo chmod 777 ~/.config/syncthing, but I would rather find a proper solution.

Any ideas what I am doing wrong?

You really had me confused for a second.

You could try to change the UID/GID mapping:

https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode

https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount
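The reason the UID/GID mapping matters, as an added example that is not part of the thread and not Syncthing's or Podman's own code: under rootless Podman the container's UIDs are translated to host UIDs through the user namespace, so a process that is UID 1000 inside the container does not own the host user's files in a bind-mounted directory unless the mapping says so. The script below reproduces the two mappings from the Podman documentation linked above (the default rootless map, and the one produced by --userns=keep-id) and checks whether the owner permission bits of a bind-mounted home directory apply to the container process. The host UID 1000 and the /etc/subuid line "matej:100000:65536" are constructed assumptions for the example, not values taken from the poster's machine.

```shell
#!/bin/sh
# Added example: rootless Podman UID mapping arithmetic and the effect on a
# bind-mounted directory owned by the host user.
#
# Assumptions (constructed for this example):
#   - the host user is UID 1000
#   - /etc/subuid contains the line "matej:100000:65536"

HOST_UID=1000
SUBUID_LINE="matej:100000:65536"   # constructed /etc/subuid entry

subuid_start() { echo "$SUBUID_LINE" | cut -d: -f2; }
subuid_size()  { echo "$SUBUID_LINE" | cut -d: -f3; }

# Default rootless mapping (the /proc/self/uid_map of a plain "podman run"):
#   0        HOST_UID   1
#   1        start      size
# i.e. container root becomes the host user, and container UID n (n >= 1)
# becomes start + n - 1.  Container UID 1000 is therefore NOT host UID 1000.
default_map() {
    ctr_uid=$1
    start=$(subuid_start)
    size=$(subuid_size)
    if [ "$ctr_uid" -eq 0 ]; then
        echo "$HOST_UID"
    elif [ "$ctr_uid" -le "$size" ]; then
        echo $((start + ctr_uid - 1))
    else
        echo "unmapped"
    fi
}

# --userns=keep-id mapping:
#   0           start            HOST_UID
#   HOST_UID    HOST_UID         1
#   HOST_UID+1  start+HOST_UID   size-HOST_UID
# i.e. the host user's UID is kept as itself inside the container, and the
# sub-UID range is split around it.  Container root maps to a sub-UID now.
keep_id_map() {
    ctr_uid=$1
    start=$(subuid_start)
    size=$(subuid_size)
    if [ "$ctr_uid" -lt "$HOST_UID" ]; then
        echo $((start + ctr_uid))
    elif [ "$ctr_uid" -eq "$HOST_UID" ]; then
        echo "$HOST_UID"
    elif [ "$ctr_uid" -le "$size" ]; then
        echo $((start + ctr_uid - 1))
    else
        echo "unmapped"
    fi
}

# Succeeds (exit 0) when the host-side UID of the container process equals the
# UID owning the bind-mounted host directory, so the owner rwx bits apply.
# Directories under $HOME are owned by HOST_UID, so this is the check that
# decides whether chmod/open on /var/syncthing/config will be permitted.
owner_bits_apply() {
    [ "$1" -eq "$2" ]
}

# Demonstration for a container process running as UID 1000 (PUID=1000).
for mapping in default_map keep_id_map; do
    host_side=$($mapping 1000)
    if owner_bits_apply "$host_side" "$HOST_UID"; then
        verdict="can write to a directory owned by UID $HOST_UID"
    else
        verdict="cannot write to a directory owned by UID $HOST_UID"
    fi
    echo "$mapping: container UID 1000 -> host UID $host_side: $verdict"
done
```

The fix the reply points at is therefore to make the container's UID 1000 map to host UID 1000, for example by adding --userns=keep-id to the podman run line in ExecStart (or an explicit --uidmap/--gidmap pair), instead of loosening the permissions on ~/.config/syncthing with chmod 777.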

That seems to help, thank you!
