Hello,
I’ve been scratching my head for some days now.
I have an issue related to the syncOwnership option.
I am working with 2 cloud providers (Amazon AWS & Google Cloud Platform). I created an NFS drive on both of them and it is shared by all of my machines within their respective cloud.
Since I have to work with those 2 providers in parallel, I decided to use Syncthing to synchronize some of the folders on the NFS drives, as currently they are being mirrored by me manually, which started to be a pain.
On both clouds, I selected a single virtual machine to be the synchronizer (Syncthing runner). On both of them, I created a dedicated user called syncuser. My goal is to have this syncuser work in lingering mode and overwatch selected folders on the NFS.
I set up Syncthing according to the documentation (I used apt-get to install it) and I can confirm that everything works as intended. The only thing that I just cannot get to work is the syncOwnership option that I much desire to use.
I keep encountering the following error whenever a user who is not the syncthing process owner creates a file:
INFO: Puller (folder "/nfs/sync_test" (ogxg4-thtcn), item "example.txt"): syncing: finishing: setting metadata: lchown /nfs/sync_test/.syncthing.example.txt.tmp: operation not permitted
I tried 2 approaches:
- user service
- system service
With the user service, logged in as syncuser, I created a unit file under the following path and filled it in with default values:
~/.config/systemd/user/syncthing.service
I uncommented the AmbientCapabilities=CAP_CHOWN CAP_FOWNER line.
With this setup, I get the aforementioned error. I checked the capabilities:
syncuser@aws:~$ pgrep syncthing
441875
441887
syncuser@aws:~$ cat /proc/441875/status |grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
syncuser@aws:~$ cat ~/.config/systemd/user/syncthing.service | grep Ambient
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
It looks like the capabilities were not given.
I based my work on this topic. According to it, the CapEff should hold the 0000000000000009 value.
I tried another approach and created an override:
systemctl --user edit syncthing.service
And added the following lines there:
[Service]
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
And that revealed an underlying issue: the capabilities cannot be set:
May 14 09:38:53 aws systemd[961]: syncthing.service: Failed with result 'exit-code'.
May 14 09:38:54 aws systemd[961]: syncthing.service: Scheduled restart job, restart counter is at 1.
May 14 09:38:54 aws systemd[961]: Started syncthing.service - Syncthing - Open Source Continuous File Synchronization.
May 14 09:38:54 aws (yncthing)[441999]: syncthing.service: Failed to apply ambient capabilities (before UID change): Operation not permitted
May 14 09:38:54 aws systemd[961]: syncthing.service: Main process exited, code=exited, status=218/CAPABILITIES
So I decided to go for the system service instead.
I created a unit file under /etc/systemd/system/syncthing@.service and pasted the default values and again, I uncommented the AmbientCapabilities= line.
I launched the service with:
sudo systemctl start syncthing@syncuser.service
And verified the capabilities again (on both machines):
syncuser@gcp:/etc/systemd/system$ ps aux | grep syncthing
syncuser 442342 0.0 0.0 1249268 18048 ? Ssl 09:47 0:00 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0
syncuser 442351 0.7 0.0 1251700 29596 ? SNl 09:47 0:01 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0
syncuser@gcp:/etc/systemd/system$ cat /proc/442342/status |grep Cap
CapInh: 0000000000200109
CapPrm: 0000000000000009
CapEff: 0000000000000009
CapBnd: 000001ffffffffff
CapAmb: 0000000000000009
and noticed that the capabilities are there: Syncthing running from syncuser, with the chown capabilities.
What happens on the other machine then? This:
Puller (folder "/nfs/sync_test" (ogxg4-thtcn), item "file.txt"): syncing: finishing: setting metadata: lchown /nfs/sync_test/.syncthing.file.txt.tmp: operation not permitted
So even though the capabilities have been granted, I still get the chown command denied.
Is there anything that I am clearly missing? I was wondering whether this could be an NFS-related issue? Some kind of under-the-hood block for non-root users? I use no_root_squash on my NFS servers and the entire ownership synchronization process works when I launch syncthing as root, but I'd like to avoid that.
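The post compares raw hex masks from /proc/PID/status by eye. The script below is an added example (not from the original post, not Syncthing or systemd code) that decodes those masks into capability names, checks that CAP_CHOWN and CAP_FOWNER are both in the effective set, and applies the same check to a constructed copy of the status lines quoted above. The function names (cap_name, decode_caps, has_caps, cap_field, check_pid, sample_eff_ok) and the SAMPLE_STATUS text are this example's own; bit numbers follow the kernel's linux/capability.h. One caveat worth keeping in mind when reading its output: these bits are enforced by the local kernel only. An NFS server authorises a chown on its own side from the uid it receives (no_root_squash only affects uid 0), so a correct CapEff proves the systemd unit is fine but does not by itself mean the export will accept the lchown.

```shell
#!/bin/sh
# Added example, not from the original post: decode the hex capability masks
# that /proc/<pid>/status prints (CapInh/CapPrm/CapEff/CapBnd/CapAmb) so the
# effective set can be compared against the expected CAP_CHOWN|CAP_FOWNER = 0x9.
# Bit numbers follow <linux/capability.h>.

# cap_name BIT: print the capability name for a bit number.
cap_name() {
    case "$1" in
        0) printf cap_chown ;;
        1) printf cap_dac_override ;;
        2) printf cap_dac_read_search ;;
        3) printf cap_fowner ;;
        4) printf cap_fsetid ;;
        5) printf cap_kill ;;
        6) printf cap_setgid ;;
        7) printf cap_setuid ;;
        8) printf cap_setpcap ;;
        12) printf cap_net_admin ;;
        13) printf cap_net_raw ;;
        19) printf cap_sys_ptrace ;;
        21) printf cap_sys_admin ;;
        *) printf 'cap_%s' "$1" ;;   # bits not listed above are shown numerically
    esac
}

# decode_caps HEXMASK: print the names of all set bits, space separated, on one line.
decode_caps() {
    mask=$((0x$1))
    out=""
    bit=0
    while [ "$bit" -le 40 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$(cap_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# has_caps HEXMASK NAME...: succeed only if every named capability is set in the mask.
has_caps() {
    mask="$1"; shift
    decoded=" $(decode_caps "$mask") "
    for want in "$@"; do
        case "$decoded" in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# cap_field FIELD: read /proc/<pid>/status formatted text on stdin and print
# the hex value of the requested Cap* line (the file separates fields with a tab).
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# check_pid PID: report the effective set of a running process and succeed
# only if CAP_CHOWN and CAP_FOWNER are both effective.
# Usage on a live host: check_pid "$(pgrep -o syncthing)"
check_pid() {
    eff=$(cap_field CapEff < "/proc/$1/status") || return 1
    printf 'pid %s CapEff=%s -> %s\n' "$1" "$eff" "$(decode_caps "$eff")"
    has_caps "$eff" cap_chown cap_fowner
}

# Constructed sample: the status lines quoted in the post for the system-service host.
SAMPLE_STATUS='Name:	syncthing
CapInh:	0000000000200109
CapPrm:	0000000000000009
CapEff:	0000000000000009
CapBnd:	000001ffffffffff
CapAmb:	0000000000000009'

# sample_eff_ok: run the same check against the constructed sample.
sample_eff_ok() {
    eff=$(printf '%s\n' "$SAMPLE_STATUS" | cap_field CapEff)
    has_caps "$eff" cap_chown cap_fowner
}

# Stand-alone run: show the decoded sample, then the live syncthing process if one exists.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf 'sample CapEff -> %s\n' "$(printf '%s\n' "$SAMPLE_STATUS" | cap_field CapEff | xargs -I{} sh -c 'true')"
fi
```

Running decode_caps on the user-service output from the post (all zeros) prints an empty line, while 0000000000000009 decodes to "cap_chown cap_fowner" and the CapInh value 0000000000200109 to "cap_chown cap_fowner cap_setpcap cap_sys_admin", which matches the numbers the post expected.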