I have a problem getting syncthing running properly under systemd. Here’s what I did:
- I have a Cubietruck that is running armbian, a Debian-based system. Lately I upgraded this from jessie to stretch and this seems to include a change to systemd.
- As the machine shall serve as a server I want to run syncthing as a system service.
- syncthing and syncthing-inotify are by default run as root and of course I wanted to change that. So I did:
  - Created a user “syncthing”: sudo adduser --quiet --system --group --disabled-password syncthing
  - Restored my old config.xml, cert.pem, etc. from the previous jessie installation
  - Changed /etc/systemd/system/syncthing.service and replaced “User=root” by “User=syncthing”
  - Did the same with /etc/systemd/system/syncthing-inotify.service
  - Disabled the old root start mechanism: systemctl disable firstname.lastname@example.org systemctl disable email@example.com
  - Enabled syncthing with the new user: systemctl enable firstname.lastname@example.org systemctl enable email@example.com
  - Started both services: systemctl start firstname.lastname@example.org systemctl start email@example.com
  - I can - successfully - check now that both services are running: systemctl status firstname.lastname@example.org systemctl status email@example.com
This works at first glance, however I’m facing several issues:
- Syncthing is started in /etc/systemd/system/syncthing.service via the command line ExecStart=/usr/bin/syncthing -no-browser -no-restart -logfile=/var/log/syncthing.log -logflags=3 Though there is a “-logfile” command, no such file is created; instead it spams into syslog. This happens independently of running it as root or an unprivileged user. I want a separate log for syncthing; syslog is full of syncthing, hardly anything else to see there.
- When running unprivileged the web interface becomes unreachable.
- When running unprivileged, syncthing-inotify runs into trouble with syncthing; the log becomes full of: “http post forbidden. missing API key”
- Syncthing starts to reject clients that it should know (and knows when run as root): “Connection from XXXXXX-XXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX at [fe80::7e04:eaa8:5756:5cf5%eth0]:48792 (tcp-server) rejected: unknown device” “Failed to exchange Hello messages with XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX at 192.168.178.11:22000-192.168.178.32:39550/tcp-server: EOF”
Thus I was forced for the time being to return to using the root account :-/
I suspect this is mostly a rights and configuration problem, however I don’t know what to check and correct. Could anyone give complete instructions on how to move syncthing from the default root usage to an unprivileged user?
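
A pre-flight check for the User= switch described above, as an added example that is not part of the original post: it verifies that the restored config.xml, cert.pem and key.pem are present in the configuration directory the service is pointed at and owned by the service user, and that the log path is one that user owns. The function name and its arguments are illustrative, and ownership is used as a simple stand-in for access, so group or ACL permissions are not evaluated.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight check for a "User=" change.
# usage: check_service_paths USER CONFIG_DIR LOGFILE
# CONFIG_DIR is an assumption: the directory the restored files were copied to.
check_service_paths() {
    user=$1; confdir=$2; logfile=$3; problems=0

    # The restored identity and settings files must be present.
    # config.xml and cert.pem are named in the post; key.pem is the
    # private key that belongs with cert.pem.
    for f in config.xml cert.pem key.pem; do
        if [ ! -f "$confdir/$f" ]; then
            echo "missing: $confdir/$f"
            problems=$((problems + 1))
        fi
    done

    # Files restored by root stay root-owned: list anything the service
    # user does not own. find fails on an unknown user or a missing dir.
    if ! foreign=$(find "$confdir" ! -user "$user" 2>/dev/null); then
        echo "cannot check ownership of $confdir for user $user"
        problems=$((problems + 1))
    elif [ -n "$foreign" ]; then
        echo "not owned by $user:"; echo "$foreign"
        problems=$((problems + 1))
    fi

    # The log file, or the directory it would be created in, must belong
    # to the service user; a root-owned directory such as /var/log fails here.
    if [ -e "$logfile" ]; then target=$logfile; else target=$(dirname "$logfile"); fi
    if ! foreign=$(find "$target" -prune ! -user "$user" 2>/dev/null) ||
       [ -n "$foreign" ]; then
        echo "log target not owned by $user: $target"
        problems=$((problems + 1))
    fi

    # Exit status 0 only when every check passed.
    [ "$problems" -eq 0 ]
}

# Runs the check when called with three arguments, for example:
#   sh check.sh syncthing /path/to/restored/config /var/log/syncthing.log
if [ "$#" -eq 3 ]; then check_service_paths "$@"; fi
```

Each finding is printed on its own line, and the exit status is non-zero if anything needs fixing before the unit is restarted under the new user.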