Syncthing: Systemd hardening options prevent service start
Hello,
After updating to v1.0.0, service fails to start with this exit status: 228/SECCOMP.
I found this article, which gave me a hint about the issue:
the kernel I am using seems not to support seccomp
A solution for me was to comment out these lines in the unit:
# SystemCallArchitectures=native
# MemoryDenyWriteExecute=true
Problem is, as you can guess from my version information, I cannot update the kernel to support these options, as the machine is a OpenVZ VPS and I have no control on the hypervisor.
Relates to #5286
Version Information
Syncthing Version: v1.0.0
OS Version: Ubuntu 16.04 / Kernel 2.6.32-openvz-042stab120.18-amd64
serl
All 2 comments
Nonetheless, you鈥檝e solved the problem. Outdated kernels and other software will always be around, but we cannot be forever prevented from using new features.
calmh
on 12 Jan 2019
Using the Snap version and this service, I had to comment exactly those :
[Unit]
Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
[Service]
ExecStart=/snap/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
# Hardening
ProtectSystem=full
PrivateTmp=true
#SystemCallArchitectures=native
#MemoryDenyWriteExecute=true
#NoNewPrivileges=true
[Install]
WantedBy=default.target
OS: elementary OS 5.0 Juno x86_64
Kernel: 4.15.0-47-generic
Uptime: 26 mins
Packages: 2251
Shell: bash 4.4.19
Resolution: 1920x1080
DE: Pantheon
WM: Mutter(Gala)
Theme: Elementary [GTK3]
Icons: Elementary [GTK3]
Terminal: io.elementary.t
CPU: Intel i5-3570K (4) @ 4.100GHz
GPU: NVIDIA GeForce GTX 660 Ti
Memory: 3042MiB / 7920MiB
Perhaps it would be useful to #4015.
NatoBoram
on 16 Mar 2019
Related issues
gabriel-fallen
路
4Comments
itsbrianburton
路
4Comments
calmh
路
3Comments
tomasz1986
路
3Comments
tomasz1986
路
3Comments
Most helpful comment
Using the Snap version and this service, I had to comment exactly those :
Perhaps it would be useful to #4015.