Bug 1577511
Summary: | Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
---|---
Product: | [Fedora] Fedora
Component: | tigervnc
Version: | 28
Hardware: | x86_64
OS: | Linux
Status: | CLOSED ERRATA
Severity: | medium
Priority: | unspecified
Reporter: | Colin Henry <colin.henry>
Assignee: | Jan Grulich <jgrulich>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | a.korsunsky, alessandro.suardi, coreyt, fedora, jgrulich, shur, vonsch, waclaw66
Fixed In Version: | tigervnc-1.8.0-10.fc27 tigervnc-1.8.0-10.fc28
Last Closed: | 2018-06-16 19:32:50 UTC
Type: | Bug
Description
Colin Henry
2018-05-12 16:07:25 UTC
Sort of a me-too; started getting this after upgrading from F27 to F28 and perhaps related to systemd 238 issue 8085 in dealing with PID files in non-root-owned directories? F28 updated as of today (1.8.0-7 vncserver packages as well).

Anyway, I do have the "protocol" Result for unit failure:

```
[root@torrent system]# systemctl status vncserver-bt@:2.service
● vncserver-bt@:2.service - Remote desktop service (VNC)
Loaded: loaded (/etc/systemd/system/vncserver-bt@.service; enabled; vendor preset: disabled)
Active: failed (Result: protocol) since Mon 2018-05-14 12:17:16 CEST; 1min 18s ago
Process: 3624 ExecStart=/sbin/runuser -l bt -c /usr/bin/vncserver :2 (code=exited, status=0/SUCCESS)
Process: 3622 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :2 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

May 14 12:17:11 torrent systemd[1]: Starting Remote desktop service (VNC)...
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: Failed with result 'protocol'.
May 14 12:17:16 torrent systemd[1]: Failed to start Remote desktop service (VNC).
```

...but Xvnc process appears to have started up fine:

```
[root@torrent ~]# ps -ef|grep Xvnc
bt 3657 1 0 12:17 ? 00:00:02 /usr/bin/Xvnc :2 -auth /home/bt/.Xauthority -desktop torrent:2 (bt) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/bt/.vnc/passwd -rfbport 5902 -rfbwait 30000
```

...and it even works upon connection from external vncviewer client (OL7.5).

Double-funny that I stumbled into this issue while debugging the vncserver systemd service startup failure for my host, due to a 3-year old bug in my own editing of the script where I had 'kill %2' instead of 'kill :2' for the Xvnc shutdown part.
So now I fixed a 3-year old bug of mine which didn't prevent Xvnc startup, and found that systemd claims the service fails to start when it's in fact not true for me but is true for someone else... Available for cross-checking of environments.

Bug 1583159 seems related.

Alessandro Suardi, you could try resolving your issue with the unit file that I uploaded in the bug: https://bugzilla.redhat.com/attachment.cgi?id=1443332

Alexander Korsunsky, I'm getting the same error even using your unit file:

```
Jun 04 11:25:59 thor systemd[1]: Starting Remote desktop service (VNC)...
Jun 04 11:26:03 thor vncserver[29077]: New 'thor:1 (cthornburg)' desktop is thor:1
Jun 04 11:26:03 thor vncserver[29077]: Starting applications specified in /home/cthornburg/.vnc/xstartup
Jun 04 11:26:03 thor vncserver[29077]: Log file is /home/cthornburg/.vnc/thor:1.log
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Can't convert PID files /home/cthornburg/.vnc/thor:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Failed with result 'protocol'.
Jun 04 11:26:03 thor systemd[1]: Failed to start Remote desktop service (VNC).
```

coreyt, Yes, this is an SELinux issue. To test, you can temporarily disable it with `setenforce 0`. After testing, reenable it with `setenforce 1`.

There is a Fedora bug here: Bug 1418463, but that got ignored and is now EOL without ever being fixed. In general it seems to me that the TigerVNC package in Fedora/RHEL is rather unmaintained, and the documentation doesn't follow best practices for systemd/SELinux.
You have 2 options: you just hack your policy to allow PID files in people's home directory like this:

Create a file called `systemd-tigervnc.te`

```
module systemd-tigervnc 1.0;

require {
    type init_t;
    type user_home_t;
    class file { open read unlink };
}

#============= init_t ==============
allow init_t user_home_t:file { open read unlink };
```

Then run:

```
checkmodule -M -m -o /tmp/systemd-tigervnc.mod systemd-tigervnc.te
semodule_package -o /tmp/systemd-tigervnc.pp -m /tmp/systemd-tigervnc.mod
semodule -X 300 -i /tmp/systemd-tigervnc.pp
```

This is basically what audit2allow would do.

Another option is to change the service file to be stored in /run rather than /home: https://github.com/TigerVNC/tigervnc/issues/606#issuecomment-370963701

tigervnc-1.8.0-10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e

tigervnc-1.8.0-10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368

tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e

tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368

tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Unfortunately still the same error with tigervnc-server-1.8.0-10.fc28.x86_64.rpm:

```
čec 07 22:39:20 fedora systemd[1]: Starting Remote desktop service (VNC)...
čec 07 22:39:23 fedora vncserver[9503]: New 'fedora:1 (waclaw)' desktop is fedora:1
čec 07 22:39:23 fedora vncserver[9503]: Starting applications specified in /home/waclaw/.vnc/xstartup
čec 07 22:39:23 fedora vncserver[9503]: Log file is /home/waclaw/.vnc/fedora:1.log
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activating service name='org.freedesktop.systemd1' requested by ':1.0' (uid=1000 pid=9542 comm="systemctl --user import-environment DISPLAY XAUTHO" label="system_u:system_r:unconfined_service_t:s0")
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activated service 'org.freedesktop.systemd1' failed: Process org.freedesktop.systemd1 exited with status 1
```

on tigervnc-server-1.9.0-2.fc29.x86_64 (Fedora 29 pre-beta) I am getting...

```
# systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
Loaded: loaded (/etc/systemd/system/vncserver@:1.service; disabled; vendor preset: disabled)
Active: failed (Result: timeout) since Mon 2018-08-27 14:51:51 CDT; 2min 44s ago
Process: 8378 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
Process: 8373 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

Aug 27 14:50:21 localhost.localdomain systemd[1]: Starting Remote desktop service (VNC)...
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: New 'localhost.localdomain:1 (vncuser)' desktop is localhost.localdomain:1
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Starting applications specified in /home/vncuser/.vnc/xstartup
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Log file is /home/vncuser/.vnc/localhost.localdomain:1.log
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Aug 27 14:51:51 localhost.localdomain systemd[1]: Failed to start Remote desktop service (VNC).
```

OK it appears that that problem was that I should have used Type=notify in the system control file. Sorry for the diversion.