Description of problem: munin-node.service does not start on f28 Version-Release number of selected component (if applicable): munin-node-2.0.33-5.fc27.noarch How reproducible: always Steps to Reproduce: 1. Install package munin-node 2. Try to restart it 3. Unit will hang and then report it failed because it couldn't find the pidfile Actual results: Unit enters failed state and does not start Expected results: service starts Additional info: Starting munin from the terminal works in that it creates the pidfile. systemd seems to be blocking on some sort of input: root 11070 10946 0 22:52 pts/0 00:00:00 systemctl restart munin-node.service root 11071 11070 0 22:52 pts/0 00:00:00 /usr/bin/systemd-tty-ask-password-agent --watch f27 did not have this behavior, but I can't tell if this is a systemd regression, a munin regression, or something else.
I can see also SELinux message immediately when munin-node start is requested: type=AVC msg=audit(05/10/2018 19:30:35.222:63751) : avc: denied { dac_override } for pid=545556 comm=munin-node capability=dac_override scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability permissive=0
Workaround is to move pid file one level up: In /etc/munin/munin-node.conf set: pid_file /var/run/munin-node.pid And in [service] section of /usr/lib/systemd/system/munin-node.service set: PIDFile=/var/run/munin-node.pid
Another workaround is: # cat /etc/tmpfiles.d/munin.conf D /var/run/munin 0775 root munin - The problem is the root user has no permission to write inside /var/run/munin in the provided configuration: # getfacl /var/run/munin/ getfacl: Removing leading '/' from absolute path names # file: var/run/munin/ # owner: munin # group: munin user::rwx group::r-x other::r-x but user root normally has dac_override capability, which, as the name implies, simply bypass DAC (discretionary access control, aka file permissions). However the service removes such capability, triggering a permission denied error to create the PID file. Giving explicit permission to the root user to write inside the directory solve the issue as write permission is granted without the use of dac_override.
Another option is to drop that file: # cat /etc/tmpfiles.d/fix_munin.conf a+ /var/run/munin/ - - - - user:root:rwx This is similar to the fix on Enrico, but work also if munin is run as non root.
Ok so seems my fix do not work: # LC_ALL=C getfacl /var/run/munin/ getfacl: Removing leading '/' from absolute path names # file: var/run/munin/ # owner: munin # group: munin user::rwx user:root:rwx #effective:r-x group::r-x mask::r-x other::r-x Seems the right tmpfiles snippet should be: a+ /var/run/munin/ - - - - user:root:rwx a+ /var/run/munin/ - - - - mask:rwx
Making /var/run/munin with permissions munin:root 0775 fixes the issue for me.
munin-2.0.40-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-60e7ab00eb
munin-2.0.40-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e42294dd9f
munin-2.0.40-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d7fccd52d3
munin-2.0.40-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-60e7ab00eb
munin-2.0.40-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d7fccd52d3
munin-2.0.40-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e42294dd9f
munin-2.0.40-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
munin-2.0.40-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
munin-2.0.40-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.