Description of problem:
Configuring TigerVNC on a fresh install of Fedora 28 as per the instructions at https://docs.fedoraproject.org/f28/system-administrators-guide/infrastructure-services/TigerVNC.html fails with the error:

Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.

Version-Release number of selected component (if applicable):
tigervnc-server-1.8.0-7.fc28.x86_64
tigervnc-license-1.8.0-7.fc28.noarch
tigervnc-server-minimal-1.8.0-7.fc28.x86_64

How reproducible:
Install a fresh installation of Fedora 28 on VMware Workstation 14 for Windows. Follow the instructions on https://docs.fedoraproject.org/f28/system-administrators-guide/infrastructure-services/TigerVNC.html. The systemctl start vncserver@:1.service will error:

[root@localhost ~]# systemctl start vncserver@:1.service
Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
[root@localhost ~]#

Actual results:
Service errors on startup

Expected results:
No error on service start

Additional info:
Here's what I've done:

===== Host 1:

[chenry@localhost ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chenry:
[root@localhost ~]# dnf install -y tigervnc-server
Fedora 28 - x86_64 - Updates    6.8 MB/s | 6.7 MB    00:00
Fedora 28 - x86_64              7.5 MB/s |  60 MB    00:08
Last metadata expiration check: 0:00:03 ago on Sat 12 May 2018 16:26:09 BST.
Dependencies resolved.
=========================================================================================================
 Package              Arch      Version           Repository    Size
=========================================================================================================
Installing:
 tigervnc-server      x86_64    1.8.0-7.fc28      fedora        230 k

Transaction Summary
=========================================================================================================
Install  1 Package

Total download size: 230 k
Installed size: 556 k
Downloading Packages:
tigervnc-server-1.8.0-7.fc28.x86_64.rpm    388 kB/s | 230 kB    00:00
---------------------------------------------------------------------------------------------------------
Total                                      179 kB/s | 230 kB    00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                        1/1
  Installing       : tigervnc-server-1.8.0-7.fc28.x86_64    1/1
  Running scriptlet: tigervnc-server-1.8.0-7.fc28.x86_64    1/1
  Verifying        : tigervnc-server-1.8.0-7.fc28.x86_64    1/1

Installed:
  tigervnc-server.x86_64 1.8.0-7.fc28

Complete!
[root@localhost ~]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
[root@localhost ~]# sed -i -e 's/<USER>/chenry/g' /etc/systemd/system/vncserver@.service
[root@localhost ~]# grep chenry /etc/systemd/system/vncserver@.service
# 2. Replace chenry with the actual user name and edit vncserver
# (ExecStart=/usr/sbin/runuser -l chenry -c "/usr/bin/vncserver %i"
# PIDFile=/home/chenry/.vnc/%H%i.pid)
ExecStart=/usr/sbin/runuser -l chenry -c "/usr/bin/vncserver %i"
PIDFile=/home/chenry/.vnc/%H%i.pid
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# sudo su - chenry
[chenry@localhost ~]$ vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
[chenry@localhost ~]$ logout
[root@localhost ~]# systemctl start vncserver@:1.service
Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; disabled; vendor preset: disabled)
   Active: failed (Result: protocol) since Sat 2018-05-12 16:34:31 BST; 56s ago
  Process: 2843 ExecStart=/usr/sbin/runuser -l chenry -c /usr/bin/vncserver :1 (code=exited, status=0/SUCCESS)
  Process: 2841 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

May 12 16:34:27 localhost.localdomain systemd[1]: Starting Remote desktop service (VNC)...
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/chenry/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/chenry/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Failed with result 'protocol'.
May 12 16:34:31 localhost.localdomain systemd[1]: Failed to start Remote desktop service (VNC).
[root@localhost ~]#

===== On second Fedora 28 host:

[root@localhost ~]# vncviewer 192.168.0.222:5901

TigerVNC Viewer 64-bit v1.8.0
Built on: 2018-02-10 01:12
Copyright (C) 1999-2017 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.
Can't open display:
[root@localhost ~]#

===== Back on first host:

[root@localhost ~]# firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.224" service name=vnc-server accept'
success
[root@localhost ~]# firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.0.224" service name="vnc-server" accept
[root@localhost ~]#

===== Back on second host:

[chenry@localhost ~]$ vncviewer -via chenry.0.222:1

TigerVNC Viewer 64-bit v1.8.0
Built on: 2018-02-10 01:12
Copyright (C) 1999-2017 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.
ssh: Could not resolve hostname 192.168.0.222:1: Name or service not known

Sat May 12 16:43:26 2018
 DecodeManager: Detected 2 CPU core(s)
 DecodeManager: Creating 2 decoder thread(s)
 CConn: unable connect to socket: Connection refused (111)

This brings up a VNC connection dialogue which asks for the server to connect to, which was supplied in the command; re-entering the server again brings up an error dialogue with the text: "unable connect to socket: Connection refused (111)"
Sort of a me-too; started getting this after upgrading from F27 to F28 and perhaps related to systemd 238 issue 8085 in dealing with PID files in non-root-owned directories? F28 updated as of today (1.8.0-7 vncserver packages as well).

Anyway, I do have the "protocol" Result for unit failure:

[root@torrent system]# systemctl status vncserver-bt@:2.service
● vncserver-bt@:2.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver-bt@.service; enabled; vendor preset: disabled)
   Active: failed (Result: protocol) since Mon 2018-05-14 12:17:16 CEST; 1min 18s ago
  Process: 3624 ExecStart=/sbin/runuser -l bt -c /usr/bin/vncserver :2 (code=exited, status=0/SUCCESS)
  Process: 3622 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :2 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

May 14 12:17:11 torrent systemd[1]: Starting Remote desktop service (VNC)...
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: Failed with result 'protocol'.
May 14 12:17:16 torrent systemd[1]: Failed to start Remote desktop service (VNC).

...but Xvnc process appears to have started up fine:

[root@torrent ~]# ps -ef|grep Xvnc
bt 3657 1 0 12:17 ? 00:00:02 /usr/bin/Xvnc :2 -auth /home/bt/.Xauthority -desktop torrent:2 (bt) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/bt/.vnc/passwd -rfbport 5902 -rfbwait 30000

...and it even works upon connection from external vncviewer client (OL7.5).

Double-funny that I stumbled into this issue while debugging the vncserver systemd service startup failure for my host, due to a 3-year old bug in my own editing of the script where I had 'kill %2' instead of 'kill :2' for the Xvnc shutdown part. So now I fixed a 3-year old bug of mine which didn't prevent Xvnc startup, and found that systemd claims the service fails to start when it's in fact not true for me but is true for someone else...

Available for cross-checking of environments.
Bug 1583159 seems related. Alessandro Suardi, you could try resolving your issue with the unit file that I uploaded in the bug: https://bugzilla.redhat.com/attachment.cgi?id=1443332
Alexander Korsunsky, I'm getting the same error even using your unit file:

Jun 04 11:25:59 thor systemd[1]: Starting Remote desktop service (VNC)...
Jun 04 11:26:03 thor vncserver[29077]: New 'thor:1 (cthornburg)' desktop is thor:1
Jun 04 11:26:03 thor vncserver[29077]: Starting applications specified in /home/cthornburg/.vnc/xstartup
Jun 04 11:26:03 thor vncserver[29077]: Log file is /home/cthornburg/.vnc/thor:1.log
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Can't convert PID files /home/cthornburg/.vnc/thor:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Failed with result 'protocol'.
Jun 04 11:26:03 thor systemd[1]: Failed to start Remote desktop service (VNC).
coreyt,

Yes, this is an SELinux issue. To test, you can temporarily disable it with `setenforce 0`. After testing, reenable it with `setenforce 1`.

There is a Fedora bug here: Bug 1418463, but that got ignored and is now EOL without ever being fixed. In general it seems to me that the TigerVNC package in Fedora/RHEL is rather unmaintained, and the documentation doesn't follow best practices for systemd/SELinux.

You have 2 options: you just hack your policy to allow PID files in people's home directory like this:

Create a file called `systemd-tigervnc.te`
---------8<---------8<---------8<---------
module systemd-tigervnc 1.0;

require {
	type init_t;
	type user_home_t;
	class file { open read unlink };
}

#============= init_t ==============
allow init_t user_home_t:file { open read unlink };
---------8<---------8<---------8<---------

Then run:
checkmodule -M -m -o /tmp/systemd-tigervnc.mod systemd-tigervnc.te
semodule_package -o /tmp/systemd-tigervnc.pp -m /tmp/systemd-tigervnc.mod
semodule -X 300 -i /tmp/systemd-tigervnc.pp

This is basically what audit2allow would do.

Another option is to change the service file to be stored in /run rather than /home: https://github.com/TigerVNC/tigervnc/issues/606#issuecomment-370963701
tigervnc-1.8.0-10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e
tigervnc-1.8.0-10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368
tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e
tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368
tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Unfortunately still the same error with tigervnc-server-1.8.0-10.fc28.x86_64.rpm:

čec 07 22:39:20 fedora systemd[1]: Starting Remote desktop service (VNC)...
čec 07 22:39:23 fedora vncserver[9503]: New 'fedora:1 (waclaw)' desktop is fedora:1
čec 07 22:39:23 fedora vncserver[9503]: Starting applications specified in /home/waclaw/.vnc/xstartup
čec 07 22:39:23 fedora vncserver[9503]: Log file is /home/waclaw/.vnc/fedora:1.log
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activating service name='org.freedesktop.systemd1' requested by ':1.0' (uid=1000 pid=9542 comm="systemctl --user import-environment DISPLAY XAUTHO" label="system_u:system_r:unconfined_service_t:s0")
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activated service 'org.freedesktop.systemd1' failed: Process org.freedesktop.systemd1 exited with status 1
on tigervnc-server-1.9.0-2.fc29.x86_64 (Fedora 29 pre-beta) I am getting...

# systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@:1.service; disabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Mon 2018-08-27 14:51:51 CDT; 2min 44s ago
  Process: 8378 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 8373 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

Aug 27 14:50:21 localhost.localdomain systemd[1]: Starting Remote desktop service (VNC)...
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: New 'localhost.localdomain:1 (vncuser)' desktop is localhost.localdomain:1
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Starting applications specified in /home/vncuser/.vnc/xstartup
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Log file is /home/vncuser/.vnc/localhost.localdomain:1.log
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Aug 27 14:51:51 localhost.localdomain systemd[1]: Failed to start Remote desktop service (VNC).
OK, it appears that the problem was that I should have used Type=notify in the system control file. Sorry for the diversion.