Bug 1577511 - Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: tigervnc
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Jan Grulich
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-12 16:07 UTC by Colin Henry
Modified: 2018-08-27 20:31 UTC (History)

Fixed In Version: tigervnc-1.8.0-10.fc27 tigervnc-1.8.0-10.fc28
Last Closed: 2018-06-16 19:32:50 UTC
Type: Bug

Description Colin Henry 2018-05-12 16:07:25 UTC
Description of problem:
Configuring Tigervnc on a fresh install of Fedora 28 as per the instructions at https://docs.fedoraproject.org/f28/system-administrators-guide/infrastructure-services/TigerVNC.html fails with the error:

Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.

Version-Release number of selected component (if applicable):

tigervnc-server-1.8.0-7.fc28.x86_64
tigervnc-license-1.8.0-7.fc28.noarch
tigervnc-server-minimal-1.8.0-7.fc28.x86_64


How reproducible:
Install a fresh installation of Fedora 28 on VMware Workstation 14 for Windows. Follow the instructions on https://docs.fedoraproject.org/f28/system-administrators-guide/infrastructure-services/TigerVNC.html. The systemctl start vncserver@:1.service will error:

[root@localhost ~]# systemctl start vncserver@:1.service
Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
[root@localhost ~]#


Actual results:
Service errors on startup

Expected results:
No error on service start

Additional info:

Here's what I've done:

===== 
Host 1:

[chenry@localhost ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chenry: 
[root@localhost ~]# dnf install -y tigervnc-server
Fedora 28 - x86_64 - Updates                                             6.8 MB/s | 6.7 MB     00:00    
Fedora 28 - x86_64                                                       7.5 MB/s |  60 MB     00:08    
Last metadata expiration check: 0:00:03 ago on Sat 12 May 2018 16:26:09 BST.
Dependencies resolved.
=========================================================================================================
 Package                      Arch                Version                      Repository           Size
=========================================================================================================
Installing:
 tigervnc-server              x86_64              1.8.0-7.fc28                 fedora              230 k

Transaction Summary
=========================================================================================================
Install  1 Package

Total download size: 230 k
Installed size: 556 k
Downloading Packages:
tigervnc-server-1.8.0-7.fc28.x86_64.rpm                                  388 kB/s | 230 kB     00:00    
---------------------------------------------------------------------------------------------------------
Total                                                                    179 kB/s | 230 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Installing       : tigervnc-server-1.8.0-7.fc28.x86_64                                             1/1 
  Running scriptlet: tigervnc-server-1.8.0-7.fc28.x86_64                                             1/1 
  Verifying        : tigervnc-server-1.8.0-7.fc28.x86_64                                             1/1 

Installed:
  tigervnc-server.x86_64 1.8.0-7.fc28                                                                    

Complete!
[root@localhost ~]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
[root@localhost ~]# sed -i -e 's/<USER>/chenry/g' /etc/systemd/system/vncserver@.service
[root@localhost ~]# grep chenry /etc/systemd/system/vncserver@.service
# 2. Replace chenry with the actual user name and edit vncserver
#    (ExecStart=/usr/sbin/runuser -l chenry -c "/usr/bin/vncserver %i"
#     PIDFile=/home/chenry/.vnc/%H%i.pid)
ExecStart=/usr/sbin/runuser -l chenry -c "/usr/bin/vncserver %i"
PIDFile=/home/chenry/.vnc/%H%i.pid
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# sudo su - chenry
[chenry@localhost ~]$ vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
[chenry@localhost ~]$ logout
[root@localhost ~]# systemctl start vncserver@:1.service
Job for vncserver@:1.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; disabled; vendor preset: disabled)
   Active: failed (Result: protocol) since Sat 2018-05-12 16:34:31 BST; 56s ago
  Process: 2843 ExecStart=/usr/sbin/runuser -l chenry -c /usr/bin/vncserver :1 (code=exited, status=0/SUCCESS)
  Process: 2841 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

May 12 16:34:27 localhost.localdomain systemd[1]: Starting Remote desktop service (VNC)...
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/chenry/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/chenry/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
May 12 16:34:31 localhost.localdomain systemd[1]: vncserver@:1.service: Failed with result 'protocol'.
May 12 16:34:31 localhost.localdomain systemd[1]: Failed to start Remote desktop service (VNC).
[root@localhost ~]# 

=====
On second Fedora 28 host:

[root@localhost ~]# vncviewer 192.168.0.222:5901

TigerVNC Viewer 64-bit v1.8.0
Built on: 2018-02-10 01:12
Copyright (C) 1999-2017 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.
Can't open display: 
[root@localhost ~]# 

=====
Back on first host:

[root@localhost ~]# firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@localhost ~]#  firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.224" service name=vnc-server accept'
success
[root@localhost ~]# firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.0.224" service name="vnc-server" accept
[root@localhost ~]# 

=====
Back on second host:

[chenry@localhost ~]$ vncviewer -via chenry.0.222:1

TigerVNC Viewer 64-bit v1.8.0
Built on: 2018-02-10 01:12
Copyright (C) 1999-2017 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.
ssh: Could not resolve hostname 192.168.0.222:1: Name or service not known

Sat May 12 16:43:26 2018
 DecodeManager: Detected 2 CPU core(s)
 DecodeManager: Creating 2 decoder thread(s)
 CConn:       unable connect to socket: Connection refused (111)

This brings up a VNC connection dialogue which asks for the server to connect to, which was supplied in the command; re-entering the server again brings up an error dialogue with the text:

"unable connect to socket: Connection refused (111)"

Comment 1 Alessandro Suardi 2018-05-14 10:40:30 UTC
Sort of a me-too; started getting this after upgrading from F27 to F28 and
 perhaps related to systemd 238 issue 8085 in dealing with PID files in
 non-root-owned directories?

F28 updated as of today (1.8.0-7 vncserver packages as well).

Anyway, I do have the "protocol" Result for unit failure:

[root@torrent system]# systemctl status vncserver-bt@:2.service
● vncserver-bt@:2.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver-bt@.service; enabled; vendor preset: disabled)
   Active: failed (Result: protocol) since Mon 2018-05-14 12:17:16 CEST; 1min 18s ago
  Process: 3624 ExecStart=/sbin/runuser -l bt -c /usr/bin/vncserver :2 (code=exited, status=0/SUCCESS)
  Process: 3622 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :2 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

May 14 12:17:11 torrent systemd[1]: Starting Remote desktop service (VNC)...
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: New main PID 3657 does not belong to service, and PID file is not owned by root. Refusing.
May 14 12:17:16 torrent systemd[1]: vncserver-bt@:2.service: Failed with result 'protocol'.
May 14 12:17:16 torrent systemd[1]: Failed to start Remote desktop service (VNC).

...but Xvnc process appears to have started up fine:

[root@torrent ~]# ps -ef|grep  Xvnc
bt        3657     1  0 12:17 ?        00:00:02 /usr/bin/Xvnc :2 -auth /home/bt/.Xauthority -desktop torrent:2 (bt) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/bt/.vnc/passwd -rfbport 5902 -rfbwait 30000

 ...and it even works upon connection from external vncviewer client (OL7.5).


Double-funny that I stumbled into this issue while debugging the vncserver
 systemd service startup failure for my host, due to a 3-year old bug in my
 own editing of the script where I had 'kill %2' instead of 'kill :2' for
 the Xvnc shutdown part.

So now I fixed a 3-year old bug of mine which didn't prevent Xvnc startup,
 and found that systemd claims the service fails to start when it's in fact
 not true for me but is true for someone else...

Available for cross-checking of environments.

Comment 2 Alexander Korsunsky 2018-05-28 13:58:32 UTC
Bug 1583159 seems related.

Alessandro Suardi, you could try resolving your issue with the unit file that I uploaded in the bug:

https://bugzilla.redhat.com/attachment.cgi?id=1443332

Comment 3 coreyt 2018-06-04 16:30:14 UTC
Alexander Korsunsky,

I'm getting the same error even using your unit file:

Jun 04 11:25:59 thor systemd[1]: Starting Remote desktop service (VNC)...
Jun 04 11:26:03 thor vncserver[29077]: New 'thor:1 (cthornburg)' desktop is thor:1
Jun 04 11:26:03 thor vncserver[29077]: Starting applications specified in /home/cthornburg/.vnc/xstartup
Jun 04 11:26:03 thor vncserver[29077]: Log file is /home/cthornburg/.vnc/thor:1.log
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Can't convert PID files /home/cthornburg/.vnc/thor:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
Jun 04 11:26:03 thor systemd[1]: vncserver@:1.service: Failed with result 'protocol'.
Jun 04 11:26:03 thor systemd[1]: Failed to start Remote desktop service (VNC).

Comment 4 Alexander Korsunsky 2018-06-10 09:36:45 UTC
coreyt,

Yes, this is an SELinux issue. To test, you can temporarily disable it with `setenforce 0`.

After testing, reenable it with `setenforce 1`.

There is a Fedora bug here: Bug 1418463, but that got ignored and is now EOL without ever being fixed. In general it seems to me that the TigerVNC package in Fedora/RHEL is rather unmaintained, and the documentation doesn't follow best practices for systemd/SELinux.

You have 2 options: you just hack your policy to allow PID files in people's home directory like this:

Create a file called `systemd-tigervnc.te`

---------8<---------8<---------8<---------

module systemd-tigervnc 1.0;

require {
	type init_t;
	type user_home_t;
	class file { open read unlink };
}

#============= init_t ==============
allow init_t user_home_t:file { open read unlink };


---------8<---------8<---------8<---------

Then run: 

checkmodule -M -m -o /tmp/systemd-tigervnc.mod systemd-tigervnc.te
semodule_package -o /tmp/systemd-tigervnc.pp -m /tmp/systemd-tigervnc.mod
semodule -X 300 -i /tmp/systemd-tigervnc.pp

This is basically what audit2allow would do.


Another option is to change the service file to be stored in /run rather than /home: https://github.com/TigerVNC/tigervnc/issues/606#issuecomment-370963701

Comment 5 Fedora Update System 2018-06-13 11:29:52 UTC
tigervnc-1.8.0-10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e

Comment 6 Fedora Update System 2018-06-13 11:50:43 UTC
tigervnc-1.8.0-10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368

Comment 7 Fedora Update System 2018-06-13 23:00:38 UTC
tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f67d10ae9e

Comment 8 Fedora Update System 2018-06-14 13:48:24 UTC
tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-817f36c368

Comment 9 Fedora Update System 2018-06-16 19:32:50 UTC
tigervnc-1.8.0-10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2018-06-16 20:16:53 UTC
tigervnc-1.8.0-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Václav Nováček 2018-07-07 20:56:59 UTC
Unfortunately still the same error with tigervnc-server-1.8.0-10.fc28.x86_64.rpm:

čec 07 22:39:20 fedora systemd[1]: Starting Remote desktop service (VNC)...
čec 07 22:39:23 fedora vncserver[9503]: New 'fedora:1 (waclaw)' desktop is fedora:1
čec 07 22:39:23 fedora vncserver[9503]: Starting applications specified in /home/waclaw/.vnc/xstartup
čec 07 22:39:23 fedora vncserver[9503]: Log file is /home/waclaw/.vnc/fedora:1.log
čec 07 22:39:23 fedora audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activating service name='org.freedesktop.systemd1' requested by ':1.0' (uid=1000 pid=9542 comm="systemctl --user import-environment DISPLAY XAUTHO" label="system_u:system_r:unconfined_service_t:s0")
čec 07 22:39:23 fedora dbus-daemon[9531]: [session uid=1000 pid=9529] Activated service 'org.freedesktop.systemd1' failed: Process org.freedesktop.systemd1 exited with status 1
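
Added example, not part of the original comments or of any Fedora/TigerVNC tooling: a small Python parser that reduces AVC denial lines of the shape shown in Comment 11 to the type-enforcement rule they correspond to, which is the step Comment 4 attributes to audit2allow. The sample journal text is constructed (the `unlink` denial is an assumption, added because the module in Comment 4 also lists it), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the journal output in Comment 11.
# The duplicate line shows de-duplication; the unlink denial is an assumption.
SAMPLE_JOURNAL = """\
Jul 07 22:39:23 fedora audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 07 22:39:23 fedora audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 07 22:39:23 fedora systemd[1]: vncserver@:1.service: Can't convert PID files /home/waclaw/.vnc/fedora:1.pid O_PATH file descriptor to proper file descriptor: Permission denied
Jul 07 22:40:01 fedora audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="fedora:1.pid" dev="sdc3" ino=5915841 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC record, e.g. the systemd error line
        key = (
            selinux_type(match["scontext"]),
            selinux_type(match["tcontext"]),
            match["tclass"],
        )
        rules[key].update(match["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render grouped denials as allow statements for review.

    A rule is keyed on types, not paths: it covers every file carrying the
    target label, not only the PID file named in the denial.
    """
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_JOURNAL)):
        print(rule)
```

Because the resulting rule names `user_home_t` rather than a path, it applies to all files with that label, which is the trade-off between the two options listed in Comment 4.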

Comment 12 Michael Shurtleff 2018-08-27 19:57:13 UTC
On tigervnc-server-1.9.0-2.fc29.x86_64 (Fedora 29 pre-beta) I am getting...

# systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@:1.service; disabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Mon 2018-08-27 14:51:51 CDT; 2min 44s ago
  Process: 8378 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 8373 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)

Aug 27 14:50:21 localhost.localdomain systemd[1]: Starting Remote desktop service (VNC)...
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: New 'localhost.localdomain:1 (vncuser)' desktop is localhost.localdomain:1
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Starting applications specified in /home/vncuser/.vnc/xstartup
Aug 27 14:50:24 localhost.localdomain vncserver[8378]: Log file is /home/vncuser/.vnc/localhost.localdomain:1.log
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:50:24 localhost.localdomain systemd[1]: vncserver@:1.service: Can't convert PID files /home/vncuser/.vnc/localhost.localdomain:1.pid O_PATH file descriptor to proper file descriptor: Permission d>
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Aug 27 14:51:51 localhost.localdomain systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Aug 27 14:51:51 localhost.localdomain systemd[1]: Failed to start Remote desktop service (VNC).

Comment 13 Michael Shurtleff 2018-08-27 20:31:32 UTC
OK it appears that that problem was that I should have used Type=notify in the system control file. Sorry for the diversion.

