Add non root support #90

Open
cyayon opened this issue Sep 13, 2023 · 8 comments
Labels: enhancement (New feature or request), Linux

Comments

cyayon commented Sep 13, 2023

Hi,

I am trying to start the ctrld daemon on Linux with a systemd service.
I cannot get it to start as a user other than root.

I got a systemd error: ctrld.service: Main process exited, code=exited, status=217/USER

Here is the service :

[Unit]
Description=Control-D
After=network.target [email protected]
[email protected]

[Service]
User=ctrld
ExecStart=/opt/ctrld/ctrld run -c /etc/controld/ctrld.toml
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

I tried to chmod/chown correctly (even 777) for /etc/controld for the socket file. But no way.

thanks.

cuonglm (Collaborator) commented Sep 13, 2023

Could you please run journalctl -xe -u ctrld, then see in the log what failed?

cyayon (Author) commented Sep 13, 2023

Sep 13 13:57:41 xxx systemd[1]: Started Control-D.
░░ Subject: A start job for unit ctrld.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit ctrld.service has finished successfully.
░░
░░ The job identifier is 43130.
Sep 13 13:57:41 xxx systemd[1]: ctrld.service: Main process exited, code=exited, status=217/USER
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit ctrld.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 217.
Sep 13 13:57:41 xxx systemd[1]: ctrld.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit ctrld.service has entered the 'failed' state with result 'exit-code'.

cuonglm (Collaborator) commented Sep 13, 2023

Wait, did you run ctrld as a non-root user?

If yes, then things won't work; ctrld requires root privileges to work at this moment.

cyayon (Author) commented Sep 13, 2023

Yes, I got errors and was unable to start when trying to run ctrld as User != root.
With systemd you can configure it to allow fine-tuning of privileges.
For example, to allow a process to bind a port <1024, you need AmbientCapabilities=CAP_NET_BIND_SERVICE (see example).
Could you please describe the required privileges?

Thanks.

cuonglm (Collaborator) commented Sep 13, 2023

> Yes, I got errors and was unable to start when trying to run ctrld as User != root.
>
> With systemd you can configure it to allow fine-tuning of privileges.
>
> For example, to allow a process to bind a port <1024, you need AmbientCapabilities=CAP_NET_BIND_SERVICE (see example).
>
> Could you please describe the required privileges?
>
> Thanks.

For now, we have a check that ctrld is run as root; otherwise, ctrld will exit immediately.

We may tidy things up and relax the check in a future release.

cyayon (Author) commented Sep 13, 2023

OK, thanks.
Could you please provide this as a future enhancement?

yegors changed the title from "non root" to "Add non root support" on Jan 24, 2024

cuonglm (Collaborator) commented Feb 1, 2024

@cyayon Does [email protected] exist in your system?

I was able to get ctrld running with this service file, after chown -R cuonglm /etc/controld:

$ cat /etc/systemd/system/ctrld.service 
[Unit]
Description=Control-D

[Service]
User=cuonglm
ExecStart=/opt/ctrld/ctrld run -c /etc/controld/ctrld.toml
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Log:

$ sudo systemctl status ctrld          
● ctrld.service - Control-D
     Loaded: loaded (/etc/systemd/system/ctrld.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-02-01 18:17:45 +07; 6min ago
   Main PID: 1345238 (ctrld)
      Tasks: 16 (limit: 18795)
     Memory: 14.8M
        CPU: 402ms
     CGroup: /system.slice/ctrld.service
             └─1345238 /opt/ctrld/ctrld run -c /etc/controld/ctrld.toml

Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Started Control-D.
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 ctrld[1345238]: Feb  1 18:17:45.575 WRN stop probing "[ff02::fb]:5353": network unreachable or invalid
$ sudo journalctl -n 11 -u ctrld
Feb 01 18:15:56 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Started Control-D.
Feb 01 18:15:56 cuonglm-ThinkPad-X1-Carbon-Gen-9 ctrld[1344818]: Feb  1 18:15:56.657 FTL failed to write config file error="open /etc/controld/ctrld.toml: permission denied"
Feb 01 18:15:56 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: ctrld.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 18:15:56 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: ctrld.service: Failed with result 'exit-code'.
Feb 01 18:16:39 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Started Control-D.
Feb 01 18:16:40 cuonglm-ThinkPad-X1-Carbon-Gen-9 ctrld[1344996]: Feb  1 18:16:40.073 WRN stop probing "[ff02::fb]:5353": network unreachable or invalid
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Stopping Control-D...
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: ctrld.service: Deactivated successfully.
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Stopped Control-D.
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 systemd[1]: Started Control-D.
Feb 01 18:17:45 cuonglm-ThinkPad-X1-Carbon-Gen-9 ctrld[1345238]: Feb  1 18:17:45.575 WRN stop probing "[ff02::fb]:5353": network unreachable or invalid
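
The two failures seen in this thread, status=217/USER (systemd's exit code for failing to determine or change user credentials) and the later "permission denied" on the config file, can be checked for before the unit is started. The shell functions below are an added example, not code from the thread or from the ctrld project; the function names and the ownership heuristic are assumptions.

```sh
#!/bin/sh
# Added example (not ctrld code): preflight checks for a unit with a non-root User=.
# Usage: . ./preflight.sh && preflight /etc/systemd/system/ctrld.service

# unit_get KEY FILE: print the value of the last KEY= line in [Service].
unit_get() {
    awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$2"
}

# user_exists NAME: true if NAME resolves to a uid on this host.
user_exists() { id -u "$1" >/dev/null 2>&1; }

# owner_uid PATH: numeric owner of PATH (GNU or busybox stat).
owner_uid() { stat -c %u "$1"; }

# config_path FILE: the argument that follows -c in ExecStart=.
config_path() {
    unit_get ExecStart "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-c") { print $(i + 1); exit } }'
}

# preflight FILE: print one line per finding; return the number of findings.
preflight() {
    problems=0
    user=$(unit_get User "$1")
    caps=$(unit_get AmbientCapabilities "$1")
    cfg=$(config_path "$1")
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "User= is unset or root: the service keeps full root privileges"
        problems=$((problems + 1))
    elif ! user_exists "$user"; then
        echo "User=$user does not resolve: expect status=217/USER"
        problems=$((problems + 1))
    elif [ -e "$cfg" ] && [ "$(owner_uid "$cfg")" != "$(id -u "$user")" ]; then
        echo "$cfg is not owned by $user: check write access (permission denied)"
        problems=$((problems + 1))
    fi
    if [ -n "$user" ] && [ "$user" != root ]; then
        case " $caps " in
            *" CAP_NET_BIND_SERVICE "*) ;;
            *) echo "no CAP_NET_BIND_SERVICE: cannot bind ports below 1024"
               problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}
```

A return value of 0 means none of the three conditions was found; it does not show that ctrld itself will run correctly as that user.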

cuonglm (Collaborator) commented Feb 1, 2024

> For now, we have a check that ctrld is run as root; otherwise, ctrld will exit immediately.

Sorry for not being clear; this restriction applies to service-related commands: ctrld start, ctrld stop ..., which have to call the underlying system service manager, so they always require root privileges.

cuonglm added the enhancement and Linux labels on Feb 26, 2024