You are not logged in.

#1 2024-11-01 16:41:14

barney
Member
Registered: 2020-12-14
Posts: 104

[Solved]Problems with reflector.sercvice

I want to configure reflector.service to be periodically started. I am following instructions on reflector wiki page.
When I type "sudo systemctl start reflector" I get this message:

Job for reflector.service failed because the control process exited with error code.
See "systemctl status reflector.service" and "journalctl -xeu reflector.service" for details.

The output of journalctl -xeu reflector.service is:

  A start job for unit reflector.service has begun execution.
░░
░░ The job identifier is 4112.
ное 01 17:31:08 living reflector[630255]: error: Permission denied
ное 01 17:31:08 living systemd[1]: reflector.service: Main process exited, code=exited, status=1/FA>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit reflector.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
ное 01 17:31:08 living systemd[1]: reflector.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit reflector.service has entered the 'failed' state with result 'exit-code'.
ное 01 17:31:08 living systemd[1]: Failed to start Refresh Pacman mirrorlist with Reflector..
░░ Subject: A start job for unit reflector.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit reflector.service has finished with a failure.
░░
░░ The job identifier is 4112 and the job result is failed.
ное 01 17:31:08 living systemd[1]: reflector.service: Consumed 1.387s CPU time, 36.6M memory peak.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit reflector.service completed and consumed the indicated resources.

The output of "systemctl status reflector" is :

× reflector.service - Refresh Pacman mirrorlist with Reflector.
     Loaded: loaded (/usr/lib/systemd/system/reflector.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2024-11-01 17:37:27 CET; 1min 43s ago
 Invocation: 888ef6fa4f9a4fed823e75e8e4517499
TriggeredBy: ● reflector.timer
       Docs: https://wiki.archlinux.org/index.php/Reflector
    Process: 630692 ExecStart=/usr/bin/reflector @/etc/xdg/reflector/reflector.conf (code=exited, s>
   Main PID: 630692 (code=exited, status=1/FAILURE)
   Mem peak: 25.3M
        CPU: 1.334s

ное 01 17:36:57 living systemd[1]: Starting Refresh Pacman mirrorlist with Reflector....
ное 01 17:37:27 living reflector[630692]: error: Permission denied
ное 01 17:37:27 living systemd[1]: reflector.service: Main process exited, code=exited, status=1/FA>
ное 01 17:37:27 living systemd[1]: reflector.service: Failed with result 'exit-code'.
ное 01 17:37:27 living systemd[1]: Failed to start Refresh Pacman mirrorlist with Reflector..
ное 01 17:37:27 living systemd[1]: reflector.service: Consumed 1.334s CPU time, 25.3M memory peak.

Where I am doing wrong?

Last edited by barney (2024-11-05 15:26:52)

Offline

#2 2024-11-02 00:41:23

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,148

Re: [Solved]Problems with reflector.sercvice

Can you run reflector manually? What's in your reflector.conf?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#3 2024-11-02 14:42:20

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

cfr wrote:

Can you run reflector manually? What's in your reflector.conf?

I can run reflector manually.
My reflector.conf:

# Reflector configuration file for the systemd service.
#
# Empty lines and lines beginning with "#" are ignored.  All other lines should
# contain valid reflector command-line arguments. The lines are parsed with
# Python's shlex modules so standard shell syntax should work. All arguments are
# collected into a single argument list.
#
# See "reflector --help" for details.

# Recommended Options

# Set the output path where the mirrorlist will be saved (--save).
--save /etc/pacman.d/mirrorlist
#--save /home/barney/mirrorlist

# Select the transfer protocol (--protocol).
--protocol https

# Select the country (--country).
# Consult the list of available countries with "reflector --list-countries" and
# select the countries nearest to you or the ones that you trust. For example:
# --country France,Germany

# Use only the  most recently synchronized mirrors (--latest).
#--latest 5
--latest 10

# Sort the mirrors by synchronization time (--sort).
#--sort age
--sort rate

Offline

#4 2024-11-02 15:44:31

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

The service has all sorts of context isolation, notably "ReadWritePaths=/etc/pacman.d/mirrorlist" - when did you introduce/comment the "#--save /home/barney/mirrorlist" thing?
In doubt edit the service and add "--verbose" to the reflector parameters - maybe it allows to gage the actual permission issue,  https://wiki.archlinux.org/title/Systemd#Drop-in_files

When posting the status, please skip "-x" (it's spam) and don't copy and paste out of the pager (it caps lines, see the trailing ">") - in doubt redirect the output into a file (or text editor)

Online

#5 2024-11-02 22:24:54

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

The service has all sorts of context isolation, notably "ReadWritePaths=/etc/pacman.d/mirrorlist" - when did you introduce/comment the "#--save /home/barney/mirrorlist" thing?
In doubt edit the service and add "--verbose" to the reflector parameters - maybe it allows to gage the actual permission issue,  https://wiki.archlinux.org/title/Systemd#Drop-in_files

I have added the --verbose parameter and tried with --save /home/barney/mirrorlist and --save /etc/pacman.d/mirrorlist. The result is the same. The output of the status and jornalctl is the same. I don't know where goes the output of the reflector command when the service is started.

When posting the status, please skip "-x" (it's spam) and don't copy and paste out of the pager (it caps lines, see the trailing ">") - in doubt redirect the output into a file (or text editor)

From now on I will redirect the output into a file.

Offline

#6 2024-11-02 22:34:24

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

I don't know where goes the output of the reflector command when the service is started.

STDERR

Broadsword time.

[Service]
ExecStart=/usr/bin/strace -f -tt -o /tmp/reflector.strace /usr/bin/reflector @/etc/xdg/reflector/reflector.conf
ReadWritePaths=/etc/pacman.d/mirrorlist /tmp/reflector.strace

This should hopefully get you /tmp/reflector.strace to record the permission error.

Online

#7 2024-11-03 17:10:02

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

I don't know where goes the output of the reflector command when the service is started.

STDERR

Is it possible to get the output to the terminal?

Broadsword time.

[Service]
ExecStart=/usr/bin/strace -f -tt -o /tmp/reflector.strace /usr/bin/reflector @/etc/xdg/reflector/reflector.conf
ReadWritePaths=/etc/pacman.d/mirrorlist /tmp/reflector.strace

This should hopefully get you /tmp/reflector.strace to record the permission error.

I have created the /etc/systemd/system/reflector.service.d/verbose.conf file with this content:

[Service]
ExecStart=
ExecStart=/usr/bin/strace -f -tt -o /tmp/reflector.strace /usr/bin/reflector @/etc/xdg/reflector/reflector.conf
ReadWritePaths=
ReadWritePaths=/etc/pacman.d/mirrorlist /tmp/reflector.strace

After that I isued the command "sudo systemctl daemon-reload" and also "sudo systemctl start reflector"
The same result, permission denied. I cannot get the output from strace in /tmp.
The output from "sudo journalctl -xeu reflector.service" is:
http://0x0.st/XGv2.txt
What I have noticed from the output from jurnalctl is the message:

ное 03 17:57:00 living (strace)[8640]: reflector.service: Failed to set up mount namespacing: /tmp/reflector.strace: No such file or directory
ное 03 17:57:00 living (strace)[8640]: reflector.service: Failed at step NAMESPACE spawning /usr/bin/strace: No such file or directory

Offline

#8 2024-11-03 18:40:35

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,142

Re: [Solved]Problems with reflector.sercvice

That looks like strace isn't installed. Can you run that strace command manually?

In lieu of getting strace to work inside a systemd unit (which may be difficult given the isolation protocols used by systemd), I think the service is denied access to /etc/pacman.d/mirrorlist and/or /etc/xdg/reflector/reflector.conf. Check/post the output of 'stat <file>' - is there anything weird there?

Also: reflector is a Python script, so you could also hack in some logging statements into the actual code to see what's going on.

Offline

#9 2024-11-03 19:14:16

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

Is it possible to get the output to the terminal?

STDERR is the terminal (by default) but systemd captures it.

Checked, you actually get those errors despite strace being installed PrivateTmp=false and /tmp/reflector.strace existing … sad

Another sanity check:

pacman -Qikk reflector

Online

#10 2024-11-03 23:06:42

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

Checked, you actually get those errors despite strace being installed PrivateTmp=false and /tmp/reflector.strace existing … sad

PrivateTmp was true, I have changed that in drop-in file, issued the "sudo touch /tmp/reflector.strace", but the error is the same.

Seth wrote:

Another sanity check:

pacman -Qikk reflector

The output of the pacman command is:

Name            : reflector
Version         : 2023-2
Description     : A Python 3 module and script to retrieve and filter the latest Pacman mirror list.
Architecture    : any
URL             : https://xyne.dev/projects/reflector
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : python
Optional Deps   : rsync: rate rsync mirrors [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 155,34 KiB
Packager        : Daniel M. Capella <polyzen@archlinux.org>
Build Date      : пет, 05 апр 2024 07:52:39 CEST
Install Date    : нед, 19 мај 2024 08:43:51 CEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

backup file: reflector: /etc/xdg/reflector/reflector.conf (Modification time mismatch)
backup file: reflector: /etc/xdg/reflector/reflector.conf (Size mismatch)
backup file: reflector: /etc/xdg/reflector/reflector.conf (SHA256 checksum mismatch)
reflector: 28 total files, 0 altered files

I don't know what is the meaning of the Modification time mismatch and SHA256 checksum mismatch or if that is important, but I know that I have modified the reflector.conf file.

Offline

#11 2024-11-04 07:48:49

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

cat /etc/xdg/reflector/reflector.conf

I know that I have modified the reflector.conf file.

The idea was to reset that because you'll run into trouble w/ the service if you try to access paths that are not allowed by the context isolation.

Don't ignore

twelveeighty wrote:

I think the service is denied access to /etc/pacman.d/mirrorlist and/or /etc/xdg/reflector/reflector.conf. Check/post the output of 'stat <file>' - is there anything weird there?

PrivateTmp was true

I know, it's supposed to be - I just wanted to point out that stracing in the heavily restricted service indeed ha multiple obstacles.

Online

#12 2024-11-05 11:43:26

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

The idea was to reset that because you'll run into trouble w/ the service if you try to access paths that are not allowed by the context isolation.

I don't know how to return to the orginal file.

Don't ignore

twelveeighty wrote:

I think the service is denied access to /etc/pacman.d/mirrorlist and/or /etc/xdg/reflector/reflector.conf. Check/post the output of 'stat <file>' - is there anything weird there?

PrivateTmp was true

I know, it's supposed to be - I just wanted to point out that stracing in the heavily restricted service indeed ha multiple obstacles.

The suspicious for stat output was that mirrorlist file was owned by barney. I have corrected that, but the error remains. It is very strange that access to strace is restricted (I know that strace is installed and running). There must be something wrong in a unit file for reflector service, but I don't know enough for unit files to debug that.

Offline

#13 2024-11-05 12:42:04

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

I don't know how to return to the orginal file.

In doubt remove the file and re-install reflector.

The suspicious for stat output was that mirrorlist file was owned by barney

Can you post the current stat outputs?

It is very strange that access to strace is restricted

The service uses systemd-run for context isolation, basically in a chrooted environment.
That's also gonna be the cause of your error, so we cannot just disable it.

Online

#14 2024-11-05 14:58:25

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

Can you post the current stat outputs?

It is very strange that access to strace is restricted

The service uses systemd-run for context isolation, basically in a chrooted environment.
That's also gonna be the cause of your error, so we cannot just disable it.

The problem was that mirrorlist was owned by barney, but service cannot be started with strace. After I have changed the ownership of mirrorlist file and removed the drop-in for reflector service everything is working fine. I don't know why service is not working with strace?
Thanks Seth.

Offline

#15 2024-11-05 15:03:45

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

I don't know why service is not working with strace?

seth wrote:

The service uses systemd-run for context isolation, basically in a chrooted environment.
That's also gonna be the cause of your error, so we cannot just disable it.

Thanks Seth.

Nope.

twelveeigthy wrote:

I think the service is denied access to /etc/pacman.d/mirrorlist and/or /etc/xdg/reflector/reflector.conf. Check/post the output of 'stat <file>' - is there anything weird there?

wink

Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Online

#16 2024-11-05 15:30:56

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

seth wrote:

I don't know why service is not working with strace?

seth wrote:

The service uses systemd-run for context isolation, basically in a chrooted environment.
That's also gonna be the cause of your error, so we cannot just disable it.

Is it possible to temporary change the unit file so the service can be started with strace, for diagnostic purposes?

Offline

#17 2024-11-05 15:33:05

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

Yes, sure - you remove all the constraints you find in there, but that's then akin to running it manually (which then didn't cause any issues)

Online

#18 2024-11-05 21:30:20

barney
Member
Registered: 2020-12-14
Posts: 104

Re: [Solved]Problems with reflector.sercvice

Sorry to bother you Seth, I am learning. I was thinking that the service process is with UID 0 (even in chroot environment)  so it has all rights to write to file owned by (in this case ) barney. I don't know how the process is restricted to write to a file owned by a different user then root. Somehow this is accomplished in the unit file.

Offline

#19 2024-11-05 22:11:37

seth
Member
Registered: 2012-09-03
Posts: 59,004

Re: [Solved]Problems with reflector.sercvice

less /usr/lib/systemd/system/reflector.service

See the entire private/protect/restrict keys?
https://man.archlinux.org/man/systemd.e … SANDBOXING

Online

Board footer

Powered by FluxBB