"failed to execute command: permission denied" Ubuntu 18.04.3 LTS - linux

Trying to set up a game server for Ark on an old HP ProLiant running Ubuntu (version 18.04.3 LTS, 64-bit). Specs are 72GB RAM, Intel Xeon X5650 # 2.67 GHz x2. I'm learning Ubuntu along the way, so I barely know what I'm doing and realize I could just be making some silly error... but I'm totally lost. I managed to get a lot done thanks to Google, but even Google can't seem to help me anymore.
I've been using multiple guides to help me set it up.
https://ark.gamepedia.com/Dedicated_Server_Setup#Linux_.28via_systemd.29
http://arksurvivalevolved.gamewalkthrough-universe.com/dedicatedservers/linux/Default.aspx
https://survivetheark.com/index.php?/forums/topic/87419-guide-cluster-setup/
I've gone over every step in those guides multiple times and at least managed to get to this point where I'm stuck at this "permission denied" error.
I've tried every solution presented under this Google search: https://www.google.com/search?q=linux+%22failed+to+execute+command%3A+permission+denied%22
Additionally, I've tried executing the command to start the server with and without "sudo".
My guess is that the file it's trying to access is not permissible for some reason, but I can't seem to find a working solution for me.
[Unit]
Description=ARK: Survival Evolved dedicated server
Wants=network-online.target
After=syslog.target network.target nss-lookup.target network-online.target
[Service]
ExecStartPre=/home/kinare/steamcmd +login anonymous +force_install_dir /home/kinare/ark +app_update 376030
ExecStart=/home/kinare/ark/ShooterGame/Binaries/Linux/ShooterGameServer.exe Ragnarok?SessionName="Togerland - PVE Ragnarok"?AltSaveDirectoryName=RagSave?Port=7777?QueryPort=27015 -NoTransferFromFiltering -exclusivejoin -clusterid=Togerland
ShooterGameServer.exe Aberration_P?SessionName="Togerland - PVE Aberration"?AltSaveDirectoryName=AbSave?Port=7779?QueryPort=27017 -NoTransferFromFiltering -exclusivejoin -clusterid=Togerland
WorkingDirectory=/home/kinare/ark/ShooterGame/Binaries/Linux
LimitNOFILE=500000
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s INT $MAINPID
User=steam
Group=steam
[Install]
WantedBy=multi-user.target
Only including 2 of 6 maps that are within the cluster there to save space, hopefully that's enough.
Expected result should be it not failing to start... Error message:
ark-dedicated.service - ARK: Survival Evolved dedicated server
Loaded: loaded (/etc/systemd/system/ark-dedicated.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2019-10-18 15:35:19 EDT; 56s ago
Process: 6383 ExecStartPre=/home/kinare/steamcmd +login anonymous +force_install_dir /home/kinare/ark +app_update 376030 (code=exited, status=203/EXEC)
Oct 18 15:35:19 togerland-server systemd[1]: Starting ARK: Survival Evolved dedicated server...
Oct 18 15:35:19 togerland-server systemd[6383]: ark-dedicated.service: Failed to execute command: Permission denied
Oct 18 15:35:19 togerland-server systemd[6383]: ark-dedicated.service: Failed at step EXEC spawning /home/kinare/steamcmd: Permission denied
Oct 18 15:35:19 togerland-server systemd[1]: ark-dedicated.service: Control process exited, code=exited status=203
Oct 18 15:35:19 togerland-server systemd[1]: ark-dedicated.service: Failed with result 'exit-code'.
Oct 18 15:35:19 togerland-server systemd[1]: Failed to start ARK: Survival Evolved dedicated server.

your systemd service uses user and group steam
...
User=steam
Group=steam
...
you are starting your ark server from the home of kinare
ExecStart=/home/kinare/ark/ShooterGame/Binaries...
and your system logs says: 'Permission denied':
Oct 18 15:35:19 togerland-server systemd[6383]: ark-dedicated.service: Failed to execute command: Permission denied
does the steam user have permissions to read files in /home/kinare?
You can solve this in a few ways:
give the steam user permissions to read from /home/kinare
# change the group of all files and dirs in /home/kinare to steam
chgrp -R steam /home/kinare
# give the group read rights on all files and dirs /home/kinare
chmod -R g+r /home/kinare
# allow the group to open folders under /home/kinare
find /home/kinare -type d -exec chmod 750 {} \;
use service account
move your ark and steam to the home of the steam user (/home/steam) and change
your unit file as needed. keep in mind that you need change the permissions of
the files in /home/steam. This is preferred, you use a service account instead
of your admin user kinare
change the user and group used in your systemd service file
User=kinare
Group=kinare
ark will now run as the user kinare. This is less preferred, see:
https://unix.stackexchange.com/questions/314725/what-is-the-difference-between-user-and-service-account
hope this helps, good luck

Related

Failed to resolve unit specifiers in /var/bot/error-$(date+%Y_%m_%d_%I_%M_%p).log: Invalid slot

I want to run NodeJS code as service, but whenever I add output to log files I get error with syntax.
● bot.service - simple NodeJS bot
Loaded: bad-setting (Reason: Unit bot.service has a bad unit file setting.)
Active: inactive (dead)
Dec 21 17:33:36 ubuntu systemd[1]: /etc/systemd/system/bot.service:9: Failed to resolve unit specifiers in /var/bot/error-$(date+%Y_%m_%d_%I_%M_%p).log: Invalid slot
Dec 21 17:33:36 ubuntu systemd[1]: bot.service: Unit configuration has fatal error, unit will not be started.
bot.service:
[Unit]
Description=simple NodeJS bot
After=network-online.target
[Service]
Restart=on-failure
SyslogIdentifier=bot
WorkingDirectory=/home/ubuntu/bot
ExecStart=/home/ubuntu/.nvm/versions/node/v16.6.2/bin/node /home/ubuntu/bot/out/index.js >> /var/bot/bot.log 2> /var/bot/"error-$(date+%Y_%m_%d_%I_%M_%p).log"
# limit CPU and RAM quota for our service
# Not necessary, but i am running other servers, so i need it
CPUAccounting=true
MemoryAccounting=true
SyslogIdentifier=bot
[Install]
WantedBy=multi-user.target
The problem comes from the % sign. You need to escape it (%%) if you want the command to be accepted by systemd

Apache2: Failed to set up mount namespacing: Permission denied

I have VPS server with Debian 10. I want to start Apache2 with option PrivateTmp=true.
But on start it failed with error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.
I checked the permissions for tmp:
root#5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root#5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp
Any idea which permissions are wrong?
This can work...
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service
This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
Edit apache config (the clean way):
sudo systemctl edit apache2.service
Add this to disable new systemd security features (affect LXC containers like the ones inside Proxmox)
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
Maybe only necessary:
ProtectHome=false
ProtectSystem=false
Then
sudo systemctl start apache2.service
sudo systemctl status apache2.service # Just to check the output
I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mention here and here the problem is solved enabling nesting (also here) on the Proxmox containers.
Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
Related
Nested containers in LXD | Ubuntu
Roadmap - Proxmox VE 7.1 The real fix is to upgrade host?
Failed to reset devices.list...Operation not permitted · Issue #2004 · lxc/lxd

Linux Service Application permission to create files

I have application written in go, that locate in to ~/work/bin directory and(should, but it don't) creates files in to ./images/
It runs as service with following configuration:
Description=My Application Description
After=network.target
[Service]
User=AdminName
Group=www-data
ExecStart=/home/AdminName/work/bin/Application
[Install]
WantedBy=multi-user.target
What should i modify to add permission on create files? Should i create and add group or modify folder attributes? Or change destignation folder to somthing public with right permission?
Warning Code on attempt to create file:
● Application.service Loaded: loaded
(/etc/systemd/system/Application.service; enabled; vendor preset:
enabled) Active: active (running) since Tue 2019-12-10 15:02:09
MSK; 50min ago Main PID: 28262 (Application) CGroup:
/system.slice/Application.service
└─28262 /home/AdminName/work/bin/Application
Dec 10 15:02:09 **** systemd[1]: Started Application.service. Dec 10
15:02:09 **** Application[28262]: Started... Dec 10 15:02:28 ****
systemd[1]: [/etc/systemd/system/Application.service:1] Assignment
outside of section. Ignoring. Dec 10 15:02:28 **** systemd[1]:
[/etc/systemd/system/Application.service:2] Assignment outside of
section. Ignoring.
Use WorkingDirectory=/path/to/directory/where/images/directory/lives.
Also, it's not a good idea to run a service from a user's home
directory, nor is it a good idea to write data to a relative path. –
Jonathon Reinhart 2 hours ago
Solved

Prometheus 2.0 centos service won't start, because "Opening storage failed", "permission denied"

context: I've added some scripts to an empty centos VM to install some monitoring tools including prometheus 2.0.
problem: Once installed in the non-root sudo user's home directory, I copy the prometheus.service that I wrote to "/etc/systemd/system", run sudo systemctl daemon-reload, sudo systemctl enable prometheus.service, sudo systemctl start prometheus.service but the service fails.
note: I can run the prometheus binary in the terminal directly using the same command without any problems, but I can't run it as a service.
Here's my .service file:
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=centos
ExecStart=/home/centos/prometheus/prometheus --config.file="/home/centos/prometheus/prometheus.yml" --storage.tsdb.path="/home/centos/prometheus/data"
[Install]
WantedBy=multi-user.target
Here's some of the log:
...
Nov 21 12:41:55 localhost.localdomain prometheus[1554]: level=info ts=2017-11-21T17:41:55.114757834Z caller=main.go:314 msg="Starting TSDB"
Nov 21 12:41:55 localhost.localdomain prometheus[1554]: level=error ts=2017-11-21T17:41:55.114819195Z caller=main.go:323 msg="Opening storage failed" err="mkdir \": permission denied"
Nov 21 12:41:55 localhost.localdomain systemd[1]: prometheus.service: control process exited, code=exited status=1
Nov 21 12:41:55 localhost.localdomain systemd[1]: Failed to start Prometheus Server.
...
I'm new to linux services management, I've spent a lot of time reading online but I'm not sure how permissions works for services, and why it can't create the directory it needs to create.
I've tried:
Changing "SELINUX=enforcing" to "SELINUX=permissive"
Changing the permission to the prometheus directory to 777
...
You also have to set up --web.console.templates and --web.console.libraries. You can copy these directories from exctracted archive. For example:
sudo cp -R ~/prometheus-2.0.0.linux-amd64/consoles /etc/prometheus
sudo cp -R ~/prometheus-2.0.0.linux-amd64/console_libraries /etc/prometheus
Example of working service (change path for yours):
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml \
--storage.tsdb.path=/var/lib/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries
[Install]
WantedBy=multi-user.target
P.S. Inspired by suggestions here.
Data directory for Prometheus should have write permissions for prometheus application user. If you're running it from a container and external mounting the data directory, you can set 777 permissions on original folder.
If SELinux is stopping startup always consult journalctl -xe to view the SELinux alerts. There are recommended actions to be taken.
I have setup prometheus with SELinux on CentOS 8 without problems. And I don't agree with people that recommend disabling SELinux.
For reference Redhat has a good video for you to watch:
https://www.youtube.com/watch?v=_WOKRaM-HI4&t=1464s
Here is my prometheus.service file.
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=prometheus
#Restart=on-failure
#Change this line if you download the
#Prometheus on different path user
ExecStart=/home/prometheus/prometheus-2.22.0.linux-amd64/prometheus \
--config.file=/home/prometheus/prometheus-2.22.0.linux-amd64/prometheus.yml \
--storage.tsdb.path=/home/prometheus/prometheus-2.22.0.linux-amd64/data \
--web.listen-address="0.0.0.0:9091"
[Install]
WantedBy=multi-user.target

Systemd script fail

I want to run a script at system startup in a Debian 9 box. My script works when run standalone, but fails under systemd.
My script just copies a backup file from a remote server to the local machine:
#!/bin/sh
set -e
/usr/bin/sshpass -p "PASSWORD" /usr/bin/scp -p USER#10.0.0.2:ORIGINPATH/backupserver.zip DESTINATIONPATH/backupserver/
Just for privacy I replaced password, user, and paths above.
I wrote the following systemd service unit:
[Unit]
Description=backup script
[Service]
Type=oneshot
ExecStart=PATH/backup.sh
[Install]
WantedBy=default.target
Then I set permissions for the script:
chmod 744 PATH/backup.sh
And installed the service:
chmod 664 /etc/systemd/system/backup.service
systemctl daemon-reload
systemctl enable backup.service
When I reboot the script fails:
● backup.service - backup script
Loaded: loaded (/etc/systemd/system/backup.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2017-05-13 13:39:54 -03; 47min ago
Main PID: 591 (code=exited, status=1/FAILURE)
Result of journalctl -xe:
mai 16 23:34:27 rodrigo-acer systemd[1]: backup.service: Main process exited, code=exited, status=6/NOTCONFIGURED
mai 16 23:34:27 rodrigo-acer systemd[1]: Failed to start backup script.
mai 16 23:34:27 rodrigo-acer systemd[1]: backup.service: Unit entered failed state.
mai 16 23:34:27 rodrigo-acer systemd[1]: backup.service: Failed with result 'exit-code'.
What could be wrong?
Solved guys. There was 2 problems:
1 - I had to change the service unit file to make the service run only after network was up. The unit section was changed to:
[Unit]
Description = World server backup
Wants = network-online.target
After = network.target network-online.target
2 - The root user did not have the remote host added to the known host list, unlike the ordinary user I used to test the script.
Failed with result 'exit-code' you could try this on your last line:
# REQUIRED FOR SYSTEMD: 0 means clean no error
exit 0
You may also need to add:
Type=forking
to the systemd entry similar to: https://serverfault.com/questions/751030/systemd-ignores-return-code-while-starting-service
If your service or script does not fork add a & at the end to run it in the background, and exit with 0 fast. Otherwise it will be like a startup that times out and takes forever / seems like frozen service.

Resources