Problem with filemanager plugin and systemd

I’ve tried to set up a filemanager site with the Caddy plugin http.filemanager.
My Caddy version is Caddy 0.11.0 (non-commercial use only).
I have set the database path in the Caddyfile, and I am trying to manage the daemon with systemctl:

systemctl start caddy
systemctl status caddy

and it shows me a failure:

● caddy.service - Caddy HTTP/2 web server
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-05-21 10:14:00 CST; 35min ago
     Docs: https://caddyserver.com/docs
  Process: 31989 ExecStart=/usr/local/bin/caddy -conf /etc/caddy/Caddyfile -root /tmp (code=exited, status=1/FAILURE)
 Main PID: 31989 (code=exited, status=1/FAILURE)

5月 21 10:14:00 Host systemd[1]: Started Caddy HTTP/2 web server.
5月 21 10:14:00 Host caddy[31989]: Activating privacy features... done.
5月 21 10:14:00 Host caddy[31989]: 2018/05/21 10:14:00 open /etc/caddy/filemanager.db: read-only file system
5月 21 10:14:00 Host systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
5月 21 10:14:00 Host systemd[1]: caddy.service: Failed with result 'exit-code'.

I checked the permissions of the database file:

$ ls -la /etc/caddy/
总用量 60
drwxr-xr-x   2 www-data www-data  4096 5月  20 21:03 .
drwxr-xr-x 114 root     root     12288 5月  19 17:53 ..
-rw-r--r--   1 www-data www-data   999 5月  20 21:03 Caddyfile
-rw-r--r--   1 www-data www-data 65536 5月  20 21:19 filemanager.db

Here is my Caddyfile:

$ cat /etc/caddy/Caddyfile
file.mydomain:443 {
  log /var/log/caddy/fileserver.log {
    rotate_size 5
    rotate_age 20
    rotate_keep 20
    rotate_compress
  }
  tls myemail@gmail.com
  filemanager / /mnt/CloudDisk {
    url /
    database /etc/caddy/filemanager.db
    allow_new false
    allow_publish true
    allow_edit false
    allow_commands false
    locale zh_cn
  }
}

The systemd unit file:

$ cat /etc/systemd/system/caddy.service | sed -e '/^;/d'
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal
User=www-data
Group=www-data
Environment=CADDYPATH=/etc/ssl/caddy
ExecStart=/usr/local/bin/caddy -conf /etc/caddy/Caddyfile -root /tmp
ExecReload=/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

I also tried to run caddy with user www-data in command line without systemd, and it works:

$ sudo -u www-data caddy -conf /etc/caddy/Caddyfile -root /tmp/
Activating privacy features... done.
https://file.mydomain
http://file.mydomain
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".

So it really confuses me why it can’t work with systemd…

I’ve tried to delete the database line in the Caddyfile and restart caddy. It said: "A database is going to be created for your File Manager instance at /etc/ssl/caddy/filemanager/4ed115735b4f7b1c8c9749fad3f9af19.db. It is highly recommended that you set the 'database' option to '4ed115735b4f7b1c8c9749fad3f9af19.db'".

Then I set the database to /etc/ssl/caddy/filemanager/4ed115735b4f7b1c8c9749fad3f9af19.db and it works.

So for now I’m just asking: why can’t it work if I set database to my custom path?

The answer for this oddity is within the systemd unit file:

ProtectSystem=full

From the documentation:

Takes a boolean argument or the special values “full” or “strict”. If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to “full”, the /etc directory is mounted read-only, too.

(systemd.exec)

Immediately after that, we have this line:

ReadWriteDirectories=/etc/ssl/caddy

Which explicitly grants Caddy the ability to read and write to this directory only. So regardless of the permissions on the host, systemd has made it impossible to write in /etc outside of that location.

1 Like
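As an added example (not from the thread or from the Caddy project), a small POSIX sh checker that applies the ProtectSystem= and ReadWriteDirectories= rules explained above to a path, so a failure like the one in the question can be predicted from the unit file before the service is started. The sample unit and the checked paths are constructed from the thread; file permission bits and PrivateTmp= are deliberately not modelled.

```shell
#!/bin/sh
# Added example: predict whether a ProtectSystem=-confined service can write a path,
# honouring ReadWriteDirectories=/ReadWritePaths= exceptions. Only the mount-level
# rules are modelled: file permission bits, PrivateTmp= etc. are out of scope.
# Usage: predict_writable UNIT_FILE PATH   (exit 0 = writable, 1 = read-only)
predict_writable() {
  unit=$1 target=$2
  protect=$(sed -n 's/^ProtectSystem=[[:space:]]*//p' "$unit" | tail -n 1)
  # Both directive names exist; entries may repeat or be space-separated, and a
  # leading '-' (ignore if missing) is stripped before matching.
  rw=$(sed -n -e 's/^ReadWriteDirectories=//p' -e 's/^ReadWritePaths=//p' "$unit" | tr -s ' ' '\n')
  for p in $rw; do
    p=${p#-}
    case "$target" in
      "$p"|"$p"/*) echo "writable:  $target (ReadWriteDirectories=$p)"; return 0 ;;
    esac
  done
  case "$protect" in
    ""|no|false|0) ro_dirs="" ;;
    yes|true|1)    ro_dirs="/usr /boot" ;;        # newer systemd also adds /efi
    full)          ro_dirs="/usr /boot /etc" ;;
    strict)  # everything read-only except the API filesystems
      case "$target" in
        /dev/*|/proc/*|/sys/*) echo "writable:  $target (API filesystem)"; return 0 ;;
      esac
      echo "read-only: $target (ProtectSystem=strict)"; return 1 ;;
    *) echo "unknown ProtectSystem value: $protect" >&2; return 2 ;;
  esac
  for d in $ro_dirs; do
    case "$target" in
      "$d"|"$d"/*) echo "read-only: $target is under $d (ProtectSystem=$protect)"; return 1 ;;
    esac
  done
  echo "writable:  $target (not covered by ProtectSystem=$protect)"; return 0
}

# Constructed sample: the hardening directives from the thread's caddy.service.
SAMPLE_UNIT=$(mktemp)
cat >"$SAMPLE_UNIT" <<'EOF'
[Service]
ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
EOF

for path in /etc/caddy/filemanager.db \
            /etc/ssl/caddy/filemanager/4ed115735b4f7b1c8c9749fad3f9af19.db \
            /var/log/caddy/fileserver.log; do
  predict_writable "$SAMPLE_UNIT" "$path" || :
done
```

Running it against the sample unit reports the custom /etc/caddy path as read-only and the /etc/ssl/caddy path as writable, matching the behaviour observed in the thread.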

Great job! Thank you!

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.