Run as a (HTTPS) service with systemd - Debian

Hi,
I am following this great tutorial:
https://pydio.com/en/docs/kb/deployment/install-cells-debianubuntu
My setup is a Debian 11 (lxc container)
HTTPS protocol and Let’s Encrypt

…but the grpc and proxy services can’t start with systemd :frowning:

If I su - pydio and start cells manually, it is running fine, all services loaded successfully.

I added the CADDYPATH environment variable to my cells.service file, and now the cells systemd service is working fine :slight_smile:

Here is a sample:

[Unit]
Description=Pydio Cells
Documentation=https://pydio.com
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/opt/pydio/bin/cells

[Service]
User=pydio
Group=pydio
WorkingDirectory=/home/pydio
PermissionsStartOnly=true

AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/opt/pydio/bin/cells start
Restart=on-failure
StandardOutput=journal
StandardError=inherit
LimitNOFILE=65536
TimeoutStopSec=5
KillSignal=INT
SendSIGKILL=yes
SuccessExitStatus=0

Environment=CELLS_LOGS_LEVEL=production
Environment=CELLS_ENABLE_METRICS=false
Environment=CELLS_WORKING_DIR=/var/cells
Environment=CADDYPATH=/var/cells/certs

[Install]
WantedBy=multi-user.target

Did you try adding another environment variable for gRPC, namely:

Environment=CELLS_GRPC_EXTERNAL=33060

Are you using nginx or Apache?

This is a
Pydio Cells Home Edition
Version: 2.2.2

And I am not using any external proxy

Oh — in that case, it means that Pydio Cells must serve HTTPS directly on its own, and that means that the pydio user needs to have permission to open port 443.

On the tutorial that you followed, did you manage to give that permission by using the following command:

sudo setcap 'cap_net_bind_service=+ep' /opt/pydio/bin/cells

Did you get any errors when running this? You can test if the command worked with

sudo getcap /opt/pydio/bin/cells

which should return:

/opt/pydio/bin/cells = cap_net_bind_service+ep

I’m actually not quite sure if this is your issue since your cells.service file does, indeed, include AmbientCapabilities=CAP_NET_BIND_SERVICE, which should essentially do the same thing… also, if su - pydio allows you to start Cells manually, it would seem that everything is fine.

I have no experience whatsoever with LXC, but perhaps there are some limitations when running inside a container? For instance, maybe systemd is more restricted in what it can and cannot do — imagine that it might not be able to execute AmbientCapabilities=CAP_NET_BIND_SERVICE? I’m wildly speculating here, as said, I have no knowledge of how the LXC containers work…
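
One way to check the question left open above, added here as an example and not posted by anyone in the thread: read the capability masks of the running service from /proc/PID/status and report whether CAP_NET_BIND_SERVICE (bit 10) is present in each set. The function names and both sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from the thread.
# Real use on the host from the thread (unit name cells.service):
#   bind_report < "/proc/$(systemctl show -p MainPID --value cells)/status"
CAP_NET_BIND_SERVICE_BIT=10   # bit number from <linux/capability.h>

# has_cap HEXMASK BIT: succeeds when BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_field FIELD: reads /proc/PID/status text on stdin, prints FIELD's mask.
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# bind_report: reads status text on stdin and prints, per capability set,
# whether CAP_NET_BIND_SERVICE is present.
# CapBnd=no means file capabilities (setcap) cannot grant it at execve.
bind_report() {
    status=$(cat)
    out=""
    for field in CapPrm CapEff CapBnd CapAmb; do
        mask=$(printf '%s\n' "$status" | cap_field "$field")
        if [ -n "$mask" ] && has_cap "$mask" "$CAP_NET_BIND_SERVICE_BIT"; then
            out="$out $field=yes"
        else
            out="$out $field=no"
        fi
    done
    echo "${out# }"
}

# Constructed sample: unprivileged service that received the ambient capability.
SAMPLE_GRANTED='CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000400'

# Constructed sample: bit 10 cleared from the bounding set, nothing granted.
SAMPLE_DENIED='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001fffffffbff
CapAmb: 0000000000000000'

printf '%s\n' "$SAMPLE_GRANTED" | bind_report
printf '%s\n' "$SAMPLE_DENIED"  | bind_report
```

Running it against the service started by systemd and again against a process started after `su - pydio` shows which capability set differs between the two launch paths.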
