    kopano-konnectd

    Kopano Groupware Core
    • thctlo
      thctlo last edited by

      hai,

      I'm setting up a new server and I noticed the following.

      ( small bug )
      systemctl cat kopano-konnectd
      shows:
      ExecStartPre=/usr/sbin/kopano-konnectd setup

      but by default kopano is running as user kopano.
      /etc/kopano is owned by root.

      Great idea to have it generated at first start, but it's unable to write the key. :-(
      results in:

      systemctl status kopano-konnectd.service
      ● kopano-konnectd.service - Kopano Konnect Daemon
         Loaded: loaded (/lib/systemd/system/kopano-konnectd.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Tue 2018-12-18 16:23:30 CET; 10s ago
        Process: 29652 ExecStart=/usr/sbin/kopano-konnectd serve --log-timestamp=false (code=exited, status=1/FAILURE)
       Main PID: 29652 (code=exited, status=1/FAILURE)
      
      Dec 18 16:23:30 mail1 systemd[1]: Started Kopano Konnect Daemon.
      Dec 18 16:23:30 mail1 kopano-konnectd[29652]: level=info msg="serve start"
      Dec 18 16:23:30 mail1 kopano-konnectd[29652]: level=warning msg="missing --encryption-secret parameter, using random encyption secret with 32 bytes"
      Dec 18 16:23:30 mail1 kopano-konnectd[29652]: level=warning msg="missing --signing-private-key parameter, using random 2048 bit signing key" alg=PS256
      Dec 18 16:23:30 mail1 systemd[1]: kopano-konnectd.service: Main process exited, code=exited, status=1/FAILURE
      Dec 18 16:23:30 mail1 systemd[1]: kopano-konnectd.service: Unit entered failed state.
      Dec 18 16:23:30 mail1 systemd[1]: kopano-konnectd.service: Failed with result 'exit-code'.
      
      • fbartels
        fbartels Kopano last edited by

        Hi @thctlo ,

        which os did you have this on?

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/

        • thctlo
          thctlo last edited by thctlo

          Debian 9, clean install; running the command manually works fine, but as root.

          I forgot to mention.

          kopano-konnectd:
          Installed: 0.16.1-0+24.1

          pulled yesterday from the downloads site.

          • fbartels
            fbartels Kopano last edited by

            I can install and run konnect just fine on a Debian 9 test installation. konnect is also 0.16.1-0+24.1

            Regards Felix

            • thctlo
              thctlo last edited by thctlo

              and if you run as kopano then you will see…
              from my syslog

              Dec 18 15:08:56 mail1 systemd[1]: Starting Kopano Konnect Daemon...
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: mkdir: cannot create directory ‘/etc/kopano/konnectkeys’: Read-only file system
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: setup: creating new RSA private key at /etc/kopano/konnectkeys/konnect-20181218-ef22.pem ...
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: genpkey: Can't open "/etc/kopano/konnectkeys/konnect-20181218-ef22.pem" for writing, No such file or directory
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: setup: creating new secret key at /etc/kopano/konnectd-encryption-secret.key ...
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: Can't open /etc/kopano/konnectd-encryption-secret.key for writing, Read-only file system
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: 140162808624512:error:0200101E:system library:fopen:Read-only file system:../crypto/bio/bss_file.c:74:fopen('/etc/kopano/konnectd-encryption-secret.key','wb')
              Dec 18 15:08:56 mail1 kopano-konnectd[28648]: 140162808624512:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:83:
              Dec 18 15:08:56 mail1 systemd[1]: Started Kopano Konnect Daemon.
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="serve start"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=warning msg="missing --encryption-secret parameter, using random encyption secret with 32 bytes"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=warning msg="missing --signing-private-key parameter, using random 2048 bit signing key" alg=PS256
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="encryption set up with 32 key size"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=warning msg="limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="kc server identifier backend connection set up" client="KCC(file:///run/kopano/server.sock)"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="identifier set up" security="A256GCM:A256GCMKW"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="using identifier backed identity manager"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="identity manager set up" claims=[name family_name given_name email email_verified] name=kc scopes=[offline_access kopano/gc profile email konnect/id konnect/raw_sub]
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="set provider signing key" alg=PS256 id= type="*rsa.PrivateKey"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="set provider validation key" id= type="*rsa.PublicKey"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="oidc token signing set up"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="serve started"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="starting http listener" listenAddr="127.0.0.1:8777"
              Dec 18 15:08:56 mail1 kopano-konnectd[28656]: level=info msg="ready to handle requests"
              
               ls -al /etc | grep kopano
              drwxr-xr-x   6 root root    4096 Dec 18 16:21 kopano
              

              I suggest that the installer of kopano-konnectd add a separate folder /etc/kopano/konnectd and put the needed files there.

              • fbartels
                fbartels Kopano last edited by

                well actually the binary runs as the user “konnect”.

                root@felix-debian-9-supported-master:~# ls -la /etc/kopano/
                total 120
                drwxr-xr-x  8 root    root      29 Dec 19 14:37 .
                drwxr-xr-x 82 root    root     155 Dec 19 14:37 ..
                -rw-r--r--  1 root    root     173 Oct  5 15:48 admin.cfg
                -rw-r--r--  1 root    root     671 Oct  5 15:48 autorespond.cfg
                -rw-r--r--  1 root    root     937 Oct  5 15:48 backup.cfg
                -rw-r--r--  1 root    root    6404 Nov  5 16:41 dagent.cfg
                -rw-r--r--  1 root    root    6379 Nov  5 18:52 dagent.cfg.save
                -rw-r--r--  1 root    root    3922 Oct  5 15:48 gateway.cfg
                -rw-r--r--  1 root    root    2666 Oct  5 15:48 ical.cfg
                -rw-r--r--  1 root    root    6084 Dec  3 09:58 konnectd.cfg
                -rw-------  1 konnect root      32 Dec 19 14:37 konnectd-encryption-secret.key
                lrwxrwxrwx  1 root    root      49 Dec 19 14:37 konnectd-signing-private-key.pem -> /etc/kopano/konnectkeys/konnect-20181219-711e.pem
                drwx------  2 konnect root       3 Dec 19 14:37 konnectkeys
                -rw-r-----  1 root    kopano  2218 Nov  5 16:48 ldap.cfg
                -rw-r--r--  1 root    root     786 Oct  5 15:48 migration-pst.cfg
                -rw-r--r--  1 root    root    2258 Oct  5 15:48 monitor.cfg
                -rw-r--r--  1 root    root    1799 Oct  5 15:49 presence.cfg
                drwxr-xr-x  2 root    root       6 Dec 19 14:32 quotamail
                -rw-r--r--  1 root    root    2954 Oct  5 15:48 search.cfg
                -rw-r--r--  1 root    root   16753 Nov  5 16:40 server.cfg
                -rw-r--r--  1 root    root   16746 Nov  5 18:50 server.cfg.save
                -rw-r--r--  1 root    root    1470 Oct 18 13:52 spamd.cfg
                -rw-r--r--  1 root    root    5191 Oct  5 15:48 spooler.cfg
                drwxr-xr-x  2 root    root       5 Oct  5 15:48 ssl
                drwxr-xr-x  2 root    root       4 Oct  5 15:48 sslkeys
                -rw-r--r--  1 root    root    1332 Oct  5 15:48 unix.cfg
                drwxr-xr-x  8 root    root       8 Oct  5 15:48 userscripts
                drwxr-xr-x  2 root    root      20 Dec 19 14:32 webapp
                -rw-r--r--  1 root    root    9832 Oct  5 15:49 webmeetings.cfg
                root@felix-debian-9-supported-master:~# ps aux | grep konnect
                konnect   3530  0.0  0.2 113060  5556 ?        Ssl  14:37   0:00 /usr/libexec/kopano/konnectd serve --identifier-client-path=/usr/share/kopano-konnect/identifier-webapp --identifier-registration-conf= --iss=https://localhost --log-timestamp=false --signing-private-key=/etc/kopano/konnectd-signing-private-key.pem --validation-keys-path=/etc/kopano/konnectkeys --encryption-secret=/etc/kopano/konnectd-encryption-secret.key kc
                

                Regards Felix

                • thctlo
                  thctlo last edited by thctlo

                  so now it's even more wrong.

                  -rw-------  1 konnect root      32 Dec 19 14:37 konnectd-encryption-secret.key
                  

                  and

                  drwx------  2 konnect root       3 Dec 19 14:37 konnectkeys
                  

                  who “owns” /etc/kopano?
                  so konnect can't write there? In my default install it can't. Are you sure it works fine at your side? Because here it doesn't…

                  • fbartels
                    fbartels Kopano last edited by fbartels

                    you can see who owns my /etc/kopano in my last reply.

                    I am not at 100% with my systemd knowledge, but I would assume that the command in ExecStartPre is actually run by the root user.

                    Sadly I am completely missing what you are trying to achieve. What command are you running and how?

                    Are you just seeing the commands in the systemd unit and try to run them by hand?

                    Regards Felix

                    • thctlo
                      thctlo last edited by thctlo

                      It's pretty simple what I do here.

                      apt install kopano-konnectd
                      

                      And the result is above.

                      • thctlo
                        thctlo last edited by thctlo

                        apt-get remove --purge kopano-konnectd
                        Reading package lists… Done
                        Building dependency tree
                        Reading state information… Done
                        The following packages will be REMOVED:
                        kopano-konnectd*
                        0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
                        After this operation, 15.8 MB disk space will be freed.
                        Do you want to continue? [Y/n] Y
                        (Reading database … 65424 files and directories currently installed.)
                        Removing kopano-konnectd (0.16.1-0+24.1) …
                        (Reading database … 65368 files and directories currently installed.)
                        Purging configuration files for kopano-konnectd (0.16.1-0+24.1) …

                        so it's gone.
                        Reinstalled it.

                        apt install kopano-konnectd
                        
                        ps fax  | grep konnectd
                         7628 pts/0    S+     0:00                      \_ grep konnectd
                         7582 ?        Ssl    0:00 /usr/libexec/kopano/konnectd serve --identifier-client-path=/usr/share/kopano-konnect/identifier-webapp --identifier-registration-conf= --iss=https://localhost --log-timestamp=false kc
                        
                        

                        so it started yes…

                        root@mail1:/etc/kopano# ls -al
                        total 116
                        drwxr-xr-x   6 root root  4096 Dec 19 16:31 .
                        drwxr-xr-x 109 root root 12288 Dec 18 15:08 ..
                        -rw-r--r--   1 root root   265 Dec 18 13:49 admin.cfg
                        -rw-r--r--   1 root root  1032 Dec 12 01:07 autorespond
                        -rw-r--r--   1 root root   671 Dec 12 01:07 autorespond.cfg
                        -rw-r--r--   1 root root   937 Dec 12 01:07 backup.cfg
                        -rw-r--r--   1 root root  6382 Dec 12 01:07 dagent.cfg
                        -rw-r--r--   1 root root  3922 Dec 12 01:07 gateway.cfg
                        -rw-r--r--   1 root root  2666 Dec 12 01:07 ical.cfg
                        -rw-r--r--   1 root root  6084 Dec  3 09:58 konnectd.cfg
                        -rw-r--r--   1 root root  2077 Dec 18 14:09 ldap.cfg
                        -rw-r--r--   1 root root  2258 Dec 12 01:07 monitor.cfg
                        drwxr-xr-x   2 root root  4096 Dec 17 15:58 quotamail
                        -rw-r--r--   1 root root  2954 Dec 12 01:07 search.cfg
                        -rw-r--r--   1 root root 16796 Dec 18 15:07 server.cfg
                        -rw-r--r--   1 root root  5191 Dec 12 01:07 spooler.cfg
                        drwxr-xr-x   2 root root  4096 Dec 18 12:12 ssl
                        -rw-r--r--   1 root root  1332 Dec 12 01:07 unix.cfg
                        drwxr-xr-x   8 root root  4096 Dec  6 16:44 userscripts
                        drwxr-xr-x   2 root root  4096 Dec 18 09:47 webapp
                        

                        no keys ?

                        and the syslog part.

                        Dec 19 16:31:04 mail1 systemd[1]: Starting Kopano Konnect Daemon...
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: mkdir: cannot create directory ‘/etc/kopano/konnectkeys’: Read-only file system
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: setup: creating new RSA private key at /etc/kopano/konnectkeys/konnect-20181219-fae3.pem ...
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: genpkey: Can't open "/etc/kopano/konnectkeys/konnect-20181219-fae3.pem" for writing, No such file or directory
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: setup: creating new secret key at /etc/kopano/konnectd-encryption-secret.key ...
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: Can't open /etc/kopano/konnectd-encryption-secret.key for writing, Read-only file system
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: 140447356368256:error:0200101E:system library:fopen:Read-only file system:../crypto/bio/bss_file.c:74:fopen('/etc/kopano/konnectd-encryption-secret.key','wb')
                        Dec 19 16:31:04 mail1 kopano-konnectd[7574]: 140447356368256:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:83:
                        Dec 19 16:31:04 mail1 systemd[1]: Started Kopano Konnect Daemon.
                        Dec 19 16:31:04 mail1 kopano-konnectd[7582]: level=info msg="serve start"
                        Dec 19 16:31:04 mail1 kopano-konnectd[7582]: level=warning msg="missing --encryption-secret parameter, using random encyption secret with 32 bytes"
                        Dec 19 16:31:04 mail1 kopano-konnectd[7582]: level=warning msg="missing --signing-private-key parameter, using random 2048 bit signing key" alg=PS256
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="encryption set up with 32 key size"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=warning msg="limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="kc server identifier backend connection set up" client="KCC(file:///run/kopano/server.sock)"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="identifier set up" security="A256GCM:A256GCMKW"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="using identifier backed identity manager"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="identity manager set up" claims=[name family_name given_name email email_verified] name=kc scopes=[offline_access kopano/gc profile email konnect/id konnect/raw_sub]
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="set provider signing key" alg=PS256 id= type="*rsa.PrivateKey"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="set provider validation key" id= type="*rsa.PublicKey"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="oidc token signing set up"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="serve started"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="starting http listener" listenAddr="127.0.0.1:8777"
                        Dec 19 16:31:05 mail1 kopano-konnectd[7582]: level=info msg="ready to handle requests"
                        

                        so tell me how did you do it without running it manually: /usr/sbin/kopano-konnectd setup
                        Not that I mind running it manually, but it's a bug.

                        • fbartels
                          fbartels Kopano @thctlo last edited by

                          @thctlo said in kopano-konnectd:

                          apt install kopano-konnectd

                          that is absolutely the same as what I did. The main difference may be that all our test systems are running in lxc, and there systemd sometimes seems to behave a bit differently. The "mkdir: cannot create directory ‘/etc/kopano/konnectkeys’: Read-only file system" message was providing a clue that I am currently investigating.

                          Regards Felix

                          • thctlo
                            thctlo last edited by thctlo

                            Ah great, I'm not in containers; it’s a setup for my production server here and konnectd looked interesting so I installed it.
                            If you need more info, just ask.

                            • longsleep
                              longsleep Kopano last edited by

                              Thanks for reporting - this is a problem with older systemds (which have unfixed https://github.com/systemd/systemd/issues/5308), which leads to the ExecStartPre command running in a restricted (read-only) environment since ProtectSystem is wrongfully activated even when PermissionsStartOnly is given.

                              Not sure yet if we can fix this without sacrificing ProtectSystem on those systems. A manual workaround after installation is to run the setup script manually with the correct user.

                              USER=konnect /usr/sbin/kopano-konnectd setup
                              

                              This will set up some ready-to-use keys and set permissions correctly so that a subsequent start of Konnect should pick them up properly.

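A check to run after the manual workaround above, as an added example that is not part of this thread or of Kopano's packaging: it audits the files that `/usr/sbin/kopano-konnectd setup` is expected to leave under /etc/kopano (the encryption secret, the konnectkeys directory and its .pem files, and the signing-key symlink, as in fbartels's listing) for ownership by the service user and for a mode that grants nothing to group or other. The paths, file names and the "konnect" user come from the thread; the sample trees it builds under a temporary directory are constructed, and it assumes GNU coreutils (`stat -L -c`).

```shell
#!/bin/sh
# Added example, not Kopano's code: audit the key material the setup step leaves
# under /etc/kopano. Assumes GNU coreutils (stat -L -c). The "konnect" user,
# paths and file names follow the thread; the demo trees below are constructed.

# owner_matches FILE OWNER -> 0 when FILE (symlinks followed) is owned by OWNER,
# given as a user name or a numeric uid; an unknown user name never matches
owner_matches() {
    want=$2
    case $want in
        *[!0-9]*) want=$(id -u "$want" 2>/dev/null) || return 1 ;;
    esac
    [ "$(stat -L -c '%u' "$1")" = "$want" ]
}

# key_perms_ok FILE OWNER -> 0 when FILE exists, belongs to OWNER and its mode
# grants nothing to group or other; findings are written to stderr
key_perms_ok() {
    file=$1; owner=$2
    if [ ! -e "$file" ]; then echo "missing: $file" >&2; return 1; fi
    if ! owner_matches "$file" "$owner"; then
        echo "wrong owner: $file is owned by uid $(stat -L -c '%u' "$file"), want $owner" >&2; return 1
    fi
    mode=$(stat -L -c '%a' "$file")
    go=${mode#"${mode%??}"}        # last two octal digits = group and other bits
    if [ "$go" != 00 ]; then
        echo "too permissive: $file is mode $mode (group/other must be 0)" >&2; return 1
    fi
    return 0
}

# audit_konnect_keys ETCDIR OWNER -> prints the number of problems found.
# Layout from fbartels's listing: the encryption secret, the konnectkeys
# directory, the signing-key symlink (target is checked) and every .pem inside.
audit_konnect_keys() {
    etc=$1; owner=$2; problems=0
    for f in "$etc/konnectd-encryption-secret.key" "$etc/konnectkeys" \
             "$etc/konnectd-signing-private-key.pem"; do
        key_perms_ok "$f" "$owner" || problems=$((problems + 1))
    done
    for pem in "$etc"/konnectkeys/*.pem; do
        [ -e "$pem" ] || continue                 # unmatched glob stays literal
        key_perms_ok "$pem" "$owner" || problems=$((problems + 1))
    done
    echo "$problems"
}

# make_demo_tree good|bad -> builds a constructed /etc/kopano look-alike in a
# temp dir and prints its path. "good" mirrors fbartels's listing; "bad" leaves
# the secret world-readable and omits the signing-key symlink.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/konnectkeys"
    pem=$d/konnectkeys/konnect-20181219-711e.pem
    printf 'constructed placeholder, not a real RSA key\n' > "$pem"
    printf 'constructed placeholder, not a real secret\n' > "$d/konnectd-encryption-secret.key"
    chmod 600 "$pem" "$d/konnectd-encryption-secret.key"
    if [ "$1" = good ]; then
        ln -s "$pem" "$d/konnectd-signing-private-key.pem"
    else
        chmod 644 "$d/konnectd-encryption-secret.key"
    fi
    echo "$d"
}

# Stand-alone demo on the constructed trees (the current uid stands in for konnect)
me=$(id -u)
good=$(make_demo_tree good); bad=$(make_demo_tree bad)
echo "good tree: $(audit_konnect_keys "$good" "$me") problem(s)"   # 0
echo "bad tree: $(audit_konnect_keys "$bad" "$me") problem(s)"     # 2
rm -rf "$good" "$bad"
# On a real host, after the workaround: audit_konnect_keys /etc/kopano konnect
```

The audit follows symlinks on purpose: the listing shows the signing key reached through a root-owned symlink, and what matters is the mode and owner of the target file, not of the link.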
                              • longsleep
                                longsleep Kopano @longsleep last edited by

                                @longsleep said in kopano-konnectd:

                                Not sure yet if we can fix this without sacrificing ProtectSystem on those systems. A manual workaround after installation is to run the setup script manually with the correct user.

                                After thinking about it I might have a solution. We can move the setup call to the postinst of the packaging, which always runs unrestricted and does not rely on proper systemd behavior. @fbartels @thctlo what do you think about that?

                                • thctlo
                                  thctlo last edited by thctlo

                                  Yes, that looks like a good workaround.

                                  But if the folder is obligatory, why not put the folder /etc/kopano/konnectd in the file kopano-konnectd.install?
                                  Then it's created at install.
                                  If I may, I suggest a structure of:
                                  /etc/kopano/konnect/rsa
                                  /etc/kopano/konnect/secret

                                  something like that, split up pubkeys and privkeys.
                                  or
                                  use the install command to set up the folder with:
                                  install -d /etc/kopano/konnect -o konnect -g kopano -m 640

                                  And now you can set the correct user:group on /etc/kopano/konnect and sub folders.
                                  But that's what I think should be done.

                                  Then running /usr/sbin/kopano-konnectd setup will work also.

                                  • longsleep
                                    longsleep Kopano @thctlo last edited by

                                    @thctlo said in kopano-konnectd:

                                    But if the folder is obligatory, why not put the folder /etc/kopano/konnectd in the file kopano-konnectd.install?

                                    This would not make a difference. No folder is writable, since systemd creates a new mount namespace which prevents that for security reasons (as defined by the restrictions in the service file).

                                    Folder permissions and/or ownership are unrelated. Of course the actual service process needs to access those files, but that is what setup is making sure of (if the setup can write, since it is supposed to run unrestricted but is not on older systemds).

                                    Regarding a different folder structure in general: well, it is simple to have a single folder for keys. Also note that konnect can use other types of keys (non-RSA).

                                    • thctlo
                                      thctlo last edited by

                                      Hai, ok so this is handled by the settings ProtectSystem=full and PermissionsStartOnly=true

                                      You don't see these often, I'll have a deeper look at this.
                                      Thank you for the clarification.

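As an added example (not the packaged unit, which the thread never quotes in full), the shell functions below read a systemd unit and report which paths its ProtectSystem= setting mounts read-only, so a practitioner can see at a glance whether the setup step's write targets fall inside the sandbox that the two settings just named describe. The unit text is a constructed approximation built only from values visible in the thread (User=konnect, PermissionsStartOnly=true, ProtectSystem=full, ExecStartPre=/usr/sbin/kopano-konnectd setup); the ReadWritePaths= variant is an assumption about one way to carve the key directory out of the read-only set, not what Kopano chose (the thread ends with moving setup into postinst). Only ProtectSystem=, ReadWritePaths= and the older ReadWriteDirectories= are modelled; ReadOnlyPaths= and InaccessiblePaths= are not.

```shell
#!/bin/sh
# Added example, not Kopano's code: model what ProtectSystem= makes read-only
# for a unit and test candidate write paths against that model.

# unit_last_value UNITTEXT KEY -> last value assigned to KEY= ("" if unset or reset)
unit_last_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tail -n 1
}

# unit_all_values UNITTEXT KEY -> every value assigned to KEY=, space-joined;
# an empty "KEY=" line resets the list, as systemd does for list settings
unit_all_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" |
        awk '{ if ($0 == "") acc = ""; else acc = acc " " $0 } END { print acc }'
}

# readonly_roots VALUE -> directory roots that ProtectSystem=VALUE mounts read-only
readonly_roots() {
    case $1 in
        strict)            echo "/" ;;
        full)              echo "/usr /boot /etc" ;;
        true|yes|on|1|t|y) echo "/usr /boot" ;;
        *)                 echo "" ;;
    esac
}

# path_under PATH ROOT -> 0 when PATH is ROOT or lies below it
path_under() {
    [ -n "$2" ] || return 1
    [ "$2" = / ] && return 0
    case $1 in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# write_blocked UNITTEXT PATH -> 0 when the unit's sandbox makes PATH read-only,
# 1 when a write would be allowed (ReadWritePaths= entries override ProtectSystem=)
write_blocked() {
    level=$(unit_last_value "$1" ProtectSystem)
    rw="$(unit_all_values "$1" ReadWritePaths) $(unit_all_values "$1" ReadWriteDirectories)"
    for r in $rw; do
        r=${r#[+-]}                  # strip the optional '+' / '-' entry prefixes
        if path_under "$2" "$r"; then return 1; fi
    done
    for ro in $(readonly_roots "$level"); do
        if path_under "$2" "$ro"; then return 0; fi
    done
    return 1
}

# report_setup_paths UNITTEXT PATH... -> one verdict per path on stderr,
# the number of read-only paths on stdout
report_setup_paths() {
    unit=$1; shift; blocked=0
    level=$(unit_last_value "$unit" ProtectSystem)
    pso=$(unit_last_value "$unit" PermissionsStartOnly)
    echo "ExecStartPre=$(unit_last_value "$unit" ExecStartPre) User=$(unit_last_value "$unit" User) PermissionsStartOnly=${pso:-no} ProtectSystem=${level:-no}" >&2
    for p; do
        if write_blocked "$unit" "$p"; then
            echo "  $p: read-only under ProtectSystem=${level:-no}; on a systemd still affected by systemd issue 5308 the setup step fails here despite PermissionsStartOnly" >&2
            blocked=$((blocked + 1))
        else
            echo "  $p: writable" >&2
        fi
    done
    echo "$blocked"
}

# Constructed approximation of the unit discussed in the thread (not the packaged file)
KONNECT_UNIT='[Unit]
Description=Kopano Konnect Daemon

[Service]
User=konnect
PermissionsStartOnly=true
ProtectSystem=full
ExecStartPre=/usr/sbin/kopano-konnectd setup
ExecStart=/usr/sbin/kopano-konnectd serve --log-timestamp=false'

# Assumption for comparison: the same unit with the key directory carved out of
# the read-only set via ReadWritePaths= (one option; not what Kopano chose)
KONNECT_UNIT_RW="$KONNECT_UNIT
ReadWritePaths=/etc/kopano"

# Stand-alone demo: the two targets the thread's log shows setup writing, plus the runtime socket dir
report_setup_paths "$KONNECT_UNIT" /etc/kopano/konnectkeys /etc/kopano/konnectd-encryption-secret.key /run/kopano      # 2
report_setup_paths "$KONNECT_UNIT_RW" /etc/kopano/konnectkeys /etc/kopano/konnectd-encryption-secret.key /run/kopano   # 0
# On a real host: report_setup_paths "$(systemctl cat kopano-konnectd)" /etc/kopano/konnectkeys
```

The report is a static reading of the unit, not a claim about the running systemd: on a fixed systemd the ExecStartPre step escapes the sandbox as the unit intends, on an affected one it does not, and the function only tells you which paths are at stake either way.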