podman syncthing permission denied error

[tazihad]

This my podman quadlet for syncthing:

[Unit]
Description=Podman syncthing.service
Wants=network-online.target
After=network-online.target

[Service]
Restart=on-failure
TimeoutStartSec=900

[Container]
Image=docker.io/syncthing/syncthing:latest
ContainerName=syncthing
AutoUpdate=registry
PublishPort=127.0.0.1:8384:8384
PublishPort=22000:22000/tcp
PublishPort=22000:22000/udp
PublishPort=21027:21027/udp
#UserNS=keep-id:uid=2024,gid=2024
UserNS=keep-id

Volume=%h/.config/syncthing:/var/syncthing/config:Z

# Folders to share
Volume=%h/syncthing:/var/syncthing:Z

[Install]
WantedBy=default.target

host id:

uid=2024(zihad) gid=2024(zihad) groups=2024(zihad),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The problem is selinux.

Here's my issue. Syncthing looks to be working great. But when I put a file to sync folder manually syncthing is unable to sync because of permission denied error. but If I restart podman service. the issue is fixed and permission denied error gone. I have found out why the issue happens.

ls -lZ
total 9764
-rw-r--r--. 1 zihad zihad system_u:object_r:container_file_t:s0:c170,c468  387601 Aug 20 21:55 92s02t8qlu1.jpg
-rw-r--r--. 1 zihad zihad system_u:object_r:container_file_t:s0:c170,c468 3236570 Aug 26 01:38 IMG_20240826_013817.jpg
-rw-r--r--. 1 zihad zihad system_u:object_r:container_file_t:s0:c170,c468 4099652 Aug 26 02:08 IMG_20240826_020837.jpg
-rw-r--r--. 1 zihad zihad unconfined_u:object_r:container_file_t:s0         91173 Aug 20 21:45 IMG_fdsfdsfdsf_26.jpg

As you can see the file I manually pasted on the sync folder is labelled with unconfined_u. Hence syncthing is getting permission denied. :Z seems not autorelabelling. What am I missing here?
Note that I can fix the permission error temporarily by

podman unshare chcon -R -t container_file_t ~/syncthing

This relabels the file that I put manually.

podman version 5.2.1
Fedora Kinoite 40

[tazihad]

for now it works by disabling selinux

[Container]
Image=docker.io/syncthing/syncthing:latest
ContainerName=syncthing
AutoUpdate=registry
PublishPort=127.0.0.1:8384:8384
PublishPort=22000:22000/tcp
PublishPort=22000:22000/udp
PublishPort=21027:21027/udp
#UserNS=keep-id:uid=2024,gid=2024
UserNS=keep-id
SecurityLabelDisable=true

[Arcitec]

Disabling SELinux is always the correct solution when you want to share HOME USER data with a container. Because you DO NOT want the container to do SELinux relabeling of your home user's files!

The purpose of SELinux labels and :z and :Z is to give containers solo access to files.

Since your Syncthing files are owned by your home user, you should NEVER use SELinux labels.

[Arcitec]

Oh and this does nothing at all:

[Unit]
Description=Podman syncthing.service
Wants=network-online.target
After=network-online.target

You can delete that section. You cannot set Unit targets for systemd Podman user-level services.

[Arcitec]

Since it will probably help a lot of people, here's my detailed configuration for Syncthing, with fully documenting comments for every parameter and the reasons. It's better than the config above.

Here are the steps to activate it:

• Ensure that the Podman Quadlet directory exists: mkdir -p ~/.config/containers/systemd
• Save the container configuration below as ~/.config/containers/systemd/syncthing.container.
• Read through the configuration and make any changes you want based on the comments. The defaults I have provided are correct for 99.9% of people.
• Note: The special %h keyword means "path to current user's home directory". Always use that instead of hardcoded paths.
• Ensure that all necessary volume directories exist, since Podman containers refuse to start if the volumes don't exist: mkdir -p ~/.config/syncthing-container ~/Sync
• Generate the service files with systemctl --user daemon-reload (this command must be run anytime you edit your .container file).
• Start it now: systemctl --user start syncthing. (Note: You do NOT "enable" these services. You just have to start it once. They are transient, generated services that are automatically created and started at every system startup, when they have an [Install] section, as we do below.)
• Always manage the container via systemctl, never via external tools. So if you want to stop the container, use systemctl --user stop syncthing and if you want to restart it, use systemctl --user restart syncthing. (Note: If you edit the .container config, you must always do a daemon-reload and a service restart afterwards!)
• You can check the container status with podman ps and systemctl --user status syncthing.
• Enable Podman's auto-updates so that the container updates itself to the latest Syncthing version automatically every day (you only have to run this command once, ever): systemctl --user enable --now podman-auto-update.timer
• Note: The automatic updates run at a random time between 0-15 minutes after midnight every day. If you miss the timer, it runs automatically at the next system startup/wakeup instead.
• Note: If the automatic updates break the service so that the container cannot start, then it automatically and immediately rolls itself back to the previous container image version. So you never have to worry about it.
• If you added any extra sync directories (except for the default ~/Sync which is already pre-configured), then you will need to add them in Syncthing's Web UI, via their internal container path, such as /var/syncthing/data-Obsidian-Vault.

[Container]
# Which image to run in the container.
# NOTE: It must be a fully-qualified name for auto-updates to work, meaning that
# it needs a "registry hostname" prefix and a ":version" suffix.
Image=docker.io/syncthing/syncthing:latest

# Tell podman-auto-update that we want the latest version from the registry.
AutoUpdate=registry

# The container should have a recognizable name to discourage external management.
# NOTE: The container should never be manually started or stopped with external
# tools. Always use the systemd service for those tasks.
# NOTE: If nothing is provided, the default is "systemd-%N".
#ContainerName=systemd-%N

# Using the host's network means that the container appears natively on the local
# network, which allows automatic discovery by other local Syncthing devices.
# NOTE: You can disable this line to put the container in a sandboxed subnet
# instead, but then you'll need to manually add host's IP and port in clients,
# and you will have to set up a public internet IP if you want syncing available
# everywhere. Whereas with "Host" networking, Syncthing automatically uses either
# local network transfers or internet relay transfers based on current conditions.
Network=host

# Generate a unique container hostname based on the host's with a "st-" prefix.
# NOTE: We cannot use a suffix instead, since hostnames may end in a ".domain".
HostName=st-%H

# Map the host's user and group ID to the same values inside the container,
# to ensure that all files remain owned by the user that runs the server.
UserNS=keep-id
Environment=PUID=%U PGID=%G

# Disable SELinux labels since we're syncing normal user files, and security
# labels would interfere with the host's normal filesystem permissions.
# NOTE: Never use SELinux when a container deals with the user's own files!
SecurityLabelDisable=true

# The Web UI will only be bound to localhost (on the host).
# NOTE: The "PublishPort" settings have no effect when Host networking is used,
# but if you switch to a private container network, you can use these settings.
#PublishPort=127.0.0.1:8384:8384

# File transfer ports (for TCP, QUIC UDP, and discovery broadcast receival).
#PublishPort=22000:22000/tcp
#PublishPort=22000:22000/udp
#PublishPort=21027:21027/udp

# Store the Syncthing config in a unique directory on the host.
# NOTE: We don't use any ":z" or ":Z" SELinux relabeling suffixes, since we've
# disabled SELinux labels for this container.
Volume=%h/.config/syncthing-container:/var/syncthing/config

# Map the default Syncthing share to the host user's "~/Sync".
Volume=%h/Sync:/var/syncthing/Sync

# Additional sync volumes. Must be manually added in the Web UI too.
# NOTE: Don't escape spaces in paths. Podman will do that automatically.
#Volume=%h/Documents/Obsidian Vault:/var/syncthing/data-Obsidian-Vault

[Service]
# Extend startup timeout to 15 minutes to allow time to pull the images.
TimeoutStartSec=900

# Automatically restart service if it exits for any reason (for 100% uptime).
# NOTE: Use "on-failure" to only restart when container exits with errors.
# NOTE: Regardless of the choice, it respects systemctl commands (ie. "stop").
Restart=always

[Install]
# Start by default on every boot (before the graphical login manager).
# NOTE: Rootless "user" services will not start until the user has logged in.
WantedBy=multi-user.target default.target

[Arcitec]

As a sidenote: Podman 5.3.0 fixed a serious bug. If you use an older version of Podman, then Podman Quadlet services WILL NOT WORK if your system contains a mixture of cgroup v1 and cgroup v2. The services will fail to start and will shut themselves down immediately.

You can check your own system with this command:

grep -i cgroup /proc/mounts

If your system contains only one cgroup, you will see something like this, which will work perfectly:

cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)

If your system has multiple cgroups (most commonly added by VPNs such as PIA and Mullvad, which use it for Split Tunneling (per-app VPN bypass)), then Podman Quadlets will not work, unless you update Podman to 5.3.0 or newer. Here's an example of a "broken" system:

cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
none on /opt/piavpn/etc/cgroup/net_cls type cgroup (rw,relatime,seclabel,net_cls)

If your system is broken, the ONLY option is to either delete the extra cgroups (which may or may not be possible depending on how your VPN app creates its group, so you may have to uninstall the VPN app to get rid of it), or to upgrade Podman to 5.3.0 or newer.

[tazihad]

@Arcitec Thanks for excellent write up. I have changed my settings accordingly.

[Arcitec]

@tazihad I'm glad to help! One of the biggest things you gain from this config is that Network=host will make Syncthing able to detect when all of your sync devices are on the same local network.

It then establishes local discovery connections, which you can check in the Web UI under the "Discovery" counter, where it will say "IPv4 local". That feature doesn't work properly without Network=host.

With local IPv4 discovery, you will have much faster syncing and detection of file changes, usually propagating changes within 15 seconds. Without it, Syncthing instead has to use the global internet relays which will usually have many minutes of delay before syncing even starts.

So I'd always recommend host networking for Syncthing. It's one of the only services where that really helps. But if you have other containers which do some kind of local discovery, you can consider the same change. :)