Unable to get access to mounted folder/path - syncthink

Neurothiker

Dabbler
Joined
Feb 25, 2024
Messages
13
Dear experts,

I'm really having trouble getting access with SYNCTHINK to a >restricted< folder.

System:
TrueNAS-13.0-U6.1 Core
Plugin:
Syncthink 1.27.2
13.2-RELEASE-p10

Current situation:

Prepared folder as >restricted< on truenas, only defined user via login & credentials
SYNCTHINK installed
Service stopped for mounting
Path with restricted folder mapped to ~/synkthink/.../mnt
ACL for SYNCTHINK enabled with Full Permissions to the >restricted< folder
Service started
Login SYNCTHINK for folder preparation

Error messages:

2024-02-28 11:03:06: Loading ignores: lstat /mnt/Daten/Daten/Papa/chris/Truenas_Sync/.stignore: permission denied

2024-02-28 11:03:06: Failed to create folder root directory stat /mnt/Daten/Daten/Papa/chris/Truenas_Sync: permission denied

2024-02-28 11:03:06: Error on folder "Datensynchronisation" (Truenas_Sync): stat /mnt/Daten/Daten/Papa/chris/Truenas_Sync: permission denied

My trouble is that I can only find instructions for an older version of Truenas and only for the enterprise version of SYNCTHINK, so I'm not able to transfer this knowledge to the current version....

I would be delighted if someone could help me with my thoughts.

Thanks a lot

Neuro
 

Attachments

  • mounting.png
  • acl.png

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
You are talking about SyncThing, not SyncThink. I have the same issue but have not looked too hard into it. Maybe you will figure it out before I do.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You probably need to grant CAP_DAC_OVERRIDE and a few other capabilities to syncthing (basically run it with elevated privileges to be able to chown and alter permissions) -- this may possibly be skipped if you're only syncing data. Failure to lstat means the process most likely can't traverse to the specified path (e.g. you have some path component where execute bit is missing).
 

Neurothiker

> You are talking about SyncThing, not SyncThink. I have the same issue but have not looked too hard into it. Maybe you will figure it out before I do.

From your experience, where could the problem be: Truenas, Syncthing, BSD?
 

Neurothiker

> You probably need to grant CAP_DAC_OVERRIDE and a few other capabilities to syncthing (basically run it with elevated privileges to be able to chown and alter permissions) -- this may possibly be skipped if you're only syncing data. Failure to lstat means the process most likely can't traverse to the specified path (e.g. you have some path component where execute bit is missing).

What rights other than those of >Full Access< should be set and "few other capabilities"...???
 

anodos

> What rights other than those of >Full Access< should be set and "few other capabilities"...???

CAP_DAC_OVERRIDE allows for ignoring ACL for basic permissions checks
CAP_FOWNER allows syncthing to bypass permissions check for changing owner of a file and other places where kernel checks inode_owner_or_capable()
Those are probably most relevant capabilities. See man 7 capabilities for more explanation.

As far as filesystem permissions go, all unix-like operating systems (Linux, FreeBSD, MacOS, etc) have strict checks for whether a process can basically traverse to a path (on Windows the ability to bypass this check is granted to user sessions IIRC). If you grant full access to the directory /mnt/Daten/Daten/Papa/chris/Truenas_Sync, then the syncthing process also needs execute (either via group membership or other) on `/mnt/`, /mnt/Daten/, /mnt/Daten/Daten, etc.
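
The traversal requirement described in the post above can be checked one path component at a time. This is an added example, not part of any post in the thread; the helper name `first_blocked` is hypothetical, and it assumes the script is run as the account the Syncthing service runs under.

```shell
#!/bin/sh
# Added example: find the first directory on the way to a target that the
# calling user cannot traverse. Run it as the account the sync service uses.
# first_blocked is a hypothetical helper name.
#
# Output: "no-search: DIR" (search/execute permission denied on DIR),
#         "missing: DIR"   (DIR does not exist or is not a directory),
#         or nothing when every ancestor of the target can be traversed.
first_blocked() {
    target=$1
    case $target in
        /*) ;;
        *) echo "usage: first_blocked /absolute/path" >&2; return 2 ;;
    esac

    # Split the path on "/" into positional parameters (globbing disabled so
    # components such as "*" are kept literally).
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$old_ifs

    cur=
    for part in "$@"; do
        [ -n "$part" ] || continue
        parent=${cur:-/}
        # stat()/lstat() on a path needs search (x) permission on every
        # directory above it; test -x evaluates mode bits and ACLs for the
        # calling user.
        if [ ! -d "$parent" ]; then
            printf 'missing: %s\n' "$parent"
            return 1
        elif [ ! -x "$parent" ]; then
            printf 'no-search: %s\n' "$parent"
            return 1
        fi
        cur=$cur/$part
    done
    return 0
}

# Example: sh check.sh /mnt/Daten/Daten/Papa/chris/Truenas_Sync
if [ $# -gt 0 ]; then
    first_blocked "$1"
fi
```

A `no-search` result names the directory that needs execute for the service account (via owner, group, other or an ACL entry); granting that one bit is narrower than running the service with CAP_DAC_OVERRIDE.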
 

Neurothiker

> CAP_DAC_OVERRIDE allows for ignoring ACL for basic permissions checks
> CAP_FOWNER allows syncthing to bypass permissions check for changing owner of a file and other places where kernel checks inode_owner_or_capable()
> Those are probably most relevant capabilities. See man 7 capabilities for more explanation.
>
> As far as filesystem permissions go, all unix-like operating systems (Linux, FreeBSD, MacOS, etc) have strict checks for whether a process can basically traverse to a path (on Windows the ability to bypass this check is granted to user sessions IIRC). If you grant full access to the directory /mnt/Daten/Daten/Papa/chris/Truenas_Sync, then the syncthing process also needs execute (either via group membership or other) on `/mnt/`, /mnt/Daten/, /mnt/Daten/Daten, etc.

Thanks for the reply.
I'll check it....
 

Neurothiker

Ok, I changed some permissions and no error messages
but
the local-link, see below pic. mounting.png, shows me a loop (smb://truenas.local/papa/Truenas_Sync/Daten/Daten/Papa/chris) and not the remote folder itself.
Instead of showing >smb://truenas.local/papa/Truenas_Sync< I have this link >smb://truenas.local/papa/Truenas_Sync/Daten/Daten/Papa/chris< with no access as an owner in the directory from the remote NB - the sync from NB to NAS works fine...in the wrong folder.
_

Ok, only the initial sync was successful...
New folders or data will not be synced in NAS direction...
 

joeschmuck

It would be nice to have a good tutorial on how to set up SyncThing. I plan to follow the older tutorial for the Enterprise version and see how that works out. I know there are some things that are different but maybe I will figure it out. I think I'm missing some fundamental information on how this works. The video says to create a dataset /data1 on the first server and /data2 on the second server. Why? Is this the location where tracking the synchronized files will reside?

I was able to get both servers to link up but sharing data, nope. My goal is to sync both servers, well, selected datasets, and to duplicate the data between the two, including permissions/ACLs/owner, all that good stuff.

I think all I need is how to setup SyncThing sharing. As I said, I will eventually figure it out. No rush. I can sync via my Windoze computer, but it's just not very fast and a completely manual operation.

Time to make dinner, S.O.S. (Shit on a shingle) and using maple sausage, YUMMY Easy, cheap, satisfying. My standards are very basic.

@anodos I might ask you for some assistance if I really can't figure this out myself. If I can figure it out myself then I am apt to remember it better next year.
 

Neurothiker

> It would be nice to have a good tutorial on how to set up SyncThing. I plan to follow the older tutorial for the Enterprise version and see how that works out. I know there are some things that are different but maybe I will figure it out. I think I'm missing some fundamental information on how this works. The video says to create a dataset /data1 on the first server and /data2 on the second server. Why? Is this the location where tracking the synchronized files will reside?
>
> I was able to get both servers to link up but sharing data, nope. My goal is to sync both servers, well, selected datasets, and to duplicate the data between the two, including permissions/ACLs/owner, all that good stuff.
>
> I think all I need is how to setup SyncThing sharing. As I said, I will eventually figure it out. No rush. I can sync via my Windoze computer, but it's just not very fast and a completely manual operation.
>
> Time to make dinner, S.O.S. (Shit on a shingle) and using maple sausage, YUMMY Easy, cheap, satisfying. My standards are very basic.
>
> @anodos I might ask you for some assistance if I really can't figure this out myself. If I can figure it out myself then I am apt to remember it better next year.

GM,

I have a problem understanding the mounting routing in Truenas-scale - I should mount into Jail/Syncthing?! - see my comment above.
In addition to the actual SyncThing user, I also shared an additional guest account under the Folder owner for Syncthing with all the additional options - so I had access for SyncThing.
 

Neurothiker

GM,

I'll inform you that I switched to UNISON for Truenas/Clients Synchronisation and it works fine for me and my requirements.

thx
 