dnscrypt-wrapper start with systemctl failed. #115

Closed
zw963 opened this issue Sep 10, 2017 · 16 comments

zw963 commented Sep 10, 2017

Following is an example:

/usr/sbin/dnscrypt-wrapper \
    -r 8.8.4.4:53 \
    -a 0.0.0.0:22335 \
    --provider-name=2.dnscrypt-cert.domain.com \
    --crypt-secretkey-file=/root/.dnskey/1.key \
    --provider-cert-file=/root/.dnskey/1.cert \
    -d \
    -VVV \
    -l /tmp/dnscrypt-wrapper.log

It worked when invoked from a terminal on the VPS, but when started with
systemctl, it failed.

Owner

cofyc commented Sep 11, 2017

Could you provide your systemd dnscrypt-wrapper.service and logs when you start it?

Author

zw963 commented Sep 11, 2017

@cofyc, sorry for the confusion. I deployed again and got the following error:

[root@li1260-37 system]# cat /etc/systemd/system/dnscrypt-wrapper.service 
     [Unit]
     Description=dnscrypt-wrapper Service
     After=network.target

     [Service]
     Type=simple
     User=dnscrypt-wrapper
     ExecStart=/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.domain.com --crypt-secretkey-file=/root/.dnskey/1.key --provider-cert-file=/root/.dnskey/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log
     ExecReload=/bin/kill -USR1 $MAINPID
     Restart=on-abort
     LimitNOFILE=51200
     LimitCORE=infinity
     LimitNPROC=51200

     [Install]
     WantedBy=multi-user.target

[root@li1260-37 system]# systemctl start dnscrypt-wrapper
[root@li1260-37 system]# systemctl status dnscrypt-wrapper
● dnscrypt-wrapper.service - dnscrypt-wrapper Service
   Loaded: loaded (/etc/systemd/system/dnscrypt-wrapper.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2017-09-11 02:29:33 UTC; 7s ago
  Process: 29951 ExecStart=/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.domain.com --crypt-secretkey-file=/root/.dnskey/1.key --provider-cert-file=/root/.dnskey/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log (code=exited, status=1/FAILURE)
 Main PID: 29951 (code=exited, status=1/FAILURE)

Sep 11 02:29:33 li1260-37.members.linode.com systemd[1]: Started dnscrypt-wrapper Service.
Sep 11 02:29:33 li1260-37.members.linode.com systemd[1]: Starting dnscrypt-wrapper Service...
Sep 11 02:29:33 li1260-37.members.linode.com systemd[1]: dnscrypt-wrapper.service: main process exited, code=exited, status=1/FAILURE
Sep 11 02:29:33 li1260-37.members.linode.com systemd[1]: Unit dnscrypt-wrapper.service entered failed state.
Sep 11 02:29:33 li1260-37.members.linode.com systemd[1]: dnscrypt-wrapper.service failed.

Author

zw963 commented Sep 11, 2017

@cofyc, this systemctl config file was created by myself. In fact, I don't know a lot about how to
write this correctly; I just used it as a working template, and it worked well for some other packages, e.g. shadowsocks.
So maybe my config is not correct?

And it currently works when invoked from a wrapper bash script which wraps the same command.

[root@vil963 ~]# ps aux |grep dnscrypt
root      6219  0.0  0.1  16444   652 ?        Ss   22:37   0:00 /usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/root/.dnskey/1.key --provider-cert-file=/root/.dnskey/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log

Owner

cofyc commented Sep 11, 2017

hi,

[Service]
Type=simple
User=dnscrypt-wrapper

You configured the systemd dnscrypt-wrapper.service to run as dnscrypt-wrapper, but in your ExecStart command you let it read some files (e.g. /root/.dnskey/1.key) in your root directory. This will cause permission errors (because only root can access files under /root).

You need to put these files in a non-root directory (e.g. /etc/dnscrypt-wrapper), and set up permissions like this:

chown -R root:root /etc/dnscrypt-wrapper
chmod 0755 /etc/dnscrypt-wrapper
chmod 0664 /etc/dnscrypt-wrapper/*
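
Added example, not part of the thread or the dnscrypt-wrapper project: mode 0664 as set above leaves 1.key and secret.key readable by every local account, so this script grants the service account read access through a group instead and lists any secret key that "other" can still read or write. The group argument and the rule that every *.key file except public.key is secret are assumptions based on the directory listing shown later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed naming (from the thread's
# directory listing): 1.key and secret.key are secret; public.key, *.cert
# and fingerprint are public.

# List secret-key files directly under $1 that "other" can read or write.
world_accessible_keys() {
    find "$1" -maxdepth 1 -type f -name '*.key' ! -name 'public.key' \
        \( -perm -004 -o -perm -002 \) | sort
}

# Give group $2 read access to the directory and its secrets, and remove
# all access to the secrets for "other". $2 is the service account's group
# (assumed to be dnscrypt-wrapper on the thread's host).
harden_key_dir() {
    dir=$1
    group=$2
    chgrp "$group" "$dir" || return 1
    chmod 0750 "$dir" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chgrp "$group" "$f" || return 1
        case "${f##*/}" in
            public.key) chmod 0644 "$f" ;;   # public half, safe to share
            *.key)      chmod 0640 "$f" ;;   # secrets: owner rw, group r
            *)          chmod 0644 "$f" ;;   # certificate, fingerprint
        esac || return 1
    done
}

# Typical use as root on the host from the thread:
#   harden_key_dir /etc/dnscrypt-wrapper dnscrypt-wrapper
#   world_accessible_keys /etc/dnscrypt-wrapper    # should print nothing
```
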

Author

zw963 commented Sep 11, 2017

@cofyc, it does not work.

root@localhost:/etc/dnscrypt-wrapper# cat /etc/systemd/system/dnscrypt-wrapper.service 
     [Unit]
     Description=dnscrypt-wrapper Service
     After=network.target

     [Service]
     Type=simple
     User=dnscrypt-wrapper
     ExecStart=/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-cert-file=/etc/dnscrypt-wrapper/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log
     ExecReload=/bin/kill -USR1 $MAINPID
     Restart=on-abort
     LimitNOFILE=51200
     LimitCORE=infinity
     LimitNPROC=51200

     [Install]
     WantedBy=multi-user.target
root@localhost:/etc/dnscrypt-wrapper# ls -l
total 20
-r--r--r-- 1 root root 124 Sep 11 03:45 1.cert
-r-------- 1 root root  32 Sep 11 03:45 1.key
-rw-r--r-- 1 root root 101 Sep 11 03:45 fingerprint
-r--r--r-- 1 root root  32 Sep 11 03:45 public.key
-r-------- 1 root root  64 Sep 11 03:45 secret.key
root@localhost:/etc/dnscrypt-wrapper# systemctl start dnscrypt-wrapper
root@localhost:/etc/dnscrypt-wrapper# systemctl status dnscrypt-wrapper
● dnscrypt-wrapper.service - dnscrypt-wrapper Service
   Loaded: loaded (/etc/systemd/system/dnscrypt-wrapper.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2017-09-11 03:50:06 UTC; 9s ago
  Process: 27283 ExecStart=/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-c
 Main PID: 27283 (code=exited, status=1/FAILURE)

Sep 11 03:50:06 localhost systemd[1]: Started dnscrypt-wrapper Service.
Sep 11 03:50:06 localhost systemd[1]: dnscrypt-wrapper.service: Main process exited, code=exited, status=1/FAILURE
Sep 11 03:50:06 localhost systemd[1]: dnscrypt-wrapper.service: Unit entered failed state.
Sep 11 03:50:06 localhost systemd[1]: dnscrypt-wrapper.service: Failed with result 'exit-code'.

Owner

cofyc commented Sep 11, 2017

Have you created the dnscrypt-wrapper user?
Try to run this command manually to debug:

su dnscrypt-wrapper -s /bin/bash -c '/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-cert-file=/etc/dnscrypt-wrapper/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log'

Author

zw963 commented Sep 11, 2017

Have you created dnscrypt-wrapper user?

@cofyc, yes, I created this user with useradd dnscrypt-wrapper -s /sbin/nologin.

Try to run this command manually to debug:

It failed, $$ returned 1.

Thanks

Author

zw963 commented Sep 11, 2017

@cofyc, I need to change User=dnscrypt-wrapper to User=root, right?

Author

zw963 commented Sep 11, 2017

The problem is: why does running as user dnscrypt-wrapper fail?

Owner

cofyc commented Sep 12, 2017

What's the output of command su dnscrypt-wrapper -s /bin/bash -c '/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-cert-file=/etc/dnscrypt-wrapper/1.cert -d -VVV -l /var/log/dnscrypt-wrapper.log'?

Author

zw963 commented Sep 12, 2017

@cofyc, there is no failure message (with -d removed).

Author

zw963 commented Sep 12, 2017

[root@vil963 ~]# su dnscrypt-wrapper -s /bin/bash -c '/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.domain.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-cert-file=/etc/dnscrypt-wrapper/1.cert -VVV -l /var/log/dnscrypt-wrapper.log'
[root@vil963 ~]# echo $?
1

Author

zw963 commented Sep 12, 2017

/etc/dnscrypt-wrapper/1.key and /etc/dnscrypt-wrapper/1.cert seem to have the correct permissions.

[root@vil963 etc]# ls -lh /etc/dnscrypt-wrapper/*
-rw-rw-r-- 1 root root 124 Sep  9 08:46 /etc/dnscrypt-wrapper/1.cert
-rw-rw-r-- 1 root root  32 Sep  9 08:46 /etc/dnscrypt-wrapper/1.key
-rw-rw-r-- 1 root root 101 Sep  9 08:46 /etc/dnscrypt-wrapper/fingerprint
-rw-rw-r-- 1 root root  32 Sep  9 08:46 /etc/dnscrypt-wrapper/public.key
-rw-rw-r-- 1 root root  64 Sep  9 08:46 /etc/dnscrypt-wrapper/secret.key

Owner

cofyc commented Sep 12, 2017

su dnscrypt-wrapper -s /bin/bash -c '/usr/sbin/dnscrypt-wrapper -a 0.0.0.0:22335 -r 8.8.4.4:53 --provider-name=2.dnscrypt-cert.zw963.com --crypt-secretkey-file=/etc/dnscrypt-wrapper/1.key --provider-cert-file=/etc/dnscrypt-wrapper/1.cert -d -VVV'

Remove -l /var/log/dnscrypt-wrapper.log and run again.

Author

zw963 commented Sep 12, 2017

@cofyc, sorry, I was wrong.

  1. I used -l to redirect the log and forgot about it.
  2. Another /etc/init.d/ script automatically started the server again, so the error is: [10545] 11 Sep 23:34:16.487 [err] [udp_request.c:516] Unable to bind (UDP) [Address already in use]

Author

zw963 commented Sep 12, 2017

@cofyc, changing the config to /etc/dnsmasq-wrapper worked.

Thanks

@zw963 zw963 closed this as completed Sep 12, 2017