Starting Jenkins failed - Process /usr/bin/jenkins could not be executed

TheDragonNL · September 26, 2022, 1:38pm

When trying a clean install for jenkins (jenkins-2.370-1.1.noarch.rpm), but we ran into an issue
As far as we can tell all permissions should be ok
What are we missing, we been trying for days now ?

-- Unit jenkins.service has begun starting up.
<redacted> systemd[2644]: jenkins.service: Changing to the requested working directory failed: Permission denied
<redacted>  systemd[2644]: jenkins.service: Failed at step CHDIR spawning /usr/bin/jenkins: Permission denied
-- Subject: Process /usr/bin/jenkins could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The process /usr/bin/jenkins could not be executed and failed.
--
-- The error number returned by this process is 13.

Here is the systemctl -l status jenkins log

<redacted> [/tmp/install]: sudo systemctl -l status jenkins
● jenkins.service - Jenkins Continuous Integration Server
   Loaded: loaded (/usr/lib/systemd/system/jenkins.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/jenkins.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Mon 2022-09-26 15:25:14 CEST; 10min ago
  Process: 2644 ExecStart=/usr/bin/jenkins (code=exited, status=200/CHDIR)
 Main PID: 2644 (code=exited, status=200/CHDIR)

<redacted> systemd[1]: jenkins.service: Main process exited, code=exited, status=200/CHDIR
<redacted> systemd[1]: jenkins.service: Failed with result 'exit-code'.
<redacted> systemd[1]: Failed to start Jenkins Continuous Integration Server.
<redacted> systemd[1]: jenkins.service: Service RestartSec=100ms expired, scheduling restart.
<redacted> systemd[1]: jenkins.service: Scheduled restart job, restart counter is at 5.
<redacted> systemd[1]: Stopped Jenkins Continuous Integration Server.
<redacted> systemd[1]: jenkins.service: Start request repeated too quickly.
<redacted> systemd[1]: jenkins.service: Failed with result 'exit-code'.
<redacted> systemd[1]: Failed to start Jenkins Continuous Integration Server.

MarkEWaite · September 26, 2022, 1:49pm

TheDragonNL:

<redacted> systemd[2644]: jenkins.service: Changing to the requested working directory failed: Permission denied
<redacted>  systemd[2644]: jenkins.service: Failed at step CHDIR spawning /usr/bin/jenkins: Permission denied

Check the permissions of the /var/lib/jenkins directory. You state that the permissions should be ok, but that seems the most likely source of the problem. Permissions of one of the parent directories might also be an issue.

If you have enabled one of the Red Hat security profiles, you may need to reconsider that choice.

TheDragonNL · September 26, 2022, 2:18pm

The permissions
Note the jenkins user permissions where put in manually to see if it helped (it didnt)

# file: var/lib/jenkins
# owner: jenkins
# group: jenkins
user::rwx
group::r-x
other::r-x

# file: var/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: var
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: usr/bin/jenkins
# owner: jenkins
# group: jenkins
user::rwx
group::r-x
other::r-x

# file: usr/bin
# owner: root
# group: root
user::rwx
user:jenkins:rwx
group::r-x
mask::rwx
other::r-x

# file: usr
# owner: root
# group: root
user::rwx
user:jenkins:rwx
group::r-x
mask::rwx
other::r-x

MarkEWaite · September 26, 2022, 3:10pm

Any chance you set ProtectHome=true?

Or possibly, that you’re using a network file system and encountering a systemd bug as described in

github.com/systemd/systemd

exec: chdir to WorkingDirectory fails on NFS with root squash

opened 05:52PM - 29 Oct 18 UTC

closed 11:07AM - 31 Oct 18 UTC

behrmann

**systemd version the issue has been seen with** > 239 **Used distribu…tion** > Debian Unstable **Expected behaviour you didn't see** > A template service that has `User=%i` and `WorkingDirectory=/home/%i` with the working directory being on an NFS share with root squash enabled and Permissions `700` starts properly **Unexpected behaviour you saw** > A template service that has `User=%i` and `WorkingDirectory=/home/%i` with the working directory being on an NFS share with root squash enabled doesn't start unless the permissions on the home directory are `701` **Steps to reproduce the problem** This service reproduces the problem ``` # /etc/systemd/system/chdirdebug@.service [Unit] Description=Test service to debug chdir [Service] Type=oneshot User=%i ExecStart=/bin/bash -c "echo $(pwd)" WorkingDirectory=/home/%i ``` For a user with permissions 755 it runs perfectly and for a user with home permissions 700 ``` -- Logs begin at Sat 2018-03-24 09:34:45 CET, end at Mon 2018-10-29 18:36:42 CET. -- Oct 29 18:36:42 host systemd[1]: Starting Test service to debug chdir... Oct 29 18:36:42 host systemd[96667]: chdirdebug@user.service: Changing to the requested working directory failed: Permission denied Oct 29 18:36:42 host systemd[96667]: chdirdebug@user.service: Failed at step CHDIR spawning /bin/bash: Permission denied Oct 29 18:36:42 host systemd[1]: chdirdebug@user.service: Main process exited, code=exited, status=200/CHDIR Oct 29 18:36:42 host systemd[1]: chdirdebug@user.service: Failed with result 'exit-code'. Oct 29 18:36:42 host systemd[1]: Failed to start Test service to debug chdir. ``` After helpful discussion with @grawity in #systemd the assumption is, that the move of `apply_working_directory` in 50b3dfb9d64872025450aa63765206720be471d6 to the earliest possible position is too early, since in the context of network filesystems root might not be allowed to change the directory. If I were to hazard a guess moving `apply_working_directory` from its current [position](https://github.com/systemd/systemd/blob/master/src/core/execute.c#L3200) to somewhere after [this block](https://github.com/systemd/systemd/blob/master/src/core/execute.c#L3348) that calls `ensure_user`, might be a solution. And yes, the user does have permission to read their own home. ;) Thanks a lot in advance!

TheDragonNL · September 26, 2022, 3:29pm

systemctl show jenkins says ProtectHome=no

systemd version systemctl --version says
systemd 239 (239-58.el8_6.7)

Additional info

  Operating System: Red Hat Enterprise Linux 8.6 (Ootpa)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:8::baseos
            Kernel: Linux 4.18.0-372.26.1.el8_6.x86_64
      Architecture: x86-64

MarkEWaite · September 26, 2022, 4:20pm

Interesting, since that is the exact operating system where I have been running a Jenkins 2.361.1 controller. I don’t have other suggestions to offer. We test variants of that operating system with test automation (Rocky 9, Alma 9, Oracle Linux 9) and I use Red Hat Enterprise Linux 8.6 interactively.

TheDragonNL · September 26, 2022, 4:34pm

I willl see if i somehow can update systemd, just to be able to rule it out

MarkEWaite · September 26, 2022, 4:42pm

The version of systemd that you are running matches exactly with the systemd on my RHEL 8.6 system. No harm trying to update it, but I suspect something else in the system configuration, not the systemd version.

halkeye · September 26, 2022, 5:36pm

what does your override have?

What filesystem is /var/lib/jenkins (nfs?)

TheDragonNL · September 26, 2022, 5:39pm

We found the cause
sudo cat /var/log/audit/audit.log | grep jenkins | grep denied gave result

type=AVC msg=audit(1664206374.094:405): avc:  denied  { read } for  pid=2849 comm="(jenkins)" name="jenkins" dev="dm-6" ino=                                                                                  2098029 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0

Somewhere in the installation script we used, there was a move from /var/lib/jenkins to /srv/jenkins
This was done by creating a symlink to /srv/jenkins
Why this was ever in the scripts we are still looking into that
But it seems that SELinux does not permit the use of symlink in this instance (if i understand correctly)

So be removing this ‘move’, we now have a working Jenkins instance

halkeye · September 26, 2022, 5:42pm

I havn’t tried it, but you can probably set the JENKINS_HOME env variable in overrides to point to a different location, no need for symlink.

TheDragonNL · September 26, 2022, 5:48pm

We will do that, once we know why there was a move/symlink in the first place

Thanks for all the help

Topic		Replies	Views
Jenkins failed to start Ask a question	4	2264	May 18, 2023
About the Using Jenkins category Using Jenkins	1	1241	July 17, 2022
Startup failed - status=217/USER Ask a question	2	588	June 23, 2023
After upgrading jenkins to version: 2.346.1 the service crashes but Jenkins is accessible Ask a question question	7	3982	September 9, 2022
Jenkins stop working after sudo upgrade Using Jenkins question	1	535	April 12, 2023

Starting Jenkins failed - Process /usr/bin/jenkins could not be executed

Related Topics