ziti-edge-tunnel permission denied on Debian 12 #752

Open
dmuensterer opened this issue Nov 10, 2023 · 1 comment

dmuensterer commented Nov 10, 2023

On a freshly installed Debian 12, ziti-edge-tunnel can't adjust the DNS settings if the service is executed by the default user ziti in the systemd service.

Nov 10 11:22:50 host systemd[1]: Started ziti-edge-tunnel.service - Ziti Edge Tunnel.
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:61 load_config_from_file() The config file No such file or directory cannot be opened due to /var/lib/ziti/config.json. This is >
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:61 load_config_from_file() The config file No such file or directory cannot be opened due to /var/lib/ziti/config.json.backup. T>
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.000]    WARN ziti-edge-tunnel:instance-config.c:98 load_tunnel_status_from_file() Config files /var/lib/ziti/config.json and the backup file cannot be read or they do not exist>
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.000]    WARN ziti-edge-tunnel:instance.c:40 find_tunnel_identity() Identity ztx[/opt/openziti/etc/identities/host.mydomain.ziti.json] is not loaded yet or already removed.
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.055]   ERROR ziti-edge-tunnel:instance-config.c:136 save_tunnel_status_to_file() Could not copy config file [/var/lib/ziti/config.json] to backup config file, the config might >
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.055]    WARN ziti-edge-tunnel:resolvers.c:352 try_libsystemd_resolver() libsystemd resolver unsuccessful. Falling back to legacy resolvers
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.089]    WARN ziti-edge-tunnel:tun.c:277 find_dns_updater() Adding ziti resolver to /etc/resolv.conf. Ziti DNS functionality may be impaired
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.089]    WARN ziti-edge-tunnel:resolvers.c:433 make_copy() could not create copy[/etc/resolv.conf.bkp]: permission denied
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.089]   ERROR ziti-edge-tunnel:resolvers.c:478 dns_update_etc_resolv() cannot open /etc/resolv.conf: Permission denied
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.089]    WARN ziti-edge-tunnel:resolvers.c:479 dns_update_etc_resolv() run as 'root' or manually update your resolver configuration. Ziti DNS must be the first resolver: 100.64.>
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[        0.134]   ERROR ziti-sdk:ziti.c:1532 ziti_set_api_session() ztx[0] local clock is 18 seconds behind UTC (as reported by controller)

scareything (Member) commented Nov 15, 2023

I think this may be a matter of cryptic or unhelpful log messages (assuming you want to use systemd-resolved for DNS configuration and not fall back to touching resolv.conf).

Can you check if systemd-resolved.service is installed and active? It wasn't there by default on my Debian 12 install.

$ systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
     Active: active (running) since Tue 2023-11-14 21:16:31 EST; 4min 5s ago
       Docs: man:systemd-resolved.service(8)
...

If it isn't there, please try installing it and rebooting.

$ sudo apt update
$ sudo apt install -y systemd-resolved
$ /sbin/reboot

There may be a better way to activate it after installing, but simply "starting" it didn't work for me and rebooting did.
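
A triage helper for the log in this issue, added here as an example (not part of the thread or of the ziti-edge-tunnel project): it parses the tunnel's log records and separates "libsystemd resolver failed, then the /etc/resolv.conf fallback was denied" from a plain permissions problem. The names `parse`, `diagnose` and the verdict labels are assumptions; the matched log function names are the ones shown in the log above.

```python
import re

# Lines copied from the journal output in this issue (padding trimmed).
SAMPLE_JOURNAL = """\
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[ 0.055] WARN ziti-edge-tunnel:resolvers.c:352 try_libsystemd_resolver() libsystemd resolver unsuccessful. Falling back to legacy resolvers
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[ 0.089] WARN ziti-edge-tunnel:tun.c:277 find_dns_updater() Adding ziti resolver to /etc/resolv.conf. Ziti DNS functionality may be impaired
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[ 0.089] WARN ziti-edge-tunnel:resolvers.c:433 make_copy() could not create copy[/etc/resolv.conf.bkp]: permission denied
Nov 10 11:22:50 host ziti-edge-tunnel[2868]: (2868)[ 0.089] ERROR ziti-edge-tunnel:resolvers.c:478 dns_update_etc_resolv() cannot open /etc/resolv.conf: Permission denied
"""

# Record layout seen in the log: "(pid)[elapsed] LEVEL module:file.c:line func() message"
LINE_RE = re.compile(
    r"\((?P<pid>\d+)\)\[\s*(?P<elapsed>[\d.]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"(?P<module>[\w-]+):(?P<file>[\w.-]+):(?P<line>\d+)\s+"
    r"(?P<func>\w+)\(\)\s+(?P<msg>.*)"
)

# Hypothetical verdict labels, each mapped to the follow-up the thread suggests.
NEXT_STEP = {
    "resolved_unavailable": "check `systemctl status systemd-resolved`; install it if missing",
    "resolv_conf_not_writable": "service user cannot write /etc/resolv.conf",
    "legacy_resolver_in_use": "running on the /etc/resolv.conf fallback; Ziti DNS may be impaired",
    "ok": "no resolver problem logged",
}

def parse(journal):
    """Return one dict per ziti-edge-tunnel log record; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, journal.splitlines()) if m]

def diagnose(journal):
    """Classify the DNS setup failure from the order-independent set of records."""
    events = parse(journal)
    fell_back = any(e["func"] == "try_libsystemd_resolver" and "unsuccessful" in e["msg"]
                    for e in events)
    denied = any(e["func"] in ("make_copy", "dns_update_etc_resolv")
                 and "permission denied" in e["msg"].lower() for e in events)
    if fell_back and denied:
        verdict = "resolved_unavailable"       # root cause is upstream of the EACCES
    elif denied:
        verdict = "resolv_conf_not_writable"
    elif fell_back:
        verdict = "legacy_resolver_in_use"
    else:
        verdict = "ok"
    return {"verdict": verdict, "next_step": NEXT_STEP[verdict]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_JOURNAL))
```
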
