Process Does Not Start
Check validation errors, required secrets, database connectivity, Redis dependencies, and port conflicts.
Troubleshooting
Classify the Problem First
Section titled “Classify the Problem First”Do not start by reading every configuration field. Classify the failure, then jump to the matching page.
Service Starts but Access Fails
Check reverse proxy behavior, CORS, trusted proxies, Ingress, HTTP/gRPC protocol handling, and port mappings.
Login or Account Issues
Check SMTP, OAuth2 redirects, WebAuthn origins, MFA factors, and rate limits.
Media Playback Issues
Check provider headers, Range behavior, slice cache, HLS storage, and RTMP/FLV/STUN ports.
Fast Diagnosis Path
Section titled “Fast Diagnosis Path”-
Inspect the effective configuration:
Terminal window synctv --config /etc/synctv/synctv.yaml config show --output yaml -
Validate configuration:
Terminal window synctv --config /etc/synctv/synctv.yaml config validate -
Start in the foreground and inspect logs:
Terminal window synctv --config /etc/synctv/synctv.yaml serve -
Check the management endpoint:
Terminal window synctv system stats
-
Inspect the rendered Compose config:
Terminal window docker compose config -
Check container status and logs:
Terminal window docker compose psdocker compose logs -f synctv -
Run a management command inside the container:
Terminal window docker compose exec synctv synctv system stats -
If production Compose reports a missing required variable, fill the required values in the repository root
.env.postgresand.env.synctvand rundocker compose up -dagain.
-
Render the chart:
Terminal window helm lint ./helm/synctvhelm template synctv ./helm/synctv --values my-values.yaml -
Inspect Pods and events:
Terminal window kubectl get pods -n synctvkubectl describe pod -n synctv -l app.kubernetes.io/name=synctvkubectl logs -n synctv deploy/synctv -f -
Check ConfigMaps and Secret keys:
Terminal window kubectl get configmap -n synctvkubectl get secret -n synctv -
Test the HTTP Service, gRPC Service, and Ingress separately. gRPC Ingress must use a gRPC backend protocol.
Common Symptoms
Section titled “Common Symptoms”| Symptom | Check First | Entry |
|---|---|---|
| Startup reports JWT secret, OPAQUE secret, or credential key errors | Empty values, placeholders, wrong format, or regenerated stable secrets | Security and Secrets |
Startup fails after cluster.enabled=true | Redis configuration, server.cluster_secret, and node reachability | Cluster Configuration |
synctv system stats cannot connect | management.enabled, management.transport, Unix socket path, TCP token, SYNCTV_MANAGEMENT_ENDPOINT | Server Listener and Runtime Paths |
| Browser CORS requests fail | server.cors_allowed_origins must be origins without paths; proxy must handle OPTIONS/HEAD | Server Listener and Runtime Paths |
| gRPC fails through Ingress while HTTP works | Separate gRPC Service/Ingress and nginx.ingress.kubernetes.io/backend-protocol: "GRPC" | Helm Deployment |
| Swagger UI or OpenAPI JSON is missing | Binary built with openapi feature; proxy allows /swagger-ui/ and /api-docs/openapi.json | OpenAPI Access |
| WebAuthn/passkey registration or login fails | rp_id, exact rp_origin, HTTPS, allowed origins | WebAuthn and Passkeys |
| OAuth2 login has state or callback problems | runtime oauth2.providers.*.config.redirect_url, Redis in multi-replica mode, client callback URI | Email and OAuth2 |
| Email codes, password reset, or email MFA do not work | SMTP host, port, TLS, username, password, from address, email rate limits | Email and OAuth2 |
| Login, email, or admin APIs are rejected frequently | HTTP/gRPC rate limits, brute-force protection, client retry behavior | Rate Limits and Connection Limits |
| Provider direct mode works but proxy mode fails, or the reverse | Client-facing headers and proxy upstream headers, especially UA, Referer, and Range | Media Providers |
| Range playback, seeking, or HLS byterange fails | Provider Range headers, upstream Range support, slice cache state | Cache and Proxy Slice Cache |
| HLS multi-replica playback returns intermittent 404 or discontinuities | Publisher node reachability, Pod-to-Pod gRPC, hls_shared_storage matching the actual mount, or whether high traffic should move to file shared filesystem storage / oss | Livestream Configuration |
| RTMP push or HTTP-FLV pull fails | Exposed ports, LoadBalancer/NodePort, proxy timeouts, FLV write timeout | Livestream Configuration |
| STUN/WebRTC connectivity fails | webrtc.mode, stun_external_addr, UDP 3478 exposure, private candidate filtering | WebRTC Configuration |
Configuration Problems
Section titled “Configuration Problems”Use commands to inspect the effective configuration. Do not rely only on the YAML file because environment variables and CLI flags may override it.
synctv --config /etc/synctv/synctv.yaml config show --output yamlsynctv --config /etc/synctv/synctv.yaml config validateIf the effective config is not what you expect, check:
- Whether the intended config file is loaded.
- Whether
.envis loaded, or whether--no-dotenvis used. - Whether environment variables override YAML values.
- Whether
*_filesecret paths are relative to the config file directory, notdata_dir. - Whether
data_dironly affects runtime-owned output paths.
See How Configuration Works for the full model.
Deployment Problems
Section titled “Deployment Problems”Docker Compose
Section titled “Docker Compose”Production Compose intentionally requires populated .env.postgres and .env.synctv files in the repository root. Do not write weak secrets into the compose file just to make the service start.
./scripts/init-compose-env.sh# Fill SYNCTV_BOOTSTRAP_ROOT_PASSWORD in .env.synctv, then inspect the rendered config.docker compose configdocker compose up -dSee Docker Compose Deployment for details.
A successful Helm render only proves that Kubernetes manifests are syntactically valid. It does not prove that the SyncTV runtime configuration is safe. Check startup logs and validation behavior.
Important checks:
- HTTP and gRPC use separate Services.
- HTTP and gRPC use separate Ingresses.
- gRPC Ingress has its own annotations.
- ServiceMonitor or VMServiceScrape targets the intended Service.
- Multi-replica HLS uses shared storage.
existingSecretcontains all required chart keys.
See Helm Deployment for details.
Authentication and Account Problems
Section titled “Authentication and Account Problems”Local MFA only applies to local factors: password, WebAuthn/passkey, and verified email. OAuth2 does not participate in local MFA, but users with MFA enabled may still log in through OAuth2.
If MFA-enabled users cannot log in, check:
- The user still has at least two usable local verification methods.
- SMTP is available when email is used as a second factor.
- WebAuthn origin is correct when passkey is used as a second factor.
- Refresh tokens come from an authentication context accepted by the current MFA policy.
Related pages:
Information to Collect
Section titled “Information to Collect”For issue reports or internal debugging, collect:
- SyncTV version and deployment method.
- Output of
synctv config show --output yaml. Review it before sharing, even though secrets are redacted. - Full
synctv config validateerror. - Relevant Compose or Helm rendered Service, Ingress, ConfigMap, and Secret key names.
- The first service log error, not only the final cascading error.
- Request path, method, status code, and necessary headers. Do not share tokens, cookies, passwords, SMTP secrets, or provider credentials.