Passenger/mod_rails fails to initialize in Fedora 12 when starting Apache

I am in the process of setting up a server to run a Ruby on Rails application on Fedora 12, using Passenger.

I am at the stage where I've installed Passenger, set it up as prescribed, but get the following errors when I restart Apache:

[Wed Jan 13 15:41:38 2010] [notice] caught SIGTERM, shutting down
[Wed Jan 13 15:41:40 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jan 13 15:41:40 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 13 15:41:40 2010] [notice] Digest: done
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [error] python_init: Python version mismatch, expected '2.6', found '2.6.2'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python executable found '/usr/bin/python'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python path being used '/usr/lib/python26.zip:/usr/lib/python2.6/:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload'.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: using mutex_directory /tmp 
[Wed Jan 13 15:41:40 2010] [notice] Apache/2.2.14 (Unix) DAV/2 Phusion_Passenger/2.2.9 PHP/5.3.0 mod_python/3.3.1 Python/2.6.2 mod_ssl/2.2.14 OpenSSL/1.0.0-fips-beta3 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations

As you can see, there is a permissions problem when Passenger is trying to initialize:

[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)

When Apache starts, it does create a file in /tmp:

d-ws--x--x. 2 root  root  4096 2010-01-13 16:04 passenger.26117

If instead I run the app by firing up mongrel directly with mongrel_rails start -e production, I see the following:

ActiveRecord::StatementInvalid (Mysql::Error: Can't create/write to file '/tmp/#sql_5d3_0.MYI' (Errcode: 13): SHOW FIELDS FROM `users`):

Again the error points to permission issues with the /tmp directory.

I am at a loss as to what the solution is. I'm not sure if it is related to simply directory permissions or Fedora's SELinux security.

Any help would be appreciated. Thanks.

I did the same as Fred, except that instead of doing it one error at a time:

  1. Go into permissive mode by running setenforce 0
  2. Restart apache, and hit your site and use it for a while as normal
  3. Run grep httpd /var/log/audit/audit.log | audit2allow -M passenger
  4. semodule -i passenger.pp
  5. Go back to enforcing mode by running setenforce 1
  6. Restart apache and test your site - hopefully it should all be working as before!

Note that this is basically a specific example of the procedure on the CentOS SELinux help - check it out.

I'm having the same issue in CentOS 5.4, SELinux getting in the way of Passenger.

Setting PassengerTempDir to /var/run/passenger simply gives you the same permission errors in the new directory instead of /tmp:

[Mon Feb 22 11:42:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create directory '/var/run/passenger/passenger.3686'

I can then change the security context of /var/run/passenger to get past this error:

chcon -R -h -t httpd_sys_content_t /var/run/passenger/

...and that lets Passenger create the temp directory, but not files within that directory:

[Mon Feb 22 12:07:06 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /var/run/passenger/passenger.3686/.guard: Permission denied (13)

Oddly, re-running the recursive chcon again doesn't get past this error, it keeps dying at this point, and this is where my SELinux knowledge gets murky.

The Phusion Passenger guide sections 6.3.5 and 6.3.7 have some useful thoughts, but they don't seem to completely resolve the problem.

You need more than just the httpd_sys_content_t permission. I use the following technique to get things started:

  • Start a tail on the audit log: tail -f /var/log/audit/audit.log
  • Reload apache: apachectl restart
  • Go to the /tmp/ directory: cd /tmp
  • If just 1 line is added use the command: tail -1 /var/log/audit/audit.log | audit2allow -M httpdfifo
  • Note that the name 'httpdfifo' is just a name chosen to reflect the kind of error that has been observed.
  • This will create a file named 'httpdfifo.pp'. To allow apache to create a FIFO from here on, you have to issue the command: semodule -i httpdfifo.pp
  • Continue to do this until all audit errors have been resolved (It took 4 different kinds of permissions on my system running CentOS 5.4)

Running setenforce 0 before starting will let you test if it's SELinux. Don't forget to run setenforce 1 afterwards.

I tried what Dan Sketcher and Fred Appleman suggested, i.e. repeat the following:

yum install setroubleshoot
echo > /var/log/audit/audit.log # clear irrelevant errors
cd ~
service httpd restart # try booting passenger -- audit.log now shows the relevant permission errors
tail -f /var/log/httpd/error_log # check that passenger is still failing due to permission errors
sealert -a /var/log/audit/audit.log > selinux-diag.txt # translate the permission errors
# read and check that you are happy with selinux-diag.txt 
# and either follow its specific advice, or if it just wants you to grep into audit2allow, then:
cat /var/log/audit/audit.log | audit2allow -M mypol  # grant everything just denied
semodule -i mypol.pp # commit new permissions (audit2allow -M mypol writes mypol.pp)

But after doing this 5 or 6 times, I kept coming up against new errors, and some of the same errors came up even after I had tried to permit them with "audit2allow".

In the end I just turned off SELinux, with:

echo 0 >/selinux/enforce
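
A review step for the audit2allow procedures in the answers above, as an added example (not code from any of the posters or from the SELinux tools): it parses the AVC denials in audit.log, keeps only those whose source type is httpd_t, and lists the allow rules a generated module would contain, so they can be read before semodule -i. The sample log lines and the examplejob_t domain are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format (not taken from the page). The last
# line is a hypothetical domain touching an httpd-labelled file: a plain
# "grep httpd" matches it, so audit2allow would be asked to grant it as well.
SAMPLE_LOG = """\
type=AVC msg=audit(1263397300.101:501): avc:  denied  { create } for  pid=25235 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1263397300.102:502): avc:  denied  { write } for  pid=25235 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1263397300.102:502): arch=40000003 syscall=14 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1263397305.310:517): avc:  denied  { read } for  pid=2210 comm="examplejob" name="error_log" scontext=system_u:system_r:examplejob_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
)

def se_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarise(log_text, source_type=None):
    """Group denials into (source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src = se_type(m["s"])
        if source_type and src != source_type:
            continue  # denial belongs to another domain; do not grant it here
        rules[(src, se_type(m["t"]), m["cls"])].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the grouped denials in the allow-rule form used in .te files."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_LOG, "httpd_t")):
        print(rule)
```

Calling summarise() on the real log without a source_type shows every domain that would receive new permissions from the same log.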
