Passenger/mod_rails fails to initialize in Fedora 12 when starting Apache
I am in the process of setting up a server to run a Ruby on Rails application on Fedora 12, using Passenger.
I am at the stage where I've installed Passenger, set it up as prescribed, but get the following errors when I restart Apache:
[Wed Jan 13 15:41:38 2010] [notice] caught SIGTERM, shutting down
[Wed Jan 13 15:41:40 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jan 13 15:41:40 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 13 15:41:40 2010] [notice] Digest: done
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [error] python_init: Python version mismatch, expected '2.6', found '2.6.2'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python executable found '/usr/bin/python'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python path being used '/usr/lib/python26.zip:/usr/lib/python2.6/:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload'.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: using mutex_directory /tmp
[Wed Jan 13 15:41:40 2010] [notice] Apache/2.2.14 (Unix) DAV/2 Phusion_Passenger/2.2.9 PHP/5.3.0 mod_python/3.3.1 Python/2.6.2 mod_ssl/2.2.14 OpenSSL/1.0.0-fips-beta3 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
As you can see, there is a permissions problem when Passenger is trying to initialize:
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
When Apache starts, it does create a file in /tmp:
d-ws--x--x. 2 root root 4096 2010-01-13 16:04 passenger.26117
If instead I run the app by firing up mongrel directly with mongrel_rails start -e production, I see the following:
ActiveRecord::StatementInvalid (Mysql::Error: Can't create/write to file '/tmp/#sql_5d3_0.MYI' (Errcode: 13): SHOW FIELDS FROM `users`):
Again the error points to permission issues with the /tmp directory.
I am at a loss as to what the solution is. I'm not sure if it is related to simply directory permissions or Fedora's SELinux security.
Any help would be appreciated. Thanks.
I did the same as Fred, except that instead of doing it one error at a time:
Go into permissive mode by running setenforce 0
Run grep httpd /var/log/audit/audit.log | audit2allow -M passenger
semodule -i passenger.pp
Go back to enforcing mode by running setenforce 1
Note that this is basically a specific example of the procedure on the Centos SELinux help - check it out.
I'm having the same issue in CentOS 5.4, SELinux getting in the way of Passenger.
Setting PassengerTempDir to /var/run/passenger simply gives you the same permission errors in the new directory instead of /tmp:
[Mon Feb 22 11:42:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create directory '/var/run/passenger/passenger.3686'
I can then change the security context of /var/run/passenger to get past this error:
chcon -R -h -t httpd_sys_content_t /var/run/passenger/
...and that lets Passenger create the temp directory, but not files within that directory:
[Mon Feb 22 12:07:06 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /var/run/passenger/passenger.3686/.guard: Permission denied (13)
Oddly, re-running the recursive chcon again doesn't get past this error, it keeps dying at this point, and this is where my SELinux knowledge gets murky.
The Phusion Passenger guide sections 6.3.5 and 6.3.7 have some useful thoughts, but they don't seem to completely resolve the problem.
You need more than just the httpd_sys_content_t permission. I use the following technique to get things started:
Start a tail on the audit log: tail -f /var/log/audit/audit.log
Reload Apache: apachectl restart
Go to the /tmp/ directory: cd /tmp
If only one line is added, use the command: tail -1 /var/log/audit/audit.log | audit2allow -M httpdfifo
After that, issue the command that allows Apache to create the FIFO from here: semodule -i httpdfifo.pp
Running setenforce 0 before starting will let you test if it's SELinux. Don't forget to run setenforce 1 afterwards.
I tried what Dan Sketcher and Fred Appleman suggested, i.e. repeat the following:
yum install setroubleshoot
echo > /var/log/audit/audit.log # clear irrelevant errors
cd ~
service httpd restart # try booting passenger -- audit.log now shows the relevant permission errors
tail -f /var/log/httpd/error_log # check that passenger is still failing due to permission errors
sealert -a /var/log/audit/audit.log > selinux-diag.txt # translate the permission errors
# read and check that you are happy with selinux-diag.txt
# and either follow its specific advice, or if it just wants you to grep into audit2allow, then:
cat /var/log/audit/audit.log | audit2allow -M mypol # grant everything just denied
semodule -i mypol.pp # commit new permissions (audit2allow -M mypol writes mypol.pp)
But after doing this 5 or 6 times, I kept coming up against new errors, and some of the same errors came up even after I had tried to permit them with "audit2allow".
In the end I just turned off SELinux, with:
echo 0 >/selinux/enforce
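An added example, not part of the original posts: several answers above pipe audit.log into audit2allow and load the result, so this sketch groups the AVC denials by source domain to show what would be granted before semodule -i is run. A plain grep httpd also matches records where httpd appears only in the target context, which the second sample denial illustrates. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration (not taken from the posts above).
SAMPLE_LOG = """\
type=AVC msg=audit(1263397300.101:41): avc:  denied  { create } for  pid=25235 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1263397300.102:42): avc:  denied  { write } for  pid=25235 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1263397300.102:42): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1263397301.200:43): avc:  denied  { search } for  pid=1491 comm="mysqld" name="html" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_access(log_text, source_type=None):
    """Group denied permissions by (source type, target type, object class)."""
    grants = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = selinux_type(m.group("scon"))
        if source_type and stype != source_type:
            continue  # denial belongs to another domain
        key = (stype, selinux_type(m.group("tcon")), m.group("tclass"))
        grants[key].update(m.group("perms").split())
    return dict(grants)

def allow_rules(grants):
    """Render the grouped denials as allow rules for review."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grants.items())
    ]

if __name__ == "__main__":
    print("All denials in the sample (every line contains 'httpd'):")
    print("\n".join(allow_rules(denied_access(SAMPLE_LOG))))
    print("Denials whose source domain is httpd_t:")
    print("\n".join(allow_rules(denied_access(SAMPLE_LOG, "httpd_t"))))
```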