我尝试在 CentOS 6 上使用 mariadb、nginx 1.4、php 5.4.x 设置 Cacti
我无法更新图表
我的 cacti 文件全部归用户 nginx 所有,所以我的 crontab 文件 /etc/cron.d/cacti 有
*/5 * * * * nginx /usr/bin/php -q /usr/share/nginx/html/cacti/poller.php > /var/local/log/poller.log 2>&1
但是,我看到它在 cron 日志中运行,但它没有在 poller.log 中产生任何输出,也没有更新 cacti.log。
Oct 13 12:20:01 srv CROND[14644]: (nginx) CMD ( /usr/bin/php -q usr/share/nginx/html/cacti/poller.php > /var/local/log/poller.log 2>&1)
我可以运行sudo -u nginx /usr/bin/php -q /usr/share/nginx/html/cacti/poller.php并查看输出,它似乎更新了.rrd文件。此外,我运行过一次sudo -u nginx php -q cli/rebuild_poller_cache.php,不知怎么地我在图表上得到了一个数据点,但我甚至无法再手动更新图表了。
cacti.log 中似乎没有任何有用的信息(仅在手动运行时才会更新)。我也没有在/var/log/secure有关 SELinux 的文件中看到任何信息,但我可能错过了(不确定要查找什么)。
我应该在哪里修复这个问题?为什么 cronjob 正在运行却不起作用?我怎样才能让图表再次更新?
更新:我觉得我明白问题所在了。我没有查看实际 rra 文件夹的权限,只查看了它的符号链接。我会尝试修复它。
相关rra文件的权限:
$ lll /usr/share/nginx/html/cacti/rra
lrwxrwxrwx. 1 nginx nginx 18 Oct 12 23:21 /usr/share/nginx/html/cacti/rra -> /var/lib/cacti/rra
$ lll /usr/share/nginx/html/cacti/rra/
total 340
drwxr-xr-x. 2 cacti root 4096 Oct 13 00:32 .
drwxr-xr-x. 5 root root 4096 Oct 12 23:21 ..
-rw-r--r--. 1 nginx nginx 141640 Oct 13 12:12 localhost_load_1min_5.rrd
-rw-r--r--. 1 nginx nginx 47992 Oct 13 12:12 localhost_mem_buffers_3.rrd
-rw-r--r--. 1 nginx nginx 47992 Oct 13 12:12 localhost_mem_swap_4.rrd
-rw-r--r--. 1 nginx nginx 47992 Oct 13 12:12 localhost_proc_7.rrd
-rw-r--r--. 1 nginx nginx 47992 Oct 13 12:12 localhost_users_6.rrd
$ lll /var/lib/cacti/
total 20
drwxr-xr-x. 5 root root 4096 Oct 12 23:21 .
drwxr-xr-x. 38 root root 4096 Oct 12 23:21 ..
drwxr-xr-x. 2 root root 4096 Oct 12 23:21 cli
lrwxrwxrwx. 1 root root 24 Oct 12 23:21 include -> /usr/share/cacti/include
lrwxrwxrwx. 1 root root 20 Oct 12 23:21 lib -> /usr/share/cacti/lib
drwxr-xr-x. 2 cacti root 4096 Oct 13 00:32 rra
drwxr-xr-x. 2 root root 4096 Oct 12 23:21 scripts
这是我的部分audit.log(非常重复)
[matt@srv ~]$ sudo cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1381785901.286:31729): avc: denied { getattr } for pid=22067 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381786201.333:31742): avc: denied { getattr } for pid=22087 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381786501.374:31749): avc: denied { getattr } for pid=22114 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381786801.418:31762): avc: denied { getattr } for pid=22134 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381787101.450:31769): avc: denied { getattr } for pid=22151 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381787401.493:31782): avc: denied { getattr } for pid=22171 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381787701.543:31789): avc: denied { getattr } for pid=22188 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381788001.595:31800): avc: denied { getattr } for pid=22208 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=2224026 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
答案1
我必须修复符号链接目录的父级权限
/var/lib/cacti/rra
/var/log/cacti
注意:
$ ll /usr/share/cacti/
total 868
...
lrwxrwxrwx. 1 nginx nginx 18 Oct 12 23:21 cli -> /var/lib/cacti/cli
...
lrwxrwxrwx. 1 nginx nginx 15 Oct 12 23:21 log -> /var/log/cacti/
...
lrwxrwxrwx. 1 nginx nginx 18 Oct 12 23:21 rra -> /var/lib/cacti/rra
...
lrwxrwxrwx. 1 nginx nginx 22 Oct 12 23:21 scripts -> /var/lib/cacti/scripts
固定的:
chown -R nginx:nginx /var/log/cacti/
chown -R nginx:nginx /var/lib/cacti/rra