Puppet Master on CentOS 7 - gone after reboot

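I deployed Puppet Master and Puppet Agent on two different CentOS machines.

They used to communicate with each other over SSL, but after the master server was rebooted, everything was gone.

Httpd's conf.d contains puppetmaster.conf, so I need the httpd service running.

When it was working, https://name:8140 showed "The environment must be purely alphanumeric, not ''", which means it was working properly.

I'm sure I ran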

"$sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'."

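to make it start at boot.

It used to fail because no socket was available to listen on, but I solved that by killing the puppet process that was occupying the port.

Here is what I have tried, without success: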

$sudo service httpd status
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 2min 13s ago
  Process: 4144 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 4155 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4155 /usr/sbin/httpd -DFOREGROUND
           ├─4180 PassengerAgent watchdog
           ├─4186 PassengerAgent server
           ├─4192 PassengerAgent logger
           ├─4203 /usr/sbin/httpd -DFOREGROUND
           ├─4204 /usr/sbin/httpd -DFOREGROUND
           ├─4205 /usr/sbin/httpd -DFOREGROUND
           ├─4206 /usr/sbin/httpd -DFOREGROUND
           └─4207 /usr/sbin/httpd -DFOREGROUND

Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binar...bility.

                                   *****  Plugin sys_resource (37.5 confidence) suggests   **********************...
Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.


$sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service


(IPtable)
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


(SELinux Status)
 sudo cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

(HTTPD status -l)

sudo service httpd status -l
Redirecting to /bin/systemctl status  -l httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 20min ago
 Main PID: 4155 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4155 /usr/sbin/httpd -DFOREGROUND
           ├─4180 PassengerAgent watchdog                                                 
           ├─4186 PassengerAgent server                                                 
           ├─4192 PassengerAgent logger                                                 
           ├─4203 /usr/sbin/httpd -DFOREGROUND
           ├─4204 /usr/sbin/httpd -DFOREGROUND
           ├─4205 /usr/sbin/httpd -DFOREGROUND
           ├─4206 /usr/sbin/httpd -DFOREGROUND
           └─4207 /usr/sbin/httpd -DFOREGROUND

Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binaries/PassengerAgent from using the sys_resource capability.

                               *****  Plugin sys_resource (37.5 confidence) suggests   **********************

                               If you do not want processes to require capabilities to use up all the system resources on your system;
                               Then you need to diagnose why your system is running out of system resources and fix the problem.  

                               According to /usr/include/linux/capability.h, sys_resource is required to:

                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */
                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */
                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */

                               Do
                               fix the cause of the SYS_RESOURCE on your system.

                               *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

                               If you want to allow httpd to run stickshift
                               Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
                               You can read 'None' man page for more details.
                               Do
                               setsebool -P httpd_run_stickshift 1

                               *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

                               If you want to allow httpd to setrlimit
                               Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
                               You can read 'None' man page for more details.
                               Do
                               setsebool -P httpd_setrlimit 1

                               *****  Plugin catchall (4.20 confidence) suggests   **************************

                               If you believe that PassengerAgent should have the sys_resource capability by default.
                               Then you should report this as a bug.
                               You can generate a local policy module to allow this access.
                               Do
                               allow this access for now by executing:
                               # grep PassengerAgent /var/log/audit/audit.log | audit2allow -M mypol
                               # semodule -i mypol.pp

Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:52:58 vaio systemd[1]: Started The Apache HTTP Server.

Answer 1

Make sure iptables has "-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT".

Once connected, it will say "The environment must be purely alphanumeric, not ''", which is not an error.
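
Added example (not part of the original answer): iptables evaluates INPUT rules in order, so the port 8140 rule only takes effect if it sits above the catch-all REJECT, as it does in the ruleset from the question. The function name `check_port_open` and the second, reordered ruleset are constructed for illustration, and only single-port `--dport` rules are recognised.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Reads iptables-save style rules on stdin and prints, for TCP port $1:
#   open     - an ACCEPT rule for the port precedes any catch-all REJECT/DROP
#   shadowed - the ACCEPT rule exists but sits below a catch-all REJECT/DROP
#   missing  - no ACCEPT rule for the port in the INPUT chain
# Assumption: only single-port "--dport N" rules in INPUT are recognised.
check_port_open() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    { rule++ }
    # Catch-all: "-A INPUT -j REJECT|DROP" with no match options before -j.
    $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && !block { block = rule }
    {
      tcp = 0; dport = 0; accept = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p" && $(i+1) == "tcp") tcp = 1
        if ($i == "--dport" && $(i+1) == port) dport = 1
        if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
      }
      if (tcp && dport && accept && !allow) allow = rule
    }
    END {
      if (!allow) print "missing"
      else if (block && block < allow) print "shadowed"
      else print "open"
    }'
}

# INPUT chain as posted in the question.
PAGE_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed variant: the same 8140 rule placed below the catch-all REJECT.
APPENDED_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT'

printf '%s\n' "$PAGE_RULES" | check_port_open 8140
printf '%s\n' "$APPENDED_RULES" | check_port_open 8140
```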

Answer 2

The following steps, arrived at by trial and error, brought the Puppet Master back to life. Thanks to Shane Madden for the guidance.

$ sudo service iptables restart
Redirecting to /bin/systemctl restart  iptables.service
$ sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service
$ sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'.
$ sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service
$ sudo setenforce permissive 
$ sudo sed -i 's\=enforcing\=permissive\g' /etc/sysconfig/selinux
$ sudo getenforce
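
Added example (not part of the original answer): the steps above put SELinux in permissive mode for the whole system, while the setroubleshoot message in the question also names narrower booleans. This script pulls the denied access and those proposed booleans out of the message so they can be reviewed individually; `summarize_denial` is a hypothetical name and the sample text is abridged from the question's output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Reads a setroubleshoot message (as printed by `systemctl status -l`) on stdin
# and prints one line per proposed boolean:
#   <denied process> <capability> <boolean> <plugin confidence>
summarize_denial() {
  awk '
    # "SELinux is preventing <path> from using the <cap> capability."
    /SELinux is preventing/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "preventing") { n = split($(i+1), p, "/"); proc = p[n] }
        if ($i == "the" && $(i+2) ~ /^capability/) cap = $(i+1)
      }
    }
    # "***** Plugin <name> (<n> confidence) suggests ***"
    $2 == "Plugin" && $5 == "confidence)" { conf = substr($4, 2) }
    # Command listed under "Do" by the catchall_boolean plugin.
    $1 == "setsebool" { printf "%s %s %s %s\n", proc, cap, $3, conf }
  '
}

# Sample input: lines abridged from the status output in the question.
SAMPLE_MSG='Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binaries/PassengerAgent from using the sys_resource capability.
*****  Plugin sys_resource (37.5 confidence) suggests   **********************
Do
fix the cause of the SYS_RESOURCE on your system.
*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
If you want to allow httpd to run stickshift
Do
setsebool -P httpd_run_stickshift 1
*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
If you want to allow httpd to setrlimit
Do
setsebool -P httpd_setrlimit 1'

printf '%s\n' "$SAMPLE_MSG" | summarize_denial
```

Each boolean it lists can be inspected with `getsebool <name>` before deciding whether to enable it.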
