I deployed Puppet Master and Puppet Agent on two different CentOS machines.
They used to communicate over SSL, but after the master server was rebooted, everything stopped working.
Httpd's conf.d contains puppetmaster.conf, so I need to run the httpd service.
When it worked, https://name:8140 showed "The environment must be purely alphanumeric, not ''", which indicated it was working normally.
I am sure I ran
"$sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'."
to make it start at boot.
It used to fail with an error that no socket was available to listen on, but I fixed that by killing the puppet process that was occupying the port.
Here is what I tried without success:
$sudo service httpd status
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 2min 13s ago
Process: 4144 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 4155 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─4155 /usr/sbin/httpd -DFOREGROUND
├─4180 PassengerAgent watchdog
├─4186 PassengerAgent server
├─4192 PassengerAgent logger
├─4203 /usr/sbin/httpd -DFOREGROUND
├─4204 /usr/sbin/httpd -DFOREGROUND
├─4205 /usr/sbin/httpd -DFOREGROUND
├─4206 /usr/sbin/httpd -DFOREGROUND
└─4207 /usr/sbin/httpd -DFOREGROUND
Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binar...bility.
***** Plugin sys_resource (37.5 confidence) suggests **********************...
Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
$sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
(IPtable)
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
(SELinux Status)
sudo cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
(HTTPD status -l)
sudo service httpd status -l
Redirecting to /bin/systemctl status -l httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 20min ago
Main PID: 4155 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─4155 /usr/sbin/httpd -DFOREGROUND
├─4180 PassengerAgent watchdog
├─4186 PassengerAgent server
├─4192 PassengerAgent logger
├─4203 /usr/sbin/httpd -DFOREGROUND
├─4204 /usr/sbin/httpd -DFOREGROUND
├─4205 /usr/sbin/httpd -DFOREGROUND
├─4206 /usr/sbin/httpd -DFOREGROUND
└─4207 /usr/sbin/httpd -DFOREGROUND
Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binaries/PassengerAgent from using the sys_resource capability.
***** Plugin sys_resource (37.5 confidence) suggests **********************
If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
Do
fix the cause of the SYS_RESOURCE on your system.
***** Plugin catchall_boolean (30.1 confidence) suggests ******************
If you want to allow httpd to run stickshift
Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
You can read 'None' man page for more details.
Do
setsebool -P httpd_run_stickshift 1
***** Plugin catchall_boolean (30.1 confidence) suggests ******************
If you want to allow httpd to setrlimit
Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
You can read 'None' man page for more details.
Do
setsebool -P httpd_setrlimit 1
***** Plugin catchall (4.20 confidence) suggests **************************
If you believe that PassengerAgent should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep PassengerAgent /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:52:58 vaio systemd[1]: Started The Apache HTTP Server.
Answer 1
Make sure iptables has "-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT".
Once connected, it will say "The environment must be purely alphanumeric, not ''", which is not an error.
Answer 2
The following steps, after repeated trial and error, brought the Puppet Master back to life. Thanks to Shane Madden for the guidance.
$ sudo service iptables restart
Redirecting to /bin/systemctl restart iptables.service
$ sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
$ sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'.
$ sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
$ sudo setenforce permissive
$ sudo sed -i 's\=enforcing\=permissive\g' /etc/sysconfig/selinux
$ sudo getenforce
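As an added example (not from the original question or either answer), a small POSIX shell script that checks, from saved command output, the things these answers turn on: the iptables ACCEPT rule for tcp/8140, httpd enabled at boot, the configured SELinux mode, and which process holds port 8140 (the "no socket available" case in the question). The sample inputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original question or answers. Each function
# reads saved command output on stdin, so the checks can be run offline against
# a copy of the master's configuration and status output.

# Input: iptables-save text or /etc/sysconfig/iptables. Succeeds when an INPUT
# rule accepts tcp/8140 (the rule Answer 1 requires).
has_8140_rule() {
  grep -Eq '^-A INPUT .*-p tcp .*--dport 8140 .*-j ACCEPT$'
}

# Input: `systemctl is-enabled httpd.service` output, or the "Loaded:" line of
# `systemctl status httpd.service`. Succeeds when httpd starts at boot.
httpd_enabled() {
  grep -Eq '^enabled$|^ *Loaded: loaded \(.*; enabled\)'
}

# Input: /etc/sysconfig/selinux. Prints the configured mode (enforcing,
# permissive or disabled), ignoring the comment lines that describe the values.
selinux_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p'
}

# Input: `ss -ltnp` output. Prints "<program> <pid>" for the listener on
# tcp/8140 so a stray puppet process is visible before httpd is restarted.
# Prints nothing when the port is free.
port_8140_owner() {
  sed -n 's/.*:8140 .*users:(("\([^"]*\)",pid=\([0-9]*\).*/\1 \2/p'
}

# Constructed sample output (not captured from a real host).
sample_rules='-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
sample_ss='LISTEN 0 128 *:8140 *:* users:(("httpd",pid=4155,fd=4))'

if printf '%s\n' "$sample_rules" | has_8140_rule; then echo "8140 rule: present"; fi
printf 'SELINUX=permissive\n' | selinux_mode
printf '%s\n' "$sample_ss" | port_8140_owner
```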