I am in the process of setting up a server to run a Ruby on Rails application on Fedora 12, using Passenger.
I am at the stage where I've installed Passenger, set it up as prescribed, but get the following errors when I restart Apache:
[Wed Jan 13 15:41:38 2010] [notice] caught SIGTERM, shutting down
[Wed Jan 13 15:41:40 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jan 13 15:41:40 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 13 15:41:40 2010] [notice] Digest: done
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [error] python_init: Python version mismatch, expected '2.6', found '2.6.2'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python executable found '/usr/bin/python'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python path being used '/usr/lib/python26.zip:/usr/lib/python2.6/:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload'.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: using mutex_directory /tmp
[Wed Jan 13 15:41:40 2010] [notice] Apache/2.2.14 (Unix) DAV/2 Phusion_Passenger/2.2.9 PHP/5.3.0 mod_python/3.3.1 Python/2.6.2 mod_ssl/2.2.14 OpenSSL/1.0.0-fips-beta3 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
As you can see, there is a permissions problem when Passenger is trying to initialize:
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
When Apache is starts, it does create a file in /tmp:
d-ws--x--x. 2 root root 4096 2010-01-13 16:04 passenger.26117
If instead I run the app by firing up mongrel directly with mongrel_rails start -e production, I see the following:
ActiveRecord::StatementInvalid (Mysql::Error: Can't create/write to file '/tmp/#sql_5d3_0.MYI' (Errcode: 13): SHOW FIELDS FROM `users`):
Again the error points to permission issues with the /tmp directory.
I am at a loss as to what the solution is. I'm not sure if it is related to simply directory permissions or Fedora's SELinux security.
Any help would be appreciated. Thanks.
I did the same as Fred, except that instead of doing it one error at a time:
Go into permissive mode by running setenforce 0
Restart apache, and hit your site and use it for a while as normal
Run grep httpd /var/log/audit/audit.log | audit2allow -M passenger
semodule -i passenger.pp
Go back to enforcing mode by running setenforce 1
Restart apache and test your site - hopefully it should all be working as before!
Note that this is basically a specific example of the procedure on the Centos SELinux help - check it out.
I'm having the same issue in CentOS 5.4, SELinux getting in the way of Passenger.
Setting PassengerTempDir to /var/run/passenger simply gives you the same permission errors in the new directory instead of /tmp :
[Mon Feb 22 11:42:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create directory '/var/run/passenger/passenger.3686'
I can then change the security context of /var/run/passenger to get past this error:
chcon -R -h -t httpd_sys_content_t /var/run/passenger/
...and that lets Passenger create the temp directory, but not files within that directory:
[Mon Feb 22 12:07:06 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /var/run/passenger/passenger.3686/.guard: Permission denied (13)
Oddly, re-running the recursive chcon again doesn't get past this error, it keeps dying at this point, and this is where my SELinux knowledge gets murky.
The Phusion Passenger guide sections 6.3.5 and 6.3.7 have some useful thoughts, but they don't seem to completely resolve the problem.
You need more than just the httpd_sys_content_t permission. I use the following technique to get things started:
start a tail on the audit log: tail -f /var/log/audit/audit.log
reload apache: apachectl restart
Go to the /tmp/directory: cd /tmp
If just 1 line is added use the command: tail -1 /var/log/audit/audit.log | audit2allow -M httpdfifo
Note that the name 'httpdfifo' is just a name chosen to reflect the kind of error that has been observed.
This will create a file named 'httpdfifo.pp'. To allow apache to create a FIFO from here on after you have to issue the command: semodule -i httpdfifo.pp
Continue to do this until all audit errors have been resolved (It took 4 different kind of permissions on my system running Centos 5.4)
Running setenforce 0 before starting will let you test if it's SELinux. Don't forget to run setenforce 1 afterwards.
I tried what Dan Sketcher and Fred Appleman suggested, i.e. repeat the following:
yum install setroubleshoot
echo > /var/log/audit/audit.log # clear irrelevant errors
cd ~
service httpd restart # try booting passenger -- audit.log now shows the relevant permission errors
tail -f /var/log/httpd/error_log # check that passenger is still failing due to permission errors
sealert -a /var/log/audit/audit.log > selinux-diag.txt # translate the permission errors
# read and check that you are happy with selinux-diag.txt
# and either follow its specific advice, or if it just wants you to grep into audit2allow, then:
cat /var/log/audit/audit.log | audit2allow -M mypol # grant everything just denied
semodule -i mypol.p # commit new permissions
But after doing this 5 or 6 times, I kept coming up against new errors, and some of the same errors came up even after I had tried to permit them with "audit2allow".
In the end I just turned off SELinux, with:
echo 0 >/selinux/enforce
Related
Tried to install Flexget. On the Options website it shows that there is config defined here
How does it work? it says the type is types.lines. Tried to write some random text, but the config file is not created and the daemon fails to start.
Edit:
So here is my configs inside configuration.nix:
services.flexget = {
enable = true;
config = "asdas\n asdas";
};
and when I run sudo nixos-rebuild switch this is what happens:
building Nix...
building the system configuration...
NOT restarting the following changed units: systemd-fsck#dev-disk-by\x2dlabel-FuHua.service, systemd-fsck#dev-disk-by\x2duuid-25A4\x2d32EA.service
activating the configuration...
setting up /etc...
reloading user units for shalva...
setting up tmpfiles
reloading the following units: dbus.service
the following new units were started: flexget-runner.timer, flexget.service
warning: the following units failed: flexget-runner.service
× flexget-runner.service - FlexGet Runner
Loaded: loaded (/etc/systemd/system/flexget-runner.service; linked; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2022-04-28 10:34:20 UTC; 129ms ago
TriggeredBy: ● flexget-runner.timer
Process: 92136 ExecStart=/nix/store/1pdq67nfjw2mad5s679dfgm5h98bm4xm-flexget-3.1.153/bin/flexget -c /var/lib/deluge/flexget.yml execute (code=exited, status=217/USER)
Main PID: 92136 (code=exited, status=217/USER)
IP: 0B in, 0B out
CPU: 799us
Apr 28 10:34:20 Lenovo-7200 systemd[1]: Started FlexGet Runner.
Apr 28 10:34:20 Lenovo-7200 systemd[92136]: flexget-runner.service: Failed to determine user credentials: No such process
Apr 28 10:34:20 Lenovo-7200 systemd[92136]: flexget-runner.service: Failed at step USER spawning /nix/store/1pdq67nfjw2mad5s679dfgm5h98bm4xm-flexget-3.1.153/bin/flexget: No such process
Apr 28 10:34:20 Lenovo-7200 systemd[1]: flexget-runner.service: Main process exited, code=exited, status=217/USER
Apr 28 10:34:20 Lenovo-7200 systemd[1]: flexget-runner.service: Failed with result 'exit-code'.
warning: error(s) occurred while switching to the new configuration
I htink the problem is in /nix/store/1pdq67nfjw2mad5s679dfgm5h98bm4xm-flexget-3.1.153/bin/flexget -c /var/lib/deluge/flexget.yml. Because the config file is not created. here is the output of it:
shalva in Lenovo-7200 in ~ took 16s
❯ /nix/store/1pdq67nfjw2mad5s679dfgm5h98bm4xm-flexget-3.1.153/bin/flexget -c /var/lib/deluge/flexget.yml
Could not instantiate manager: Config `/var/lib/deluge/flexget.yml` does not appear to be a file.
my expectation is that config = "asdas\n asdas"; should at least create config file at /var/lib/deluge/flexget.yml, right? I know it will still fail because it wont be valid config, but at least it should be created...
Flexget is a software which is meant to be run together with deluge, therefore it expects the user deluge and its home directory to be available. The service will not create the user deluge by itself.
Enable deluge and flexget will start up correctly:
services.deluge.enable = true;
services.deluge.package = pkgs.deluge-2_x;
If you want to only run flexget without deluge you need to have the directory created and either change the flexget user and create the user deluge by hand.
I have everything installed as per this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-setup-a-rails-4-app-with-apache-and-passenger-on-centos-6
But when I go to the website, I get an error, and in the error log it shows this:
[ 2015-02-26 16:17:47.3041 28207/7f7326058780 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[Thu Feb 26 16:17:47.305819 2015] [mpm_prefork:notice] [pid 28184] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 Phusion_Passenger/4.0.59 mod_perl/2.0.9-dev Perl/v5.16.3 configured -- resuming normal operations
[Thu Feb 26 16:17:47.305844 2015] [core:notice] [pid 28184] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[ 2015-02-26 16:22:04.7157 28225/7f2c65840840 apache2/Hooks.cpp:151 ]: A filesystem exception occured.
Message: Cannot stat '/var/www/vhosts/blah.blah/httpdocs/config.ru
Backtrace:
in 'void Passenger::DirectoryMapper::autoDetect()' (DirectoryMapper.h:144)
in 'bool Hooks::prepareRequest(request_rec*, Passenger::DirConfig*, const char*, bool)' (Hooks.cpp:374)
Can anyone help?
The config.ru file was auto generated by rails, and it has these lines:
# This file is used by Rack-based servers to start the application.
require ::File.expand_path('../config/environment', __FILE__)
run BlahBlah::Application
Your problem can be related to the following things:
config.ru file is not exists by the specified path
Try to execute command for check this:
ls -la /var/www/vhosts/blah.blah/httpdocs/config.ru
Passenger doesn't have permissions to read this file
Try to execute command for check this:
namei -lm /var/www/vhosts/blah.blah/httpdocs/config.ru
P.S.
I noticed you are using shared hosting. Don't use them if you want to avoid a lot of different problems. Use VPS servers instead. Like Digital Ocean or Linode for Rails applications.
I've been trying to set up webistrano on one of our servers. Everything went well, until I tried deploying my set up. Webistrano is currenlty set up to live on the test server, so I want it to deploy to 127.0.0.1
The configuration contains valid user, webistrano, that should have access to
/home/webistrano/.subversion/servers
the password for that user is correct. Could someone shed some light as to what might be going wrong with it?
*** SSH options: setting ssh_port to: 22
*** LOCAL SCM ERROR: svn: warning: Can't open file '/home/webistrano/.subversion/servers': Permission denied
* executing `deploy'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
* executing "svn checkout -q --username webistrano --password XXXXXXXX --no-auth-cache -r27687 http://server.com/repos/server/clients/site/trunk /var/www/vhosts/server.com/releases/20121001183038 && (echo 27687 > /var/www/vhosts/server.com/releases/20121001183038/REVISION)"
servers: ["127.0.0.1"]
*** [deploy:update_code] rolling back
* executing "rm -rf /var/www/vhosts/server.com/releases/20121001183038; true"
servers: ["127.0.0.1"]
** [deploy:update_code] exception while rolling back: Capistrano::ConnectionError, connection failed for: 127.0.0.1 (Errno::EACCES: Permission denied - connect(2))
*** connection failed for: 127.0.0.1 (Errno::EACCES: Permission denied - connect(2))
debugging with
puts system('id') in deployer.rb returns
uid=500(webistrano) gid=500(webistrano) groups=500(webistrano) context=unconfined_u:system_r:httpd_t:s0
and ls -all /home/webistrano returns:
drwxrwxr-x. 3 webistrano webistrano 4096 Sep 27 16:59 .subversion
ls -all /home/webistrano/.subversion returns:
drwxrwxr-x. 3 webistrano webistrano 4096 Oct 1 20:02 .
drwx------. 4 webistrano webistrano 4096 Oct 1 22:14 ..
drwx------. 6 webistrano webistrano 4096 Sep 27 16:59 auth
-rw-rw-r--. 1 webistrano webistrano 6866 Sep 27 16:59 config
-rw-rw-r--. 1 webistrano webistrano 4276 Sep 27 16:59 README.txt
-rw-rw-r--. 1 webistrano webistrano 7674 Oct 1 20:02 servers
Which shows that servers should be fully readable by everyone?
What's going on?
It turns out this was an issue with Passenger.
Phusion Passenger is supposed to run as the user who owns conf/environment.conf (which in my case was webistrano). Displaying the user id also showed webistrano, but if I changed it to run as nobody, the svn error stopped appearing. I was unable to svn export the code though, probably because nobody does not have a home directory.
I ended up running webistrano through mongrel, and starting it by doing:
$ su - webistrano
to make sure that the correct home environment is loaded and all the permissions are correct.
It works perfect now . Hope this helps somebody
Ok I thought I was close to getting passenger and Apache working. I notice that some gem files were not installed after navigating to the url to see if my rails app was working. Passanger error page let me know what gems were missing so I got them installed.
Now going to the URL I get a 500 Apache internal error page with no helpful info so I checked out the log file on the server and here is what I see.
Rails Error: Unable to access log file. Please ensure that /home/mydirectory/dev/vb/log/production.log exists and is chmod 0666. $
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
[Tue Dec 07 20:12:17 2010] [error] [client 64.58.208.22] Premature end of script headers:
[ pid=20653 thr=140618873321280 file=ext/apache2/Hooks.cpp:816 time=2010-12-07 20:12:17.617 ]: The backend application (proce$
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
[Tue Dec 07 20:12:43 2010] [error] [client 64.58.208.22] Premature end of script headers:
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
[Tue Dec 07 20:13:25 2010] [error] [client 64.58.208.22] Premature end of script headers:
[ pid=21932 thr=140618873321280 file=ext/apache2/Hooks.cpp:816 time=2010-12-07 20:13:25.168 ]: The backend application (proce$
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
[Tue Dec 07 20:13:31 2010] [error] [client 64.58.208.22] Premature end of script headers:
[ pid=20623 thr=140618873321280 file=ext/apache2/Hooks.cpp:816 time=2010-12-07 20:13:31.266 ]: The backend application (proce$
Rails Error: Unable to access log file. Please ensure that /home/mydirectory/dev/vb/log/production.log exists and is chmod 0666. $
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
[Tue Dec 07 20:24:56 2010] [error] [client 64.58.208.22] Premature end of script headers:
[ pid=20622 thr=140618873321280 file=ext/apache2/Hooks.cpp:816 time=2010-12-07 20:24:56.442 ]: The backend application (proce$
Rack: /home/mydirectory/dev/vb: symbol lookup error: /usr/local/rvm/gems/ruby-1.9.2-p0#prodset/gems/sqlite3-ruby-1.2.4/lib/sqlite$
anyone have any suggestions on what I should look at next. I have tried running bundler and also using rvm to install sqlite3 and I still have the same issue.
thanks again for any help
Did you checked the suggestion on the first line of the error log?
Rails Error: Unable to access log file. Please ensure that /home/mydirectory/dev/vb/log/production.log exists and is chmod 0666.
I have a mongrel server running behind Apache. It works fine; however, every now and then the Apache server shuts downs seemingly by itself. I'm not sure if there is configuration issue or if it's an attack. Here is Apache error log:
[Thu Apr 30 02:15:07 2009] [notice] SIGHUP received. Attempting to restart
[Thu Apr 30 02:15:07 2009] [warn] NameVirtualHost *:0 has no VirtualHosts
[Thu Apr 30 02:15:07 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Thu Apr 30 02:17:13 2009] [error] [client 61.139.105.163] File does not exist: /var/www/fastenv
[Thu Apr 30 02:24:06 2009] [error] [client 61.139.105.163] File does not exist: /var/www/fastenv
[Thu Apr 30 10:49:18 2009] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Apr 30 10:49:18 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Thu Apr 30 12:53:08 2009] [notice] SIGHUP received. Attempting to restart
[Thu Apr 30 12:53:08 2009] [warn] NameVirtualHost *:0 has no VirtualHosts
[Thu Apr 30 12:53:08 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Thu Apr 30 12:59:15 2009] [notice] SIGHUP received. Attempting to restart
[Thu Apr 30 12:59:15 2009] [warn] NameVirtualHost *:0 has no VirtualHosts
[Thu Apr 30 12:59:15 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Thu Apr 30 13:58:49 2009] [notice] SIGHUP received. Attempting to restart
[Thu Apr 30 13:58:49 2009] [warn] NameVirtualHost *:0 has no VirtualHosts
[Thu Apr 30 13:58:49 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Fri May 01 10:59:07 2009] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Fri May 01 10:59:07 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
[Fri May 01 17:51:15 2009] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Fri May 01 17:51:15 2009] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 configured -- resuming normal operations
Not quite sure what is /var/www/fastenv but I don't think there is anything in my application that calls that. Also, website is still in Beta mode with few users and I don't think any have 61.139.105.163 IP address but it's possible that they might have it.
Any ideas? It would be good if you can give me hints where to look or how to go about anaysing this problem
I have the exact same log from the same IP. Looking it up shows it to belong to the Chinese government. It appears to be a scan using server side includes to find out as much as they can about your server. I banned the IP.
Not sure this is entirely programming-related, but anyway... none of those look like serious errors to me. The accesses to /var/www/fastenv just mean that the computer at IP address 61.139.105.163 sent a request for http://www.example.com/fastenv or something like that (it depends on exactly how you've configured your virtual hosts); I'd look at the access log for more information, to see what other requests have been coming from that IP address. It's probably not anything to worry about.
The line about NameVirtualHost *:0 means that somewhere in your configuration file you have an incorrect NameVirtualHost directive, maybe with no arguments. You should probably look for that and remove it, but if the server is running fine anyway, it's not a big deal.
The reason your server is terminating (restarting, actually) appears to be a SIGHUP - that is, something on the system is sending Apache a signal telling it to restart. It's basically the same thing that happens if you run apache2 restart, I think. Without knowing what's sending that signal, there's not more I can say.
61.139.105.163 is known for doing all kinds of hacking type things, just google the IP address. You should definitly ban this IP address.
Click on Apache Config --> Apache(httpd.conf)
Search for #Listen 12.34.56.78:80 and replace it with #Listen 12.34.56.78:8081.
Search for Listen 80 and replace it with Listen 8081.
Now you can start Apache now, and can run it with this URL: localhost:8081/xampp/