Can't upload files in redmine (using centos 7) - permissions

I installed redmine 2.6.6.stable in a centos 7 vm (kernel 3.10.0-229.7.2.el7.x86_64). So far it's fine, but I'm currently unable to upload files.
Googling around I found out that Passenger writes these files (https://www.redmine.org/issues/8817), and it probably doesn't have the correct write permissions.
But I tried to fix it for the last 2 hours, with no success.
Apache's error_log when I try to upload something:
App 3419 stderr: Errno::EACCES (Permission denied - /var/www/html/vhosts/redmine/files/2015/08/150811151550_icon.png):
App 3419 stderr: app/models/attachment.rb:108:in `initialize'
App 3419 stderr: app/models/attachment.rb:108:in `open'
App 3419 stderr: app/models/attachment.rb:108:in `files_to_final_location'
App 3419 stderr: app/controllers/attachments_controller.rb:88:in `upload'
These are the current permissions for my redmine directory:
[root@server ~]# ls -l /var/www/html/vhosts/redmine/
total 44
drwxr-xr-x. 7 apache apache 78 Jul 7 16:47 app
drwxr-xr-x. 5 apache apache 4096 Jul 24 08:42 config
-rwxr-xr-x. 1 apache apache 160 Jul 7 16:47 config.ru
-rwxr-xr-x. 1 apache apache 240 Jul 7 16:47 CONTRIBUTING.md
drwxr-xr-x. 3 apache apache 36 Jul 24 08:37 db
drwxr-xr-x. 2 apache apache 107 Jul 7 16:47 doc
drwxr-xr-x. 5 apache apache 55 Jul 7 16:47 extra
drwxrwxr-x. 3 apache nobody 33 Aug 11 15:05 files
-rwxr-xr-x. 1 apache apache 3714 Jul 7 16:47 Gemfile
-rwxr-xr-x. 1 apache apache 3668 Jul 24 08:24 Gemfile.lock
drwxr-xr-x. 8 apache apache 4096 Jul 7 16:47 lib
drwxr-xr-x. 2 apache apache 43 Jul 24 08:36 log
drwxr-xr-x. 2 apache apache 19 Jul 7 16:47 plugins
drwxr-xr-x. 8 apache apache 4096 Jul 24 08:38 public
-rwxr-xr-x. 1 apache apache 275 Jul 7 16:47 Rakefile
-rwxr-xr-x. 1 apache apache 205 Jul 7 16:47 README.rdoc
drwxr-xr-x. 2 apache apache 30 Jul 7 16:47 script
drwxr-xr-x. 9 apache apache 4096 Jul 7 16:46 test
drwxr-xr-x. 8 apache apache 85 Jul 7 16:47 tmp
drwxr-xr-x. 2 apache apache 6 Jul 7 16:47 vendor
I tried to change the user that Passenger runs as, but had no success. Apparently it has some trouble in CentOS 7, and this server also runs a GitLab instance, so I quit trying to change it and tried chmoding and chowning my files directory.
My passenger conf:
[root@server ~]# cat /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.0.14/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/share/gems/gems/passenger-5.0.14
PassengerDefaultRuby /usr/bin/ruby
PassengerUser apache
</IfModule>
No matter how I try to change the PassengerUser (also tried PassengerDefaultUser a few times) parameter, I get the "nobody" user to run it:
[root@server ~]# ps aux | grep Passenger
root 2785 0.0 0.2 430108 4604 ? Ssl 15:09 0:00 Passenger watchdog
root 2789 0.0 0.3 645040 6348 ? Sl 15:09 0:00 Passenger core
nobody 2798 0.0 0.2 298768 4676 ? Sl 15:09 0:00 Passenger ust-router
apache 3448 0.0 5.6 414536 106948 ? Sl 15:15 0:00 Passenger RubyApp: /var/www/html/vhosts/redmine
root 4556 0.0 0.0 112640 972 pts/0 R+ 15:26 0:00 grep --color=auto Passenger
You have new mail in /var/spool/mail/root
Did somebody get the same issue? How can I troubleshoot it?

I found out that SELinux was preventing my apache from writing to the directory. The solution, keeping SELinux enforcing, was to add the following rule: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/vhosts/redmine/files(/.*)?", and then apply the settings with restorecon -Rv /var/www/html/vhosts/redmine.
Source: http://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/


Apache2 proxy showing 2 slots and PIDs?

I'm running one single Tomcat webserver behind an apache2 proxy. But localhost:443/status shows:
Slot  PID   Stopping  Connections        Threads       Async connections
                      total  accepting   busy  idle    writing  keep-al  closing
0     1578  no        0      yes         0     25      0        0        0
1     1577  no        1      yes         1     24      0        1        0
Sum   2     0         1                  1     49      0        1        0
I wonder why I might have 2 PIDs running? What I especially don't like is that apache has 50 workers, but reserves 25 worker threads for each of the PIDs. Ideally I'd want to have all 50 workers reserved for the Tomcat server.
Could this be due to my setup of 2 virtual hosts in /etc/apache2/sites-enabled/mypage.conf:
<VirtualHost *:443>
..
</VirtualHost>
<VirtualHost *:80>
Redirect / https://myserver.com/
</VirtualHost>
I just have this to redirect any non-HTTPS requests. Could this trigger those 2 PIDs? If yes: most likely only a few requests will come in on port 80, so I would want to assign most of the workers to the HTTPS host. Is that possible?
What I also noticed: ps aux | grep apache2 gives 5 processes:
www-data 1577 0.0 0.1 2090340 14644 ? Sl 06:25 0:04 /usr/sbin/apache2 -k start
www-data 1578 0.0 0.1 2024812 12948 ? Sl 06:25 0:05 /usr/sbin/apache2 -k start
root 1679 0.0 0.1 92580 8196 ? Ss Jan08 0:44 /usr/sbin/apache2 -k start
www-data 1757 0.0 0.0 19904 172 ? Ss Jan08 0:29 /usr/bin/htcacheclean -d 120 -p /var/cache/apache2/mod_cache_disk -l 300M -n
mysshusr 19322 0.0 0.0 14856 1100 pts/0 S+ 10:53 0:00 grep --color=auto apache2
Are those the worker threads?

Issue with www-data and group read for site folder

I'm locking down some permissions, and now nginx has trouble seeing my site.
Background:
I deploy & run the CLI using the mysite user.
I want both mysite and www-data to have access to the site's folder.
The mysite and www-data users both belong to the www-data group:
root@dev:~# groups mysite
mysite : mysite www-data
root@dev:~#
root@dev:~# groups www-data
www-data : www-data
The folder (it has group permissions):
drwxrwx--- 3 mysite www-data 4096 Jun 26 14:12 sites/
www-data trying to get to it:
root@dev:~# sudo -u www-data stat /home/mysite/sites/
stat: cannot stat ‘/home/mysite/sites/’: Permission denied
www-data can see the parent folders fine:
root@dev:~# sudo -u www-data stat /home/
File: ‘/home/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1179649 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-10-19 10:59:05.845267219 -0400
Modify: 2016-06-26 14:12:24.890310000 -0400
Change: 2016-06-26 14:12:24.890310000 -0400
Birth: -
root@dev:~# sudo -u www-data stat /home/mysite/
File: ‘/home/mysite/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1180062 Links: 10
Access: (0770/drwxrwx---) Uid: ( 1000/ mysite) Gid: ( 1000/ mysite)
Access: 2016-10-19 10:59:10.081267219 -0400
Modify: 2016-10-19 10:35:01.221267219 -0400
Change: 2016-10-19 10:35:01.221267219 -0400
Birth: -
I've also checked to see if SELinux was messing with it:
root@dev:~# setenforce 0
setenforce: SELinux is disabled
I've also tried:
chown www-data:www-data /home/mysite/sites/
Update 10/19/2016:
Setting the acl on the folder that 'sites' belongs to got this working the way I have it setup:
setfacl --modify=g:www-data:x /home/mysite
Any web server requires executable permissions (but not read) to all parent directories that contain the site. Setting an ACL on the home directory like that works.
You also could have changed the group of /home/mysite to www-data and locked down permissions of that directory to 710.
Another solution would have been to move the sites directory someplace less restricted than a home directory, like /var/www, but keep the existing locked down permissions on the sites directory.
I likely would have gone with your solution, or moving the site to /var/www.
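As an added illustration of the point made in the answer above (example code written for this page, not anything the asker or answerer posted), the following Python walks a path the way the kernel does: every parent directory needs the search bit ('x') for the calling user, and only the final component needs the access actually requested. The directory tree is constructed from the stat and ls output in the question; the ACL and chgrp variants reproduce the two fixes discussed, and the chown variant shows why the asker's first attempt could not help. It does not model root's DAC bypass and assumes the ACL mask permits the named entry, which is what setfacl -m produces by default.

```python
"""Path-traversal permission check for a service account (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Entry:
    mode: int                  # permission bits, e.g. 0o770
    owner: str
    group: str
    # POSIX ACL named-group entries (g:<group>:<perms>) as set by setfacl -m.
    # The ACL mask is assumed to be the union that setfacl -m recalculates.
    acl: Dict[str, str] = field(default_factory=dict)


def _rwx(bits: int) -> Set[str]:
    return {ch for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}


def effective_perms(entry: Entry, user: str, groups: Set[str]) -> Set[str]:
    """Permissions that apply to `user`, in POSIX class order: owner first, then
    the union of matching group-class entries (owning group plus named ACL
    groups), then others."""
    if user == entry.owner:
        return _rwx(entry.mode >> 6)
    perms: Set[str] = set()
    matched = False
    if entry.group in groups:
        perms |= _rwx(entry.mode >> 3)
        matched = True
    for grp, acl_perms in entry.acl.items():
        if grp in groups:
            perms |= set(acl_perms)
            matched = True
    return perms if matched else _rwx(entry.mode)


def check_access(tree: Dict[str, Entry], path: str, user: str,
                 groups: Set[str], want: str) -> Optional[str]:
    """Return None if `user` may perform `want` (subset of 'rwx') on `path`,
    otherwise a message naming the first component that denies access and the
    missing bit. `tree` maps absolute paths to Entry objects."""
    parts = [p for p in path.split("/") if p]
    current = ""
    for i, part in enumerate(parts):
        current += "/" + part
        entry = tree[current]
        have = effective_perms(entry, user, groups)
        # Intermediate directories only need search; the leaf needs `want`.
        needed = set(want) if i == len(parts) - 1 else {"x"}
        missing = "".join(b for b in "rwx" if b in needed - have)
        if missing:
            have_str = "".join(b for b in "rwx" if b in have) or "-"
            return (f"{current}: {user} lacks '{missing}' (has '{have_str}', "
                    f"mode {entry.mode:04o} {entry.owner}:{entry.group})")
    return None


# Constructed from the question: /home 0755 root:root, /home/mysite 0770
# mysite:mysite, /home/mysite/sites 0770 mysite:www-data.
BEFORE = {
    "/home": Entry(0o755, "root", "root"),
    "/home/mysite": Entry(0o770, "mysite", "mysite"),
    "/home/mysite/sites": Entry(0o770, "mysite", "www-data"),
}
# What the asker tried first: chown www-data:www-data /home/mysite/sites/
CHOWN_SITES = {**BEFORE, "/home/mysite/sites": Entry(0o770, "www-data", "www-data")}
# The accepted fix: setfacl --modify=g:www-data:x /home/mysite
WITH_ACL = {**BEFORE, "/home/mysite": Entry(0o770, "mysite", "mysite", {"www-data": "x"})}
# The alternative from the answer: chgrp www-data /home/mysite; chmod 710 /home/mysite
WITH_CHGRP_710 = {**BEFORE, "/home/mysite": Entry(0o710, "mysite", "www-data")}

WWW_DATA_GROUPS = {"www-data"}   # from `groups www-data` in the question


def demo() -> Dict[str, Optional[str]]:
    """www-data reading /home/mysite/sites under each scenario."""
    target = "/home/mysite/sites"
    return {
        "before": check_access(BEFORE, target, "www-data", WWW_DATA_GROUPS, "rx"),
        "chown_sites": check_access(CHOWN_SITES, target, "www-data", WWW_DATA_GROUPS, "rx"),
        "acl_x_on_home": check_access(WITH_ACL, target, "www-data", WWW_DATA_GROUPS, "rx"),
        "chgrp_710_home": check_access(WITH_CHGRP_710, target, "www-data", WWW_DATA_GROUPS, "rx"),
        # Either fix still keeps www-data from listing the home directory itself.
        "acl_list_home": check_access(WITH_ACL, "/home/mysite", "www-data", WWW_DATA_GROUPS, "r"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result or 'allowed'}")
```

The first two scenarios fail at /home/mysite, not at the sites directory, which is why the stat error in the question points at a folder whose own permissions looked fine.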

Test SSH connection between Avi Vantage Controller and Service Engine Host

The Avi docs say to add an ssh public key to the known_hosts file on the SE hosts so the controller can login and install and start the service engine host.
I'm pretty sure this isn't working properly. How can I test the ssh connection between the controller and the service engine host(s)? Where is the controller's private key stored?
We will automatically test the SSH connection and display status as appropriate. For security reasons, the private key configured is stored in plain key format anywhere on the file system.
Did you "create" an ssh key or "import" an ssh key? If you imported, you could use plain ssh -i <path-to-imported-private-key> user@host from your workstation where the private key resides.
Refer to @Aziz's comment for details on host status display. Also note the correction about authorized_keys (not authorized_hosts).
I am guessing this is in reference to creating a "LinuxServer" Cloud in Avi. On Avi, you have to do the following:
1) Configure an SSHUser (Administration > Settings > SSH Key Settings). Alternatively, this can also be created from the UI during LinuxServer cloud creation.
2) Create the LinuxServer cloud (Infrastructure > Clouds) with appropriate hosts and select the SSHUser from the dropdown.
The SSH keys configured are stored encrypted in Avi controller DB and not exposed via API/REST or on file system. The Avi Controller modules use the decrypted key to connect to each host and provision the SE.
I suppose the docs are not clear: you don't add the Avi Controller's public key to each host; instead you add "your" custom SSH key pair into the Avi Controller (via step 1 above) and add the corresponding public key on each host.
With regards to "testing" the SSH connection, since these are your own keys, you can plainly ssh -i <path-to-private-key> username@host to test the SSH. Alternatively, the Cloud status will also provide information if SSH using the configured key failed for any reason.
Please refer: http://kb.avinetworks.com/installing-avi-vantage-for-a-linux-server-cloud/ for complete install guide.
Let me know if your question was related to a different Cloud/Topic.
Adding to what @Siva explained, the status of the connection is displayed in the controller cloud page (from the menu Infrastructure->Clouds, click on the cloud where the hosts are added). Also, if you hover the mouse over the State column of the host, you can see the detailed reason for the failure.
This is the Host Status in a Linux server cloud. In this case "Default-Cloud" is a Linux server cloud with 3 hosts, and SSH fails on one of them. In this example the host 10.10.99.199 is a fake entry, i.e. there is no host with that IP, hence SSH fails, whereas 10.10.22.71 and 10.10.22.35 are the hosts for which the SSH credentials passed; the Service Engine was then deployed on them and they are ready for Virtual Services (load balancer or SSL termination etc.) to be placed on them.
@Davidn Coleman, in the comment you mentioned that you added the public key to authorized_hosts (you need to add the key to authorized_keys). Also, if the user for whom you added the SSH authorization is not root (i.e. /home/user/.ssh/authorized_keys), then make the user a sudoer (add the entry in /etc/sudoers for this user), and also make sure the permissions for the .ssh dir and authorized_keys are set correctly (for security reasons and good practice).
The following is the snippet for the host 10.10.22.35.
[root@localhost ~]# ls -lrtha
total 318M
-rw-r--r--. 1 root root 129 Dec 28 2013 .tcshrc
-rw-r--r--. 1 root root 100 Dec 28 2013 .cshrc
-rw-r--r--. 1 root root 176 Dec 28 2013 .bashrc
-rw-r--r--. 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r--. 1 root root 18 Dec 28 2013 .bash_logout
-rw-------. 1 root root 1.2K May 27 13:56 anaconda-ks.cfg
drwxr-xr-x. 3 root root 17 May 27 14:07 .cache
drwxr-xr-x. 3 root root 17 May 27 14:07 .config
dr-xr-xr-x. 17 root root 4.0K May 31 08:15 ..
drwxr-----. 3 root root 18 May 31 08:25 .pki
-rw-------. 1 root root 1.9K May 31 08:46 .viminfo
drwx------. 2 root root 28 May 31 09:09 .ssh
-rw-r--r--. 1 root root 317M May 31 09:13 se_docker.tgz
-rw-r--r--. 1 root root 1.2M May 31 09:13 dpdk_klms.tar.gz
dr-xr-x---. 6 root root 4.0K May 31 09:14 .
-rw-r--r--. 1 root root 1.1K May 31 09:14 avise.service
-rw-------. 1 root root 3.4K Jun 1 09:14 .bash_history
[root@localhost ~]# ls -lrtha .ssh/
total 8.0K
-rw-r--r--. 1 root root 399 May 31 09:09 authorized_keys
drwx------. 2 root root 28 May 31 09:09 .
dr-xr-x---. 6 root root 4.0K May 31 09:14 ..
[root@localhost ~]# pwd
/root
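The comment above says the permissions of .ssh and authorized_keys must be right, and the listing shows what a correct setup looks like. As an added example (written for this page, not by any of the posters or by Avi), the Python below applies the checks sshd performs when StrictModes is on, which is the default: the home directory, ~/.ssh and authorized_keys must each be owned by the login user or root and must not be writable by group or others; otherwise the key is ignored and the server log reports "bad ownership or modes". The root listing is taken from the answer above; the "deploy" account is constructed to show a failing setup.

```python
"""sshd StrictModes-style ownership and mode check over `ls -l` output (added example)."""
from typing import List, NamedTuple


class Item(NamedTuple):
    path: str
    mode: str   # ls -l mode string, e.g. "drwx------" (SELinux '.' or ACL '+' suffix stripped)
    owner: str


def parse_ls(listing: str, base: str) -> List[Item]:
    """Turn `ls -l` lines into Items under `base`. '.' maps to `base` itself,
    '..' and the 'total' line are skipped."""
    items = []
    for line in listing.strip().splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "total":
            continue
        mode, owner, name = fields[0].rstrip(".+"), fields[2], fields[-1]
        if name == "..":
            continue
        path = base if name == "." else f"{base.rstrip('/')}/{name}"
        items.append(Item(path, mode, owner))
    return items


def mode_bits(mode: str) -> int:
    """Convert the nine permission characters to an int; 'S'/'T' mean the
    exec bit is absent, 's'/'t' mean it is present."""
    bits = 0
    for ch in mode[1:10]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


GROUP_OR_WORLD_WRITABLE = 0o022


def strict_modes_check(user: str, items: List[Item]) -> List[str]:
    """Problems sshd's StrictModes would report for these paths; an empty list
    means the authorized_keys file would be accepted."""
    problems = []
    for it in items:
        if it.owner not in (user, "root"):
            problems.append(f"{it.path}: owned by {it.owner}, must be {user} or root")
        if mode_bits(it.mode) & GROUP_OR_WORLD_WRITABLE:
            problems.append(f"{it.path}: mode {it.mode} is group- or world-writable")
    return problems


def check_account(user: str, home: str, home_listing: str, ssh_listing: str) -> List[str]:
    """Check home, ~/.ssh and ~/.ssh/authorized_keys from two `ls -la` listings."""
    items = {it.path: it
             for it in parse_ls(home_listing, home) + parse_ls(ssh_listing, home + "/.ssh")}
    wanted = (home, home + "/.ssh", home + "/.ssh/authorized_keys")
    missing = [p for p in wanted if p not in items]
    if missing:
        return [f"{p}: not present in listing" for p in missing]
    return strict_modes_check(user, [items[p] for p in wanted])


# From the `ls -lrtha` output quoted above (home is /root, per `pwd`).
ROOT_HOME = """
drwx------.  2 root root   28 May 31 09:09 .ssh
dr-xr-x---.  6 root root 4.0K May 31 09:14 .
"""
ROOT_SSH = """
total 8.0K
-rw-r--r--.  1 root root  399 May 31 09:09 authorized_keys
drwx------.  2 root root   28 May 31 09:09 .
dr-xr-x---.  6 root root 4.0K May 31 09:14 ..
"""
# Constructed: a non-root user whose home and key file are group-writable.
DEPLOY_HOME = """
drwxrwxr-x.  5 deploy deploy 4.0K Jun  1 10:00 .
drwxr-xr-x.  2 deploy deploy   28 Jun  1 10:00 .ssh
"""
DEPLOY_SSH = """
-rw-rw-r--.  1 deploy deploy  399 Jun  1 10:00 authorized_keys
drwxr-xr-x.  2 deploy deploy   28 Jun  1 10:00 .
"""

if __name__ == "__main__":
    print("root:", check_account("root", "/root", ROOT_HOME, ROOT_SSH) or "ok")
    print("deploy:", check_account("deploy", "/home/deploy", DEPLOY_HOME, DEPLOY_SSH) or "ok")
```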

RHEL: selinux blocking to start kickstart

I am having an issue when I select a kickstart profile to start the installation after PXE boot. On the network installation server (same DHCP server) side I can see the following error in /var/log/messages when I hit this issue.
Nov 13 17:42:30 desktop10 dhcpd: DHCPDISCOVER from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:30 desktop10 dhcpd: DHCPOFFER on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: Dynamic and static leases present for 192.168.174.2.
Nov 13 17:42:32 desktop10 dhcpd: Remove host declaration desktopy or remove 192.168.174.2
Nov 13 17:42:32 desktop10 dhcpd: from the dynamic address pool for 192.168.174/24
Nov 13 17:42:32 desktop10 dhcpd: DHCPREQUEST for 192.168.174.2 (192.168.174.10) from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 in.tftpd[20546]: tftp: client does not accept options
Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5
On the server, the SELinux security contexts:
[root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Note: desktop10 is RHEL5.6, if I change selinux to permissive then I can proceed with installation.
Can someone help me to sort out this issue? Please let me know if anyone needs more info.
Tried as suggested in the comment but no luck
[root@desktop10 ~]# restorecon -Rv /tftpboot/
[root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Your files are labeled 'httpd_sys_content_t', which is not an acceptable label for kickstart. It looks like you copied the file from an Apache directory or created the file from a web application running on Apache.
Relabel the directory with the default labels:
[root@localhost /]# restorecon -Rv /tftpboot
I think it may work if you try to relabel the directory with tftpd context tftpd_rw_t:
# semanage fcontext -a -t tftpd_rw_t '/tftpboot(/.*)?'
# restorecon -R -v /tftpboot
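Both answers above, and the accepted Redmine answer earlier on this page, come down to the same diagnosis: the daemon's domain is not allowed to touch the type the file carries, so the fix is to relabel rather than to weaken SELinux. As an added example (written for this page, not by any of the posters), the Python below parses the setroubleshoot line quoted in the question as well as raw audit AVC records, checks the target type against the types the source domain may read or write, and emits the persistent relabel pair (semanage fcontext, then restorecon) used in the answers. The allowed-type table is an abridged, hand-written subset of the targeted policy and is the example's own assumption; confirm it on the real system with `sesearch --allow -s tftpd_t -c file -p read` before acting on the output. The Redmine AVC record is constructed, since that question only shows the Ruby EACCES trace.

```python
"""Triage SELinux denials against the object types a daemon may use (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class Denial(NamedTuple):
    comm: str      # process name as logged (in.tftpd, ruby, httpd, ...)
    sdomain: str   # source domain type, e.g. tftpd_t
    perm: str      # requested permission(s), space separated, e.g. "read" or "write add_name"
    target: str    # file or directory name/path as logged
    ttype: str     # target object type, e.g. httpd_sys_content_t


# setroubleshoot summary line, as quoted in the question.
_SETROUBLESHOOT = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<sdomain>\w+)\) "(?P<perm>\w+)" '
    r'(?:to|on) (?P<target>\S+) \((?P<ttype>\w+)\)')

# Raw kernel AVC record from /var/log/audit/audit.log.
_AVC = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'\s+(?:name|path)="(?P<target>[^"]+)".*?'
    r'scontext=[\w.]+:[\w.]+:(?P<sdomain>\w+)\S*\s+tcontext=[\w.]+:[\w.]+:(?P<ttype>\w+)')


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for a setroubleshoot or AVC line, or None for anything else."""
    for rx in (_SETROUBLESHOOT, _AVC):
        m = rx.search(line)
        if m:
            return Denial(**m.groupdict())
    return None


WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name", "setattr", "unlink", "rename"}

# Object types each daemon domain may use for read-like and write-like access.
# Abridged, hand-written subset of the targeted policy (example's assumption).
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "httpd_t": {
        "read": {"httpd_sys_content_t", "httpd_sys_rw_content_t", "httpd_sys_ra_content_t"},
        "write": {"httpd_sys_rw_content_t"},
    },
    "tftpd_t": {
        "read": {"tftpdir_t", "tftpd_rw_t"},
        "write": {"tftpd_rw_t"},
    },
}


def triage(line: str) -> Optional[Dict[str, object]]:
    """Classify one log line: None if it is not a denial, else the parsed denial,
    whether the label is wrong for that access, and which types would be right."""
    d = parse_denial(line)
    if d is None:
        return None
    families = {"write" if p in WRITE_LIKE else "read" for p in d.perm.split()}
    policy = EXPECTED.get(d.sdomain)
    if policy is None:
        return {"denial": d, "mislabeled": None, "acceptable_types": [],
                "verdict": f"no expectations recorded for {d.sdomain}"}
    acceptable = sorted(set.intersection(*(policy[f] for f in families)))
    mislabeled = d.ttype not in acceptable
    verdict = (f"{d.sdomain} may not {d.perm} {d.ttype}; relabel to one of {acceptable}"
               if mislabeled else
               f"{d.ttype} is acceptable for {d.sdomain} {d.perm}; the cause is elsewhere")
    return {"denial": d, "mislabeled": mislabeled, "acceptable_types": acceptable, "verdict": verdict}


def relabel_commands(path: str, new_type: str) -> List[str]:
    """Persistent relabel as done in the answers: record the rule, then apply it."""
    return [f"semanage fcontext -a -t {new_type} '{path}(/.*)?'", f"restorecon -Rv {path}"]


# Lines from the kickstart question (the first is the denial, the second is not one).
TFTP_LINE = ('Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) '
             '"read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. '
             'run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5')
DHCP_LINE = 'Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0'
# Constructed AVC record for the Redmine upload failure (pid 3419 is the Passenger app in that post).
REDMINE_AVC = ('type=AVC msg=audit(1439302550.412:987): avc:  denied  { write } for  pid=3419 '
               'comm="ruby" name="08" dev="dm-0" ino=67890 '
               'scontext=system_u:system_r:httpd_t:s0 '
               'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir')
# Constructed: tftpd writing into a directory that only carries the default read-only label.
TFTP_WRITE_LINE = ('Jun  1 09:00:00 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) '
                   '"write" to ./pxelinux.cfg (tftpdir_t).')

if __name__ == "__main__":
    for line in (TFTP_LINE, DHCP_LINE, REDMINE_AVC, TFTP_WRITE_LINE):
        result = triage(line)
        print(result["verdict"] if result else "not a denial: " + line[:60])
```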

SVN on Apache failing (errcode="13") Could not open the request SVN filesystem

I have the same symptoms as Error number 13 - Remote access svn with dav_svn failing. However, the solution to that problem does not work for me.
The error message:
<D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
<C:error/>
<m:human-readable errcode="13">Could not open the requested SVN filesystem</m:human-readable>
</D:error>
The relevant apache log entry:
(20014)Internal error: Can't open file '/svn/testrepo/format': Permission denied
The subversion conf file:
<Location /svn>
DAV svn
SVNPath /svn/testrepo
</Location>
However, I've further confirmed that user apache can, indeed, open the file /svn/testrepo/format, and can not only open it, but move it, duplicate it, delete it, and overwrite it. (su apache -> do all that stuff.) What can I do next?
=========== FURTHER INFORMATION ===========
In response to crazyjul, here are the results of ps aux | grep apache
apache 14019 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14020 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14021 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14022 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14023 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14024 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14025 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
apache 14026 0.0 0.2 11248 2112 ? S 16:40 0:00 /usr/sbin/httpd
root 14032 0.0 0.0 5412 772 pts/4 R+ 16:41 0:00 grep apache
The results of ps aux | grep www
root 14034 0.0 0.0 5412 772 pts/4 S+ 16:42 0:00 grep www
The results of ls -as on my repo folder:
drwxrwxrwx 7 apache apache 4096 2011-10-07 16:13 .
drwxr-xr-x 7 apache apache 4096 2011-10-07 14:04 ..
-rw-r--r-- 1 apache apache 229 2011-10-07 13:50 README.txt
drwxr-xr-x 2 apache apache 4096 2011-10-07 15:50 conf
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 dav
drwxr-sr-x 5 apache apache 4096 2011-10-07 14:25 db
-rwxrwxrwx 1 apache apache 2 2011-10-07 13:50 format
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 hooks
drwxr-xr-x 2 apache apache 4096 2011-10-07 13:50 locks
I was researching and I found this.
Probably you have SELinux enabled; it is a security system that I don't understand very well (how exactly it works), but that's the problem. If you want to know if it is on, type
[root@localhost ~]# getenforce
If it says enforcing, it is on.
In order to deactivate it, type
[root@localhost ~]# chcon -R -t httpd_sys_content_t /var/www/svn/your/path
[root@localhost ~]# chcon -R -t httpd_sys_rw_content_t /var/www/svn/your/path
Do you have selinux enabled? I typically disable it for mod_dav_svn but you can get it working with some configuration.
vince@fedora12 /etc/httpd/conf.d > cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Apache generally has another user to access data. Generally it is called www-data. You can check by calling ps aux and searching for apache processes.
It is an old thread but I hit the same error message. In my case I was using another hard drive mounted as a repository, so I had to give ownership of the entire disk to www-data. I found this thread and applied it, and then it worked: https://ubuntuforums.org/archive/index.php/t-1233618.html
sudo chown www-data:www-data /media/yourdisk -R