'sudo nginx' vs 'sudo service nginx start'

I have the following setup:

NGINX 1.6.2, Rails 4, Unicorn, Capistrano 3.1

I am getting the following errors in /var/log/nginx/error.log:

2015/01/03 22:27:13 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public//index.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", host: "185.48.117.98"
2015/01/03 22:27:13 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", host: "185.48.117.98"
2015/01/03 22:27:13 [crit] 49826#0: *77 connect() to unix:/tmp/unicorn.mjp-portal_staging.sock failed (13: Permission denied) while connecting to upstream, client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock:/", host: "185.48.117.98"
2015/01/03 22:27:13 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/500.html/index.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock/", host: "185.48.117.98"
2015/01/03 22:27:13 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/500.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock/", host: "185.48.117.98"
2015/01/03 22:27:13 [crit] 49826#0: *77 connect() to unix:/tmp/unicorn.mjp-portal_staging.sock failed (13: Permission denied) while connecting to upstream, client: 182.178.190.121, server: 185.48.117.98, request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock:/500.html", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/favicon.ico/index.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/favicon.ico" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 connect() to unix:/tmp/unicorn.mjp-portal_staging.sock failed (13: Permission denied) while connecting to upstream, client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock:/favicon.ico", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/500.html/index.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock/favicon.ico", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 stat() "/home/mjp/apps/mjp-portal_staging/current/public/500.html" failed (13: Permission denied), client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock/favicon.ico", host: "185.48.117.98"
2015/01/03 22:27:14 [crit] 49826#0: *77 connect() to unix:/tmp/unicorn.mjp-portal_staging.sock failed (13: Permission denied) while connecting to upstream, client: 182.178.190.121, server: 185.48.117.98, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/tmp/unicorn.mjp-portal_staging.sock:/500.html", host: "185.48.117.98"

I tried running nginx with root, mjp and nginx as the user, but I got the same error.

nginx also does not create a server from sites-enabled/symlink-to-deploy-root-shared-config-nginx.conf, even though it does include it in the nginx -t test.

What am I doing wrong?

I got it working. It was not actually a directory permissions error.

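I stopped the nginx service and then started it with sudo nginx, with which I was able to run the application and everything worked fine. But when I tried to run it as a service with sudo service nginx start, it gave the errors above: permission denied for the root directory and the socket.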

I posted the same question on Server Fault and was lucky enough to get an answer.

Here is the answer:

This is an SELinux problem.

When you run sudo nginx it starts nginx as unconfined_t, when you run sudo service nginx start it starts nginx as httpd_t.

By initially starting with just sudo it creates a bunch of files and initializes its state as unconfined_t. For example the pid file will be the wrong context. Thus when using service nginx stop to terminate it there are insufficient privileges for httpd_t to read files written by the unconfined_t.

You should really always start using service which will avoid this problem. To correct it you will need to relabel stateful files that exist in the filesystem, for example running restorecon /var/run/nginx.pid will correct the incorrect label set on that pid file.

I am not sure if there are any more files that get written out when the service is created which will also need correcting. You can get a list of which files these might be by running ausearch -ts recent -m avc.
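
An added example, not part of the original question or answer: a filter for the AVC records that ausearch -ts recent -m avc returns, listing each distinct object the httpd_t domain was denied so its label can be checked. The audit lines are constructed sample data, and sample_avc and denied_for_domain are hypothetical helper names.

```shell
#!/bin/sh
# Constructed AVC records in the audit.log format (sample data, not from the page).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1420324033.101:901): avc:  denied  { read } for  pid=49826 comm="nginx" name="nginx.pid" dev="tmpfs" ino=20114 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420324033.207:902): avc:  denied  { getattr } for  pid=49826 comm="nginx" path="/home/mjp/apps/mjp-portal_staging/current/public" dev="sda1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1420324033.305:903): avc:  denied  { write } for  pid=49826 comm="nginx" name="unicorn.mjp-portal_staging.sock" dev="sda1" ino=131099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1420324034.010:904): avc:  denied  { getattr } for  pid=49826 comm="nginx" path="/home/mjp/apps/mjp-portal_staging/current/public" dev="sda1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1420324034.400:905): avc:  denied  { read } for  pid=1200 comm="sshd" name="authorized_keys" dev="sda1" ino=393400 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Read AVC records on stdin and print one line per distinct denial for the
# source domain given as $1: "<permissions> <class> <target type> <object>".
# Assumes object paths contain no spaces (awk splits fields on whitespace).
denied_for_domain() {
    awk -v dom="$1" '
    /avc:/ && / denied / {
        src = tgt = cls = obj = perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^(path|name)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            }
            else if ($i == "{") {
                # collect every permission up to the closing brace
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
        }
        if (src != dom) next            # keep only the confined nginx domain
        key = perm " " cls " " tgt " " obj
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# On a real host: ausearch -ts recent -m avc | denied_for_domain httpd_t
# then compare each object with the policy default: restorecon -nv <path>
sample_avc | denied_for_domain httpd_t
```
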