Category Archives: UNIX & Linux How Tos and Tutorials

SELinux: Allowing httpd to Listen on Non-Standard Ports

If you attempt to have httpd listen on a non-standard port (we’ll get to what’s “standard” and what isn’t in a moment) on an SELinux enabled host, SELinux will deny the request. Let’s try it out (on a CentOS 6.4 box):

# cd /etc/httpd/conf.d
# echo "Listen 8585" > listen.conf
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:
(13)Permission denied: make_sock: could not bind to address [::]:8585
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

# cd /etc/httpd/conf.d

# echo "Listen 8585" > listen.conf

# service httpd restart

Stopping httpd: [ OK ]

Starting httpd:

(13)Permission denied: make_sock: could not bind to address [::]:8585

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585

no listening sockets available, shutting down

Unable to open logs

[FAILED]

Kaboom! As you can see, the error message is quite clear “(13)Permission denied: make_sock: could not bind to address”. Let’s take a look at the audit logs and see what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371477046.382:20196): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20196): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

There are two sets of messages there, one for the IPv4 bind, the other for the IPv6 bind. The AVC message actually makes it clear what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

You can see that the violation is from source context (scontext) unconfined_u:system_r:httpd_t which is the httpd process, and the target context (tcontext) is system_u:object_r:port_t with target class (tclass) tcp_socket. The denied port (8585 in this case) is also logged in the src field.

SELinux will only allow httpd to bind to ports of type http_port_t. Here, we can see that httpd is attempting to bind to a port of type port_t - which is going to be denied by the policy. We need to define port 8585 as a port of type http_port_t. semanage is the tool for that - and you’ll need the policycoreutils-python package installed:

# yum install policycoreutils-python
# rpm -qf `which semanage`
policycoreutils-python-2.0.83-19.30.el6.x86_64

# yum install policycoreutils-python

# rpm -qf `which semanage`

policycoreutils-python-2.0.83-19.30.el6.x86_64

First, let’s look at which ports are currently defined as type http_port_t:

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

1 2	# semanage port -l \| grep '^http_port_t' http_port_t tcp 80, 443, 488, 8008, 8009, 8443

And add our desired listen port, 8585/tcp to the list:

# semanage port -a -t http_port_t -p tcp 8585
# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      8585, 80, 443, 488, 8008, 8009, 8443

# semanage port -a -t http_port_t -p tcp 8585

# semanage port -l | grep '^http_port_t'

http_port_t tcp 8585, 80, 443, 488, 8008, 8009, 8443

Looks good. Fire up httpd:

# service httpd start
Starting httpd:                                            [  OK  ]

1 2	# service httpd start Starting httpd: [ OK ]

And test with nc or similar:

# echo "GET /" | nc localhost 8585
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>

# echo "GET /" | nc localhost 8585

...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

rsyslog - “Could not open dynamic file - discarding message” errors on CentOS 6

Whilst configuring a central syslog server using rsyslog on CentOS 6, I was experiencing issues with dynamic log filenames being created. I had created a new filesystem, mounted at /var/syslog, for my logs, and configured rsyslog.conf with the following:

...
$template FILENAME,"/var/syslog/%HOSTNAME%/syslog.log"
*.* ?FILENAME
...

...

$template FILENAME,"/var/syslog/%HOSTNAME%/syslog.log"

*.* ?FILENAME

...

However, the dynamic logs were not being created, and instead the following error message was observed in the local /var/log/messages file (mars being the hostname):

Jun 13 23:30:01 mars rsyslogd-3000: Could not open dynamic file '/var/syslog/mars/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]

1	Jun 13 23:30:01 mars rsyslogd-3000: Could not open dynamic file '/var/syslog/mars/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]

A quick check of the SELinux context found the issue:

# ls -Zd /var/syslog
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog
# ls -Zd /var/log
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   /var/log

# ls -Zd /var/syslog

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog

# ls -Zd /var/log

drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log

chcon to the rescue, referencing /var/log:

# chcon --reference /var/log /var/syslog

1	# chcon --reference /var/log /var/syslog

A restart of rsyslog later, and we were in business:

# ls -l /var/syslog/mars
total 4
-rw-------. 1 root root 445 Jun 13 23:33 syslog.log

# ls -l /var/syslog/mars

total 4

-rw-------. 1 root root 445 Jun 13 23:33 syslog.log

Note: it’s worth noting here that I updated my dynamically created file rule to be as follows (including the date too) as one huge file per host is not very useful:

$template FILENAME,"/var/syslog/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

1	$template FILENAME,"/var/syslog/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Running Puppet Master under Apache and Passenger - CentOS 6.4

I have been running my puppetmaster using the embedded WEBrick server for a while. I decided it was time to migrate to something a little more robust - namely Apache and Passenger. I loosely followed the documentation available on the Puppet site, although that covers Passenger 3.0.x and I’m using 4.0.x, and the supplied Apache configuration does not work. There were also a few other changes I had to make along the way to suit my configuration requirements. My puppetmaster is running CentOS 6.4.

Continue reading →

MongoDB: First Steps: Installation, Configuration and Authentication

MongoDB is one of the more popular NoSQL databases available. NoSQL databases do not use typical relational database structure, nor do they typically rely on SQL for queries. MongoDB stores data in JSON-style documents (which themselves can be stored within collections) and allows for dynamic storage of data. For example, we do not need to create a schema, configure relations between tables, and so on. We just create our database and populate it with data on the fly. The data can be as complex or as simple (just key/value pairs) as our requirements dictate. MongoDB is also highly-scalable via the use of shard-based clustering.

I am a strict wearer of an RDBMS hat, and this is my first foray into the world of NoSQL. This first article on MongoDB will cover initial installation, configuration and testing. I’ll also dabble with authentication. Further articles will cover the configuration of replica sets and other administrative features. I’m a sysadmin, not a developer, so I’ll be looking more at how to administer MongoDB rather than how to actually use it.

Let’s get on with the installation.

Continue reading →

Adding Puppet DB to a CentOS 6.4-based puppetmaster

After configuring my puppetmaster to run on Passenger on Apache, the next step was to add Puppet DB so that I could take advantage of exported resources, as well as have a central store of facts/catalogs that I could query. I am configuring Puppet DB to run on the same host as my puppetmaster, on CentOS 6.4.

Whilst you can use the embedded HSQLDB database, I opted for the scale-out offered by a backend PostgreSQL database (which is recommended by Puppet Labs for deployments of more than 100 nodes). MySQL is not supported, as it doesn’t support recursive queries.

I installed PostgreSQL using my postgresql::server class. The class is shown below (you can see it includes postgres, which does nothing more than install the PostgreSQL client package). Essentially, it covers the installation of the postgresql-server package on the host, initialisation tasks, ensuring an appropriate pg_hba.conf is installed (for example, replacing localhost ident authentication methods with password), registering the service, and starting PostgreSQL:

# postgresql/server.pp
#
# Class to install a simple PostgreSQL server
class postgresql::server {
  case $::operatingsystem {
    'CentOS' : {
      # implictly add the client package too
      include postgresql
      package { "postgresql-server": 
              ensure  => latest }
      exec { "/sbin/service postgresql initdb":
              creates => "/var/lib/pgsql/data",
              before  => Service["postgresql"],
              require => Package["postgresql-server"] }
      file { "/var/lib/pgsql/data/pg_hba.conf":
              owner   => "postgres",
              group   => "postgres",
              mode    => "0640",
              source  => "puppet:///modules/postgresql/pg_hba.conf",
              notify  => Service["postgresql"],
              require => Exec["/sbin/service postgresql initdb"] }
      service { "postgresql":
            ensure  => running,
            enable  => true,
            require => Exec["/sbin/service postgresql initdb"] }
    }
    default : {
      fail("Operating system is unsupported by the postgresql::server class")
    }
  }
}

# postgresql/server.pp

# Class to install a simple PostgreSQL server

class postgresql::server {

case $::operatingsystem {

'CentOS' : {

# implictly add the client package too

include postgresql

package { "postgresql-server":

ensure => latest }

exec { "/sbin/service postgresql initdb":

creates => "/var/lib/pgsql/data",

before => Service["postgresql"],

require => Package["postgresql-server"] }

file { "/var/lib/pgsql/data/pg_hba.conf":

owner => "postgres",

group => "postgres",

mode => "0640",

source => "puppet:///modules/postgresql/pg_hba.conf",

notify => Service["postgresql"],

require => Exec["/sbin/service postgresql initdb"] }

service { "postgresql":

ensure => running,

enable => true,

require => Exec["/sbin/service postgresql initdb"] }

}

default : {

fail("Operating system is unsupported by the postgresql::server class")

}

To install, it was as simple as:

# puppet agent --test

1	# puppet agent --test

Next, I created a PostgreSQL user and database:

# su - postgres
$ createuser -DRSP puppetdb
$ createdb -O puppetdb puppetdb

# su - postgres

$ createuser -DRSP puppetdb

$ createdb -O puppetdb puppetdb

The user is created so that it cannot create databases (-D), or roles (-R) and doesn’t have superuser privileges (-S) - it’ll prompt for a password (-P). Let’s assume a password of “s3cr3tp@ss” has been used. The database is created and owned (-O) by the puppetdb user.

Access to the database can then be tested:

# psql -h 127.0.0.1 -p 5432 -U puppetdb -W puppetdb
Password for user puppetdb: 
psql (8.4.13)
Type "help" for help.
puppetdb=> \q

# psql -h 127.0.0.1 -p 5432 -U puppetdb -W puppetdb

Password for user puppetdb:

psql (8.4.13)

Type "help" for help.

puppetdb=> \q

Next, install the puppetdb and puppetdb-terminus packages. I installed from the Puppet Labs yum repository:

# yum install puppetdb puppetdb-terminus

1	# yum install puppetdb puppetdb-terminus

Configure /etc/puppetdb/conf.d/database.ini as appropriate (it ships configured for HSQLDB):

# grep '^[^#]' /etc/puppetdb/conf.d/database.ini 
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //127.0.0.1:5432/puppetdb
username = puppetdb
password = s3cr3tp@ss
log-slow-statements = 10

# grep '^[^#]' /etc/puppetdb/conf.d/database.ini

[database]

classname = org.postgresql.Driver

subprotocol = postgresql

subname = //127.0.0.1:5432/puppetdb

username = puppetdb

password = s3cr3tp@ss

log-slow-statements = 10

Create /etc/puppet/puppetdb.conf, as appropriate for the Jetty configuration on the host. You can check the Jetty configuration under /etc/puppetdb/conf.d/jetty.ini. Here’s puppetdb.conf (my puppetmaster runs on sun.local):

[main]
server = sun.local
port = 8081

[main]

server = sun.local

port = 8081

Create /etc/puppet/routes.yaml:

---
master:
  facts:
    terminus: puppetdb
    cache: yaml

---

master:

facts:

terminus: puppetdb

cache: yaml

Finally, update /etc/puppet/puppet.conf:

...
[master]
	storeconfigs = true
	storeconfigs_backend = puppetdb

...

[master]

storeconfigs = true

storeconfigs_backend = puppetdb

Once all steps are complete, restart your puppetmaster. As I’m running under Passenger:

# service httpd restart

1	# service httpd restart

Run a puppet agent --test from once of your nodes (or wait for your scheduled runs):

venus.local# puppet agent --test

1	venus.local# puppet agent --test

As you can see, I ran from venus.local. Let’s check that the data is being stored in puppetdb - by the time I got there three more nodes had already had an agent run:

puppetdb=> select distinct certname from certname_facts;
   certname    
---------------
 venus.local
 mercury.local
 sun.local
 mars.local
(4 rows)

puppetdb=> select distinct certname from certname_facts;

certname

---------------

venus.local

mercury.local

sun.local

mars.local

(4 rows)

Awesome! Let’s get something meaningful. Suppose we want to know what OS is running on all of our nodes:

puppetdb=> select * from certname_facts where name = 'operatingsystem' or name = 'operatingsystemrelease';
   certname    |          name          | value  
---------------+------------------------+--------
 venus.local   | operatingsystem        | CentOS
 venus.local   | operatingsystemrelease | 6.4
 mercury.local | operatingsystem        | CentOS
 mercury.local | operatingsystemrelease | 6.4
 mars.local    | operatingsystem        | CentOS
 mars.local    | operatingsystemrelease | 6.4
 sun.local     | operatingsystem        | CentOS
 sun.local     | operatingsystemrelease | 6.4
(8 rows)

puppetdb=> select * from certname_facts where name = 'operatingsystem' or name = 'operatingsystemrelease';

certname | name | value

---------------+------------------------+--------

venus.local | operatingsystem | CentOS

venus.local | operatingsystemrelease | 6.4

mercury.local | operatingsystem | CentOS

mercury.local | operatingsystemrelease | 6.4

mars.local | operatingsystem | CentOS

mars.local | operatingsystemrelease | 6.4

sun.local | operatingsystem | CentOS

sun.local | operatingsystemrelease | 6.4

(8 rows)

An important note: ensure that all of your puppet nodes can connect to the puppetdb server on the appropriate SSL-enabled Jetty port (by default, 8081) so they can report in.

With Puppet DB now configured, I can start writing some reports, and using exported resources.

WordPress: Avoiding Infinite Recursion with mod_rewrite and mod_fastcgi

Whilst converting tokiwinter.com away from mod_php to mod_fastcgi/PHP-FPM, I experienced the following error:

[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

1	[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

Enabling LogLevel debug for the VirtualHost showed the following extra detail:

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
...

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

...

We can see that the rewrites required for WordPress in .htaccess are interfering with the correct operation of mod_fastcgi. The net result - HTTP 500 Internal Server Error for all our clients.

The fix is easy enough - add the following additional rewrite to .htaccess for the WordPress installation:

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]

1 2	RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*) RewriteRule . - [L]

i.e. if the request URI is a mod_fastcgi request, do not apply any rewrites. My complete .htaccess file in my WordPress VirtualHost is now:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)

RewriteRule . - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

This works for me with the following VirtualHost configuration:

NameVirtualHost *:80
<VirtualHost *:80>
	ServerAdmin toki@tokiwinter.com
	ServerName tokiwinter.com
	ServerAlias www.tokiwinter.com	
	DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs
	ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"
	FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000
	ErrorLog logs/tokiwinter.com-error_log
	CustomLog logs/tokiwinter.com-access_log common
	<Directory />
		AllowOverride all
		Order allow,deny
		Allow from all
		AddType application/x-httpd-fastphp5 .php
		Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi
	</Directory>
	DirectoryIndex index.php
</VirtualHost>

NameVirtualHost *:80

ServerAdmin toki@tokiwinter.com

ServerName tokiwinter.com

ServerAlias www.tokiwinter.com

DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs

ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"

FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

ErrorLog logs/tokiwinter.com-error_log

CustomLog logs/tokiwinter.com-access_log common

AllowOverride all

Order allow,deny

Allow from all

AddType application/x-httpd-fastphp5 .php

Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi

</Directory>

DirectoryIndex index.php

</VirtualHost>

Your mileage may well vary.

How to Load Balance Tomcat with Apache HTTPD and mod_jk

In the following article, I’ll demonstrate how we can use Apache HTTPD to load balance across two Apache Tomcat instances. Whilst in this example the Apache HTTPD load balancer is a single point of failure, we could implement (although outside the scope of this article) a failover HTTPD instance clustered using one of the many available clustering stacks (RHCS, or something more lightweight like keepalived). Then, we’d have a highly-available load balancer.

There are a few ways we can use HTTPD to load balance, via the use of loadable modules. mod_proxy_http is the simplest, and can be used to load balance any service that “speaks” plain HTTP. mod_proxy_ajp is a simple AJP balancer module, with a slight performance increase of mod_proxy_http. However, mod_proxy_ajp is purported to be rather buggy when compared with other similar modules. Hence, we’ll use mod_jk. This is a very active module developed alongside Tomcat, and in many years of working with it I’ve never experienced a major bug or a configuration requirement it couldn’t handle.

Continue reading →

SELinux: Allowing HTTPD to Connect to PHP-FPM

When running PHP-FPM (PHP FastCGI Process Manager), it can be configured to listen on a UNIX socket, or a TCP port. When using the latter on an SELinux enabled system, you will receive HTTP 500 Internal Server Errors if SELinux is not configured correctly.

For example, on my system, I’m using the following directive (in my example.com VirtualHost):

FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

1	FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

However, the default value of the httpd_can_network_connect SELinux boolean is false, or off. Therefore, httpd is unable to connect to the PHP-FPM pool listening on 127.0.0.1:9000.

You will see AVC denial messages in /var/log/audit/audit.log such as:

type=AVC msg=audit(1373344647.677:17670): avc:  denied  { name_connect } for  pid=24124 comm="httpd" dest=9000
 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

1 2	type=AVC msg=audit(1373344647.677:17670): avc: denied { name_connect } for pid=24124 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this issue, set the httpd_can_network_connect SELinux boolean to true, or on, remembering the -P option so that this change persists across system reboots.

# setsebool -P httpd_can_network_connect on

1	# setsebool -P httpd_can_network_connect on

MySQL Cluster: Adding New Data Nodes Online

MySQL Cluster has a pretty cool feature that allows you to add new data nodes whilst the cluster is online, thus avoiding any downtime. This is incredibly useful for scaling out the data nodes and adding additional node groups. In this article, I’ll show how to add two new data nodes to an existing cluster that has two data nodes defined. I’ll also explain what needs to happen after the configuration change to ensure that any existing data is correctly partitioned across the new nodes.

Continue reading →

Solaris Cluster 4.1 Part Four: Highly Available Containers

Introduction

The previous article covered the configuration of two resource groups, each containing a failover zpool for use as the zonepath to a highly-available zone, and a failover IP address to be assigned to each zone. The two zones were also configured and installed, and we verified that they could be booted on either node of the cluster, provided that the storage had been failed over appropriately and was available on the node where the zone was being booted.

This final part in the series will cover the incorporation of the zone boot/shutdown/failover into the cluster framework, as well as the configuration of two iPlanet resources to illustrate how Solaris Cluster can manage SMF services deployed within a highly-available Solaris zone.

Highly-Available Zones

First, install the ha-zones data service, if you haven’t done so already. I installed the full cluster package suite, so already have all data services at my disposal:

# pkg install ha-cluster/data-service/ha-zones

1	# pkg install ha-cluster/data-service/ha-zones

# clresourcetype register SUNW.gds

1	# clresourcetype register SUNW.gds

This is the Generic Data Service that is utilised by SUNWsczone (HA for Solaris Containers) for deploying highly-available zones. SUNWsczone supplies three highly-available mechanisms for zone deployment - sczbt (zone boot - used to start/stop/failover zones), sczsh (zone script resource - used for deploying highly-available services within zones, with start/stop scripts to control them) and sczsmf (zone SMF resource, used for deploying highly-available services within zones, with SMF services to control them). We’ll be using both sczbt and sczsmf.

Continue reading →

Toki Winter

Advanced UNIX for the experienced system administrator

Category Archives: UNIX & Linux How Tos and Tutorials

SELinux: Allowing httpd to Listen on Non-Standard Ports

rsyslog - “Could not open dynamic file - discarding message” errors on CentOS 6

Running Puppet Master under Apache and Passenger - CentOS 6.4

MongoDB: First Steps: Installation, Configuration and Authentication

Adding Puppet DB to a CentOS 6.4-based puppetmaster

WordPress: Avoiding Infinite Recursion with mod_rewrite and mod_fastcgi

How to Load Balance Tomcat with Apache HTTPD and mod_jk

SELinux: Allowing HTTPD to Connect to PHP-FPM

MySQL Cluster: Adding New Data Nodes Online

Solaris Cluster 4.1 Part Four: Highly Available Containers

Introduction

Highly-Available Zones