
Puppet master on CentOS 7 - gone after reboot

I deployed a Puppet Master and a Puppet Agent on two different CentOS machines.

They were both communicating over SSL before, but after I restarted the master server everything was gone.

The httpd conf.d contains puppetmaster.conf, so I need to start the httpd service.

When that was working, https://name:8140 showed "The environment must be purely alphanumeric, not ''", which means it is working.

I am sure I ran

"$sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'."

to start it at boot.

Earlier it gave an error about no listening sockets being available, but I resolved that by killing the puppet process that was occupying the port.

Here is what I tried without success:

$sudo service httpd status
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 2min 13s ago
  Process: 4144 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 4155 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4155 /usr/sbin/httpd -DFOREGROUND
           ├─4180 PassengerAgent watchdog
           ├─4186 PassengerAgent server
           ├─4192 PassengerAgent logger
           ├─4203 /usr/sbin/httpd -DFOREGROUND
           ├─4204 /usr/sbin/httpd -DFOREGROUND
           ├─4205 /usr/sbin/httpd -DFOREGROUND
           ├─4206 /usr/sbin/httpd -DFOREGROUND
           └─4207 /usr/sbin/httpd -DFOREGROUND

Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binar...bility.

                                   *****  Plugin sys_resource (37.5 confidence) suggests   **********************...
Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.


$sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service


(IPtable)
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


(SELinux Status)
 sudo cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

(HTTPD status -l)

sudo service httpd status -l
Redirecting to /bin/systemctl status  -l httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-03-30 12:39:07 PDT; 20min ago
 Main PID: 4155 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4155 /usr/sbin/httpd -DFOREGROUND
           ├─4180 PassengerAgent watchdog                                                 
           ├─4186 PassengerAgent server                                                 
           ├─4192 PassengerAgent logger                                                 
           ├─4203 /usr/sbin/httpd -DFOREGROUND
           ├─4204 /usr/sbin/httpd -DFOREGROUND
           ├─4205 /usr/sbin/httpd -DFOREGROUND
           ├─4206 /usr/sbin/httpd -DFOREGROUND
           └─4207 /usr/sbin/httpd -DFOREGROUND

Mar 30 12:39:07 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:39:07 vaio python[4146]: SELinux is preventing /usr/local/share/gems/gems/passenger-5.0.5/buildout/support-binaries/PassengerAgent from using the sys_resource capability.

                               *****  Plugin sys_resource (37.5 confidence) suggests   **********************

                               If you do not want processes to require capabilities to use up all the system resources on your system;
                               Then you need to diagnose why your system is running out of system resources and fix the problem.  

                               According to /usr/include/linux/capability.h, sys_resource is required to:

                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */
                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */
                               /* Override resource limits. Set resource limits. */
                               /* Override quota limits. */
                               /* Override reserved space on ext2 filesystem */
                               /* Modify data journaling mode on ext3 filesystem (uses journaling
                                  resources) */
                               /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                                  you can override using fsuid too */
                               /* Override size restrictions on IPC message queues */
                               /* Allow more than 64hz interrupts from the real-time clock */
                               /* Override max number of consoles on console allocation */
                               /* Override max number of keymaps */

                               Do
                               fix the cause of the SYS_RESOURCE on your system.

                               *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

                               If you want to allow httpd to run stickshift
                               Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
                               You can read 'None' man page for more details.
                               Do
                               setsebool -P httpd_run_stickshift 1

                               *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

                               If you want to allow httpd to setrlimit
                               Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
                               You can read 'None' man page for more details.
                               Do
                               setsebool -P httpd_setrlimit 1

                               *****  Plugin catchall (4.20 confidence) suggests   **************************

                               If you believe that PassengerAgent should have the sys_resource capability by default.
                               Then you should report this as a bug.
                               You can generate a local policy module to allow this access.
                               Do
                               allow this access for now by executing:
                               # grep PassengerAgent /var/log/audit/audit.log | audit2allow -M mypol
                               # semodule -i mypol.pp

Mar 30 12:40:49 vaio systemd[1]: Started The Apache HTTP Server.
Mar 30 12:52:58 vaio systemd[1]: Started The Apache HTTP Server.

The trial-and-error steps shown below bring the Puppet Master back to life. Thanks to Shane Madden for the guidance.

$ sudo service iptables restart
Redirecting to /bin/systemctl restart  iptables.service
$ sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service
$ sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'.
$ sudo service httpd start
Redirecting to /bin/systemctl start  httpd.service
$ sudo setenforce permissive 
$ sudo sed -i --follow-symlinks 's/=enforcing/=permissive/g' /etc/sysconfig/selinux
$ sudo getenforce

Make sure iptables contains "-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT".

Once you connect, it will say "The environment must be purely alphanumeric, not ''", which is NOT an error.
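
The 8140 rule only takes effect if it sits ahead of the blanket REJECT in the INPUT chain, because iptables acts on the first matching rule. As an added example (not part of the original post), this shell function checks that ordering on `iptables-save`-format text; the function names and the second, reordered ruleset are constructed for illustration.

```shell
# check_input_port PORT < rules   (rules in iptables-save format)
# Prints: allowed | shadowed | open-by-policy | missing
# Only plain "--dport N" matches are understood (no ranges or multiport).
check_input_port() {
    awk -v port="$1" '
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            n++; target = ""; dport = ""; proto = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-p" || $i == "-i" || $i == "-s" || $i == "-m") scoped = 1
            }
            if (target == "ACCEPT" && proto == "tcp" && dport == port && !hit) hit = n
            if ((target == "REJECT" || target == "DROP") && !scoped && !block) block = n
        }
        END {
            if (hit && (!block || hit < block)) print "allowed"
            else if (hit) print "shadowed"   # ACCEPT exists but is never reached
            else if (!block && policy == "ACCEPT") print "open-by-policy"
            else print "missing"
        }'
}

# The INPUT chain as posted in the question.
page_rules() {
cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Constructed variant: the 8140 rule was appended after the REJECT.
appended_rules() {
cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
EOF
}
page_rules | check_input_port 8140       # allowed
appended_rules | check_input_port 8140   # shadowed
```

On a live host the same check can be fed from `sudo iptables-save`.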