Clodoaldo's questions

我用来rdiff-backup从本地文件系统备份到安装了远程存储盒的远程 Hetzner 服务器。存储盒作为文件系统安装在远程服务器上cifs。备份以 root 身份在本地运行，并且ssh与远程服务器的连接也在 root 帐户上进行。我遇到的问题是原始文件所有者/组没有保留。一切都归 root 所有。

储物盒的安装方式如下/etc/fstab：

//user.your-storagebox.de/backup /storagebox cifs iocharset=utf8,rw,credentials=/etc/backup-credentials.txt,seal,uid=0,gid=0,file_mode=0660,dir_mode=0770 0 0

以及本地备份命令：

rdiff-backup -v4 --api-version 201 backup --print-statistics \
    --include /home/cpn/Documents \
    --include /home/cpn/ProgramasRFB \
    --include /home/cpn/Pictures \
    --include /home/cpn/Videos \
    --include /hd2t/Fotos \
    --include /hd2t/Videos \
    --include /etc \
    --exclude '**' \
    / [email protected]::/storagebox/Backup/ & disown;

文件/目录不是由原始用户拥有，而是由存储箱中的 root 拥有：

# ll
total 0
drwxrwx---. 2 root root 0 May 14 16:58 Documents
drwxrwx---. 2 root root 0 May  1 09:23 Pictures

我缺少什么？我的猜测是这个问题与cifs

这些是 Hetzner 为该云设备提供的唯一访问权限：https://docs.hetzner.com/robot/storage-box/access/access-overview

我也尝试过 SFTP，但结果更糟

RockyLinux 9. 重新启动时 Apache 无法启动并显示以下消息

Jul 21 10:53:13 cl httpd[877]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 1.2.3.4:80
Jul 21 10:53:13 cl httpd[877]: no listening sockets available, shutting down
Jul 21 10:53:13 cl httpd[877]: AH00015: Unable to open logs
Jul 21 10:53:13 cl systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 10:53:13 cl systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 21 10:53:13 cl systemd[1]: Failed to start The Apache HTTP Server.

主配置文件将其设置为侦听该地址和 80 端口。但是该地址在80和443端口上都有虚拟主机

如果我手动启动它，它会开始使用该地址，但使用 443 端口

# systemctl start httpd
Jul 21 10:55:44 cl systemd[1]: Starting The Apache HTTP Server...
Jul 21 10:55:44 cl httpd[2135]: [Fri Jul 21 10:55:44.803045 2023] [so:warn] [pid 2135:tid 2135] AH01574: module wsgi_module is already loaded, skipping
Jul 21 10:55:44 cl httpd[2135]: Server configured, listening on: 1.2.3.4 port 443, ...
Jul 21 10:55:44 cl systemd[1]: Started The Apache HTTP Server.

有任何想法吗？

# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      879/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1551/postmaster     
tcp        0      0 1.2.3.4:80              0.0.0.0:*               LISTEN      2574/httpd          
tcp        0      0 1.2.3.4:443             0.0.0.0:*               LISTEN      2574/httpd          
tcp6       0      0 :::22                   :::*                    LISTEN      879/sshd: /usr/sbin 
udp        0      0 127.0.0.1:323           0.0.0.0:*                           810/chronyd         
udp6       0      0 ::1:323                 :::*                                810/chronyd         

# cat /etc/NetworkManager/system-connections/System\ enp0s71fa.nmconnection 
[connection]
id=System enp0s71fa
uuid=b5f5eeee-5bd2-c5a6-acb6-f03d5581aca5
type=ethernet
interface-name=enp0s71fa
timestamp=1689890116

[ethernet]

[ipv4]
address1=1.2.3.4/32,1.2.3.6
address2=1.2.3.5/27
dns=5.6.7.1;
method=manual

[ipv6]
address1=2a01:4f8:bbb:aaaa::2/64,fe80::1
dns=2a01:ccc:dddd::add:2;
method=manual

我已经安装named了chroot，它已经工作了几天。现在它没有找到某个域的IP：

# dig arstechnica.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com
;; global options: +cmd
;; connection timed out; no servers could be reached

通常会发现其他域：

# dig serverfault.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> serverfault.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;serverfault.com.       IN  A

;; ANSWER SECTION:
serverfault.com.    98  IN  A   198.252.206.140

;; AUTHORITY SECTION:
serverfault.com.    172598  IN  NS  cf-dns02.serverfault.com.
serverfault.com.    172598  IN  NS  cf-dns01.serverfault.com.

;; ADDITIONAL SECTION:
cf-dns02.serverfault.com. 172598 IN A   173.245.59.4
cf-dns01.serverfault.com. 172598 IN A   173.245.58.53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 11:06:10 2014
;; MSG SIZE  rcvd: 127

named.conf：

# cat /var/named/chroot/var/named/chroot/etc/named.conf 

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

该目录中的所有文件：

# ll /var/named/chroot/var/named/chroot/etc/
total 16
-rw-r--r--. 1 root root   118 Jul 21  2011 localtime
drwxr-x---. 2 root named 4096 Dec 12 02:25 named
-rw-r-----. 1 root named 1008 Dec 17 20:02 named.conf
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.iscdlv.key
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.rfc1912.zones
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.root.key
drwxr-x---. 3 root named 4096 Dec 17 19:15 pki
-rw-r--r--. 1 root root     0 Dec 22 10:35 rndc.key

我错过了什么？

+trace添加：

# dig arstechnica.com +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com +trace
;; global options: +cmd
.           516879  IN  NS  m.root-servers.net.
.           516879  IN  NS  h.root-servers.net.
.           516879  IN  NS  g.root-servers.net.
.           516879  IN  NS  j.root-servers.net.
.           516879  IN  NS  a.root-servers.net.
.           516879  IN  NS  l.root-servers.net.
.           516879  IN  NS  e.root-servers.net.
.           516879  IN  NS  f.root-servers.net.
.           516879  IN  NS  k.root-servers.net.
.           516879  IN  NS  b.root-servers.net.
.           516879  IN  NS  d.root-servers.net.
.           516879  IN  NS  i.root-servers.net.
.           516879  IN  NS  c.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 577 ms

com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
;; Received 493 bytes from 192.58.128.30#53(192.58.128.30) in 2270 ms

arstechnica.com.    172800  IN  NS  ns1.servercentral.net.
arstechnica.com.    172800  IN  NS  ns2.servercentral.net.
;; Received 118 bytes from 192.12.94.30#53(192.12.94.30) in 579 ms

;; connection timed out; no servers could be reached

挖到github：

# dig github.com +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> github.com +trace
;; global options: +cmd
.           516495  IN  NS  k.root-servers.net.
.           516495  IN  NS  e.root-servers.net.
.           516495  IN  NS  f.root-servers.net.
.           516495  IN  NS  b.root-servers.net.
.           516495  IN  NS  g.root-servers.net.
.           516495  IN  NS  d.root-servers.net.
.           516495  IN  NS  m.root-servers.net.
.           516495  IN  NS  c.root-servers.net.
.           516495  IN  NS  j.root-servers.net.
.           516495  IN  NS  h.root-servers.net.
.           516495  IN  NS  a.root-servers.net.
.           516495  IN  NS  i.root-servers.net.
.           516495  IN  NS  l.root-servers.net.
;; Received 508 bytes from 127.0.0.1#53(127.0.0.1) in 5 ms

com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
;; Received 488 bytes from 193.0.14.129#53(193.0.14.129) in 74 ms

github.com.     172800  IN  NS  ns1.p16.dynect.net.
github.com.     172800  IN  NS  ns3.p16.dynect.net.
github.com.     172800  IN  NS  ns2.p16.dynect.net.
github.com.     172800  IN  NS  ns4.p16.dynect.net.
;; Received 178 bytes from 192.31.80.30#53(192.31.80.30) in 323 ms

github.com.     30  IN  A   192.30.252.131
github.com.     86400   IN  NS  ns4.p16.dynect.net.
github.com.     86400   IN  NS  ns2.p16.dynect.net.
github.com.     86400   IN  NS  ns1.p16.dynect.net.
github.com.     86400   IN  NS  ns3.p16.dynect.net.
;; Received 130 bytes from 204.13.251.16#53(204.13.251.16) in 10 ms

SELinux 阻止apache用户写入它拥有的日志文件。当我这样做时setenforce 0，它会起作用。否则显示此错误

IOError: [Errno 13] Permission denied: '/var/www/webapp/k/site/k.log'

文件的安全上下文：

$ ll -Z k.log 
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 k.log

该文件是在 SELinux 模式设置为许可时创建的。

如何设置安全上下文以便apache用户可以在该目录中写入？我确实使用设置了该目录安全上下文，chcon但找不到合适的文件类型。

来自audit.log：

type=AVC msg=audit(1409945481.163:1561): avc:  denied  { append } for  pid=16862 comm="httpd" name="k.log" dev="dm-1" ino=201614333 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1409945481.163:1561): arch=c000003e syscall=2 success=no exit=-13 a0=7fa8080847a0 a1=441 a2=1b6 a3=3 items=0 ppid=15256 pid=16862 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)