主页 / unix / 问题 / 432425
Accepted
Drew
Asked: 2018-03-21 13:25:03 +0800 CST

Centos7 http 无法正常启动。httpd 有效, systemctl start httpd 无效

  • 772

我可以直接通过启动apache httpd,但我不能通过启动它systemctl start httpd。我更喜欢 daemon 方法,这样我就可以让它自动启动。

有人遇到这个问题吗?这是在新的 CentOS7 虚拟机上。

systemctl 启动 http

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

systemctl 状态 httpd.service

    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2018-03-20 17:20:54 EDT; 37s ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 7025 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
      Process: 7024 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
     Main PID: 7024 (code=exited, status=1/FAILURE)

    Mar 20 17:20:54 test.local.com systemd[1]: Starting The Apache HTTP Server...
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
    Mar 20 17:20:54 test.local.com kill[7025]: kill: cannot find process ""
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: control process exited, code=exited status=1
    Mar 20 17:20:54 test.local.com systemd[1]: Failed to start The Apache HTTP Server.
    Mar 20 17:20:54 test.local.com systemd[1]: Unit httpd.service entered failed state.
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service failed.

journalctl -xe

巴斯宾

/etc/httpd/logs/error_log

巴斯宾

对默认配置的唯一更改:

/etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf

/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
    ServerName test.local.com
    ServerAlias local.com
    Redirect / https://local.com
</VirtualHost>

<VirtualHost _default_:443>
    ServerName test.local.com
    ServerAlias local.com
    ServerAdmin [email protected]

    DocumentRoot /var/www/local.com/public_html

    ErrorLog /var/www/local.com/error.log
    CustomLog /var/www/local.com/access.log common

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/www/local.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>

仅打开端口:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-dmc --reload

这是我从全新的 CentOS7 安装中所做的整个确切过程:

Fresh CentOS 7 installation (VM)

yum upgrade -y

yum search http
yum install -y httpd httpd-devel mod_ssl openssl

systemctl start httpd

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

    Browse to 192.168.1.241
        Apache is live!

yum search mariadb
yum install -y mariadb-server

systemctl start mariadb
mysql_secure_installation

    mysql -uroot -p
        Login to mysql server works!

yum search php

yum install -y php php-cli php-dba php-devel php-fpm php-mysql php-process php-pspell php-xml

systemctl restart httpd

    Browse to 192.168.1.241/info.php
        PHP is live!

mkdir /etc/httpd/sites-enabled
echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf

/etc/httpd/sites-enabled/local.com.conf
    <VirtualHost *:80>
        ServerName test.local.com
        ServerAlias local.com
        Redirect permenent / https://local.com
    </VirtualHost>

    <VirtualHost _default_:443>
        ServerName test.local.com
        ServerAlias local.com
        ServerAdmin [email protected]

        DocumentRoot /var/www/local.com/public_html

        ErrorLog /var/www/local.com/error.log
        CustomLog /var/www/local.com/access.log combined

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/www/local.com.crt
        SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
    </VirtualHost>

mkdir -p /var/www/local.com/public_html

chown -R apache:apache /var/www/local.com/public_html
chmod -R 755 /var/www

cd /etc/ssl/certs/www
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout local.com.key -out local.com.crt

    Browse to 192.168.1.241
        Unsecure service (self signed ssl) accept
        Site is live!
        I was redirected to https://local.com

NOTE: I added the following to my desktop's (separate PC) /etc/hosts
    192.168.1.241 test.local.com local.com

    This acts as a DNS record for my site

yum install -y epel-release
yum install -y phpmyadmin

edit /etc/httpd/conf.d/phpMyAdmin.conf
    Add under any line with Require ip 127.0.0.1 with
    Require ip 192.168.1.5

    Add under any line with Allow from 127.0.0.1 with
    Allow from 192.168.1.5

systemctl restart httpd # FAILS
kill pid for httpd
httpd # start httpd directly
    Access https://local.com/phpMyAdmin
    Now have access to phpMyAdmin

    Login with root, 12345
    And have mariadb access!

yum install -y awstats

edit /etc/httpd/conf.d/awstats.conf
     Change Require ip and Allow ip same as phpMyAdmin

cp /etc/awstats/awstats.localhost.localdomain.conf /etc/awstats/awstats.local.com.conf

edit /etc/awstats/awstats.local.com.conf
     LogFile="/var/log/httpd/access.log"
     SiteDomain="www.local.com"
     HostAliases="local.com 127.0.0.1"

echo "*/30 * * * * root /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.local.com -update" >> /etc/crontab

kill httpd pid
httpd

    Browse to https://local.com/awstats/awstats.pl?config=local.com
        Awstats is live!
centos systemd

1 个回答

  1. Best Answer

    您在使用 SELinux 时遇到了麻烦。

    /var/www出于安全原因,CentOS 7 提供了阻止 httpd 写入 下的文件的规则。

    您正在将 VirtualHost 的日志文件配置到该目录下的某个位置:

        ErrorLog /var/www/local.com/error.log
    CustomLog /var/www/local.com/access.log combined

    因此,当 httpd(由 systemd 启动)尝试写入这些日志文件时,SELinux 将阻止该操作,最终导致 httpd 退出并出现错误退出代码。

    您可以使用以下命令确认这一点,该ausearch命令会检查审核日志(存储在 下/var/log/audit/audit.log)中的条目:

    $ sudo ausearch -m avc
type=AVC msg=audit(1234567890.123:234): avc:  denied  { write } for  pid=12345 comm="httpd" name="local.com" dev="sda1" ino=12345678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

    在此消息中,您将看到写入的目标被标记为httpd_sys_content_t。如果您ls -Z在日志文件上使用,您会看到它们是这样标记的:

    $ ls -Z /var/www/local.com/
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 access.log                                                                                         
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 error.log                                                                                          
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html

    这只影响由 systemd 启动的 httpd 而不会影响直接运行 httpd 的原因是,您的 SSH 会话在“无限制”域中运行,因此在那里运行 httpd 不会触发任何 SELinux 转换......当通过 systemd 启动时,它会在启动守护进程时应用正确的 SELinux 权限。

    chcon您可以通过使用以下命令更改这些文件的 SELinux“类型”来临时解决此问题:

    $ sudo chcon -t httpd_log_t /var/www/local.com/*.log
$ ls -Z /var/www/local.com/
-rw-r--r--. root   root   unconfined_u:object_r:httpd_log_t:s0 access.log
-rw-r--r--. root   root   unconfined_u:object_r:httpd_log_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html

    那时,通过 systemctl 启动 httpd 就可以正常工作了...

    但这不是一个很好的解决方案,因为如果重新创建这些文件(例如,在日志轮换期间)或者如果您的文件系统被重新标记,SELinux 类型将会丢失......

    有一些方法可以使该类型更持久(例如,semanage fcontext命令),但是这个 SELinux 策略在这里试图实现的是防止将 Web 内容与日志混合,以防止意外提供日志文件或覆盖 Web 内容.

    /var/log/httpd正确的答案是在该目录或该目录的子目录下创建日志文件。如果这样做,SELinux 类型从一开始就正确,在任何操作(包括 SELinux 重新标记)中都将保持正确,并且一切都应该按预期工作。

    所以,如果你可以把你的日志放在下面/var/log/httpd,那应该可以解决这个问题!

    • 6

相关问题