Starting the RocketMQ service fails with an error:
[root@rocketmq1-nameserver-test bin]# systemctl start rocketmq-nameserver
[root@rocketmq1-nameserver-test bin]# systemctl status rocketmq-nameserver
● rocketmq-nameserver.service - nameserver
Loaded: loaded (/usr/lib/systemd/system/rocketmq-nameserver.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2021-12-10 18:47:05 CST; 3s ago
Process: 2414 ExecStart=/home/rocketmq/bin/mqnamesrv (code=exited, status=203/EXEC)
Main PID: 2414 (code=exited, status=203/EXEC)
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: Started nameserver.
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Main process exited, code=exited, status=203/EXEC
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Failed with result 'exit-code'.
First, use journalctl -xe to see the detailed error:
[root@rocketmq1-nameserver-test bin]# journalctl -xe
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: Started nameserver.
-- Subject: rocketmq-nameserver.service 单元已结束启动
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- rocketmq-nameserver.service 单元已结束启动。
--
-- 启动结果为“done”。
12月 10 18:47:05 rocketmq1-nameserver-test systemd[2414]: rocketmq-nameserver.service: Failed to execute command: Permission denied
12月 10 18:47:05 rocketmq1-nameserver-test systemd[2414]: rocketmq-nameserver.service: Failed at step EXEC spawning /home/rocketmq/bin/mqnamesrv: Permission denied
-- Subject: 进程 /home/rocketmq/bin/mqnamesrv 无法执行
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- 进程 /home/rocketmq/bin/mqnamesrv 无法被执行并已失败。
--
-- 该进程返回的错误代码为 13。
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Main process exited, code=exited, status=203/EXEC
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit rocketmq-nameserver.service has entered the 'failed' state with result 'exit-code'.
12月 10 18:47:05 rocketmq1-nameserver-test dbus-daemon[970]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.4' (uid=0 pid=948 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
12月 10 18:47:05 rocketmq1-nameserver-test dbus-daemon[2417]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
12月 10 18:47:07 rocketmq1-nameserver-test setroubleshoot[2417]: AnalyzeThread.run(): Cancel pending alarm
12月 10 18:47:07 rocketmq1-nameserver-test setroubleshoot[2417]: failed to retrieve rpm info for /home/rocketmq/bin/mqnamesrv
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[970]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.94' (uid=995 pid=2417 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[2431]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:09 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv. For complete SELinux messages run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/home/rocketmq/bin/mqnamesrv default label should be home_bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/rocketmq/bin/mqnamesrv
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that systemd should be allowed read open access on the mqnamesrv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(qnamesrv)' --raw | audit2allow -M my-qnamesrv
# semodule -X 300 -i my-qnamesrv.pp
It contains the following passage:
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[2431]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:09 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv. For complete SELinux messages run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
As instructed above, we run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
[root@rocketmq1-nameserver-test bin]# sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the 文件 /home/rocketmq/bin/mqnamesrv.
***** 插件 restorecon (99.5 置信度) 建议 ******************************************
如果要修复标签。/home/rocketmq/bin/mqnamesrv默认标签应该是 home_bin_t。
Then 你可以运行restorecon。由于访问父目录的权限不足,可能已停止访问尝试,在这种情况下尝试相应地更改以下命令。
Do
# /sbin/restorecon -v /home/rocketmq/bin/mqnamesrv
***** 插件 catchall (1.49 置信度) 建议 ********************************************
如果你相信 (qnamesrv)应该允许_BASE_PATH read open 访问 mqnamesrv file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c '(qnamesrv)' --raw | audit2allow -M my-qnamesrv
# semodule -X 300 -i my-qnamesrv.pp
(the rest of the output is omitted)
The last sentence above tells us to run the commands: # ausearch -c '(qnamesrv)' --raw | audit2allow -M my-qnamesrv and # semodule -X 300 -i my-qnamesrv.pp
But after running them, the service still fails to start.
After looking into it, it turns out to be an SELinux problem:
SELinux considers that binaries may only be executed from certain locations, and my custom directory was not explicitly marked as allowed. It inherited the type var_t from /srv/.* (I think).
To get a broad list of the current rules for all directories, you can run semanage fcontext --list.
I added an exception using the following Ansible tasks:
- name: set SELinux permissions on ts3server binaries
  sefcontext:
    target: "/srv/teamspeak/versions/[^/]+/ts3server"
    setype: bin_t
- name: reload SELinux policy to ensure that ts3server is executable
  command: restorecon -irv /srv/teamspeak/
  when: tarball.changed
The same can be achieved by running semanage fcontext followed by restorecon -irv /srv/teamspeak/.
So we need to apply the executable label to the RocketMQ startup scripts:
restorecon -irv /home/rocketmq/bin/
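To turn the fix above into a repeatable check, here is a small shell script (added here as an example; it is not from the original post and not part of RocketMQ). It compares the label currently on the executable named in ExecStart= with the label the loaded policy says it should have, and prints the matching restorecon command when they differ. The function names (context_type, label_verdict, check_exec_label) and the sample contexts in the comments are assumptions made for this example; the real-system path needs stat and matchpathcon from policycoreutils on an SELinux host.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post):
# audit the SELinux label of a systemd unit's ExecStart executable and
# report the least-privilege fix (relabel) instead of a policy change.

# Extract the type field (third colon-separated field) from a context,
# e.g. "system_u:object_r:home_bin_t:s0" -> "home_bin_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a (current, policy-default) context pair and print a verdict:
#   ok      - the file already carries its policy-default type
#   relabel - types differ, so restorecon restores it with no policy change
# Constructed sample: current "unconfined_u:object_r:user_home_t:s0",
# default "system_u:object_r:home_bin_t:s0" -> "relabel".
label_verdict() {
    lv_cur=$(context_type "$1")
    lv_def=$(context_type "$2")
    if [ "$lv_cur" = "$lv_def" ]; then
        echo ok
    else
        echo relabel
    fi
}

# Real-system path. $1 = path to the executable named in ExecStart=.
# stat -c %C prints the file's current context; matchpathcon -n prints the
# context the loaded file-context rules assign to that path.
check_exec_label() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "no such file: $path" >&2
        return 2
    fi
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not found; install policycoreutils" >&2
        return 2
    fi
    cur=$(stat -c %C "$path")
    def=$(matchpathcon -n "$path")
    case $(label_verdict "$cur" "$def") in
        ok)
            echo "$path: type $(context_type "$cur") matches the policy default"
            ;;
        relabel)
            echo "$path: current type $(context_type "$cur"), policy default $(context_type "$def")"
            echo "fix: restorecon -v '$path'"
            echo "for a directory outside the default rules, add a rule first, e.g.:"
            echo "  semanage fcontext -a -t bin_t '$(dirname "$path")(/.*)?' && restorecon -Rv '$(dirname "$path")'"
            ;;
    esac
}

# Usage on the host from the post: check_exec_label /home/rocketmq/bin/mqnamesrv
```

Relabeling keeps the existing policy untouched, which is why it is preferable to the audit2allow module suggested by the catchall plugin: that module would grant systemd read/open access to every file carrying the denied type, not just this one script. The semanage fcontext line only matters for directories the default rules do not already cover; for ~/bin the policy default is already home_bin_t, as the restorecon plugin reported.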
Starting the service again now succeeds:
[root@rocketmq1-nameserver-test bin]# semodule -i my-qnamesrv.pp
[root@rocketmq1-nameserver-test bin]# systemctl start rocketmq-nameserver
[root@rocketmq1-nameserver-test bin]# systemctl status rocketmq-nameserver
● rocketmq-nameserver.service - nameserver
Loaded: loaded (/usr/lib/systemd/system/rocketmq-nameserver.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-12-10 18:47:48 CST; 1min 15s ago
Main PID: 2459 (mqnamesrv)
Tasks: 36 (limit: 10931)
Memory: 172.9M
CGroup: /system.slice/rocketmq-nameserver.service
├─2459 /bin/sh /home/rocketmq/bin/mqnamesrv
├─2463 sh /home/rocketmq/bin/runserver.sh org.apache.rocketmq.namesrv.NamesrvStartup
└─2480 /usr/local/jdk1.8.0_151/bin/java -server -Xms256m -Xmx256m -Xmn128m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=320m -XX:+UseConcMarkSweepGC -XX:+UseCMSCompactAtFullCollection -XX:CMSInitiatingOccupancyFraction=70 -XX:+CMSP