tracker issue : CF-4203248

Title:

Lockdown Installer Failed to Restart Apache on RHEL 7.5 on SELinux


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Peter Freitag / ()

Created: 08/07/2018

Components: Installation/Config, Connector, Installation/Config, Lockdown Installer

Versions: 2016,11.0,2018

Failure Type: Crash

Found In Build/Fixed In Build: 2018.0.0.310739 / CF2018U4

Priority/Frequency: Minor / Most users will encounter

Locale/System: ALL / Linux

Vote Count: 0

Problem Description: Lockdown Installer Fails when attempting to restart Apache when installing the web server connector.  
**Actual issue: mod_jk.log is not being created with the appropriate permissions when the connector is configured, because of which the web server doesn't restart.**
 
Lockdown Logs:

2018-08-07 16:14:21 INFO  - Configuring the connector for: Apache for the website: /etc/httpd/conf
2018-08-07 16:14:23 INFO  - CONNECTOR ERROR FOUND
2018-08-07 16:14:23 INFO  - INPUT log starts here *******************
2018-08-07 16:14:23 INFO  - 
2018-08-07 16:14:23 INFO  - INPUT log ends here *******************
2018-08-07 16:14:23 INFO  - Error log STARTS here *******************
2018-08-07 16:14:23 INFO  - Using Apache binary /usr/sbin/httpd
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Using Apache control script /usr/sbin/apachectl
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Error running "/usr/sbin/apachectl restart": exit code was 1
Error restarting Apache server.  The web server must be restarted to complete this operation.
2018-08-07 16:14:23 INFO  - Error log ENDS here *******************
2018-08-07 16:14:23 INFO  - Failed to configure the connector!
2018-08-07 16:14:23 INFO  - Failed to add connector!
2018-08-07 16:14:23 INFO  - Rolling back any changes made during lockdown!

journalctl -xe 

Aug 07 16:10:48 ip-10-0-0-133.ec2.internal systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Aug 07 16:10:49 ip-10-0-0-133.ec2.internal systemd[1]: Started The Apache HTTP Server.
-- Subject: Unit httpd.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has finished starting up.
-- 
-- The start-up result is done.
Aug 07 16:12:19 ip-10-0-0-133.ec2.internal sudo[2025]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=./cf2018-lockdown-linux.bin
Aug 07 16:12:51 ip-10-0-0-133.ec2.internal runuser[2452]: pam_unix(runuser:session): session opened for user cfuser by (uid=0)
Aug 07 16:12:52 ip-10-0-0-133.ec2.internal runuser[2452]: pam_unix(runuser:session): session closed for user cfuser
Aug 07 16:13:55 ip-10-0-0-133.ec2.internal usermod[2485]: add 'cfuser' to group 'webusers'
Aug 07 16:13:55 ip-10-0-0-133.ec2.internal usermod[2485]: add 'cfuser' to shadow group 'webusers'
Aug 07 16:13:55 ip-10-0-0-133.ec2.internal usermod[2492]: add 'apache' to group 'apache'
Aug 07 16:13:55 ip-10-0-0-133.ec2.internal usermod[2492]: add 'apache' to shadow group 'apache'
Aug 07 16:13:57 ip-10-0-0-133.ec2.internal runuser[2563]: pam_unix(runuser:session): session opened for user cfuser by (uid=0)
Aug 07 16:13:58 ip-10-0-0-133.ec2.internal runuser[2563]: pam_unix(runuser:session): session closed for user cfuser
Aug 07 16:14:08 ip-10-0-0-133.ec2.internal runuser[2609]: pam_unix(runuser:session): session opened for user cfuser by (uid=0)
Aug 07 16:14:08 ip-10-0-0-133.ec2.internal runuser[2609]: pam_unix(runuser:session): session closed for user cfuser
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal usermod[2635]: add 'apache' to group 'webusers'
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal usermod[2635]: add 'apache' to shadow group 'webusers'
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal kill[2642]: kill: cannot find process ""
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal systemd[1]: httpd.service: control process exited, code=exited status=1
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal systemd[1]: Unit httpd.service entered failed state.
Aug 07 16:14:15 ip-10-0-0-133.ec2.internal systemd[1]: httpd.service failed.


Steps to Reproduce:

Created a group webusers and a user cfuser as a system account (no password).

Using the RHEL 7.5 AMI on AWS. Installed ColdFusion 2018 final, Secure+Production Profile, all settings default. 

Started CF and Logged in to CF Administrator.

Installed apache: sudo yum install httpd
Start apache with: sudo service httpd start

Created a wwwroot dir /www and put some sites in there.

Ran lockdown installer with sudo

Specified users: cfuser (no password), root (no password), apache (no password). 
Apache Settings: conf dir /etc/httpd/conf, bin path /usr/sbin/httpd, wwwroot /www (

Actual Result: Lockdown Errors, and rolls back

Expected Result: Works

Any Workarounds: None

Attachments:

Comments:

This seems to happen when SELinux is enabled; the only way I have been able to get the installer to run without error is to disable SELinux.
Comment by Peter F.
29439 | August 07, 2018 05:11:14 PM GMT
Hi Pete,

Can you tell me the output after running the below commands with SELinux enabled?

systemctl status httpd.service
journalctl -xe

From what I understand, it might be because SELinux is not allowing apache to connect on the port. This fails when trying to configure the connector. Even without lockdown, if you try to configure a connector, this issue might be seen. You may need to add this port to the http_port_t type definition:

semanage port -a -t http_port_t -p tcp [Apache Port]
semanage port -m -t http_port_t -p tcp [Apache Port]

https://unix.stackexchange.com/questions/377903/can-not-restart-the-httpd-service
This link specifies a similar issue. Also, we tried the same steps with SELinux in our testing and it worked. If the above steps don't give a clear picture, can you share your AMI setup with us for debugging purposes?

Thanks,
Kailash
Comment by Kailash B.
29440 | August 07, 2018 05:26:46 PM GMT
I worked with Kailash to find the problem, here is what he found: "The issue is with mod_jk.log not getting created and having appropriate permissions when the connector is configured because of which webserver doesn’t restart (Apache is not able to write to this file and errors out). So before lockdown, I created the connector, then created the mod_jk.log file and gave it the appropriate permissions (chmod 560, and chcon -t httpd_log_t -u system_u mod_jk.log) and ran lockdown installer. The installer ran successfully post that"
Comment by Peter F.
29488 | August 13, 2018 03:43:09 PM GMT
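A pre-flight check for the condition Peter describes in the last comment, added here as an example; it is not part of the tracker issue, of ColdFusion or of the lockdown installer. The script assumes a placeholder log path (the issue does not state where mod_jk.log lives), the apache service account seen in the journal above, and the httpd_log_t / system_u context from the quoted chcon command. Run it before the lockdown installer as "sh preflight.sh --check": it reports whether the Apache user can write the file and whether its SELinux label matches, and prints the page's fix for review rather than applying it. The two decision functions are pure (no filesystem access), so the same logic can be checked against constructed inputs.

```shell
#!/bin/sh
# Pre-flight check for the connector log before running the ColdFusion lockdown installer.
# Added example for this tracker issue; not part of the issue, of ColdFusion or of the
# lockdown installer. Assumptions: the log path (placeholder, the issue does not give it),
# the Apache service account "apache" (from the journal lines in the issue), and the
# SELinux context httpd_log_t / system_u from the workaround quoted in the last comment.

MODJK_LOG="${MODJK_LOG:-/PATH/TO/mod_jk.log}"   # placeholder path, override via environment
APACHE_USER="${APACHE_USER:-apache}"
EXPECTED_SEUSER="system_u"
EXPECTED_TYPE="httpd_log_t"

# Check a SELinux file context string (user:role:type:level, as printed by `ls -Z`
# or `stat -c %C`) against the expected user and type. Prints "ok" or a reason.
selinux_context_ok() {
    sc_user=$(printf '%s' "$1" | cut -d: -f1)
    sc_type=$(printf '%s' "$1" | cut -d: -f3)
    if [ "$sc_user" != "$EXPECTED_SEUSER" ]; then
        printf 'wrong-seuser:%s\n' "$sc_user"
        return 1
    fi
    if [ "$sc_type" != "$EXPECTED_TYPE" ]; then
        printf 'wrong-type:%s\n' "$sc_type"
        return 1
    fi
    printf 'ok\n'
}

# Decide whether USER can write a file, given the file's owner, group and octal mode
# and the space-separated list of groups USER belongs to. Pure function, no filesystem
# access: Unix applies exactly one of the owner, group or other bit sets.
writable_by() {
    wb_owner="$1"; wb_group="$2"; wb_mode="$3"; wb_user="$4"; wb_groups="$5"
    wb_perm=$(printf '000%s' "$wb_mode" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    if [ "$wb_user" = "$wb_owner" ]; then
        wb_bits=$(printf '%s' "$wb_perm" | cut -c1)
    elif printf ' %s ' "$wb_groups" | grep -qF " $wb_group "; then
        wb_bits=$(printf '%s' "$wb_perm" | cut -c2)
    else
        wb_bits=$(printf '%s' "$wb_perm" | cut -c3)
    fi
    [ $(( wb_bits & 2 )) -ne 0 ]
}

# Print (do not run) the fix quoted in the issue, for the administrator to review.
remediation_commands() {
    echo "Suggested fix (from the workaround in this issue; pick a mode that lets $APACHE_USER write):"
    echo "  touch $MODJK_LOG"
    echo "  chmod 560 $MODJK_LOG"
    echo "  chcon -t $EXPECTED_TYPE -u $EXPECTED_SEUSER $MODJK_LOG"
}

# Inspect the real file. Only runs when invoked as: sh preflight.sh --check
preflight() {
    if [ ! -f "$MODJK_LOG" ]; then
        echo "FAIL: $MODJK_LOG does not exist; Apache will fail to open its mod_jk log"
        remediation_commands
        return 1
    fi
    pf_owner=$(stat -c %U "$MODJK_LOG")
    pf_group=$(stat -c %G "$MODJK_LOG")
    pf_mode=$(stat -c %a "$MODJK_LOG")
    pf_groups=$(id -Gn "$APACHE_USER")
    pf_rc=0
    if writable_by "$pf_owner" "$pf_group" "$pf_mode" "$APACHE_USER" "$pf_groups"; then
        echo "OK:   $APACHE_USER can write $MODJK_LOG ($pf_owner:$pf_group mode $pf_mode)"
    else
        echo "FAIL: $APACHE_USER cannot write $MODJK_LOG ($pf_owner:$pf_group mode $pf_mode)"
        pf_rc=1
    fi
    # stat %C prints the SELinux context; empty or "?" when SELinux is not in use
    pf_ctx=$(stat -c %C "$MODJK_LOG" 2>/dev/null)
    if [ -n "$pf_ctx" ] && [ "$pf_ctx" != "?" ]; then
        if pf_why=$(selinux_context_ok "$pf_ctx"); then
            echo "OK:   SELinux context $pf_ctx"
        else
            echo "FAIL: SELinux context $pf_ctx ($pf_why)"
            pf_rc=1
        fi
    fi
    [ "$pf_rc" -eq 0 ] || remediation_commands
    return "$pf_rc"
}

case "${1:-}" in
    --check) preflight ;;
esac
```

The check matters because a wrong label fails silently from Apache's point of view: the file is there, the mode looks fine, and httpd still cannot open it, with the denial recorded only in the audit log. Note also that chcon sets a label that restorecon will revert if the file lives outside a directory the policy already labels httpd_log_t; the persistent alternative is a semanage fcontext rule for the path followed by restorecon.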