Introduction
After updating PowerDNS Admin, the powerdns-admin service could no longer start.
Oct 01 15:30:13 test_srv systemd[1]: powerdns-admin.service: Service RestartSec=10s expired, scheduling restart.
Oct 01 15:30:13 test_srv systemd[1]: powerdns-admin.service: Scheduled restart job, restart counter is at 3.
Oct 01 15:30:13 test_srv systemd[1]: Stopped PowerDNS web administration service.
Oct 01 15:30:13 test_srv systemd[1]: Started PowerDNS web administration service.
Oct 01 15:30:13 test_srv systemd[68393]: powerdns-admin.service: Failed to execute command: Permission denied
Oct 01 15:30:13 test_srv systemd[68393]: powerdns-admin.service: Failed at step EXEC spawning /opt/PowerDNS-Admin/env/bin/gunicorn: Permission denied
Oct 01 15:30:13 test_srv systemd[1]: powerdns-admin.service: Main process exited, code=exited, status=203/EXEC
Oct 01 15:30:13 test_srv systemd[1]: powerdns-admin.service: Failed with result 'exit-code'.
Oct 01 15:30:13 test_srv setroubleshoot[68312]: failed to retrieve rpm info for /opt/PowerDNS-Admin-0.3.0/env/bin/gunicorn
Oct 01 15:30:33 test_srv systemd[68429]: powerdns-admin.service: Changing to the requested working directory failed: No such file or directory
Oct 01 15:30:33 test_srv systemd[68429]: powerdns-admin.service: Failed at step CHDIR spawning /opt/PowerDNS-Admin/env/bin/gunicorn: No such file or directory
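It was puzzling that "No such file or directory" was reported even though the file exists, but in the end the cause was SELinux.
I usually have SELinux disabled, so I had forgotten about it.
This post describes how to deal with errors like the ones above when SELinux is enabled.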
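Fix
To isolate the cause, I temporarily disabled SELinux, and with that the application could be accessed without problems.
# Temporarily disable enforcement (setenforce 0 switches SELinux to permissive mode)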
setenforce 0
This time I updated to 0.3.0, and on checking, only 0.3.0 has a different SELinux context type.
# ls -Z
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin unconfined_u:object_r:usr_t:s0 Symantec
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin-0.2.3 system_u:object_r:usr_t:s0 eset
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin-0.2.4 unconfined_u:object_r:usr_t:s0 pip_install.zip
unconfined_u:object_r:admin_home_t:s0 PowerDNS-Admin-0.3.0
#
# ls -Z PowerDNS-Admin-0.2.4
unconfined_u:object_r:usr_t:s0 LICENSE unconfined_u:object_r:usr_t:s0 package.json
unconfined_u:object_r:usr_t:s0 README.md unconfined_u:object_r:usr_t:s0 powerdnsadmin
unconfined_u:object_r:usr_t:s0 configs unconfined_u:object_r:usr_t:s0 requirements.txt
unconfined_u:object_r:usr_t:s0 docker unconfined_u:object_r:usr_t:s0 run.py
unconfined_u:object_r:usr_t:s0 docker-compose-test.yml unconfined_u:object_r:usr_t:s0 swagger-specv2.yaml
unconfined_u:object_r:usr_t:s0 docker-compose.yml unconfined_u:object_r:usr_t:s0 tests
unconfined_u:object_r:usr_t:s0 docker-test unconfined_u:object_r:usr_t:s0 update_accounts.py
unconfined_u:object_r:usr_t:s0 docs unconfined_u:object_r:usr_t:s0 update_zones.py
unconfined_u:object_r:usr_t:s0 env unconfined_u:object_r:usr_t:s0 yarn.lock
unconfined_u:object_r:usr_t:s0 migrations
#
# ls -Z PowerDNS-Admin-0.3.0
unconfined_u:object_r:admin_home_t:s0 LICENSE unconfined_u:object_r:admin_home_t:s0 migrations
unconfined_u:object_r:admin_home_t:s0 README.md unconfined_u:object_r:admin_home_t:s0 package.json
unconfined_u:object_r:admin_home_t:s0 configs unconfined_u:object_r:admin_home_t:s0 powerdnsadmin
unconfined_u:object_r:admin_home_t:s0 docker unconfined_u:object_r:admin_home_t:s0 requirements.txt
unconfined_u:object_r:admin_home_t:s0 docker-compose-test.yml unconfined_u:object_r:admin_home_t:s0 run.py
unconfined_u:object_r:admin_home_t:s0 docker-compose.yml unconfined_u:object_r:admin_home_t:s0 tests
unconfined_u:object_r:admin_home_t:s0 docker-test unconfined_u:object_r:admin_home_t:s0 update_accounts.py
unconfined_u:object_r:admin_home_t:s0 docs unconfined_u:object_r:admin_home_t:s0 update_zones.py
unconfined_u:object_r:admin_home_t:s0 env unconfined_u:object_r:admin_home_t:s0 yarn.lock
Change the context of the PowerDNS-Admin-0.3.0 directory with chcon as follows.
# chcon -R unconfined_u:object_r:usr_t:s0 PowerDNS-Admin-0.3.0
#
# ls -Z PowerDNS-Admin-0.3.0
unconfined_u:object_r:usr_t:s0 LICENSE unconfined_u:object_r:usr_t:s0 docker-test unconfined_u:object_r:usr_t:s0 requirements.txt
unconfined_u:object_r:usr_t:s0 README.md unconfined_u:object_r:usr_t:s0 docs unconfined_u:object_r:usr_t:s0 run.py
unconfined_u:object_r:usr_t:s0 configs unconfined_u:object_r:usr_t:s0 env unconfined_u:object_r:usr_t:s0 tests
unconfined_u:object_r:usr_t:s0 docker unconfined_u:object_r:usr_t:s0 migrations unconfined_u:object_r:usr_t:s0 update_accounts.py
unconfined_u:object_r:usr_t:s0 docker-compose-test.yml unconfined_u:object_r:usr_t:s0 package.json unconfined_u:object_r:usr_t:s0 update_zones.py
unconfined_u:object_r:usr_t:s0 docker-compose.yml unconfined_u:object_r:usr_t:s0 powerdnsadmin unconfined_u:object_r:usr_t:s0 yarn.lock
With SELinux enabled again, PowerDNS Admin started without problems.
# setenforce 1
#
# systemctl daemon-reload
#
# systemctl restart powerdns-admin.socket
# systemctl status powerdns-admin.socket
#
# systemctl restart powerdns-admin.service
# systemctl status powerdns-admin.service
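The sibling comparison done by eye above (only PowerDNS-Admin-0.3.0 carries admin_home_t) can be scripted. This is an added example, not part of the original post; the function name selinux_type_outliers and the sample listing, built from the ls -Z output shown above, are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag entries whose SELinux type differs from the most common
# type among their siblings, which is how the 0.3.0 directory stood out.
# Input on stdin: one "context name" pair per line, as `ls -Z` prints when piped.

selinux_type_outliers() {
  awk '
    NF >= 2 {
      split($1, ctx, ":")                 # user:role:type:level
      if (length(ctx[3]) == 0) next       # no full context on this line (e.g. "?")
      name = $0
      sub(/^[^ \t]+[ \t]+/, "", name)     # strip the context, keep names with spaces
      type[name] = ctx[3]
      order[++n] = name
      count[ctx[3]]++
    }
    END {
      # The majority type is taken as the expected one; ties are not resolved.
      for (t in count) if (count[t] > best) { best = count[t]; common = t }
      for (i = 1; i <= n; i++)
        if (type[order[i]] != common)
          printf "%s\t%s\t(expected %s)\n", order[i], type[order[i]], common
    }'
}

# Constructed sample: entries of /opt from the listing in this post, one per line.
sample_listing() {
  cat <<'EOF'
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin-0.2.3
unconfined_u:object_r:usr_t:s0 PowerDNS-Admin-0.2.4
unconfined_u:object_r:admin_home_t:s0 PowerDNS-Admin-0.3.0
system_u:object_r:usr_t:s0 eset
EOF
}

sample_listing | selinux_type_outliers
```

On a live host, feed it real output with `ls -Z /opt | selinux_type_outliers`. Labels set with chcon are not recorded in the SELinux policy, so a later relabel or restorecon resets them to whatever the policy defines for that path.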
Summary
If you normally keep SELinux disabled, you often fall into unexpected pitfalls.
I want to keep SELinux in mind as routinely as I do file permissions.