Here's a brief tip for those of you about to set up Ruby on Rails, mongrel and Apache web server on CentOS 5.1: don't forget that you may have SELinux enforcement policies in place by default that prevent proxy balancers to connect correctly.
Now, you probably have proxy directives like the following in your httpd.conf file:
<Proxy balancer://mongrel_cluster>
BalancerMember http://localhost:3000
BalancerMember http://localhost:3001
BalancerMember http://localhost:3002
</Proxy>
Firing up your mongrels and kicking up httpd will result in errors like this in your Apache errors logs:
[Thu Apr 24 23:24:20 2008] [error] (13)Permission denied: proxy: HTTP: attempt to connect to localhost:3000 (myserver) failed
[Thu Apr 24 23:24:20 2008] [error] ap_proxy_connect_backend disabling worker for (myserver)
[Thu Apr 24 23:24:21 2008] [error] proxy: BALANCER: (balancer://mongrel_cluster). All workers are in error state
[Thu Apr 24 23:24:21 2008] [error] proxy: BALANCER: (balancer://mongrel_cluster). All workers are in error state
[Thu Apr 24 23:24:21 2008] [error] proxy: BALANCER: (balancer://mongrel_cluster). All workers are in error state
Hm... alright, but what does /var/log/messages have to say?
Apr 24 23:24:19 myserver setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files / (unlabeled_t). For complete SELinux messages. run sealert -l 7e096a76-b66f-48f9-a30e-d736dbb6007d
Actually running that sealert command won't tell you any more beside the fact that SELinux is denying httpd access to potentially mislabeled files. Whatever that means. But perusing section 44.2.6. Enabling or Disabling Enforcement of the CentOS 5.1 deployment guide, there is enough there to resolve this obstruction.
Executing the sestatus command lets us see what SELinux is doing to protect our server.
[root@myserver]# sestatus -b | grep httpd
...
httpd_can_network_connect off
...
Aha! This boolean property looks like it could be one that is denying the proxy connection from httpd to mongrel. So, let's enable this, shall we? The command to do this is setsebool. Reading the friendly man pages before running this command, we learn that setsebool will only set the current, running state of the boolean in question, and that if we desire to have this setting survive reboot, then we need to use the -P flag. Let us do exactly that:
[root@myserver]# setsebool -P httpd_can_network_connect=1
Now when you restart your mongrels and httpd, you will see that the proxy connections are good to go. And our configurations will live on, even after reboot. Sweet!
No comments:
Post a Comment