Starting the rocketmq service fails with an error:
[root@rocketmq1-nameserver-test bin]# systemctl start rocketmq-nameserver
[root@rocketmq1-nameserver-test bin]# systemctl status rocketmq-nameserver
● rocketmq-nameserver.service - nameserver
Loaded: loaded (/usr/lib/systemd/system/rocketmq-nameserver.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2021-12-10 18:47:05 CST; 3s ago
Process: 2414 ExecStart=/home/rocketmq/bin/mqnamesrv (code=exited, status=203/EXEC)
Main PID: 2414 (code=exited, status=203/EXEC)
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: Started nameserver.
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Main process exited, code=exited, status=203/EXEC
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Failed with result 'exit-code'.
First, use journalctl -xe to view the detailed error:
[root@rocketmq1-nameserver-test bin]# journalctl -xe
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: Started nameserver.
-- Subject: rocketmq-nameserver.service 单元已结束启动
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- rocketmq-nameserver.service 单元已结束启动。
--
-- 启动结果为“done”。
12月 10 18:47:05 rocketmq1-nameserver-test systemd[2414]: rocketmq-nameserver.service: Failed to execute command: Permission denied
12月 10 18:47:05 rocketmq1-nameserver-test systemd[2414]: rocketmq-nameserver.service: Failed at step EXEC spawning /home/rocketmq/bin/mqnamesrv: Permission denied
-- Subject: 进程 /home/rocketmq/bin/mqnamesrv 无法执行
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- 进程 /home/rocketmq/bin/mqnamesrv 无法被执行并已失败。
--
-- 该进程返回的错误代码为 13。
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Main process exited, code=exited, status=203/EXEC
12月 10 18:47:05 rocketmq1-nameserver-test systemd[1]: rocketmq-nameserver.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit rocketmq-nameserver.service has entered the 'failed' state with result 'exit-code'.
12月 10 18:47:05 rocketmq1-nameserver-test dbus-daemon[970]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.4' (uid=0 pid=948 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
12月 10 18:47:05 rocketmq1-nameserver-test dbus-daemon[2417]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
12月 10 18:47:07 rocketmq1-nameserver-test setroubleshoot[2417]: AnalyzeThread.run(): Cancel pending alarm
12月 10 18:47:07 rocketmq1-nameserver-test setroubleshoot[2417]: failed to retrieve rpm info for /home/rocketmq/bin/mqnamesrv
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[970]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.94' (uid=995 pid=2417 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[2431]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:09 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv. For complete SELinux messages run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/home/rocketmq/bin/mqnamesrv default label should be home_bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/rocketmq/bin/mqnamesrv
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that systemd should be allowed read open access on the mqnamesrv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(qnamesrv)' --raw | audit2allow -M my-qnamesrv
# semodule -X 300 -i my-qnamesrv.pp
It contains this passage:
12月 10 18:47:07 rocketmq1-nameserver-test dbus-daemon[2431]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
12月 10 18:47:09 rocketmq1-nameserver-test dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv. For complete SELinux messages run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
As the message suggests, we run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
[root@rocketmq1-nameserver-test bin]# sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the 文件 /home/rocketmq/bin/mqnamesrv.
***** 插件 restorecon (99.5 置信度) 建议 ******************************************
如果要修复标签。/home/rocketmq/bin/mqnamesrv默认标签应该是 home_bin_t。
Then 你可以运行restorecon。由于访问父目录的权限不足,可能已停止访问尝试,在这种情况下尝试相应地更改以下命令。
Do
# /sbin/restorecon -v /home/rocketmq/bin/mqnamesrv
***** 插件 catchall (1.49 置信度) 建议 ********************************************
如果你相信 (qnamesrv)应该允许_base_PATH read open 访问 mqnamesrv file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:#ausearch -c'(qnamesrv)'--raw | audit2allow -M my-qnamesrv#semodule -X 300 -i my-qnamesrv.pp
(remaining output omitted)
The last sentence above tells us to run these commands:
# ausearch -c '(qnamesrv)' --raw | audit2allow -M my-qnamesrv
# semodule -X 300 -i my-qnamesrv.pp
However, after running them, the error still occurred.
After some research, it turned out to be an SELinux problem:
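SELinux considers that binaries may only be executed from certain locations, and my custom directory was not explicitly labeled as allowed. It inherited the type var_t from /srv/.* (I think).
To get an extensive list of the current rules for all directories, you can run semanage fcontext --list.
I added an exception using the following Ansible tasks: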
- name: set SELinux permissions on ts3server binaries
  sefcontext:
    target: "/srv/teamspeak/versions/[^/]+/ts3server"
    setype: bin_t
- name: reload SELinux policy to ensure that ts3server is executable
  command: restorecon -irv /srv/teamspeak/
  when: tarball.changed
The same can be achieved with the semanage fcontext command followed by restorecon -irv /srv/teamspeak/.
So we need to add the startup label for rocketmq:
restorecon -irv /home/rocketmq/bin/
Starting the service again now succeeds:
[root@rocketmq1-nameserver-test bin]# semodule -i my-qnamesrv.pp
[root@rocketmq1-nameserver-test bin]# systemctl start rocketmq-nameserver
[root@rocketmq1-nameserver-test bin]# systemctl status rocketmq-nameserver
● rocketmq-nameserver.service - nameserver
Loaded: loaded (/usr/lib/systemd/system/rocketmq-nameserver.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-12-10 18:47:48 CST; 1min 15s ago
Main PID: 2459 (mqnamesrv)
Tasks: 36 (limit: 10931)
Memory: 172.9M
CGroup: /system.slice/rocketmq-nameserver.service
├─2459 /bin/sh /home/rocketmq/bin/mqnamesrv
├─2463 sh /home/rocketmq/bin/runserver.sh org.apache.rocketmq.namesrv.NamesrvStartup
└─2480 /usr/local/jdk1.8.0_151/bin/java -server -Xms256m -Xmx256m -Xmn128m -XX:metaspaceSize=128m -XX:MaxmetaspaceSize=320m -XX:+UseConcMarkSweepGC -XX:+UseCMSCompactAtFullCollection -XX:CMSInitiatingOccupancyFraction=70 -XX:+CMSP
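The diagnosis walked through above, as an added example that is not part of the original post: a bash function that scans journal text for units that failed at step EXEC with "Permission denied" and pairs each with the setroubleshoot denial for the same path, which separates SELinux label problems from ordinary file-mode problems. The rocketmq lines are copied from the journal output above; the demo-app line and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: tell SELinux denials apart from plain permission errors
# when a systemd unit exits with status=203/EXEC.

# Reads journal text on stdin. Prints "path<TAB>sealert-id" for every
# executable that systemd failed to spawn AND that setroubleshoot reported.
selinux_exec_denials() {
  awk '
    /Failed at step EXEC spawning .*: Permission denied/ {
      p = $0
      sub(/.*Failed at step EXEC spawning /, "", p)
      sub(/: Permission denied.*/, "", p)
      failed[p] = 1
    }
    /SELinux is preventing .* on the file / {
      p = $0; id = "-"
      sub(/.* on the file /, "", p)
      if (p ~ /sealert -l /) {          # first report line carries the alert id
        id = p
        sub(/.*sealert -l /, "", id)
        sub(/[^0-9a-f-].*/, "", id)
      }
      sub(/\. For complete SELinux messages.*/, "", p)
      sub(/\.[ \t]*$/, "", p)            # strip the sentence-ending period
      if (!(p in denied) || denied[p] == "-") denied[p] = id
    }
    END { for (p in failed) if (p in denied) printf "%s\t%s\n", p, denied[p] }
  '
}

# Sample input: rocketmq lines copied from the journal above; the demo-app
# line is constructed (a unit blocked by file mode bits, no SELinux report).
sample_journal() {
  cat <<'EOF'
12月 10 18:47:05 rocketmq1-nameserver-test systemd[2414]: rocketmq-nameserver.service: Failed at step EXEC spawning /home/rocketmq/bin/mqnamesrv: Permission denied
12月 10 18:47:06 rocketmq1-nameserver-test systemd[2500]: demo-app.service: Failed at step EXEC spawning /opt/demo/run.sh: Permission denied
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv. For complete SELinux messages run: sealert -l e1b1100f-c8cb-44d7-b3de-1559f1d87286
12月 10 18:47:10 rocketmq1-nameserver-test setroubleshoot[2417]: SELinux is preventing /usr/lib/systemd/systemd from 'read, open' accesses on the file /home/rocketmq/bin/mqnamesrv.
EOF
}

sample_journal | selinux_exec_denials
```

For each reported path, `ls -Z` shows the current label and `matchpathcon` the policy default, so a mismatch can be confirmed before running restorecon. Restoring the default type (home_bin_t here, per the sealert output) is a narrower change than loading a local audit2allow module, which permits the denied access in policy.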