Problem with a systemd unit file for stunnel

yes*_*ver 2 systemd stunnel

I want to create a unit file for stunnel, but I don't know why it fails.

My stunnel.conf looks like this:

```ini
#Provide the full path to your certificate-key pair file
cert = /etc/pki/tls/certs/stunnel.pem

#lock the process into a chroot jail
chroot = /var/run/stunnel

# and create the PID file in this jail
pid = /stunnel.pid

#change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

#enable client mode
client = yes

socket = l:TCP_NODELAY=1
#socket = r:TCP:NODELAY=1

[mysqls]
accept = 127.0.0.1:3306
connect = 10.0.0.3:3307
```

When I run `stunnel /etc/stunnel/stunnel.conf` by hand, it works.

Here is the systemd unit file I use for stunnel:

```ini
[Unit]
;Description=SSL tunnel for network daemons
;Documentation=man:stunnel https://www.stunnel.org/docs.html
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target
Alias=stunnel.target

[Service]
Type=forking
User=nobody
Group=nobody
RuntimeDirectory=stunnel
ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
ExecStartPre=-/user/bin/chown nobody:nobody /var/run/stunnel
ExecStart=/bin/stunnel /etc/stunnel/stunnel.conf
ExecStop=/bin/killall -9 stunnel
```

When I try to start it with `systemctl start mystunnel.service`, it fails:

```text
Job for mystunnel.service failed because the control process exited with error code. See "systemctl status mystunnel.service" and "journalctl -xe" for details.
```

Running `journalctl -xe`:

```text
Feb 20 19:26:07 otrs1 polkitd[610]: Registered Authentication Agent for unix-process:14179:2643087 (system bus name :1.62 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, loc
Feb 20 19:26:07 otrs1 systemd[1]: Starting mystunnel.service...
-- Subject: Unit stunnel-otrs.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mystunnel.service has begun starting up.
Feb 20 19:26:07 otrs1 mkdir[14185]: /usr/bin/mkdir: cannot create directory ‘/var/run/stunnel’: File exists
Feb 20 19:26:07 otrs1 systemd[14186]: Failed at step EXEC spawning /user/bin/chown: No such file or directory
-- Subject: Process /user/bin/chown could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /user/bin/chown could not be executed and failed.
--
-- The error number returned by this process is 2.
Feb 20 19:26:08 otrs1 stunnel[14188]: Clients allowed=500
Feb 20 19:26:08 otrs1 stunnel[14188]: stunnel 4.56 on x86_64-redhat-linux-gnu platform
Feb 20 19:26:08 otrs1 stunnel[14188]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Feb 20 19:26:08 otrs1 stunnel[14188]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Feb 20 19:26:08 otrs1 stunnel[14188]: Reading configuration from file /etc/stunnel/stunnel.conf
Feb 20 19:26:08 otrs1 stunnel[14188]: FIPS mode is enabled
Feb 20 19:26:08 otrs1 stunnel[14188]: Compression not enabled
Feb 20 19:26:08 otrs1 stunnel[14188]: PRNG seeded successfully
Feb 20 19:26:08 otrs1 stunnel[14188]: Initializing service [mysqls]
Feb 20 19:26:08 otrs1 stunnel[14188]: Certificate: /etc/pki/tls/certs/stunnel.pem
Feb 20 19:26:08 otrs1 stunnel[14188]: Error reading certificate file: /etc/pki/tls/certs/stunnel.pem
Feb 20 19:26:08 otrs1 stunnel[14188]: error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Feb 20 19:26:08 otrs1 stunnel[14188]: error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
Feb 20 19:26:08 otrs1 stunnel[14188]: SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen:Permission denied
Feb 20 19:26:08 otrs1 stunnel[14188]: Service [mysqls]: Failed to initialize SSL context
Feb 20 19:26:08 otrs1 stunnel[14188]: str_stats: 12 block(s), 1050 data byte(s), 696 control byte(s)
Feb 20 19:26:08 otrs1 polkitd[610]: Unregistered Authentication Agent for unix-process:14179:2643087 (system bus name :1.62, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Feb 20 19:26:08 otrs1 systemd[1]: stunnel-otrs.service: control process exited, code=exited status=1
Feb 20 19:26:08 otrs1 systemd[1]: Failed to start stunnel-otrs.service.
-- Subject: Unit stunnel-otrs.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit stunnel-otrs.service has failed.
--
-- The result is failed.
Feb 20 19:26:08 otrs1 systemd[1]: Unit mystunnel.service entered failed state.
Feb 20 19:26:08 otrs1 systemd[1]: mystunnel.service failed.
```

I don't know why it reports that it cannot create the directory (supposedly because it already exists), but that is not the case! Also, why can't it read the certificate? Why does running it by hand work? SELinux is disabled.

Edit:

```text
df -h

Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/cl-root   14G  1.9G   13G  14% /
devtmpfs             234M     0  234M   0% /dev
tmpfs                245M   54M  191M  22% /dev/shm
tmpfs                245M  4.4M  240M   2% /run
tmpfs                245M     0  245M   0% /sys/fs/cgroup
/dev/sda1           1014M  138M  877M  14% /boot
tmpfs                 49M     0   49M   0% /run/user/0
```

Edit 2:

After applying ErikF's suggestion the directory problem went away, but reading the certificate still fails:

```text
Feb 20 20:42:59 otrs1 polkitd[610]: Registered Authentication Agent for unix-process:16232:3104221 (system bus name :1.73 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, loc
Feb 20 20:42:59 otrs1 systemd[1]: Starting stunnel-otrs.service...
-- Subject: Unit stunnel-otrs.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit stunnel-otrs.service has begun starting up.
Feb 20 20:42:59 otrs1 stunnel[16239]: Clients allowed=500
Feb 20 20:42:59 otrs1 stunnel[16239]: stunnel 4.56 on x86_64-redhat-linux-gnu platform
Feb 20 20:42:59 otrs1 stunnel[16239]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Feb 20 20:42:59 otrs1 stunnel[16239]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Feb 20 20:42:59 otrs1 stunnel[16239]: Reading configuration from file /etc/stunnel/stunnel.conf
Feb 20 20:42:59 otrs1 stunnel[16239]: FIPS mode is enabled
Feb 20 20:42:59 otrs1 stunnel[16239]: Compression not enabled
Feb 20 20:42:59 otrs1 stunnel[16239]: PRNG seeded successfully
Feb 20 20:42:59 otrs1 stunnel[16239]: Initializing service [mysqls]
Feb 20 20:42:59 otrs1 stunnel[16239]: Certificate: /etc/pki/tls/certs/stunnel.pem
Feb 20 20:42:59 otrs1 stunnel[16239]: Error reading certificate file: /etc/pki/tls/certs/stunnel.pem
Feb 20 20:42:59 otrs1 stunnel[16239]: error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Feb 20 20:42:59 otrs1 stunnel[16239]: error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
Feb 20 20:42:59 otrs1 stunnel[16239]: SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen:Permission denied
Feb 20 20:42:59 otrs1 stunnel[16239]: Service [mysqls]: Failed to initialize SSL context
Feb 20 20:42:59 otrs1 stunnel[16239]: str_stats: 12 block(s), 1050 data byte(s), 696 control byte(s)
Feb 20 20:42:59 otrs1 polkitd[610]: Unregistered Authentication Agent for unix-process:16232:3104221 (system bus name :1.73, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Feb 20 20:42:59 otrs1 systemd[1]: stunnel-otrs.service: control process exited, code=exited status=1
Feb 20 20:42:59 otrs1 systemd[1]: Failed to start stunnel-otrs.service.
-- Subject: Unit stunnel-otrs.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit stunnel-otrs.service has failed.
--
-- The result is failed.
Feb 20 20:42:59 otrs1 systemd[1]: Unit stunnel-otrs.service entered failed state.
Feb 20 20:42:59 otrs1 systemd[1]: stunnel-otrs.service failed.
```

Any ideas or hints please?

I appreciate your help!
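A diagnostic for the certificate error in the question, as an added example that is not part of the original post. The unit file starts stunnel with `User=nobody`, so the `fopen: Permission denied` line means that `/etc/pki/tls/certs/stunnel.pem`, or one of the directories above it, is not readable by uid `nobody`; the manual run works because root bypasses those checks. The script below walks a path and applies the ordinary owner/group/other rule for a chosen account, which is the same answer `namei -l` plus a look at the account's groups would give. Paths and the account name on the command line are whatever your unit file uses.

```python
"""Explain a "fopen: Permission denied" for a service account.

Added example, not code from the original post. Walks every component of a
path and applies the standard Unix discretionary access rule for a given
uid/gid set, the check the kernel performs when stunnel calls fopen() on
its certificate file after systemd has switched it to User=nobody.

Usage (hypothetical invocation; PATH and USER are whatever the unit uses):
    python3 check_access.py /etc/pki/tls/certs/stunnel.pem nobody
"""
import grp
import os
import pwd
import stat
import sys


def _permitted(st, uid, gids, want):
    """Discretionary access check for one inode. `want` is given in the
    'other' bit position (stat.S_IROTH or stat.S_IXOTH) and is shifted to
    the owner or group position depending on who `uid` is to this inode."""
    if uid == 0:
        # Root has CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH: it can read any
        # file and search any directory, which is why the manual run worked.
        return True
    if st.st_uid == uid:
        bits = want << 6
    elif st.st_gid in gids:
        bits = want << 3
    else:
        bits = want
    return (st.st_mode & bits) == bits


def path_access_problems(path, uid, gids):
    """Return [(component, reason), ...] for every component of `path` that
    stops `uid` (a member of `gids`) from opening it for reading. An empty
    list means plain DAC allows the open; POSIX ACLs, SELinux/AppArmor and
    mount options are outside this check."""
    problems = []
    parts = os.path.realpath(path).split(os.sep)[1:]
    current = os.sep
    for index, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append((current, "does not exist"))
            break
        where = "uid %d gid %d mode %o" % (st.st_uid, st.st_gid,
                                           stat.S_IMODE(st.st_mode))
        if index < len(parts) - 1:
            # Intermediate component: must be a directory the account can
            # search, i.e. one with the execute bit for that account.
            if not stat.S_ISDIR(st.st_mode):
                problems.append((current, "is not a directory"))
                break
            if not _permitted(st, uid, gids, stat.S_IXOTH):
                problems.append((current,
                                 "directory not searchable by the account (%s)" % where))
        elif not _permitted(st, uid, gids, stat.S_IROTH):
            # Final component: the file itself must be readable.
            problems.append((current, "file not readable by the account (%s)" % where))
    return problems


def account_ids(name):
    """uid and full group set (primary plus supplementary) for a user name."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_access.py PATH USER")
    uid, gids = account_ids(sys.argv[2])
    found = path_access_problems(sys.argv[1], uid, gids)
    for component, reason in found:
        print("%s: %s" % (component, reason))
    if not found:
        print("%s is readable by %s" % (sys.argv[1], sys.argv[2]))
    sys.exit(1 if found else 0)
```

Because `stunnel.pem` holds the private key as well as the certificate, the remedy is not `chmod 644`: give the file to a group that only the service account belongs to and make it `0640`, or split the key into its own file with `key =` and restrict that one. Running the check again as the service account then confirms the fix without starting the unit.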

Jde*_*eBP 5

How to deal with this

Services run under a service manager should not try to daemonize themselves, should not use the rickety and dangerous PID file mechanism, and should not (in the vast majority of cases) drop privileges themselves. All of that is done properly by the service management system.

So when you run stunnel on the command line like this, it should keep the shell waiting until you kill/stop the process.

Running under the aegis of an unprivileged user account, setting up reduced filesystem access, and indeed (for programs that can inherit and use open socket file descriptors) opening the listening sockets are all the province of service management.

This is what the systemd people naïvely call the "new style" way of running dæmons. It is in fact what daemontools users have been calling the way to run dæmons for the past 20 years, and what IBM has been doing for the past 25.

That unprivileged user account should not be nobody, which can end up listed as the owner of files. The service in question does not need ownership rights to any files or directories at all, so the unprivileged user account should be one created explicitly for this purpose, something like:

```sh
useradd --shell /usr/bin/true mysql-stunnel-d
```

Setting up a chroot() environment for this is actually non-trivial to do properly with systemd, because /bin/stunnel and everything it reads (which, according to its doco, includes quite a lot of system stuff besides the certificate and configuration files: things like /dev/zero, the NSS configuration system and the timezone database) would have to be made available with BindReadOnlyPaths. A simpler way is the Protect… mechanisms.

Configuration files

Sockets are described by socket units. stunnel does not understand the LISTEN_FDS protocol, but it is UCSPI-TCP compatible. So the socket unit must describe an accepting socket:

```ini
; /etc/systemd/system/mysql-stunnel.socket
[Unit]
Description=SSL wrapper for MySQL
Documentation=

[Socket]
ListenStream=127.0.0.1:mysql
ListenStream=[::1]:mysql
Accept=yes
NoDelay=yes

[Install]
WantedBy=multi-user.target
```

Note that it is the socket that is enabled/disabled/started/stopped here with systemctl. The service is described by a service unit, which is started automatically on demand by the socket. Because this is an accepting socket, it is a template service unit. It describes all of the privilege dropping and setup that service management does:

```ini
; /etc/systemd/system/mysql-stunnel@.service
[Unit]
Description=SSL wrapper for MySQL
Documentation=

[Service]
Type=simple
User=mysql-stunnel-d
ProtectHome=yes
ProtectSystem=strict
PrivateTmp=yes
StandardInput=socket
StandardOutput=socket
StandardError=log
ExecStart=/bin/stunnel /etc/stunnel/mysql-stunnel.conf
```

The stunnel configuration file does not do any of the things that service management now does for it:

```ini
# /etc/stunnel/mysql-stunnel.conf
cert = /etc/pki/tls/certs/stunnel.pem
client = yes
foreground = yes
connect = 10.0.0.3:3307
```

Bonus content

Yes, this is the daemontools way. Feed these two unit files through the nosh toolset's convert-systemd-units and you get a run and a service program (plus several others) that exemplify how to do this the daemontools way, with a suitable set of chain-loading UCSPI and other tools:

```text
% system-control convert-systemd-units ./mysql-stunnel.socket
convert-systemd-units: WARNING: ./mysql-stunnel@.service: forced setting: [Service] StandardError = log
convert-systemd-units: WARNING: ./mysql-stunnel.socket: Unused setting: [Unit] Documentation = 
convert-systemd-units: WARNING: ./mysql-stunnel@.service: Unused setting: [Service] StandardError = log
convert-systemd-units: WARNING: ./mysql-stunnel@.service: Unused setting: [Unit] Documentation = 
% system-control cat ./mysql-stunnel
start:#!/bin/nosh
start:#Start file generated from ./mysql-stunnel.socket
start:true
stop:#!/bin/nosh
stop:#Stop file generated from ./mysql-stunnel.socket
stop:true
run:#!/bin/nosh
run:#Run file generated from ./mysql-stunnel.socket
run:#SSL wrapper for MySQL
run:tcp-socket-listen 127.0.0.1 mysql
run:tcp-socket-listen "::1" mysql
run:move-to-control-group ../mysql-stunnel.service
run:envuidgid --supplementary -- mysql-stunnel-d
run:userenv-fromenv
run:unshare --mount
run:set-mount-object --recursive slave /
run:make-private-fs --temp --homes
run:make-read-only-fs --os --etc
run:set-mount-object --recursive shared /
run:setuidgid --supplementary -- mysql-stunnel-d
run:tcp-socket-accept --no-delay
run:./service
service:#!/bin/nosh
service:#Service file generated from ./mysql-stunnel@.service
service:#SSL wrapper for MySQL
service:/bin/stunnel /etc/stunnel/mysql-stunnel.conf
restart:#!/bin/sh
restart:#Restart file generated from ./mysql-stunnel@.service
restart:exec false # ignore script arguments
%
```

Further reading
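An added example illustrating the mechanism the answer above relies on; it is not code from the original answer or from stunnel. With `Accept=yes` the socket unit owns the listening socket, and for every connection the service manager starts one instance of the template unit with the connected socket as file descriptors 0 and 1 (`StandardInput=socket`, `StandardOutput=socket`). That is inetd / UCSPI-TCP style, and it is why the answer's mysql-stunnel.conf has no [service] section and no `accept =` line: stunnel then talks to the client on stdin/stdout. The script below does the same job as the socket unit in a few lines of Python so the behaviour can be observed offline; the per-connection child is a throwaway upper-casing filter standing in for `/bin/stunnel`, and the port and payload are constructed for the demonstration.

```python
"""Per-connection service spawning, as an Accept=yes socket unit does it.

Added example, not code from the original answer. The listener plays the
socket unit; serve_one() plays the service manager forking one instance of
mysql-stunnel@.service per connection; CHILD_CMD stands in for ExecStart=.
"""
import socket
import subprocess
import sys
import threading

# Stand-in for ExecStart=/bin/stunnel ...: it only uses fds 0 and 1 and
# never touches the socket API, exactly like stunnel in inetd mode.
CHILD_CMD = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.stdin.readline().upper())"]


def serve_one(listener, cmd=CHILD_CMD):
    """Accept one connection and run `cmd` with that socket as its stdin and
    stdout, the way an Accept=yes socket unit spawns service@N. Returns the
    child's exit status. A real service manager would, at this same point,
    apply User=, ProtectSystem=, PrivateTmp= and friends before exec()."""
    conn, _peer = listener.accept()
    # Leaving the `with` block closes our copy of the socket only after the
    # child has exited, which is what gives the client its EOF.
    with conn:
        conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # NoDelay=yes
        # Popen dup2()s the connected socket onto the child's fds 0 and 1;
        # the child has no listening socket and no idea it is networked.
        child = subprocess.Popen(cmd, stdin=conn.fileno(), stdout=conn.fileno())
        return child.wait()


def roundtrip(request):
    """Bind a loopback listener on an ephemeral port (the socket unit's
    ListenStream=127.0.0.1:...), hand one connection to a child, and return
    (bytes the client read back, child exit status)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(status=serve_one(listener)))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(request)
        reply = b""
        while True:  # read until the child's exit closes the connection
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    worker.join()
    listener.close()
    return reply, outcome["status"]


if __name__ == "__main__":
    data, status = roundtrip(b"select 1\n")  # constructed sample request
    print("client got %r, child exited %d" % (data, status))
```

Swapping CHILD_CMD for `["/bin/stunnel", "/etc/stunnel/mysql-stunnel.conf"]` gives the answer's data path without any of its sandboxing; the point of the units is that the user switch, the read-only filesystem and the private /tmp happen in the service manager between accept() and exec(), where this script has only a comment.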