Centos7 http 无法正常启动。httpd 有效，systemctl start httpd 无效

Question

我可以通过 直接启动 apache httpd，但不能通过systemctl start httpd. 我更喜欢守护进程方法，这样我就可以让它自动启动。

有人遇到过这个问题吗？这是在一个新的 CentOS7 虚拟机上。

systemctl 启动 http

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

systemctl status httpd.service

    ? httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2018-03-20 17:20:54 EDT; 37s ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 7025 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
      Process: 7024 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
     Main PID: 7024 (code=exited, status=1/FAILURE)

    Mar 20 17:20:54 test.local.com systemd[1]: Starting The Apache HTTP Server...
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
    Mar 20 17:20:54 test.local.com kill[7025]: kill: cannot find process ""
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: control process exited, code=exited status=1
    Mar 20 17:20:54 test.local.com systemd[1]: Failed to start The Apache HTTP Server.
    Mar 20 17:20:54 test.local.com systemd[1]: Unit httpd.service entered failed state.
    Mar 20 17:20:54 test.local.com systemd[1]: httpd.service failed.

journalctl -xe

糊状

/etc/httpd/logs/error_log

糊状

对默认配置所做的唯一更改：

/etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf

/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
    ServerName test.local.com
    ServerAlias local.com
    Redirect / https://local.com
</VirtualHost>

<VirtualHost _default_:443>
    ServerName test.local.com
    ServerAlias local.com
    ServerAdmin testemail@local.com

    DocumentRoot /var/www/local.com/public_html

    ErrorLog /var/www/local.com/error.log
    CustomLog /var/www/local.com/access.log common

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/www/local.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>

仅开放端口：

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-dmc --reload

这是我从全新 CentOS7 安装中完成的完整过程：

Fresh CentOS 7 installation (VM)

yum upgrade -y

yum search http
yum install -y httpd httpd-devel mod_ssl openssl

systemctl start httpd

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

    Browse to 192.168.1.241
        Apache is live!

yum search mariadb
yum install -y mariadb-server

systemctl start mariadb
mysql_secure_installation

    mysql -uroot -p
        Login to mysql server works!

yum search php

yum install -y php php-cli php-dba php-devel php-fpm php-mysql php-process php-pspell php-xml

systemctl restart httpd

    Browse to 192.168.1.241/info.php
        PHP is live!

mkdir /etc/httpd/sites-enabled
echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf

/etc/httpd/sites-enabled/local.com.conf
    <VirtualHost *:80>
        ServerName test.local.com
        ServerAlias local.com
        Redirect permenent / https://local.com
    </VirtualHost>

    <VirtualHost _default_:443>
        ServerName test.local.com
        ServerAlias local.com
        ServerAdmin testemail@local.com

        DocumentRoot /var/www/local.com/public_html

        ErrorLog /var/www/local.com/error.log
        CustomLog /var/www/local.com/access.log combined

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/www/local.com.crt
        SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
    </VirtualHost>

mkdir -p /var/www/local.com/public_html

chown -R apache:apache /var/www/local.com/public_html
chmod -R 755 /var/www

cd /etc/ssl/certs/www
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout local.com.key -out local.com.crt

    Browse to 192.168.1.241
        Unsecure service (self signed ssl) accept
        Site is live!
        I was redirected to https://local.com

NOTE: I added the following to my desktop's (separate PC) /etc/hosts
    192.168.1.241 test.local.com local.com

    This acts as a DNS record for my site

yum install -y epel-release
yum install -y phpmyadmin

edit /etc/httpd/conf.d/phpMyAdmin.conf
    Add under any line with Require ip 127.0.0.1 with
    Require ip 192.168.1.5

    Add under any line with Allow from 127.0.0.1 with
    Allow from 192.168.1.5

systemctl restart httpd # FAILS
kill pid for httpd
httpd # start httpd directly
    Access https://local.com/phpMyAdmin
    Now have access to phpMyAdmin

    Login with root, 12345
    And have mariadb access!

yum install -y awstats

edit /etc/httpd/conf.d/awstats.conf
     Change Require ip and Allow ip same as phpMyAdmin

cp /etc/awstats/awstats.localhost.localdomain.conf /etc/awstats/awstats.local.com.conf

edit /etc/awstats/awstats.local.com.conf
     LogFile="/var/log/httpd/access.log"
     SiteDomain="www.local.com"
     HostAliases="local.com 127.0.0.1"

echo "*/30 * * * * root /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.local.com -update" >> /etc/crontab

kill httpd pid
httpd

    Browse to https://local.com/awstats/awstats.pl?config=local.com
        Awstats is live!

Answer 1

您在使用 SELinux 时遇到了麻烦。

/var/www出于安全原因，CentOS 7 附带的规则将阻止 httpd 写入 下的文件。

您正在为 VirtualHost 配置日志文件，使其位于该目录下的某个位置：

    ErrorLog /var/www/local.com/error.log
    CustomLog /var/www/local.com/access.log combined

因此，当 httpd（由 systemd 启动）尝试写入这些日志文件时，SELinux 会阻止这种情况，最终导致 httpd 退出并显示错误退出代码。

您可以使用以下ausearch命令来确认，该命令会检查审核日志（存储在 下/var/log/audit/audit.log）中的条目：

$ sudo ausearch -m avc
type=AVC msg=audit(1234567890.123:234): avc:  denied  { write } for  pid=12345 comm="httpd" name="local.com" dev="sda1" ino=12345678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

在此消息中，您将看到写入的目标标有httpd_sys_content_t。如果您ls -Z在日志文件上使用，您会看到它们是这样标记的：

$ ls -Z /var/www/local.com/
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 access.log                                                                                         
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 error.log                                                                                          
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html

这仅影响由 systemd 启动的 httpd 而不是直接运行 httpd 的原因是您的 SSH 会话在“无限制”域中运行，因此在那里运行 httpd 不会触发任何 SELinux 转换......通过 systemd 启动时，它将在启动守护程序时应用正确的 SELinux 权限。

您可以通过使用chcon命令更改这些文件的 SELinux“类型”来临时解决这个问题：

$ sudo chcon -t httpd_log_t /var/www/local.com/*.log
$ ls -Z /var/www/local.com/
-rw-r--r--. root   root   unconfined_u:object_r:httpd_log_t:s0 access.log
-rw-r--r--. root   root   unconfined_u:object_r:httpd_log_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html

那时，通过 systemctl 启动 httpd 会正常工作...

但这不是一个很好的解决方案，因为如果重新创建这些文件（例如，在日志轮换期间）或者如果您的文件系统被重新标记，SELinux 类型将会丢失......

有一些方法可以使该类型更持久（例如，semanage fcontext命令），但是这个 SELinux 策略在这里尝试实施的是防止将 Web 内容与日志混淆，以防止意外提供日志文件或覆盖 Web 内容.

正确的答案是在/var/log/httpd, 或该目录的子目录下创建日志文件。如果你这样做，SELinux 类型从一开始就是正确的，在任何操作中都会保持正确，包括 SELinux 重新标记，一切都应该按预期工作。

所以，如果你可以把你的日志放在下面/var/log/httpd，那应该可以解决这个问题！