[原]openstack-kilo--issue(一) httpd汇总

/**

系统环境:redhat7.2

repo:163

openstack version : kilo

author: lihaibo

**/

问题1：Invalid command 'group=keystone', perhaps misspelled or defined by a modul...ration

按照官方文档(january 10,2016)安装openstack-kilo的时候,在启动httpd的时候无法正常启动，并报错：

[root@controller0 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2016-05-28 20:17:58 EDT; 3min 8s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 4299 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 4297 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 4297 (code=exited, status=1/FAILURE)

May 28 20:17:58 controller0 systemd[1]: Starting The Apache HTTP Server...
May 28 20:17:58 controller0 httpd[4297]: AH00526: Syntax error on line 16 of /etc/httpd/conf.d/wsgi-keystone.conf:
May 28 20:17:58 controller0 httpd[4297]: Invalid command 'group=keystone', perhaps misspelled or defined by a modul...ration
May 28 20:17:58 controller0 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 28 20:17:58 controller0 kill[4299]: kill: cannot find process ""
May 28 20:17:58 controller0 systemd[1]: httpd.service: control process exited, code=exited status=1
May 28 20:17:58 controller0 systemd[1]: Failed to start The Apache HTTP Server.
May 28 20:17:58 controller0 systemd[1]: Unit httpd.service entered failed state.
May 28 20:17:58 controller0 systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

　检查错误：打开http配置文件

/etc/httpd/conf.d/wsgi-keystone.conf

由于是从官方文档粘贴到文件，所有有两处group被换行了（下面红色字体），只需要调整group上面一行的末尾就解决了。[root@controller0 ~]# vim /etc/httpd/conf.d/wsgi-keystoneWSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone

[root@controller0 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf

WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone
Listen 5000
Listen 35357
<VirtualHost *:5000>

WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone

group=keystone display-name=%{GROUP}

WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>

WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone

group=keystone display-name=%{GROUP}

WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

改动后验证配置文件是否正确：

　

[root@controller0 ~]# service httpd configtest
Syntax OK

　问题2：(13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000

[root@controller0 ~]# systemctl start httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@controller0 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2016-05-28 20:22:34 EDT; 11s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 4501 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 4499 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 4499 (code=exited, status=1/FAILURE)

13 May 28 20:22:34 controller0 httpd[4499]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
14 May 28 20:22:34 controller0 httpd[4499]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
May 28 20:22:34 controller0 httpd[4499]: no listening sockets available, shutting down
May 28 20:22:34 controller0 httpd[4499]: AH00015: Unable to open logs
May 28 20:22:34 controller0 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 28 20:22:34 controller0 kill[4501]: kill: cannot find process ""
May 28 20:22:34 controller0 systemd[1]: httpd.service: control process exited, code=exited status=1
May 28 20:22:34 controller0 systemd[1]: Failed to start The Apache HTTP Server.
May 28 20:22:34 controller0 systemd[1]: Unit httpd.service entered failed state.
May 28 20:22:34 controller0 systemd[1]: httpd.service failed.

 问题检查：audit daemon

检查/var/log/audit/audit.log和/var/log/message:

[root@controller0 audit]# cat /var/log/audit/audit.log |grep 5000
type=AVC msg=audit(1464574273.240:492): avc:  denied  { name_bind } for  pid=4289 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socke

 cat /var/log/messages 
......
 1 May 29 22:18:01 controller0 systemd-logind: New session 1 of user root.
May 29 22:18:01 controller0 systemd: Started Session 1 of user root.
May 29 22:18:01 controller0 systemd: Starting Session 1 of user root.
May 29 22:18:01 controller0 dbus-daemon: dbus[1027]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 29 22:18:01 controller0 dbus[1027]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 29 22:18:01 controller0 dbus[1027]: [system] Successfully activated service 'org.freedesktop.problems'
May 29 22:18:01 controller0 dbus-daemon: dbus[1027]: [system] Successfully activated service 'org.freedesktop.problems'
May 29 22:18:26 controller0 systemd-logind: New session 2 of user root.
May 29 22:18:26 controller0 systemd: Started Session 2 of user root.
May 29 22:18:26 controller0 systemd: Starting Session 2 of user root.
May 29 22:19:19 controller0 systemd: Starting The Apache HTTP Server...
12 May 29 22:19:19 controller0 httpd: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
13 May 29 22:19:19 controller0 httpd: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
May 29 22:19:19 controller0 httpd: no listening sockets available, shutting down
May 29 22:19:19 controller0 httpd: AH00015: Unable to open logs
May 29 22:19:19 controller0 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE

分析：网上说需要使用root用户关闭selinux。由于操作命令时使用的是root用户，所以排除这个可能

　　其次防火墙都是关闭了的，其他如果能控制端口的可能是selinux，检查selinux

1）检查selinux状态

[root@controller0 ~]# getenforce 
enforcing                                     #如果不为disabled 则表示为selinux正常运行

2)检查/etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing                             #这个地方是关键点，发现selinux还是打开的。修改为disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELINUX=enforcing 改为 selinux=distabled
重启reboot
查看

[root@controller0 ~]# netstat -anp|grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      1762/httpd  

lsof查看
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1762   root    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)
httpd   1959 apache    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)
httpd   1961 apache    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)
httpd   1962 apache    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)
httpd   1973 apache    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)
httpd   1974 apache    6u  IPv6  24712      0t0  TCP *:commplex-main (LISTEN)

问题解决，参考：https://lkubaski.wordpress.com/2012/10/17/solving-the-permission-denied-make_sock-could-not-bind-to-address-issue-when-starting-apache-on-linux/

问题三： openstack The request you have made requires authentication. (HTTP 401)

在核心组件装好了以后，heat创建用户的时候出现了401错误

检查了安装日志中有个验证环节，是 unset OS_TOKEN OS_URL

 

 执行之后：

就能正常创建：