Cool Tools - Starting csk-http with SSL using SMF
This topic has 22 replies on 2 pages.
Matthew_West
Posts:6
Registered: 2/26/08
Starting csk-http with SSL using SMF   
Feb 26, 2008 10:10 AM
 
 
Hello All,

I am using Solaris 10 with Coolstack v1.2 and have enabled SSL on Apache. Unfortunately, since then, I can't start and stop the http service using SMF. What's really strange is that I can run the /opt/coolstack/lib/svc/method/svc-cskapache2 script by hand, and everything works just fine.

I took a look at the /var/svc/log/network-csk-http:CSKapache2.log file, and all that is stated is:
[ Feb 25 16:43:42 Executing start method ("/opt/coolstack/lib/svc/method/svc-cskapache2 start") ]
[ Feb 25 16:43:43 Method "start" exited with status 1 ]

Again, this log shows that every time this service was started or stopped prior to enabling SSL, it exited with status 0.

Thanks for your time and help,

Matthew
 
jmernin
Posts:45
Registered: 10/2/07
Re: Starting csk-http with SSL using SMF   
Feb 26, 2008 2:52 PM (reply 1 of 22)  (In reply to original post )
Helpful
 
It's a long shot but ...

Try checking the permissions and ownership of the Apache log/pid files (see /opt/coolstack/apache2/logs). Usually, when you launch Apache directly using the control script (/opt/coolstack/lib/svc/method/svc-cskapache2) you probably do this as root, which can sometimes result in the log/pid files being (re)created as root, causing subsequent attempts to start using SMF to fail (since it tries to start Apache as the "webservd" user).

I have suffered from this problem a few times and whilst it's unlikely to be the cause of your problem based on your description, it's no harm to rule it out.
 
Matthew_West
Posts:6
Registered: 2/26/08
Re: Starting csk-http with SSL using SMF   
Feb 26, 2008 3:58 PM (reply 2 of 22)  (In reply to #1 )
 
 
Well, you are correct: when I invoke apache using apachectl or the script (/opt/coolstack/lib/svc/method/svc-cskapache2), the httpd.pid is in fact owned by root. When I attempted to run the script as webservd, however, I got errors back stating that webservd did not have permission to start the service. One of my colleagues mentioned that opening ports below 1024 was only allowed by root. Not sure about that last statement, but like you said, I don't think it's the pid permission problem. :( Thanks for the advice, though!
 
shantiS
Posts:142
Registered: 12/9/98
Re: Starting csk-http with SSL using SMF   
Feb 26, 2008 5:14 PM (reply 3 of 22)  (In reply to #2 )
Correct
 
This is correct - you need privileged access for port 80 and we set that via SMF. That's why you can run apache via SMF on port 80 with uid webservd but you can't do that manually as user webservd since you're not raising your privileges. If you check out the manifest, you'll understand how this is done.

Shanti
 
jmernin
Posts:45
Registered: 10/2/07
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 1:49 AM (reply 4 of 22)  (In reply to #3 )
Helpful
 
Matthew,
Your colleague is correct. Non-root processes are not allowed to open any port below 1024. This has been the case in all Unix flavours for as long as I can remember.

Shanti,
Thanks for the explanation of how it is that CSK Apache is started as a non-root user but yet can open port 80. I looked in the manifest file and see how (on line 64) the privileges for the start method seem to allow this.

Matthew,
Have you tried removing the httpd.pid file before re-attempting to start using SMF? If you look in the /opt/coolstack/lib/svc/method/svc-cskapache2 file, you will see that the only thing the start method is doing is trying to remove the PID file and then setting another variable (cmd=start), and your error is stating that the start method exited with an error. It's possible that this error is happening on the removal of this PID file (unlikely to be related to the setting of the cmd parameter).
 
Matthew_West
Posts:6
Registered: 2/26/08
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 9:37 AM (reply 5 of 22)  (In reply to #4 )
 
 
Hi Shanti and jmernin,

Thank you very much for your advice and help. FYI, I am still a novice with Solaris. Most of my background has been setting up AMP on apache for the past year and a half. I am still learning the details of apache.

Unfortunately, even after I removed the httpd.pid file, invoking apache with:

# svcadm enable csk-httpd


still resulted in the process failing. I am able to start apache just fine using the smf script or apachectl. The solution I am truly looking for is a "best practice" way of starting this process automatically on boot. Is using rc still a valid way to start processes on boot?

Also, I have looked at all of the logs I can find, but none of them are very verbose for the reason SMF is exiting with an error. Any recommendations?

Thanks again,

Matthew

Edited by: Matthew_West on Feb 27, 2008 5:37 PM
 
  basant_kukreja
Posts:363
Registered: 10/10/06
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 1:27 PM (reply 6 of 22)  (In reply to #5 )
 
 
I would like to get more information about why httpd is failing to start.
Here is the information, I need :

1. Make sure service is not in maintenance mode.
# svcs -a csk-httpd

If it is in maintenance mode then clear the maintenance mode first e.g
# svcadm clear csk-httpd

2. Make sure previous apache is not running
# ps -ef | grep httpd

3. Make sure the logs directory is owned by the webservd user and httpd.pid doesn't exist.
# cd /opt/coolstack/apache2
# chown -R webservd:webservd logs
# rm logs/httpd.pid

4. Now start the csk-service
# svcadm enable csk-httpd
# svcs -a csk-httpd

5. If apache fails to start then please provide the following :
smf service log file output and apache log output :
# tail /var/svc/log/network-csk-http\:CSKapache2.log
# tail /opt/coolstack/apache2/logs/error_log
 
Matthew_West
Posts:6
Registered: 2/26/08
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 2:07 PM (reply 7 of 22)  (In reply to #6 )
 
 
Hi Basantk,

Thanks for your guide. Unfortunately, I have been through this process before. I tried again using your guide and had the same result.

Output from tail /var/svc/log/network-csk-http\:CSKapache2.log:
[ Feb 27 13:48:29 Method "start" exited with status 1 ]
[ Feb 27 13:48:52 Leaving maintenance because clear requested. ]
[ Feb 27 13:48:52 Enabled. ]
[ Feb 27 13:48:52 Executing start method ("/opt/coolstack/lib/svc/method/svc-cskapache2 start") ]
[ Feb 27 13:48:52 Method "start" exited with status 1 ]
[ Feb 27 13:49:17 Leaving maintenance because disable requested. ]
[ Feb 27 13:49:17 Disabled. ]
[ Feb 27 13:50:43 Enabled. ]
[ Feb 27 13:50:43 Executing start method ("/opt/coolstack/lib/svc/method/svc-cskapache2 start") ]
[ Feb 27 13:50:43 Method "start" exited with status 1 ]


Output from /opt/coolstack/apache2/logs/error_log:
[Wed Feb 27 12:10:12 2008] [error] [client 149.175.204.53] Out of memory!, referer: https://blog.lclark.edu/cgi-bin/mt.cgi?__mode=cfg_prefs&_type=blog&blog_id=5&id=5&saved=1
[Wed Feb 27 12:10:16 2008] [error] [client 149.175.204.53] Callback called exit., referer: https://blog.lclark.edu/cgi-bin/mt.cgi?__mode=cfg_prefs&_type=blog&blog_id=5&id=5&saved=1
[Wed Feb 27 12:10:16 2008] [error] [client 149.175.204.53] END failed--call queue aborted., referer: https://blog.lclark.edu/cgi-bin/mt.cgi?__mode=cfg_prefs&_type=blog&blog_id=5&id=5&saved=1
[Wed Feb 27 13:47:42 2008] [notice] caught SIGTERM, shutting down
[Wed Feb 27 13:48:29 2008] [notice] suEXEC mechanism enabled (wrapper: /opt/coolstack/apache2/bin/suexec)
[Wed Feb 27 13:48:29 2008] [error] (13)Permission denied: Init: Can't open server private key file /opt/coolstack/apache2/conf/ssl.key/server.key
[Wed Feb 27 13:48:52 2008] [notice] suEXEC mechanism enabled (wrapper: /opt/coolstack/apache2/bin/suexec)
[Wed Feb 27 13:48:52 2008] [error] (13)Permission denied: Init: Can't open server private key file /opt/coolstack/apache2/conf/ssl.key/server.key
[Wed Feb 27 13:50:43 2008] [notice] suEXEC mechanism enabled (wrapper: /opt/coolstack/apache2/bin/suexec)
[Wed Feb 27 13:50:43 2008] [error] (13)Permission denied: Init: Can't open server private key file /opt/coolstack/apache2/conf/ssl.key/server.key


Ouch, that last one looks bad. Checked permissions on my server.key file, changed that, and now everything works. Should I make sure any of the directories/files in /opt/coolstack/apache2/conf are owned by webservd?

Here's the output after the permissions are changed from error_log. And yes, I know I need to get an icon.
[Wed Feb 27 13:58:25 2008] [notice] suEXEC mechanism enabled (wrapper: /opt/coolstack/apache2/bin/suexec)
[Wed Feb 27 13:58:25 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 27 13:58:25 2008] [notice] Digest: done
[Wed Feb 27 13:58:25 2008] [notice] Apache/2.2.6 (Unix) PHP/5.2.4 mod_ssl/2.2.6 OpenSSL/0.9.7d configured -- resuming normal operations
[Wed Feb 27 13:58:41 2008] [error] [client 149.175.21.87] File does not exist: /opt/coolstack/apache2/htdocs/favicon.ico, referer: https://blog.lclark.edu/cgi-bin/mt.cgi


Thanks for all your help everyone,

Matthew
 
  basant_kukreja
Posts:363
Registered: 10/10/06
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 3:29 PM (reply 8 of 22)  (In reply to #7 )
 
 
Should I make sure any of the directories/files in the /opt/coolstack/apache2/conf are owned by webservd?
No. For the csk-http service, it must be readable by the webservd user. It should not be owned by webservd.

/opt/coolstack/apache2/htdocs/favicon.ico
Does favicon.ico exist in your installation? What is the permission/ownership of favicon.ico?

It exists in default installation.
[/opt/coolstack/apache2] # ls htdocs/favicon.ico
htdocs/favicon.ico
 
Matthew_West
Posts:6
Registered: 2/26/08
Re: Starting csk-http with SSL using SMF   
Feb 27, 2008 4:17 PM (reply 9 of 22)  (In reply to #8 )
 
 
Basantk,

Thank you for the clarification and help. As far as the icon goes, I just haven't put our campus favicon.ico file there yet and had previously removed the old one.

Take Care,

Matthew
 
Cubical10
Posts:15
Registered: 2/22/07
Re: Starting csk-http with SSL using SMF   
Feb 29, 2008 11:21 AM (reply 10 of 22)  (In reply to #9 )
 
 
What are the permissions on the files that SSLCertificateFile and SSLCertificateKeyFile point to?
Assuming that you have something like this in httpd.conf or httpd-ssl.conf

SSLCertificateFile server.crt
SSLCertificateKeyFile server.key

Then both of those files must be readable by the apache user webservd.

Try:
chown webservd:webservd server.crt server.key

Many references state that you should chown root:root and chmod 400 those files.
That works when manually starting Apache, since you are starting Apache as root.
But SMF starts Apache as webservd. So you need to change the owner to webservd.
 
  basant_kukreja
Posts:363
Registered: 10/10/06
Re: Starting csk-http with SSL using SMF   
Mar 3, 2008 11:06 PM (reply 11 of 22)  (In reply to #10 )
 
 
I believe this is a bug in Coolstack apache SMF.

apache2 must be started as root, and later apache changes the owner of the
process to webservd.

The above is not much of a problem when ssl is not enabled, but when ssl is
enabled it becomes a security issue.

We will fix this issue in next release.
 
  basant_kukreja
Posts:363
Registered: 10/10/06
Re: Starting csk-http with SSL using SMF   
Mar 4, 2008 1:54 AM (reply 12 of 22)  (In reply to #10 )
 
 
To run apache2 under SMF, make the following changes:
First change the cskapache2.xml
[/var/svc/manifest/network] # diff -u /var/tmp/cskapache2.xml cskapache2.xml
--- /var/tmp/cskapache2.xml     Tue Mar  4 01:07:02 2008
+++ cskapache2.xml      Tue Mar  4 01:13:03 2008
@@ -58,11 +58,6 @@
            name='start'
            exec='/opt/coolstack/lib/svc/method/svc-cskapache2 start'
            timeout_seconds='60'>
-           <method_context>
-               <method_credential
-                   user='webservd' group='webservd'
-                   privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr' />
-           </method_context>
       </exec_method>
 
       <exec_method
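Review bot: deleting the whole method_context (the five `-` lines) makes the start method run with svc.startd's default credentials, i.e. root with no privilege restriction, which is a wider grant than the `net_privaddr` line being removed; if the only need is for the parent to read a root-owned key before it drops to webservd itself (as the ps listing in this post shows the child doing), consider keeping a method_credential with user='root' and an explicit, reduced privileges list instead of removing the element. Also, the stop exec_method that begins on the last context line is outside this hunk; if it keeps a webservd credential, a stop run as webservd cannot signal the root-owned parent shown in the ps output, so both methods should be changed together.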


Then import your changes in SMF.
# cd /var/svc/manifest/network
# svccfg delete csk-http
# svccfg import cskapache2.xml
# svcs -a csk-http
svcs: -a ignored when used with arguments.
STATE          STIME    FMRI
disabled        1:14:31 svc:/network/csk-http:CSKapache2
[/var/svc/manifest/network] # svcadm enable csk-http
[/var/svc/manifest/network] # svcs -a csk-http
svcs: -a ignored when used with arguments.
STATE          STIME    FMRI
online          1:14:53 svc:/network/csk-http:CSKapache2
[/var/svc/manifest/network] # ps -ef | grep httpd
webservd  6598  6597   0 01:14:55 ?           0:00 /opt/coolstack/apache2/bin/httpd -k start
    root  6601 17535   0 01:15:05 pts/2       0:00 grep httpd
    root  6597     1   1 01:14:54 ?           0:01 /opt/coolstack/apache2/bin/httpd -k start


Note that the parent apache is running as root while the child apache process (which
serves the requests) now runs as webservd.
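The reasoning in replies 3 and 4 (SMF hands webservd the net_privaddr privilege so it can bind port 80), reply 7 and reply 10 (the 0400 root-owned server.key is unreadable by webservd) and replies 11 and 12 (start as root, let apache drop to webservd), worked through as an added example in Python. This is not code from the thread or from CoolStack. It assumes the Solaris 10 `basic` privilege set listed in `BASIC_SET`, that webservd is uid/gid 80, and that a start method with no method_context runs as root with the default privilege set; the manifest fragment is constructed from the diff above (the stop method in it is a placeholder), and the error_log lines are the ones quoted in reply 7.

```python
"""Predict whether mod_ssl can open the server key under an SMF start method.

Added example for this thread, not CoolStack code. Assumptions are marked.
"""
import re
import xml.etree.ElementTree as ET

# Solaris 10 'basic' privilege set (assumption: per privileges(5) on Solaris 10;
# later releases add members, so verify on the target host).
BASIC_SET = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}

# Assumed uid/gid of the web user (Solaris 10 ships webservd as 80:80).
WEBSERVD_UID, WEBSERVD_GID = 80, 80

# Constructed manifest fragment built from the diff in this thread; the real
# file carries more elements (dependencies, stability, template).
MANIFEST_TEMPLATE = """<service_bundle type='manifest' name='CSKapache2'>
  <service name='network/csk-http' type='service' version='1'>
    <exec_method type='method' name='start'
        exec='/opt/coolstack/lib/svc/method/svc-cskapache2 start'
        timeout_seconds='60'>{context}</exec_method>
    <exec_method type='method' name='stop'
        exec='/opt/coolstack/lib/svc/method/svc-cskapache2 stop'
        timeout_seconds='60'/>
  </service>
</service_bundle>"""
METHOD_CONTEXT = """
      <method_context>
        <method_credential user='webservd' group='webservd'
            privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr' />
      </method_context>
    """
MANIFEST_BEFORE = MANIFEST_TEMPLATE.format(context=METHOD_CONTEXT)  # as shipped
MANIFEST_AFTER = MANIFEST_TEMPLATE.format(context="")               # after the diff

# error_log lines quoted in this thread (reply 7).
SAMPLE_ERROR_LOG = """[Wed Feb 27 13:48:29 2008] [notice] suEXEC mechanism enabled (wrapper: /opt/coolstack/apache2/bin/suexec)
[Wed Feb 27 13:48:29 2008] [error] (13)Permission denied: Init: Can't open server private key file /opt/coolstack/apache2/conf/ssl.key/server.key
"""


def expand_privileges(spec):
    """Expand an SMF privileges= string left to right: 'basic' adds the basic
    set, '!name' removes a privilege, any other token adds one."""
    effective = set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token.startswith("!"):
            effective.discard(token[1:])
        elif token == "basic":
            effective |= BASIC_SET
        else:
            effective.add(token)
    return effective


def start_method_credential(manifest_xml):
    """Return (user, privileges) for the start method. With no method_context
    svc.startd runs the method as root with its full privilege set (assumption
    from smf_method(5)); that case is reported as ('root', None)."""
    root = ET.fromstring(manifest_xml)
    start = root.find(".//exec_method[@name='start']")
    cred = start.find("method_context/method_credential") if start is not None else None
    if cred is None:
        return ("root", None)
    return (cred.get("user", "root"), cred.get("privileges"))


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Plain DAC read check. uid 0 always passes: on Solaris that is the
    file_dac_read privilege, which root holds by default."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & 0o400)
    if owner_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


KEY_ERR = re.compile(r"\(13\)Permission denied: Init: Can't open server private key file (\S+)")


def failing_key_path(error_log):
    """Pull the key path out of the mod_ssl startup error seen in error_log."""
    for line in error_log.splitlines():
        m = KEY_ERR.search(line)
        if m:
            return m.group(1)
    return None


def diagnose(manifest_xml, key_mode, key_uid, key_gid):
    """Combine the method credential with the key file's owner/mode."""
    user, privs = start_method_credential(manifest_xml)
    uid, gids = (0, {0}) if user == "root" else (WEBSERVD_UID, {WEBSERVD_GID})
    effective = None if privs is None else expand_privileges(privs)
    return {
        "method_user": user,
        "can_bind_80": effective is None or "net_privaddr" in effective,
        "can_open_key": can_read(key_mode, key_uid, key_gid, uid, gids),
        # what a compromised worker (running as webservd) could read from disk
        "key_readable_by_webservd": can_read(key_mode, key_uid, key_gid, WEBSERVD_UID, {WEBSERVD_GID}),
    }


if __name__ == "__main__":
    print("failing key:", failing_key_path(SAMPLE_ERROR_LOG))
    for label, manifest, owner in (("shipped manifest, key root:root 0400", MANIFEST_BEFORE, (0, 0)),
                                   ("shipped manifest, key chowned webservd", MANIFEST_BEFORE, (80, 80)),
                                   ("patched manifest, key root:root 0400", MANIFEST_AFTER, (0, 0))):
        print(label, diagnose(manifest, 0o400, *owner))
```

The three scenarios in the `__main__` block are the three states the thread walks through: the shipped manifest fails to open the key, the chown from reply 10 makes it start but leaves the key readable by every process running as webservd, and the patched manifest starts as root while the key stays unreadable by the worker uid.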
 
Matthew_West
Posts:6
Registered: 2/26/08
Re: Starting csk-http with SSL using SMF   
Mar 4, 2008 9:28 AM (reply 13 of 22)  (In reply to #12 )
 
 
Basantk,

Thank you very much for your help. I will be applying the changes you made and will post back with my results (I am sure everything will work great!) Glad to hear you will be incorporating this fix into your next release.

Take Care,

Matthew
 
trotunda
Posts:1
Registered: 6/3/08
Re: Starting csk-http with SSL using SMF   
Jun 3, 2008 11:57 AM (reply 14 of 22)  (In reply to #12 )
 
 
Pardon me for hi-jacking this thread, but I have this exact problem.

I am unclear on your change advice. Do you mean to change the items you have highlighted in blue text, or remove (comment out) the lines you have a - in front of?

I assumed the latter because my text is identical and it works with pulling those 5 lines out and importing, but just wanted to make sure.

Thank you,

Tim
 