Bad Gateway 502 - 在 centos 7 上使用 gunicorn nginx 部署 Flask (python 3.5.2)
Bad Gateway 502 - Deploy Flask (python 3.5.2) using gunicorn nginx on centos 7
正如标题所说,我在我的服务器 运行 centos 7 上部署了一个烧瓶 api。我尝试按照 this DigitalOcean 上的指南进行操作,但有一些细微差别。一是我使用 conda 而不是 pip 作为我的包管理器。如下所述,当我设置好所有内容并尝试从另一台机器连接时,我得到 502 Bad Gateway(错误日志在本 post 末尾提供)。这是我的第一个 gunicorn/nginx 部署,因此欢迎任何帮助或建议。我曾尝试查看类似的 post,但进展甚微。
这是我目前所做的
我把我的项目放在/home/apps/myproject...,我的conda也安装在/home/apps/anaconda3...。
我的系统服务单元文件是这样的
/etc/systemd/system/myproject.service
[Unit]
Description=Gunicorn instance to serve myproject
After=network.target
[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi
[Install]
WantedBy=multi-user.target
当我创建这个时,我启动了服务
sudo systemctl start myproject
sudo systemctl enable myproject
在我将 nginx 配置文件修改为如下所示后
/etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name xx.xxx.xxx.xx;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/home/apps/myproject/myproject.sock;
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
我根据guid修改权限
sudo usermod -a -G apps nginx
chmod 710 /home/apps
启动nginx服务
sudo systemctl start nginx
sudo systemctl enable nginx
还有 运行 这些命令允许 http 和 https 上的流量
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
当我现在尝试在另一台机器上公开访问服务器时,我收到 502 Bad Gateway。我试过了
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
根据多个 post 的建议,例如here,但这些更改没有帮助。我得到以下信息:
/var/log/nginx/error.log
2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET / HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/", host: "xx.xx.xxx.xx"
2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/favicon.ico", host: "xx.xx.xxx.xx", referrer: "http://xx.xx.xxx.xx/"
cat /var/log/audit/audit.log | grep nginx | grep denied
type=AVC msg=audit(1480345112.140:161350): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345125.819:161351): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.544:161714): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.691:161715): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.091:161716): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.183:161717): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.732:161721): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.842:161722): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345576.952:161729): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345577.064:161730): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.191:161731): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.301:161732): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346190.944:161733): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346191.056:161734): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480347303.258:161771): avc: denied { search } for pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347303.431:161772): avc: denied { search } for pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.749:161776): avc: denied { search } for pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.843:161777): avc: denied { search } for pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.366:161783): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.518:161784): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.792:161785): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.890:161786): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.301:161796): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.417:161797): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403397.905:166856): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403398.043:166857): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.896:166913): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.988:166914): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404733.790:166933): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404733.898:166934): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.283:166935): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.376:166936): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.395:167002): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.507:167003): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
你们中有人知道这可能意味着什么吗?如何解决它。
经过一番摆弄后,我对权限错误感到厌烦。
我最终决定做的是将 gunicorn 绑定到 http://127.0.0.1:8000,例如:
[Unit]
Description=Gunicorn instance to serve myproject
After=network.target
[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"
# Old
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi
# New
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind 127.0.0.1 -m 007 wsgi
[Install]
WantedBy=multi-user.target
并改变
proxy_pass http://unix:/home/apps/myproject/myproject.sock;
到
proxy_pass http://127.0.0.1:8000;
在我的 nginx 配置中
正如标题所说,我在我的服务器 运行 centos 7 上部署了一个烧瓶 api。我尝试按照 this DigitalOcean 上的指南进行操作,但有一些细微差别。一是我使用 conda 而不是 pip 作为我的包管理器。如下所述,当我设置好所有内容并尝试从另一台机器连接时,我得到 502 Bad Gateway(错误日志在本 post 末尾提供)。这是我的第一个 gunicorn/nginx 部署,因此欢迎任何帮助或建议。我曾尝试查看类似的 post,但进展甚微。
这是我目前所做的
我把我的项目放在/home/apps/myproject...,我的conda也安装在/home/apps/anaconda3...。
我的系统服务单元文件是这样的
/etc/systemd/system/myproject.service
[Unit]
Description=Gunicorn instance to serve myproject
After=network.target
[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi
[Install]
WantedBy=multi-user.target
当我创建这个时,我启动了服务
sudo systemctl start myproject
sudo systemctl enable myproject
在我将 nginx 配置文件修改为如下所示后
/etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name xx.xxx.xxx.xx;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/home/apps/myproject/myproject.sock;
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
我根据guid修改权限
sudo usermod -a -G apps nginx
chmod 710 /home/apps
启动nginx服务
sudo systemctl start nginx
sudo systemctl enable nginx
还有 运行 这些命令允许 http 和 https 上的流量
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
当我现在尝试在另一台机器上公开访问服务器时,我收到 502 Bad Gateway。我试过了
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
根据多个 post 的建议,例如here,但这些更改没有帮助。我得到以下信息:
/var/log/nginx/error.log
2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET / HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/", host: "xx.xx.xxx.xx"
2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/favicon.ico", host: "xx.xx.xxx.xx", referrer: "http://xx.xx.xxx.xx/"
cat /var/log/audit/audit.log | grep nginx | grep denied
type=AVC msg=audit(1480345112.140:161350): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345125.819:161351): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.544:161714): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.691:161715): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.091:161716): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.183:161717): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.732:161721): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.842:161722): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345576.952:161729): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345577.064:161730): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.191:161731): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.301:161732): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346190.944:161733): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346191.056:161734): avc: denied { search } for pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480347303.258:161771): avc: denied { search } for pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347303.431:161772): avc: denied { search } for pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.749:161776): avc: denied { search } for pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.843:161777): avc: denied { search } for pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.366:161783): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.518:161784): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.792:161785): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.890:161786): avc: denied { search } for pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.301:161796): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.417:161797): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403397.905:166856): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403398.043:166857): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.896:166913): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.988:166914): avc: denied { search } for pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404733.790:166933): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404733.898:166934): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.283:166935): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.376:166936): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.395:167002): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.507:167003): avc: denied { write } for pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
你们中有人知道这可能意味着什么吗?如何解决它。
经过一番摆弄后,我对权限错误感到厌烦。
我最终决定做的是将 gunicorn 绑定到 http://127.0.0.1:8000,例如:
[Unit]
Description=Gunicorn instance to serve myproject
After=network.target
[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"
# Old
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi
# New
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind 127.0.0.1 -m 007 wsgi
[Install]
WantedBy=multi-user.target
并改变
proxy_pass http://unix:/home/apps/myproject/myproject.sock;
到
proxy_pass http://127.0.0.1:8000;
在我的 nginx 配置中