Open Microscopy Environment

[manics]

Those permissions look correct.

Do you have anything else running on the server? Have you tried restarting everything (omero, omero-web, nginx)?

Simon

[xkunes]

Hello,
it is just clear installation - Only Omero.

I have tried it on 3 installations (2x Virtualbox localy on Windows, 1x server VMware) and I always got the same result.
- only Centos 6.6., nothing special, updated and installed Omero according the web manual.

Restarting dos nothing.


If I run nginx just as a program, than it is working, if I run it as service, than error.

[manics]

When you start nginx as a service do you see anything in /home/omero/OMERO.server/var/log/OMEROweb.log at the same time as the error?

[xkunes]

I don't understand, how to check it.

I am starting the service as root ... root is able to see all.
But, I thing that the "service nginx start" command is using a different "user", but I don't know how to check it.

[manics]

OMEROweb.log should be written to by OMERO.web.

`service nginx start` and `nginx` should behave the same if started as root (in both cases nginx should automatically switch to the nginx user). Could you paste the output of

Code: Select all

ps -ef | grep nginx

after starting nginx directly, and as a service

Simon

[xkunes]

Results:

Service nginx:

Code: Select all

[root@im~]# service nginx start
Starting nginx:                                            [  OK  ]
[root@im~]# ps -ef | grep nginx
root      2345     1  0 19:50 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx     2346  2345  0 19:50 ?        00:00:00 nginx: worker process
root      2349  2297  0 19:50 pts/0    00:00:00 grep nginx
[root@im~]# service nginx stop
Stopping nginx:                                            [  OK  ]


Nginx:

Code: Select all

[root@im~]# nginx
[root@im~]# ps -ef | grep nginx
root      2366     1  0 19:50 ?        00:00:00 nginx: master process nginx
nginx     2367  2366  0 19:50 ?        00:00:00 nginx: worker process
root      2369  2297  0 19:50 pts/0    00:00:00 grep nginx

[manics]

I'm running out of ideas now... could you try stopping omero, omero-web, nginx, delete the OMERO.server/var directory, and restart?

[xkunes]

No change :-/.

The var dir, was automatically crated and the behavior is the same.

(I tried to use "/usr/sbin/nginx -c /etc/nginx/nginx.conf" command, as it is running as a service in the "ps -ef" result, but it is again working.)

[manics]

Hi Michal, thanks for your persistence! Do you happen to have selinux enabled (run `sestatus`)? I've found some reports of nginx breaking between CentOS 6.5 and 6.6 due to a new more secure selinux policy:

http://forum.nginx.org/read.php?2,25445 ... msg-254456
https://www.centos.org/forums/viewtopic ... 13&t=49280

If so, could you see if there are any relevant messages in /var/log/audit/audit.log
(See http://wiki.centos.org/HowTos/SELinux#h ... 33505dd3af for more information on selinux)

and would you mind temporarily disabling it to see if that solves the problem?

Code: Select all

setenforce 0

If it is, the proper solution will be to fix the security contexts on the files nginx requires access to.

Thanks, Simon

[xkunes]

Hello,
thanks for trying me to help.

Yes, the sestatus is enabled:

Code: Select all

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

If I set the "setenforce 0", than it is working!!

Code: Select all

[root@images2 ~]# setenforce 0
[root@images2 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

There is an error in the log:

Code: Select all

type=AVC msg=audit(1420555412.784:47): avc:  denied  { search } for  pid=3386 comm="nginx" name="omero" dev=dm-0 ino=1325803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

type=SYSCALL msg=audit(1420555412.784:47): arch=c000003e syscall=4 success=no exit=-13 a0=17dc081 a1=7fffa7cf5410 a2=7fffa7cf5410 a3=0 items=0 ppid=3385 pid=3386 auid=0 uid=494 gid=492 euid=494 suid=494 fsuid=494 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="nginx" exe="/usr/sbin/nginx" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1420555412.786:48): avc:  denied  { name_connect } for  pid=3386 comm="nginx" dest=4080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1420555412.786:48): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=17dd6f8 a2=10 a3=7fffa7cf52a0 items=0 ppid=3385 pid=3386 auid=0 uid=494 gid=492 euid=494 suid=494 fsuid=494 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="nginx" exe="/usr/sbin/nginx" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

After installing the sealert (yum install setroubleshoot):

SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket.
and
SELinux is preventing /usr/sbin/nginx from search access on the directory /home/omero.

According that details, that I need to modify the port type:

Code: Select all

If you want to allow /usr/sbin/nginx to connect to network port 4080
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 4080
    where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_port_t, ocsp_port_t, kerberos_port_t.

...

and

Code: Select all

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content'boolean.
Do
setsebool -P httpd_read_user_content 1

...

It seams, that I have to change the context of the var dir ... Am I right?
.. I am going to try it on my testing install . I will post my results.