Error, Apache failed to start, can not open

#1 Fri, 08/31/2007 - 00:06
DaveG

Hello all,

I'm having a problem which I think may be related to Virtualmin.

OS: SuSE 10

I just recently re-installed a machine using SuSE 10 in which I am running all current... Apache2, PHP5, MySQL etc...

I had a bit of a problem with Virtualmin at first in that it could not create the group name but I found the problem with that. Now, Virtualmin works great... well..

After Virtualmin builds the Virtual Domain, Apache will not restart. When I try to restart Apache I get the following...

      Error
      Failed to start apache : 
      Starting httpd2 (prefork) ..failed

When I look in the "Error log" located at /var/log/apache2/ I see this in the log

      (13)Permission denied: httpd2-prefork: could not open error log file /home/mydomain1/logs/error_log.
      Unable to open logs
      (13)Permission denied: httpd2-prefork: could not open error log file /home/mydomain2/logs/error_log.
      Unable to open logs

When I look in the /home/mydomain/logs/ I do find the error_log

and so on and so on. If I remove these Virtual domains via Virtualmin, I am able to start Apache once again. When I try to add them again, same problem and error.

I am assuming that this is a permissions issue but I can not find where to edit or what conf file to edit to fix.

Any help or assistance would be greatly appreciated!

Post edited by: DaveG, at: 2007/08/31 00:08

Fri, 08/31/2007 - 00:28
Joe

Hey Dave,

Yes, by default Virtualmin sets up 750 permissions on the domain homes. In order for this to work, Apache needs to be a member of the group of that directory.

Sounds like there is a mis-match between what Virtualmin thinks Apache's username is and what it really is (or maybe it's not configured to add the group membership at all).

In the Server Template(s) that you use, have a look at the Apache Website section. Specifically, the "Permissions on website subdirectory" and "Add Apache user to Unix group for new servers?" options. Either open the permissions some, or make sure the Apache user is correct and is being added to the group of the virtual server owner.

Anyway, I'm guessing that's the source of your troubles.

--

Check out the forum guidelines!

Thu, 08/30/2007 - 11:57
DaveG

Hi Joe,

I think I follow, forgive me, I'm kind of a noob to unix/linux settings.

What I think I hear you saying is that I need to go into the "Server Templates" option in Virtualmin, edit the "Administration user" then default settings, and select a "Default Unix group for domain owners" (which I currently have selected as "None").

Question is, do I select "Selected group" and pick "www" (wwwrun)?

Or... do I edit the Apache website template? I noticed that there is an option for write logs via program as well?

Thu, 08/30/2007 - 17:11 (Reply to #3)
Joe

> Question is, do I select "Selected group" and pick "www" (wwwrun)?

No. Definitely not. This is an ugly option that I've never liked. But some goofy users wanted it way back when Virtualmin was young and foolish. (Reasonable people can disagree on whether putting all virtual servers into a group is wise, but not in the context of what Virtualmin can do and how it is usually configured...it's only sane in a *very* restrictive type of deployment--i.e. a server where no one can run scripts of any kind.)


Thu, 08/30/2007 - 17:14 (Reply to #4)
Joe

> Or... do I edit the Apache website template? I noticed that there is an option for write logs via program as well?

This is to solve a different problem, and won't alter permissions issues at all.

This option is to prevent malicious (or stupid) users from being able to DoS your Apache by deleting or moving their logs directory. We do a few things to prevent that, like making the directory impossible to delete for normal users...but we can't prevent moves while still allowing the user to do things with their own logs (the containing directory determines whether it can be renamed, and obviously the containing directory is owned by the virtual server owner).


Thu, 08/30/2007 - 12:03
DaveG

Oh, btw, thanks for the quick response and help!

I actually understand what you were suggesting.... the "Add Apache user to Unix group for new servers?" already has "Yes, find Apache user automatically" selected.

Are you saying I should use the "Yes, Apache user is (Blank)" option and select the Apache user from the ... selection button?

If so, the "www" which is my Apache daemon, should be selected, correct?

Thanks again for your help on this!

Thu, 08/30/2007 - 17:06 (Reply to #6)
Joe

> Are you saying I should use the "Yes, Apache user is (Blank)" option and select the Apache user from the ... selection button?
>
> If so, the "www" which is my Apache daemon, should be selected, correct?

I dunno--the auto-select ought to work. Check the /etc/group file to see what is being added to the group of your virtual server account holders. If it's something other than www, then you'll need to set it manually. It's also kind of bug-like, if you're using the default Apache package for your OS--the default ought to be correct. We'd want to fix that on Virtualmin (it pulls it from the Apache configuration file, though, so I'm not sure how auto-selection would be wrong).

BTW-Sorry for the threading issues in the forum. I just updated the time zone to be accurate, and it's thrown all of the posts for a loop for a few hours.


Fri, 08/31/2007 - 04:34 (Reply to #7)
DaveG

Joe wrote:
> Hey Dave,
>
> Yes, by default Virtualmin sets up 750 permissions on the domain homes. In order for this to work, Apache needs to be a member of the group of that directory.
>
> Sounds like there is a mis-match between what Virtualmin thinks Apache's username is and what it really is (or maybe it's not configured to add the group membership at all).
>
> In the Server Template(s) that you use, have a look at the Apache Website section. Specifically, the "Permissions on website subdirectory" and "Add Apache user to Unix group for new servers?" options. Either open the permissions some, or make sure the Apache user is correct and is being added to the group of the virtual server owner.
>
> Anyway, I'm guessing that's the source of your troubles.

Hi again Joe,

First, thanks for your quick response! I have used Virtualmin for a couple of years now which has, in effect, made me kind of dumb where Linux is concerned because it has made a moron like me able to set up and maintain virtual hosting of several of my own domains with little interaction... of course Webmin has helped in that area too! ;-)

Ok, looking at the /etc/group file, I see that when a v-server is created, it seems to add the user group ID as well as wwwrun as groups. For the life of me, I do not see where wwwrun was or is being added though. Apache still will not start.

Fri, 08/31/2007 - 04:48 (Reply to #8)
DaveG

Oh, also, I have another server running Webmin and Virtualmin which I have been trying to compare various settings on now. Even though the other server is running an older OS and ver of Vmin, settings appear to be pretty much the same with the exception of the following I just found....

1. The user www on the older server has "nogroup" as the Primary group and it also appears that it has nothing selected for "Secondary Groups", not even the groups which own the Virtual domain. The Primary Group for the server I am having problems with has "www" as primary and the groups for the Virtual domains as "secondary group".

2. When I looked at the /etc/group file on the older server, it has the virtual domain user listed but does not include a second like wwwrun as in the new server which I am having problems with.

Everything else seems to be pretty much the same.

Since this server has nothing of value on it as of yet, would you be interested in having access to it so that you can see what I see?

Again, I REALLY appreciate your time and efforts in helping me with this!

Fri, 08/31/2007 - 08:57 (Reply to #9)
Joe

> 1. The user www on the older server has "nogroup" as the Primary group and it also appears that it has nothing selected for "Secondary Groups", not even the groups which own the Virtual domain. The Primary Group for the server I am having problems with has "www" as primary and the groups for the Virtual domains as "secondary group".

You're throwing around a lot of user and group names assuming I know which is which. I am not a SUSE expert--I don't have this knowledge on the top of my head (and even for systems that I am very familiar with, I can't keep up with all of this stuff without looking). ;-)

So, let's simplify and talk about one virtual server on one machine (one that doesn't work, since I'm getting the impression now that some are working, but maybe I'm just confused).

So, assume this one non-working virtual server is called domain.tld, and the username is "domain" and the group is also "domain".

When you look in /etc/group, find the "domain" group...does it have the Apache username on the line?

For example, my doxfer.com virtual server on my RHEL4 system looks like this:

      doxfer:x:501:apache

Apache runs as user apache, and so it is a member of the doxfer group. So, assuming /home/doxfer/logs is group owned by "doxfer" and 750 permissions, and /home/doxfer is also group owned by "doxfer" and has 750 permissions, everything should be fine.

If all of that is true and it still doesn't work, maybe just switch to using the write logs via process option...while it wasn't intended to solve this problem, it does have a different set of permissions requirements which may be easier to meet on your system.

As for the older server, it's probably got 755 permissions on /home, which is less secure (it can be just as secure, but it requires a lot more diligence on the part of your virtual server owners, which as we all know is not realistic).


Sat, 09/01/2007 - 21:04 (Reply to #10)
DaveG

Hi Joe,

Sorry about the confusion, I have two boxes, both running two different ver of SuSE and both now running different ver of Webmin/Virtualmin. The older box, of course, is running the old versions of OS, Vmin etc...

Ok... on the "problem box" (running all new OS, Vmin, Webmin etc) I looked at the /etc/group file.

Like what you said I should see, it is there with one difference...

You said I should see, as your example, doxfer:x:501:apache

What I see is me::1002:wwwrun

Me = domain or is it group name? (this shows the same as the user dir in my "/home" dir and is where the domain dir is set up at)
1002 = user (or is it group) number
wwwrun = is what Apache is running under (user)

Apache runs, on this box, as user wwwrun and group www

What I find interesting is that anything Virtualmin sets up in this file does not put the "x" between the :: as shown in what I see above. Although, in this group file, I see every other entry has mostly "x" between with a few that have another character.

Could this be part of the problem? The missing "x"?

Sun, 09/02/2007 - 12:56 (Reply to #11)
Joe

OK, in all cases where you're asking "is it domain or is it group name", it's group name. /etc/group deals with groups. The format of the file is:

      groupname:grouppasswd:GID:members

Note that group only applies to secondary groups. Primary group membership is in the passwd file and is irrelevant to this discussion.

wwwrun, since it is the Apache username on your system, is the correct value for that field.

I'm surprised there is no "x" in the password field. There is on all of my Virtualmin systems. It shouldn't make a difference, it's just symbolic of "no password for this group"--an empty field should also work the same way, because nothing MD5 hashes to an empty string. It's almost certainly not the problem, but you could give it a try to see.

Frankly, I'm not sure what to make of the issues you're seeing, at this point.

And now that I'm looking at it more, I think the logs should be started before Apache drops privileges, and so anything root can touch ought to be touchable by Apache. Sounds like your Apache is not behaving that way. Do you have some special configuration that causes/allows Apache to start without being root? (It also needs root to bind to port 80, so it's not just about logging...I can't imagine any easy way to get around that, but maybe SUSE has something fancy pants going on...I know they have an SELinux-like security partitioning system. Maybe it's in play here?)


Mon, 09/03/2007 - 22:16
DaveG

Hi Joe,

I tried all your suggestions and made no progress so... I decided to do a very detailed and fresh install of the box. What I am led to believe now that the box has been re-installed and seems to be running is that something in the server set up was not quite right or a file was corrupt and causing the problem. What it was, I have no idea and I wish I could so if this problem ever arises again, you would have a better understanding of what was going on.

I do have another problem now but I will start a new thread so as to keep things unconfusing :)

Thanks again!
