Version
4.1.2, 4.2.1.
Issue
The service cb-nginx fails to start with the following error:
Starting cb-nginx: nginx: [emerg] open() "/var/run/cb/nginx.runtime.user.prop" failed (13: Permission denied) in /etc/cb/nginx/cb-nginx.conf:17
[FAILED]
or
Starting cb-nginx: nginx: [emerg] open() "/var/run/cb/nginx.runtime.ssl_certificate.prop" failed (2: No such file or directory) in /etc/cb/nginx/conf.d/cb.conf:30
[FAILED]
Symptoms
- No logs are written to /var/log/cb/nginx.
- SELinux access-denied (AVC) messages for nginx appear in /var/log/audit/audit.log:
[root@cb_server_lab02 nginx]# cat /var/log/audit/audit.log | grep nginx | grep denied
type=AVC msg=audit(1414705710.509:130490): avc: denied { read } for pid=11731 comm="nginx" name="nginx.runtime.user.prop" dev=sda2 ino=1833402 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Cause
This happens only when SELinux is in enforcing mode and a recent yum upgrade on CentOS/Red Hat has modified the default SELinux policies.
The updated SELinux policy package confines nginx in the httpd domain (httpd_t, as shown in the scontext of the audit record above), which is not allowed to read the runtime property files under /var/run/cb (labelled var_run_t).
Solution
This solution applies to Carbon Black upgrades from versions earlier than 4.2.3; the issue is fixed in version 4.2.3 and above.
- Edit the file /etc/cb/nginx/conf.d/cb.conf or /etc/cb/nginx/conf.d/cb-multihome.conf, depending on which one is in use.
- Update the include statements to reference /var/cb/... instead of /var/run/cb/..., so that:
include /var/run/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
becomes:
include /var/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
- Perform this step for every include statement that points to /var/run/cb/...
- Start the cb-nginx service: service cb-nginx start
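The path rewrite above can be done in one pass. The following shell script is an added example and is not part of the original article or of the Carbon Black product; the function names (rewrite_cb_includes, remaining_runtime_includes, demo) and the sample configuration it builds are constructed for illustration, modelled on the include lines quoted above. It backs up the file, rewrites only include statements that point at /var/run/cb/, and reports how many such statements remain so you can confirm the edit is complete before starting cb-nginx.

```shell
#!/bin/sh
# Added example (not from the original KB article or from Carbon Black):
# rewrite cb-nginx include statements from /var/run/cb/... to /var/cb/...

# Rewrite include paths in the given nginx config file, keeping a .bak copy.
# Only lines that start with "include" are changed; anything else that
# happens to mention /var/run/cb is left alone.
rewrite_cb_includes() {
    conf="$1"
    cp -p "$conf" "$conf.bak" || return 1
    sed 's#^\([[:space:]]*include[[:space:]][[:space:]]*\)/var/run/cb/#\1/var/cb/#' \
        "$conf.bak" > "$conf"
}

# Count include statements that still reference /var/run/cb (0 means done).
# grep -c exits 1 when the count is 0, hence the "|| true".
remaining_runtime_includes() {
    grep -c '^[[:space:]]*include[[:space:]][[:space:]]*/var/run/cb/' "$1" || true
}

# Run the rewrite against a constructed sample file (not the real cb.conf)
# and show the before/after counts.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, modelled on /etc/cb/nginx/conf.d/cb.conf
server {
    include /var/run/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
    include /var/run/cb/nginx.runtime.user.prop;
    include /etc/nginx/mime.types;
}
EOF
    echo "before: $(remaining_runtime_includes "$tmp") include(s) under /var/run/cb"
    rewrite_cb_includes "$tmp"
    echo "after:  $(remaining_runtime_includes "$tmp") include(s) under /var/run/cb"
    echo "rewritten file:"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run the script with --demo to see it operate on the constructed sample; on an affected server, call rewrite_cb_includes on /etc/cb/nginx/conf.d/cb.conf or cb-multihome.conf (whichever is in use), check that remaining_runtime_includes reports 0, then run service cb-nginx start. The .bak copy lets you revert if the service still fails for another reason.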