2017-08-22 9 views
0

This is a general question about Chef and MySQL. I want to configure MySQL to use a custom location to store the MySQL files.

centos 7 custom directories chef mysql

The problem I run into is that I create the directory after installing MySQL. I also set the SELinux context, but MySQL does not start because the SELinux context is not applied to the directory. It starts fine if I reboot the server.

I cannot create the directory before installing MySQL, because the directory must be owned by the MySQL user, which is only created after MySQL is installed.

Recipe

yum_package 'Install MySQL dev' do 
    package_name 'mysql-community-devel' 
    version node['mysql']['server_package_version'] 
    arch 'x86_64' 
    action :install 
end 

template '/etc/my.cnf' do 
    source 'my.cnf.erb' 
    mode '0644' 
    notifies :restart, 'service[mysqld]', :delayed 
end 

template '/etc/systemd/system/mysqld.service' do 
    source 'mysqld.service.erb' 
    mode '0644' 
    action :create 
end 

# we put mysql on the /data/ filesystem
directory '/data/var/lib/' do 
    mode '0755' 
    recursive true 
    action :create 
end 

directory '/data/var/lib/mysql' do 
    owner 'mysql' 
    group 'mysql' 
    mode '0755' 
    action :create 
end 

directory '/data/var/lib/mysql/bin_logs' do 
    owner 'mysql' 
    group 'mysql' 
    mode '0755' 
    action :create 
end 

directory '/data/var/lib/mysql/relay_logs' do 
    owner 'mysql' 
    group 'mysql' 
    mode '0755' 
    action :create 
end 

# allow mysql to write to the new directory 
selinux_policy_fcontext '/data/var/lib/mysql(/.*)?' do 
    secontext 'mysqld_db_t' 
    action :addormodify 
end 

service 'mysqld' do 
    action [:enable, :start] 
end 

MySQL error log

170822 12:49:44 mysqld_safe Logging to '/var/log/mysql/mysqld.log'. 
170822 12:49:44 mysqld_safe Starting mysqld daemon with databases from /data/var/lib/mysql 
2017-08-22 12:49:45 0 [Warning] 'THREAD_CONCURRENCY' is deprecated and will be removed in a future release. 
2017-08-22 12:49:45 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details). 
2017-08-22 12:49:45 0 [Warning] Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory. 
2017-08-22 12:49:45 0 [Warning] Insecure configuration for --secure-file-priv: Location is accessible to all OS users. Consider choosing a different directory. 
2017-08-22 12:49:45 0 [Note] /usr/sbin/mysqld (mysqld 5.6.35-log) starting as process 9001 ... 
2017-08-22 12:49:45 9001 [Warning] Buffered warning: Changed limits: max_open_files: 1024 (requested 5000) 

2017-08-22 12:49:45 9001 [Warning] Buffered warning: Changed limits: table_open_cache: 457 (requested 1024) 

/usr/sbin/mysqld: File '/data/var/lib/mysql/bin_logs/bin_logs.index' not found (Errcode: 13 - Permission denied) 
2017-08-22 12:49:45 9001 [ERROR] Aborting 

2017-08-22 12:49:45 9001 [Note] Binlog end 
2017-08-22 12:49:45 9001 [Note] /usr/sbin/mysqld: Shutdown complete 

170822 12:49:45 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended 

Audit log entry

grep mysqld /var/log/audit/audit.log 
type=USER_MAC_CONFIG_CHANGE msg=audit(1503420569.572:176): pid=8302 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob="/data/var/lib/mysql(/.*)?" ftype=any tcontext=system_u:object_r:mysqld_db_t:s0 comm="semanage" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success' 
type=AVC msg=audit(1503420585.113:205): avc: denied { read write } for pid=9001 comm="mysqld" name="bin_logs.index" dev="xvdb" ino=22544533 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

How do I fix this error?

Update 1:

chef-client output

12:49:09   [ 10.201.3.197] Recipe: cartera-mysql::default 
12:49:25   [ 10.201.3.197] * yum_package[Install MySQL] action install 
12:49:25   [ 10.201.3.197]  - install version 5.6.35-2.el7 of package mysql-community-server 
12:49:27   [ 10.201.3.197] * yum_package[Install MySQL dev] action install 
12:49:27   [ 10.201.3.197]  - install version 5.6.35-2.el7 of package mysql-community-devel 
12:49:27   [ 10.201.3.197] * template[/etc/my.cnf] action create 
12:49:27   [ 10.201.3.197]  - update content in file /etc/my.cnf from ad0361 to 8a9530 
12:49:27   [ 10.201.3.197]  --- /etc/my.cnf 2016-11-28 18:13:43.000000000 -0500 
12:49:27   [ 10.201.3.197]  +++ /etc/.chef-my.cnf20170822-2540-1nsliu0 2017-08-22 12:49:27.495530842 -0400 
12:49:27   [ 10.201.3.197]  @@ -1,32 +1,59 @@ 
12:49:27   [ 10.201.3.197]  # For advice on how to change settings please see 
12:49:27   [ 10.201.3.197]  # http://dev.mysql.com/doc/refman/5.6/en/server-configuration-defaults.html 
12:49:27   [ 10.201.3.197]  
12:49:27   [ 10.201.3.197]  +[mysql] 
12:49:27   [ 10.201.3.197]  +skip-secure-auth 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  [mysqld] 
12:49:27   [ 10.201.3.197]  -# 
12:49:27   [ 10.201.3.197]  -# Remove leading # and set to the amount of RAM for the most important data 
12:49:27   [ 10.201.3.197]  -# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%. 
12:49:27   [ 10.201.3.197]  -# innodb_buffer_pool_size = 128M 
12:49:27   [ 10.201.3.197]  -# 
12:49:27   [ 10.201.3.197]  -# Remove leading # to turn on a very important data integrity option: logging 
12:49:27   [ 10.201.3.197]  -# changes to the binary log between backups. 
12:49:27   [ 10.201.3.197]  -# log_bin 
12:49:27   [ 10.201.3.197]  -# 
12:49:27   [ 10.201.3.197]  -# Remove leading # to set options mainly useful for reporting servers. 
12:49:27   [ 10.201.3.197]  -# The server defaults are faster for transactions and fast SELECTs. 
12:49:27   [ 10.201.3.197]  -# Adjust sizes as needed, experiment to find the optimal values. 
12:49:27   [ 10.201.3.197]  -# join_buffer_size = 128M 
12:49:27   [ 10.201.3.197]  -# sort_buffer_size = 2M 
12:49:27   [ 10.201.3.197]  -# read_rnd_buffer_size = 2M 
12:49:27   [ 10.201.3.197]  -datadir=/var/lib/mysql 
12:49:27   [ 10.201.3.197]  +datadir=/data/var/lib/mysql 
12:49:27   [ 10.201.3.197]  socket=/var/lib/mysql/mysql.sock 
12:49:27   [ 10.201.3.197]  +secure_file_priv=/data 
12:49:27   [ 10.201.3.197]  
12:49:27   [ 10.201.3.197]  # Disabling symbolic-links is recommended to prevent assorted security risks 
12:49:27   [ 10.201.3.197]  symbolic-links=0 
12:49:27   [ 10.201.3.197]  
12:49:27   [ 10.201.3.197]  # Recommended in standard MySQL setup 
12:49:27   [ 10.201.3.197]  -sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES 
12:49:27   [ 10.201.3.197]  +# sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES 
12:49:27   [ 10.201.3.197]  +ft_min_word_len = 3 
12:49:27   [ 10.201.3.197]  +max_allowed_packet = 16M 
12:49:27   [ 10.201.3.197]  +table_open_cache = 1024 
12:49:27   [ 10.201.3.197]  +thread_concurrency = 8 
12:49:27   [ 10.201.3.197]  +log-bin=/data/var/lib/mysql/bin_logs/bin_logs 
12:49:27   [ 10.201.3.197]  
12:49:27   [ 10.201.3.197]  +# slow query logging 
12:49:27   [ 10.201.3.197]  +slow_query_log=1 
12:49:27   [ 10.201.3.197]  +slow_query_log_file=/var/log/mysql/slow_query.log 
12:49:27   [ 10.201.3.197]  +long_query_time=1 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +key_buffer_size = 384M 
12:49:27   [ 10.201.3.197]  +sort_buffer_size = 8M 
12:49:27   [ 10.201.3.197]  +read_buffer_size = 2M 
12:49:27   [ 10.201.3.197]  +read_rnd_buffer_size = 8M 
12:49:27   [ 10.201.3.197]  +myisam_sort_buffer_size = 64M 
12:49:27   [ 10.201.3.197]  +max_connections = 100 
12:49:27   [ 10.201.3.197]  +max_connect_errors = 1000 
12:49:27   [ 10.201.3.197]  +default-storage-engine = InnoDB 
12:49:27   [ 10.201.3.197]  +innodb_buffer_pool_size = 2G 
12:49:27   [ 10.201.3.197]  +innodb_file_per_table = 1 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# turn on the query cache 
12:49:27   [ 10.201.3.197]  +query_cache_type = 1 
12:49:27   [ 10.201.3.197]  +query_cache_size = 256M 
12:49:27   [ 10.201.3.197]  +#query_cache_limit = 2M 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Replication 
12:49:27   [ 10.201.3.197]  +server-id = 2 
12:49:27   [ 10.201.3.197]  +relay-log = /data/var/lib/mysql/relay_logs/relay_logs 
12:49:27   [ 10.201.3.197]  +relay_log_index = /data/var/lib/mysql/relay_logs/relay-log.index 
12:49:27   [ 10.201.3.197]  +relay-log-info-file = relay-log.info 
12:49:27   [ 10.201.3.197]  +replicate-do-db = transactions 
12:49:27   [ 10.201.3.197]  +expire-logs-days = 3 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +innodb_log_file_size = 256M 
12:49:27   [ 10.201.3.197]  +innodb_log_files_in_group = 4 
12:49:27   [ 10.201.3.197]  +innodb_sort_buffer_size = 128M 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  [mysqld_safe] 
12:49:27   [ 10.201.3.197]  -log-error=/var/log/mysqld.log 
12:49:27   [ 10.201.3.197]  +log-error=/var/log/mysql/mysqld.log 
12:49:27   [ 10.201.3.197]  pid-file=/var/run/mysqld/mysqld.pid 
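Review bot: the `+secure_file_priv=/data` line in this hunk is what the two "Insecure configuration for --secure-file-priv" warnings in the MySQL error log above are about: /data contains the datadir `/data/var/lib/mysql` set two lines earlier in the same hunk, and the server reports the location as accessible to all OS users, so files read with LOAD DATA INFILE or written with SELECT ... INTO OUTFILE can come from or land in the data directory itself. Point it at a dedicated directory outside the datadir that only the mysql user can reach. The `+skip-secure-auth` under `[mysql]` lets the client authenticate with pre-4.1 password hashes; drop it unless accounts with old-format hashes still exist.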
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * template[/etc/systemd/system/mysqld.service] action create 
12:49:27   [ 10.201.3.197]  - create new file /etc/systemd/system/mysqld.service 
12:49:27   [ 10.201.3.197]  - update content in file /etc/systemd/system/mysqld.service from none to fb5916 
12:49:27   [ 10.201.3.197]  --- /etc/systemd/system/mysqld.service 2017-08-22 12:49:27.533531086 -0400 
12:49:27   [ 10.201.3.197]  +++ /etc/systemd/system/.chef-mysqld.service20170822-2540-1e7mcj6 2017-08-22 12:49:27.532531080 -0400 
12:49:27   [ 10.201.3.197]  @@ -1 +1,50 @@ 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# Simple MySQL systemd service file 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# systemd supports lots of fancy features, look here (and linked docs) for a full list: 
12:49:27   [ 10.201.3.197]  +# http://www.freedesktop.org/software/systemd/man/systemd.exec.html 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# Note: this file (/usr/lib/systemd/system/mysql.service) 
12:49:27   [ 10.201.3.197]  +# will be overwritten on package upgrade, please copy the file to 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# /etc/systemd/system/mysql.service 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# to make needed changes. 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  +# systemd-delta can be used to check differences between the two mysql.service files. 
12:49:27   [ 10.201.3.197]  +# 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +[Unit] 
12:49:27   [ 10.201.3.197]  +Description=MySQL Community Server 
12:49:27   [ 10.201.3.197]  +After=network.target 
12:49:27   [ 10.201.3.197]  +After=syslog.target 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +[Install] 
12:49:27   [ 10.201.3.197]  +WantedBy=multi-user.target 
12:49:27   [ 10.201.3.197]  +Alias=mysql.service 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +[Service] 
12:49:27   [ 10.201.3.197]  +User=mysql 
12:49:27   [ 10.201.3.197]  +Group=mysql 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Execute pre and post scripts as root 
12:49:27   [ 10.201.3.197]  +PermissionsStartOnly=true 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Needed to create system tables etc. 
12:49:27   [ 10.201.3.197]  +ExecStartPre=/usr/bin/mysql-systemd-start pre 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Start main service 
12:49:27   [ 10.201.3.197]  +ExecStart=/usr/bin/mysqld_safe 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Don't signal startup success before a ping works 
12:49:27   [ 10.201.3.197]  +ExecStartPost=/usr/bin/mysql-systemd-start post 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# Give up if ping don't get an answer 
12:49:27   [ 10.201.3.197]  +TimeoutSec=600 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +Restart=always 
12:49:27   [ 10.201.3.197]  +PrivateTmp=false 
12:49:27   [ 10.201.3.197]  + 
12:49:27   [ 10.201.3.197]  +# allow more open files 
12:49:27   [ 10.201.3.197]  +LimitNOFILE=5000 
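Review bot: the header comment in this hunk (`+# Note: this file (/usr/lib/systemd/system/mysql.service)` through `+# to make needed changes.`) is copied from the package unit and is wrong for this template, which chef renders to /etc/systemd/system/mysqld.service where a package upgrade does not touch it; reword it to say so or drop it. `+After=syslog.target` names an obsolete systemd target and can be removed.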
12:49:27   [ 10.201.3.197]  - change mode from '' to '0644' 
12:49:27   [ 10.201.3.197]  - change owner from '' to 'root' 
12:49:27   [ 10.201.3.197]  - change group from '' to 'root' 
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * directory[/data/var/lib/] action create 
12:49:27   [ 10.201.3.197]  - create new directory /data/var/lib/ 
12:49:27   [ 10.201.3.197]  - change mode from '' to '0755' 
12:49:27   [ 10.201.3.197]  - change owner from '' to 'root' 
12:49:27   [ 10.201.3.197]  - change group from '' to 'root' 
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * directory[/data/var/lib/mysql] action create 
12:49:27   [ 10.201.3.197]  - create new directory /data/var/lib/mysql 
12:49:27   [ 10.201.3.197]  - change mode from '' to '0755' 
12:49:27   [ 10.201.3.197]  - change owner from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - change group from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * directory[/data/var/lib/mysql/bin_logs] action create 
12:49:27   [ 10.201.3.197]  - create new directory /data/var/lib/mysql/bin_logs 
12:49:27   [ 10.201.3.197]  - change mode from '' to '0755' 
12:49:27   [ 10.201.3.197]  - change owner from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - change group from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * directory[/data/var/lib/mysql/relay_logs] action create 
12:49:27   [ 10.201.3.197]  - create new directory /data/var/lib/mysql/relay_logs 
12:49:27   [ 10.201.3.197]  - change mode from '' to '0755' 
12:49:27   [ 10.201.3.197]  - change owner from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - change group from '' to 'mysql' 
12:49:27   [ 10.201.3.197]  - restore selinux security context 
12:49:27   [ 10.201.3.197] * selinux_policy_fcontext[/data/var/lib/mysql(/.*)?] action addormodify 
12:49:29   [ 10.201.3.197]  * execute[selinux-fcontext-mysqld_db_t-add] action run 
12:49:29   [ 10.201.3.197]  - execute /usr/sbin/semanage fcontext -a -t mysqld_db_t '/data/var/lib/mysql(/.*)?' 
12:49:29   [ 10.201.3.197] 
12:49:29   [ 10.201.3.197] * execute[selinux-fcontext-mysqld_db_t-modify] action run/data/var/lib/mysql(/.*)?       all files   system_u:object_r:mysqld_db_t:s0 
12:49:30   [ 10.201.3.197] /data/var/lib/mysql(/.*)?       all files   system_u:object_r:mysqld_db_t:s0 
12:49:30   [ 10.201.3.197] (skipped due to not_if) 
12:49:30   [ 10.201.3.197] 
12:49:30   [ 10.201.3.197] 
12:49:30   [ 10.201.3.197] * directory[/var/log/mysql] action create 
12:49:30   [ 10.201.3.197] - create new directory /var/log/mysql 
12:49:30   [ 10.201.3.197] - change mode from '' to '0755' 
12:49:30   [ 10.201.3.197] - change owner from '' to 'mysql' 
12:49:30   [ 10.201.3.197] - change group from '' to 'mysql' 
12:49:30   [ 10.201.3.197] - restore selinux security context 
12:49:30   [ 10.201.3.197] * template[/etc/logrotate.d/mysql] action create 
12:49:30   [ 10.201.3.197] - update content in file /etc/logrotate.d/mysql from 7beb57 to 5a22fd 
12:49:30   [ 10.201.3.197] --- /etc/logrotate.d/mysql 2016-11-28 18:13:43.000000000 -0500 
12:49:30   [ 10.201.3.197] +++ /etc/logrotate.d/.chef-mysql20170822-2540-hkv8l8 2017-08-22 12:49:30.160547978 -0400 
12:49:30   [ 10.201.3.197] @@ -4,35 +4,55 @@ 
12:49:30   [ 10.201.3.197] # follows: 
12:49:30   [ 10.201.3.197] # 
12:49:30   [ 10.201.3.197] # [mysqld] 
12:49:30   [ 10.201.3.197] -# log-error=/var/lib/mysql/mysqld.log 
12:49:30   [ 10.201.3.197] +# log-error=/var/log/mysql/mysqld.log 
12:49:30   [ 10.201.3.197] # 
12:49:30   [ 10.201.3.197] # In case the root user has a password, then you 
12:49:30   [ 10.201.3.197] # have to create a /root/.my.cnf configuration file 
12:49:30   [ 10.201.3.197] # with the following content: 
12:49:30   [ 10.201.3.197] # 
12:49:30   [ 10.201.3.197] # [mysqladmin] 
12:49:30   [ 10.201.3.197] -# password = <secret> 
12:49:30   [ 10.201.3.197] +# password = <secret> 
12:49:30   [ 10.201.3.197] # user= root 
12:49:30   [ 10.201.3.197] # 
12:49:30   [ 10.201.3.197] -# where "<secret>" is the password. 
12:49:30   [ 10.201.3.197] +# where "<secret>" is the password. 
12:49:30   [ 10.201.3.197] # 
12:49:30   [ 10.201.3.197] # ATTENTION: The /root/.my.cnf file should be readable 
12:49:30   [ 10.201.3.197] # _ONLY_ by root ! 
12:49:30   [ 10.201.3.197]  
12:49:30   [ 10.201.3.197] -/var/lib/mysql/mysqld.log { 
12:49:30   [ 10.201.3.197] +/var/log/mysql/mysqld.log { 
12:49:30   [ 10.201.3.197]   # create 600 mysql mysql 
12:49:30   [ 10.201.3.197]   notifempty 
12:49:30   [ 10.201.3.197]   daily 
12:49:30   [ 10.201.3.197] -  rotate 5 
12:49:30   [ 10.201.3.197] +  rotate 30 
12:49:30   [ 10.201.3.197]   missingok 
12:49:30   [ 10.201.3.197]   compress 
12:49:30   [ 10.201.3.197] +  delaycompress 
12:49:30   [ 10.201.3.197]  postrotate 
12:49:30   [ 10.201.3.197] - # just if mysqld is really running 
12:49:30   [ 10.201.3.197] - if test -x /usr/bin/mysqladmin && \ 
12:49:30   [ 10.201.3.197] -  /usr/bin/mysqladmin ping &>/dev/null 
12:49:30   [ 10.201.3.197] - then 
12:49:30   [ 10.201.3.197] -  /usr/bin/mysqladmin flush-logs 
12:49:30   [ 10.201.3.197] - fi 
12:49:30   [ 10.201.3.197] +  # just if mysqld is really running 
12:49:30   [ 10.201.3.197] +  if test -x /usr/bin/mysqladmin && \ 
12:49:30   [ 10.201.3.197] +   /usr/bin/mysqladmin ping &>/dev/null 
12:49:30   [ 10.201.3.197] +  then 
12:49:30   [ 10.201.3.197] +   /usr/bin/mysqladmin flush-logs 
12:49:30   [ 10.201.3.197] +  fi 
12:49:30   [ 10.201.3.197] + endscript 
12:49:30   [ 10.201.3.197] +} 
12:49:30   [ 10.201.3.197] + 
12:49:30   [ 10.201.3.197] +/var/log/mysql/slow_query.log { 
12:49:30   [ 10.201.3.197] + compress 
12:49:30   [ 10.201.3.197] + delaycompress 
12:49:30   [ 10.201.3.197] + create 660 mysql mysql 
12:49:30   [ 10.201.3.197] + daily 
12:49:30   [ 10.201.3.197] + rotate 30 
12:49:30   [ 10.201.3.197] + dateext 
12:49:30   [ 10.201.3.197] + missingok 
12:49:30   [ 10.201.3.197] + sharedscripts 
12:49:30   [ 10.201.3.197] + postrotate 
12:49:30   [ 10.201.3.197] +  # just if mysqld is really running 
12:49:30   [ 10.201.3.197] +  if test -x /usr/bin/mysqladmin && \ 
12:49:30   [ 10.201.3.197] +   /usr/bin/mysqladmin ping &>/dev/null 
12:49:30   [ 10.201.3.197] +  then 
12:49:30   [ 10.201.3.197] +   /usr/bin/mysqladmin flush-logs 
12:49:30   [ 10.201.3.197] +  fi 
12:49:30   [ 10.201.3.197]  endscript 
12:49:30   [ 10.201.3.197] } 
12:49:30   [ 10.201.3.197] - restore selinux security context 
12:49:30   [ 10.201.3.197] * service[mysqld] action enable (up to date) 
12:56:24   Result: 2147483647 
12:56:25   Failed: NonZeroResultCode: Result code was 2147483647 
12:56:25   Execution failed: 4229: [Workflow result: , step failures: {4=JobFailed: Job [ops/Chef Tasks/Bootstrap Environment] failed}, flow control: Continue, status: failed] 

Update 2: selinux_policy 0.9.6

# Run restorecon to fix label
action :relabel do
    execute "selinux-fcontext-relabel-#{new_resource.secontext}" do
        command restorecon(new_resource.file_spec)
        not_if "test -z \"$(#{restorecon(new_resource.file_spec)} -vn)\""
    end
end

# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
    escaped_file_spec = Regexp.escape(new_resource.file_spec)
    execute "selinux-fcontext-#{new_resource.secontext}-add" do
        command "/usr/sbin/semanage fcontext -a -t #{new_resource.secontext} '#{new_resource.file_spec}'"
        not_if fcontext_defined(new_resource.file_spec)
        only_if { use_selinux }
        # no timer given, so Chef queues the relabel as :delayed (end of the run)
        notifies :relabel, new_resource
    end
end

# Delete if exists
action :delete do
    escaped_file_spec = Regexp.escape(new_resource.file_spec)
    execute "selinux-fcontext-#{new_resource.secontext}-delete" do
        command "/usr/sbin/semanage fcontext -d '#{new_resource.file_spec}'"
        only_if fcontext_defined(new_resource.file_spec, new_resource.secontext)
        only_if { use_selinux }
        notifies :relabel, new_resource
    end
end

action :modify do
    execute "selinux-fcontext-#{new_resource.secontext}-modify" do
        command "/usr/sbin/semanage fcontext -m -t #{new_resource.secontext} '#{new_resource.file_spec}'"
        only_if { use_selinux }
        only_if fcontext_defined(new_resource.file_spec)
        not_if fcontext_defined(new_resource.file_spec, new_resource.secontext)
        notifies :relabel, new_resource
    end
end

action :addormodify do 
    run_action(:add) 
    run_action(:modify) 
end 
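
As an added check, not part of the original question or of the selinux_policy cookbook, this Ruby script reads the two kinds of audit.log record shown above (the semanage USER_MAC_CONFIG_CHANGE record and the AVC denial) and reports denied files whose label type differs from the rule that was registered, together with the restorecon command that would fix them. The sample records and the datadir path come from the question; the assumption that the denied file lives under the datadir is the script's own.

```ruby
# Added example, not code from the question or the selinux_policy cookbook:
# read the USER_MAC_CONFIG_CHANGE records semanage writes when it registers an
# fcontext rule and the AVC denials, then report denied files whose on-disk
# label type differs from the registered rule, with the restorecon fix.

# Constructed sample: the two records from the question as one log excerpt.
SAMPLE_AUDIT_LOG = <<~LOG
  type=USER_MAC_CONFIG_CHANGE msg=audit(1503420569.572:176): pid=8302 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob="/data/var/lib/mysql(/.*)?" ftype=any tcontext=system_u:object_r:mysqld_db_t:s0 comm="semanage" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success'
  type=AVC msg=audit(1503420585.113:205): avc:  denied  { read write } for  pid=9001 comm="mysqld" name="bin_logs.index" dev="xvdb" ino=22544533 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
LOG

AvcDenial = Struct.new(:pid, :comm, :name, :perms, :scontext, :tcontext, :tclass)

# Split an audit record into its key=value fields (values may be quoted).
def audit_fields(line)
  line.scan(/(\w+)=("[^"]*"|\S+)/).map { |k, v| [k, v.delete(%q("'))] }.to_h
end

# The SELinux type is the third colon-separated part of a context string.
def context_type(ctx)
  ctx.split(':')[2]
end

# Rules semanage registered successfully: regex => type.
def fcontext_rules(log)
  log.each_line.each_with_object({}) do |line, rules|
    next unless line.start_with?('type=USER_MAC_CONFIG_CHANGE') && line.include?('resrc=fcontext')
    f = audit_fields(line)
    next unless f['op'] == 'add' && f['res'] == 'success' && f['tglob']
    rules[f['tglob']] = context_type(f['tcontext'])
  end
end

# Parse one AVC denial into a struct; nil for any other record.
def parse_avc(line)
  return nil unless line.start_with?('type=AVC') && line.include?('denied')
  f = audit_fields(line)
  perms = line[/\{\s*([^}]*?)\s*\}/, 1].to_s.split
  AvcDenial.new(f['pid'].to_i, f['comm'], f['name'], perms,
                f['scontext'], f['tcontext'], f['tclass'])
end

# Type the registered rules assign to a full path (nil when none matches).
# semanage matches its regex against the whole path, so anchor it the same way.
def expected_type(path, rules)
  rule = rules.find { |re, _| Regexp.new("\\A#{re}\\z").match?(path) }
  rule && rule.last
end

# Denials on files whose actual label type is not the one the rules assign.
# An AVC record carries only the basename, so the caller names the directory
# the object lives under (assumed here: the datadir from my.cnf); the rule in
# the sample covers that whole subtree, and the fix is a recursive relabel.
def label_mismatches(log, under_dir)
  rules = fcontext_rules(log)
  log.each_line.map do |line|
    avc = parse_avc(line)
    next unless avc && avc.tclass == 'file'
    actual = context_type(avc.tcontext)
    want = expected_type(File.join(under_dir, avc.name), rules)
    next if want.nil? || want == actual
    { file: avc.name, process: avc.comm, denied: avc.perms,
      actual: actual, expected: want, fix: "restorecon -Rv #{under_dir}" }
  end.compact
end

# Usage: prints the one mismatch from the sample (default_t vs mysqld_db_t).
p label_mismatches(SAMPLE_AUDIT_LOG, '/data/var/lib/mysql') if __FILE__ == $PROGRAM_NAME
```
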
+0

Can you include the 'chef-client' log output so we can see whether the ':relabel' action ran correctly or not? – coderanger

+0

There is definitely something weird going on with the relabel. I would want to dig into that code and cross-reference it with the command output you are seeing. You can see the execute skipped due to not_if, which means the relabel will not happen either. There is also some weird stuff in the output that looks like it comes from an SELinux policy command. – coderanger

+0

@coderanger the not_if is because I use the addormodify action; since add added it, modify skips it –

Answer

1

If you compare the latest code for the cookbook to what you have there, you can see that the relabel trigger was changed from delayed (the default) to immediate. With the delayed timing, it would happen at the end of the run, i.e. after the service has already tried to start. If you take the new code, you should be happier.

+0

I have crazy constraints with upstream cookbooks; I need to figure out how to update the selinux_policy cookbook. Thanks for looking at this. I really appreciate it. –

+0

You could also rewrite part of your code to put the service start in a delayed notification, but that may be more trouble than it is worth. – coderanger

+0

I tried that; the upstream mysql cookbook tries to restart the service even if I use a delayed notification, so it is time to update the upstream mysql cookbook too. –