On why the nginx startup script needs root privileges


2021-12-04 09:58:25

 

While going through production security issues today, I found that after adding User and Group to

/etc/systemd/system/nginx.service

the service fails to start with the following error:

the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/nginx/nginx.conf:1

 

[Unit]
Description=nginx
After=network.target
 
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true

User=www
Group=www

[Install]
WantedBy=multi-user.target

In nginx.conf, the directive

user  www;
worker_processes  1;

actually sets the user for the nginx worker processes to www, not for the master process:

root     37796     1  0 09:50 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
www      37797 37796  0 09:50 ?        00:00:00 nginx: worker process
root     38546 38413  0 10:09 pts/1    00:00:00 grep --color=auto nginx
The cause is that, by default, Linux only allows root to bind ports below 1024, and nginx normally listens on ports 80 and 443.

So even if you specify your www user in nginx.service, startup still fails, because the master process can no longer bind ports 80 and 443.

You only need to comment out

#User=www
#Group=www

and it works. For other services you can generally add User/Group directly, for example php-fpm and es (Elasticsearch).

Note: after editing a .service file you must run systemctl daemon-reload
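As an added example (not from this post), the check below reads the [Service] section of a unit file and reports whether its main process can bind ports below 1024. It also carries a constructed alternative unit that keeps User=www and instead grants only CAP_NET_BIND_SERVICE; that variant assumes the www user can write nginx's pid file and log directory, and the "user" directive warning from nginx.conf still appears but is harmless.

```python
import configparser

# Constructed sample: the unit from the post with User/Group set and no capabilities,
# so the nginx master runs as www and cannot bind 80/443.
UNIT_AS_POSTED = """\
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
User=www
Group=www
"""

# Constructed alternative: keep User=www but grant just the capability needed to
# bind privileged ports. Assumes www owns the pid file and log directory.
UNIT_WITH_CAPABILITY = """\
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
User=www
Group=www
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
"""


def service_section(unit_text):
    """Return the [Service] section of a unit file as a dict, keys kept case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # systemd keys are case-sensitive: "User", not "user"
    parser.read_string(unit_text)
    return dict(parser["Service"]) if parser.has_section("Service") else {}


def can_bind_privileged_port(unit_text):
    """True if the unit's main process may bind a port below 1024.

    With no User= (or User=root) systemd runs it as root, which always can.
    Any other user needs CAP_NET_BIND_SERVICE in AmbientCapabilities.
    (A setuid root binary would also work but is not modelled here.)
    """
    svc = service_section(unit_text)
    if svc.get("User", "root") in ("root", "0"):
        return True
    ambient = svc.get("AmbientCapabilities", "").upper().split()
    return "CAP_NET_BIND_SERVICE" in ambient


def describe(unit_text):
    """Human-readable verdict for an operator, including the suggested fix."""
    user = service_section(unit_text).get("User", "root")
    if can_bind_privileged_port(unit_text):
        return f"main process runs as {user} and can bind 80/443"
    return f"main process runs as {user} and cannot bind 80/443; add AmbientCapabilities=CAP_NET_BIND_SERVICE"
```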

Elasticsearch (es) startup script:

[Service]
Type=notify
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/elasticsearch

WorkingDirectory=/usr/share/elasticsearch

User=elasticsearch
Group=elasticsearch

ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75

[Install]
WantedBy=multi-user.target

php-fpm startup script:

[Unit]
Description=php8-fpm
After=syslog.target network.target

[Service]
Type=simple
PIDFile=/usr/local/php8/php-fpm.pid
ExecStart=/usr/local/php8/sbin/php-fpm -c /usr/local/php8/etc/php.ini -y /usr/local/php8/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill -SIGINT $MAINPID
User=www
Group=www

[Install]
WantedBy=multi-user.target

 

Other solutions

Method 1:

Any user can run it (permissions 755, file owner root, group owner root):

chown root:root ./nginx/
chmod 755 ./nginx/
chmod u+s ./nginx/

Method 2:

Only the root user and the wyq user can run it (permissions 750, file owner root, group owner www):

chown root:www ./nginx/
chmod 750 ./nginx/
chmod u+s ./nginx/

 

