On why the nginx startup script needs root privileges


    December 4, 2021 09:58:25

    Today, while going through production security issues, I found that adding User and Group to

    /etc/systemd/system/nginx.service

    makes nginx fail at startup with this error:

    the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/nginx/nginx.conf:1
    [Unit]
    Description=nginx
    After=network.target
     
    [Service]
    Type=forking
    ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/usr/local/nginx/sbin/nginx -s quit
    PrivateTmp=true
    
    User=www
    Group=www
    
    [Install]
    WantedBy=multi-user.target

    In nginx.conf, the lines

    user  www;
    worker_processes  1;

    actually set the user for nginx's worker processes to www, not for the master process, as the process list shows:

    root     37796     1  0 09:50 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
    www      37797 37796  0 09:50 ?        00:00:00 nginx: worker process
    root     38546 38413  0 10:09 pts/1    00:00:00 grep --color=auto nginx

    By default on Linux, only the root user may bind ports below 1024, and nginx normally uses ports 80 and 443; that is the cause of the error.

    Even if you set your www user in nginx.service, startup will still fail, because the master process can then no longer bind ports 80 and 443.

    You only need to comment out

    #User=www
    #Group=www

    and it works. For other services you can basically just add these lines, e.g. php-fpm and Elasticsearch.

    Note: after modifying the .service file you need to run systemctl daemon-reload.
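    As an added example (not part of the original post), here is a small POSIX shell check that applies the reasoning above: it reads the User= line of a unit and the listen ports in nginx.conf, and reports when a non-root User= would leave the master process unable to bind a port below 1024. The unit and nginx.conf fragments are constructed samples and the function names are my own.

```shell
# Added example, not from the original post: flag a systemd unit whose
# non-root User= cannot bind the privileged ports its nginx.conf listens on.

# Constructed unit, modelled on the post's nginx.service with User=www set
UNIT_SAMPLE='[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
User=www
Group=www'
# The same unit with both lines commented out, as the post recommends
UNIT_FIXED=$(printf '%s\n' "$UNIT_SAMPLE" | sed -e 's/^User=/#&/' -e 's/^Group=/#&/')

# Constructed nginx.conf fragment: worker user plus one listen directive per line
CONF_SAMPLE='user  www;
worker_processes  1;
http {
    server {
        listen 80;
        listen 443 ssl;
        listen 127.0.0.1:8080;
    }
}'

# Print the User= value of a unit, or nothing when it is unset or commented out
unit_user() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*User[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Print the port of every listen directive (address:port forms included)
listen_ports() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*listen[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' |
        awk '{ n = split($1, a, ":"); print a[n] }'
}

# Return 0 when the unit can bind its ports; return 1 and print the offending
# ports when a non-root User= is combined with a port below 1024
check_unit() {
    user=$(unit_user "$1")
    [ -z "$user" ] || [ "$user" = "root" ] && return 0
    bad=""
    for p in $(listen_ports "$2"); do
        [ "$p" -lt 1024 ] && bad="$bad $p"
    done
    [ -z "$bad" ] && return 0
    printf 'User=%s cannot bind privileged port(s):%s\n' "$user" "$bad"
    return 1
}

check_unit "$UNIT_SAMPLE" "$CONF_SAMPLE" || echo "-> comment out User=/Group= so the master stays root"
```

    Pass the output of cat on a real unit and nginx.conf to check_unit to run the same check against a live box.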

    Elasticsearch startup script

    [Service]
    Type=notify
    RuntimeDirectory=elasticsearch
    PrivateTmp=true
    Environment=ES_HOME=/usr/share/elasticsearch
    Environment=ES_PATH_CONF=/etc/elasticsearch
    Environment=PID_DIR=/var/run/elasticsearch
    Environment=ES_SD_NOTIFY=true
    EnvironmentFile=-/etc/sysconfig/elasticsearch
    
    WorkingDirectory=/usr/share/elasticsearch
    
    User=elasticsearch
    Group=elasticsearch
    
    ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet
    # StandardOutput is configured to redirect to journalctl since
    # some error messages may be logged in standard output before
    # elasticsearch logging system is initialized. Elasticsearch
    # stores its logs in /var/log/elasticsearch and does not use
    # journalctl by default. If you also want to enable journalctl
    # logging, you can simply remove the "quiet" option from ExecStart.
    StandardOutput=journal
    StandardError=inherit
    
    # Specifies the maximum file descriptor number that can be opened by this process
    LimitNOFILE=65535
    
    # Specifies the maximum number of processes
    LimitNPROC=4096
    
    # Specifies the maximum size of virtual memory
    LimitAS=infinity
    
    # Specifies the maximum file size
    LimitFSIZE=infinity
    
    # Disable timeout logic and wait until process is stopped
    TimeoutStopSec=0
    
    # SIGTERM signal is used to stop the Java process
    KillSignal=SIGTERM
    
    # Send the signal only to the JVM rather than its control group
    KillMode=process
    
    # Java process is never killed
    SendSIGKILL=no
    
    # When a JVM receives a SIGTERM signal it exits with code 143
    SuccessExitStatus=143
    
    # Allow a slow startup before the systemd notifier module kicks in to extend the timeout
    TimeoutStartSec=75
    
    [Install]
    WantedBy=multi-user.target

    php-fpm startup script

    [Unit]
    Description=php8-fpm
    After=syslog.target network.target
    
    [Service]
    Type=simple
    PIDFile=/usr/local/php8/php-fpm.pid
    ExecStart=/usr/local/php8/sbin/php-fpm -c /usr/local/php8/etc/php.ini -y /usr/local/php8/etc/php-fpm.conf
    ExecReload=/bin/kill -USR2 $MAINPID
    ExecStop=/bin/kill -SIGINT $MAINPID
    User=www
    Group=www
    
    [Install]
    WantedBy=multi-user.target

    Other solutions

    Method one:
    
    Any user can run it (because the permissions are 755, owner root, group root)
    
    chown root.root ./nginx/
    chmod 755 ./nginx/
    chmod u+s ./nginx/
    
    Method two:
    
    Only root and the wyq user can run it (because the permissions are 750, owner root, group www)
    
    chown root.www ./nginx/
    chmod 750 ./nginx/
    chmod u+s ./nginx/
    Original article: https://www.cnblogs.com/zx-admin/p/15641094.html