I have a docker image that runs fine on Debian jessie (with kernel 3.16), and when I moved that image to an Ubuntu host (kernel 3.13), postgresql failed to come up. I've narrowed it down to a difference in behaviour when accessing a certain file, and my only explanation for it is the difference in host kernel. I'd like to know if anyone has confirmed this to be the problem, or has ideas on a possible different root cause for it.
The following sequence of commands shows the problem. First on the 'good' host:
root@lava-docker:/etc# ls -l /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1708 Oct 20 19:31 /etc/ssl/private/ssl-cert-snakeoil.key
root@lava-docker:/etc# su - postgres
postgres@lava-docker:~$ ls -l /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1708 Oct 20 19:31 /etc/ssl/private/ssl-cert-snakeoil.key
postgres@lava-docker:~$ ls -ld /etc/ssl/private
drwx--x--- 2 root ssl-cert 4096 Oct 20 19:31 /etc/ssl/private
postgres@lava-docker:~$ id
uid=110(postgres) gid=115(postgres) groups=115(postgres),114(ssl-cert)
Now the same sequence on the 'bad' host:
root@lava-docker:/# ls -l /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1708 Oct 20 19:31 /etc/ssl/private/ssl-cert-snakeoil.key
root@lava-docker:/# su - postgres
postgres@lava-docker:~$ ls -l /etc/ssl/private/ssl-cert-snakeoil.key
ls: cannot access /etc/ssl/private/ssl-cert-snakeoil.key: Permission denied
postgres@lava-docker:~$ ls -ld /etc/ssl/private
drwx--x--- 2 root ssl-cert 4096 Oct 20 19:31 /etc/ssl/private
postgres@lava-docker:~$ id
uid=110(postgres) gid=115(postgres) groups=115(postgres),114(ssl-cert)
As can be seen, even though the file and directory permissions are identical, as is the user configuration (same docker image after all), on one host the postgres user can see it, but on the other it cannot.
This directory is not mounted with the volume option; it is under aufs control.
This might be the aufs issue where the permissions in one Docker layer can't be made less restrictive than those in a lower layer.
https://github.com/moby/moby/issues/1295#issuecomment-269058662
The solution seems to be to not use aufs. Use overlay2 instead.
Alternatively it seems if you have Docker 17.09 or later you can use the --chown flag on ADD/COPY. https://stackoverflow.com/a/44766666/127670
In uWSGI, if I change my socket location to /tmp/api, the website renders. However, if I change the socket address to /srv/www/api/, I get a 502 gateway error.
I believe this is due to a permissions issue regarding the /srv folder and the Nginx/uWSGI users.
In /var/log/nginx/error.log:
*1 connect() to unix:///srv/www/api/app.sock failed (2: No such file or directory) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: api.example.com, request: "GET / HTTP/2.0", upstream: "uwsgi://unix:///srv/www/api/app.sock:", host: "api.example.com"
The Flask project code is located in /srv/www/api. I am logged in as the user username.
Permissions:
$ ll -ld /srv/www/api/
drwxrwxr-x 4 www-data www-data 4096 Jun 28 20:52 /srv/www/api/
$ ll -ld /srv/www
drwxrwxr-x 4 username www-data 4096 Jun 27 21:41 /srv/www
$ ll -ld /srv
drwxrwxr-x 4 username username 4096 Jun 27 21:37 /srv
$ ll -ld /tmp
drwxrwxrwt 9 root root 4096 Jun 28 23:05 /tmp
User groups:
$ groups username
username : username sudo dev
$ groups www-data
www-data : www-data dev
$ grep 'dev' /etc/group
dev:x:1001:username,www-data
I have several users setup to be in the dev group. The goal is so that users in the group would be able to read and write to /srv without also being in the root group (is this a bad practice?).
/srv/www/api/app.ini:
[uwsgi]
module = wsgi:app
master = true
processes = 5
socket = /tmp/app.sock
chmod-socket = 660
vacuum = true
die-on-term = true
/etc/nginx/sites/sites-available/api.example.com (location section):
location / {
include uwsgi_params;
uwsgi_pass unix:/tmp/app.sock;
}
Is there a way to fix my permissions setup so that:
The socket would be able to be created in that folder
Users in the dev group without sudo would also be able to read and write the /srv folder and subdirectories
I figured this out. I ended up setting the owners for my folder to:
chown -R username:www-data /srv/www/api
I also made sure to restart the systemctl service after each change. I don't remember doing that earlier so that was very likely the reason why nothing was working even after all the changes made. I only restarted Nginx and not the service itself -- the one responsible for creating the sockets.
To restart the systemctl service:
sudo systemctl restart <service_name>
How to fix this error?
psql: error: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
We use Docker, Postgres12, Wercker.
When we run this command in Wercker, we can't create a database.
But we can create it in my local Ubuntu environment.
sudo docker exec docker_postgres_1 psql -U postgres -c 'create database postgres_dev'
First, you need to make sure the socket file is located at /var/run/postgresql/.s.PGSQL.5432. To check that:
$ ls -l /var/run/postgresql/.s.PGSQL.5432
If the result shows something, then the problem is something else. But if the file is not there, you need to check the /tmp dir (especially for OSX Homebrew users):
$ cd /tmp
$ ls -lah
total 16
drwxrwxrwt 7 root wheel 224B Mar 11 08:03 .
drwxr-xr-x 6 root wheel 192B Jan 23 18:35 ..
-rw-r--r-- 1 root wheel 65B Nov 7 22:59 .BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F
srwxrwxrwx 1 shiva wheel 0B Mar 11 08:03 .s.PGSQL.5432
-rw------- 1 shiva wheel 57B Mar 11 08:03 .s.PGSQL.5432.lock
drwx------ 3 shiva wheel 96B Mar 10 17:11 com.apple.launchd.C1tUB2MvF8
drwxr-xr-x 2 root wheel 64B Mar 10 17:10 powerlog
Now, there are two ways you can solve the error.
Solution One
You can change the application configuration to look for the socket at /tmp/.s.PGSQL.5432
For Rails users:
# config/database.yml
default: &default
adapter: postgresql
pool: 5
# port:
timeout: 5000
encoding: utf8
# min_messages: warning
socket: /tmp/.s.PGSQL.5432
Solution Two
You can create a symlink at the expected location:
$ sudo mkdir /var/pgsql_socket
$ sudo ln -s /tmp/.s.PGSQL.5432 /var/pgsql_socket/
Then the error should go away.
Hope this helps.
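As an added check (not part of the answer above, and not project code): `cat` on a Unix socket tells you little, because a socket is not a regular file. The script below classifies each candidate path the way psql would hit it: missing (the "No such file or directory" case in both psql questions on this page), present but not a socket, a leftover socket file with no server behind it, or a live listener; it also distinguishes a permission problem on the socket itself, since connect() needs write access to it. The candidate directories are the three named on this page; the scenario in `demo()` is constructed in a temp directory so it runs offline.

```python
"""Classify PostgreSQL Unix-socket candidates. Added example; demo() is constructed."""
import os
import shutil
import socket
import stat
import tempfile

# The three directories this page mentions as possible socket locations.
PG_SOCKET_DIRS = ['/var/run/postgresql', '/tmp', '/var/pgsql_socket']


def socket_status(path):
    """Return one of: missing, not-a-socket, stale, listening, permission-denied."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return 'missing'                 # psql: "No such file or directory"
    if not stat.S_ISSOCK(st.st_mode):
        return 'not-a-socket'            # something else sits at that path
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.connect(path)
        return 'listening'               # a server accepted the connection
    except ConnectionRefusedError:
        return 'stale'                   # socket file left behind, nobody listening
    except PermissionError:
        return 'permission-denied'       # connect() needs write permission on the socket
    except OSError as exc:
        return 'error: %s' % exc.strerror
    finally:
        client.close()


def find_pg_sockets(port=5432, dirs=PG_SOCKET_DIRS):
    """Status of .s.PGSQL.<port> in every candidate directory."""
    name = '.s.PGSQL.%d' % port
    return {d: socket_status(os.path.join(d, name)) for d in dirs}


def demo():
    """Constructed scenario: walk one path through the states it can be in."""
    base = tempfile.mkdtemp(prefix='pgsock')
    result = {}
    try:
        path = os.path.join(base, '.s.PGSQL.5432')
        result['missing'] = socket_status(path)
        with open(path, 'w') as fh:              # a regular file at the socket path
            fh.write('not a socket\n')
        result['regular-file'] = socket_status(path)
        os.unlink(path)
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)                        # bound but not listening: ECONNREFUSED
        result['bound-only'] = socket_status(path)
        server.listen(1)
        result['listening'] = socket_status(path)
        server.close()
    finally:
        shutil.rmtree(base)
    return result


if __name__ == '__main__':
    for directory, state in find_pg_sockets().items():
        print('%-22s %s' % (directory, state))
```

Run it on the affected host and point the client (psql -h /tmp, or the Rails `socket:` key above) at the directory reported as `listening`; a `stale` result means the server is down or restarted elsewhere, not that the client is misconfigured.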
Previously working Dovecot / Postfix / DKIM setup with multiple domains working correctly for months.
I attempted to add a new domain name, retracing what I did for the original ones. Once I got past most issues, with all config files, keys, text records etc. working, I could receive email with no problems, but not send email on the new email/domain.
Received the following error:
Mar 23 02:48:49 MainFrame-2017 opendkim[4225]: can't load key from /etc/opendkim/keys/zaehlas.com/mail.private: Permission denied
Mar 23 02:48:49 MainFrame-2017 opendkim[4225]: DF0CF5C4CC0: error loading key 'mail._domainkey.zaehlas.com'
Installed with following versions:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
root@MainFrame-2017:/etc/opendkim/keys/zaehlas.com# dpkg -s opendkim | grep '^Version:'
Version: 2.10.3-3build1
root@MainFrame-2017:/etc/opendkim/keys/zaehlas.com# dpkg -s postfix | grep '^Version:'
Version: 3.1.0-3ubuntu0.3
I checked permissions and config files. It was working perfectly for 4 domains, but not for the last one. Finally I reset all permissions as recommended in the (MANY) guides I could find, rebooted the entire server, restarted services multiple times, and now none of my domains will send email using DKIM.
My opendkim.conf (with comments and white space removed)
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
Permissions in opendkim and keyfiles
root@MainFrame-2017:/etc/opendkim# ls -l
total 16
drw------- 9 opendkim opendkim 4096 Mar 23 00:31 keys
-rw-r--r-- 1 opendkim opendkim 772 Mar 23 02:10 KeyTable
-rw-r--r-- 1 opendkim opendkim 394 Mar 23 00:28 SigningTable
-rw-r--r-- 1 opendkim opendkim 286 Mar 23 02:42 TrustedHosts
root@MainFrame-2017:/etc/opendkim# namei -l /etc/opendkim/keys/zaehlas.com/mail.private
f: /etc/opendkim/keys/zaehlas.com/mail.private
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x opendkim opendkim opendkim
drw------- opendkim opendkim keys
drw------- opendkim opendkim zaehlas.com
-rw------- opendkim opendkim mail.private
KeyTable File:
mail._domainkey.zaehlas.com zaehlas.com:mail:/etc/opendkim/keys/zaehlas.com/mail.private
mail._domainkey.bglancesglass.com bglancesglass.com:mail:/etc/opendkim/keys/bglancesglass.com/mail.private
mail._domainkey.millenniumlarp.com millenniumlarp.com:mail:/etc/opendkim/keys/millenniumlarp.com/mail.private
mail._domainkey.pittsburghglassclub.com pittsburghglassclub.com:mail:/etc/opendkim/keys/pittsburghglassclub.com/mail.private
mail._domainkey.pittsburghglassclub.org pittsburghglassclub.org:mail:/etc/opendkim/keys/pittsburghglassclub.org/mail.private
mail._domainkey.chataboutdg.com chataboutdg.com:mail:/etc/opendkim/keys/chataboutdg.com/mail.private
mail._domainkey.lostvalleylegacy.com lostvalleylegacy.com:mail/etc/opendkim/keys/lostvalleylegacy.com/mail.private
And DKIM Test works:
root@MainFrame-2017:/etc/opendkim# opendkim-testkey -d zaehlas.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.zaehlas.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
I've run completely dry of ideas. It worked, and now it doesn't, and nothing critical has changed. I've tried several different permissions and verified opendkim is using the correct group and username.
Thank you ahead of time for pointing out something I've missed, or mentioning something to check that none of the other guides mention.
I had the same problem and fixed it by making the keys and config files (KeyTable, SigningTable etc) executable.
sudo chmod -R ug+x /etc/opendkim
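An added example, not the answerer's code, to show what `chmod -R ug+x` actually changes compared with the minimal repair. The `namei` output in the question shows `drw-------` on `keys` and `keys/zaehlas.com`: a directory without the search (x) bit cannot be traversed even by its owner, which is exactly the "Permission denied" opendkim logged. Only the directories need x; the key file only needs to be readable by opendkim, and a private key gains nothing from being executable. `chmod_recursive` applies the change in preorder, as `chmod -R` does, because the entries of a `drw-------` directory cannot be stat()ed until that directory gets x. The `keys/` layout is replicated in a temp directory with a placeholder file (constructed; `example.com` stands in for a real domain).

```python
"""Repair directory search bits under a key tree without making key files
executable. Added example; the tree in build_broken_tree() is constructed."""
import os
import shutil
import stat
import tempfile


def chmod_recursive(root, new_mode):
    """Preorder recursive chmod, the way `chmod -R` works: change a directory
    before descending, because stat() on its entries needs the search bit.
    new_mode(perm, is_dir) returns the permission bits to set. Symlinks are
    skipped so a link inside the tree cannot redirect the change elsewhere."""
    changed = []
    st = os.lstat(root)
    if stat.S_ISLNK(st.st_mode):
        return changed
    is_dir = stat.S_ISDIR(st.st_mode)
    cur = stat.S_IMODE(st.st_mode)
    new = new_mode(cur, is_dir)
    if new != cur:
        os.chmod(root, new)
        changed.append(root)
    if is_dir:
        for name in sorted(os.listdir(root)):
            changed += chmod_recursive(os.path.join(root, name), new_mode)
    return changed


def search_bits_only(perm, is_dir):
    """Minimal repair: directories gain u+x, regular files are left alone."""
    return (perm | stat.S_IXUSR) if is_dir else perm


def ug_plus_x(perm, is_dir):
    """What `chmod -R ug+x` does: every entry, key files included, gets u+x and g+x."""
    return perm | stat.S_IXUSR | stat.S_IXGRP


def executable_files(root):
    """Audit: regular files under root carrying any execute bit (keys should have none)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_broken_tree(base):
    """Replica of the question's layout: drw------- keys/ and keys/<domain>/
    around a 0600 key file. Directories are chmodded after being populated,
    otherwise the file could not be created inside them."""
    keys = os.path.join(base, 'keys')
    domain = os.path.join(keys, 'example.com')
    os.makedirs(domain)
    key = os.path.join(domain, 'mail.private')
    with open(key, 'w') as fh:
        fh.write('constructed placeholder, not a real key\n')
    os.chmod(key, 0o600)
    os.chmod(domain, 0o600)
    os.chmod(keys, 0o600)
    return keys, key


def demo(fix):
    """Apply `fix` to a fresh broken tree and report
    (keys/ perm, keys/example.com perm, key perm, executable files)."""
    base = tempfile.mkdtemp(prefix='opendkim-')
    try:
        keys, key = build_broken_tree(base)
        chmod_recursive(keys, fix)
        perm = lambda p: stat.S_IMODE(os.lstat(p).st_mode)
        return perm(keys), perm(os.path.dirname(key)), perm(key), executable_files(keys)
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    print('search bits only:', demo(search_bits_only))
    print('chmod -R ug+x   :', demo(ug_plus_x))
```

On a real host the equivalent of `search_bits_only` is `find /etc/opendkim -type d -exec chmod u+x {} +`, followed by `namei -l` on the key path to confirm every directory now shows an x for the opendkim user; the audit function is there to catch the key files that a broad `-R ug+x` turns into mode 0710.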
Bit late, but the problem could be in who the owner of the key file is; it should be opendkim. Check the owner of the files with the command:
ls -la /etc/opendkim/keys/{domain-name}/
The output should be something like this:
-rw------- 1 opendkim opendkim 1679 Mar 30 21:17 default.private
You can change the owner with the command:
chown opendkim:opendkim /etc/opendkim/keys/{domain-name}/default.private
I backed up my configuration files, apt-get purged opendkim, reinstalled opendkim, restored my exact configuration files, and it worked.
I have no idea why.
PFM
I am using PostgreSQL 9.5 on Ubuntu 16.04 LTS.
I receive the below error when I type psql:
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
On checking the logs in /var/log/postgresql/postgresql-9.5-main.log, I see the error as:
2018-11-26 13:17:41 IST [3508-1] FATAL: could not access private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
Below are the permissions of the /etc/ssl/private and ssl-cert-snakeoil.key files:
vivek@vivek-ThinkPad-E480:~$ ls -l /etc/ssl
total 36
drwxr-xr-x 2 root root 20480 Nov 22 13:06 certs
-rwxr-xr-x 1 root root 10835 Dec 8 2017 openssl.cnf
drwxr--r-- 2 root ssl-cert 4096 Nov 22 13:06 private
vivek@vivek-ThinkPad-E480:~$ sudo ls -l /etc/ssl/private
total 4
-rw-r----- 1 root ssl-cert 1704 Nov 22 13:06 ssl-cert-snakeoil.key
The postgres user is also added to the group ssl-cert.
vivek@vivek-ThinkPad-E480:~$ getent group ssl-cert
ssl-cert:x:112:postgres
NOTE: I found that there is no server.key present in /var/lib/postgresql/9.5/main.
I also posted this on DBA Stackexchange, but no response as yet.
Can anyone guide me in the right direction in setting permissions?
That can never work, and your server will not be able to start, because the OS user postgres has no permission to access files in /etc/ssl/private.
To allow users in the group ssl-cert to access files in the directory, run
chmod g+x /etc/ssl/private
While you're at it, make sure that /etc/ssl has the required permissions.
To test if everything works, become user postgres and try to read the file.
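The test in this answer ("become user postgres and try to read the file") can be written out as the kernel's own rule, which also explains the Docker, uWSGI and opendkim threads above: every directory component on the way to the file needs the search (x) bit for the calling uid and its groups, and only the final component needs the access actually requested (read for a key file, write for connect() on a Unix socket). The Python below is an added example, not the answer's code. The tree is constructed from the listings quoted on this page (`drwxr--r--` on /etc/ssl/private, `drw-------` on /etc/opendkim/keys, 0775 directories under /srv with a 660 socket); ssl-cert 114 and postgres 110 come from the Docker `id` output, while the opendkim, www-data and username ids and the socket's owner are assumptions. `tree_from_fs` records the same structure from a live host so the check can be run for real.

```python
"""Replay the kernel's per-component permission check against a recorded
path tree. Added example; TREE is constructed from listings on this page."""
import os
import stat
from collections import namedtuple

R_OK, W_OK, X_OK = os.R_OK, os.W_OK, os.X_OK

# mode carries the file-type bits too, exactly like st_mode
Inode = namedtuple('Inode', 'mode uid gid')

def d(perm, uid, gid):
    return Inode(stat.S_IFDIR | perm, uid, gid)

def f(perm, uid, gid, kind=stat.S_IFREG):
    return Inode(kind | perm, uid, gid)

def _class_bits(inode, uid, gids):
    """Owner, group or other triple: the first class the caller falls in wins,
    so an owner without x is denied even when 'other' would have it."""
    if uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in gids:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def _allowed(inode, uid, gids, want):
    if uid == 0:
        # CAP_DAC_OVERRIDE: read, write and directory search always pass;
        # executing a regular file still needs at least one x bit set.
        exec_of_file = bool(want & X_OK) and not stat.S_ISDIR(inode.mode)
        return not (exec_of_file and not (inode.mode & 0o111))
    return (_class_bits(inode, uid, gids) & want) == want

def _components(path):
    out = ['/']
    for part in path.strip('/').split('/'):
        if part:
            out.append(out[-1].rstrip('/') + '/' + part)
    return out

def check_path(tree, path, uid, gids, want):
    """(True, None) if uid with groups `gids` gets `want` on path, otherwise
    (False, first blocking component). Intermediate directories need X_OK."""
    gids = set(gids)
    comps = _components(path)
    for comp in comps:
        inode = tree.get(comp)
        if inode is None:
            return False, comp          # ENOENT
        need = want if comp == comps[-1] else X_OK
        if not _allowed(inode, uid, gids, need):
            return False, comp          # EACCES
    return True, None

def with_perm(tree, path, perm):
    """Copy of tree after `chmod perm path`."""
    old = tree[path]
    new = dict(tree)
    new[path] = Inode(stat.S_IFMT(old.mode) | perm, old.uid, old.gid)
    return new

def tree_from_fs(path):
    """Record a live path so check_path can be run against a real host."""
    out = {}
    for comp in _components(os.path.realpath(path)):
        st = os.stat(comp)
        out[comp] = Inode(st.st_mode, st.st_uid, st.st_gid)
    return out

# Constructed tree: modes and owners copied from the listings on this page;
# ssl-cert 114 and postgres 110 match the Docker `id` output, the other ids
# (opendkim 1001, www-data 33, username 1000) are assumed.
SSL_CERT, POSTGRES, OPENDKIM, WWW_DATA, USERNAME = 114, 110, 1001, 33, 1000
KEY = '/etc/ssl/private/ssl-cert-snakeoil.key'
DKIM_KEY = '/etc/opendkim/keys/zaehlas.com/mail.private'
SOCK = '/srv/www/api/app.sock'
TREE = {
    '/': d(0o755, 0, 0),
    '/etc': d(0o755, 0, 0),
    '/etc/ssl': d(0o755, 0, 0),
    '/etc/ssl/private': d(0o744, 0, SSL_CERT),            # drwxr--r--
    KEY: f(0o640, 0, SSL_CERT),                          # -rw-r-----
    '/etc/opendkim': d(0o755, OPENDKIM, OPENDKIM),
    '/etc/opendkim/keys': d(0o600, OPENDKIM, OPENDKIM),  # drw-------
    '/etc/opendkim/keys/zaehlas.com': d(0o600, OPENDKIM, OPENDKIM),
    DKIM_KEY: f(0o600, OPENDKIM, OPENDKIM),
    '/srv': d(0o775, USERNAME, USERNAME),
    '/srv/www': d(0o775, USERNAME, WWW_DATA),
    '/srv/www/api': d(0o775, WWW_DATA, WWW_DATA),
    SOCK: f(0o660, USERNAME, WWW_DATA, stat.S_IFSOCK),   # chmod-socket = 660; owner assumed
}

if __name__ == '__main__':
    print(check_path(TREE, KEY, POSTGRES, {115, SSL_CERT}, R_OK))   # blocked at /etc/ssl/private
    print(check_path(with_perm(TREE, '/etc/ssl/private', 0o750), KEY, POSTGRES, {115, SSL_CERT}, R_OK))
    print(check_path(TREE, DKIM_KEY, OPENDKIM, {OPENDKIM}, R_OK))   # owner, but keys/ has no x
    print(check_path(TREE, SOCK, WWW_DATA, {WWW_DATA}, W_OK))        # nginx connect() needs w
```

The first call reproduces the FATAL in the question: postgres is in ssl-cert, the key is group-readable, but /etc/ssl/private has `r--` for the group and no `x`, so the walk stops one component early; `chmod g+x` (0750 here) makes the same call succeed. The opendkim case shows that ownership alone does not help when the directory lacks x, and the socket case shows why nginx needs write, not read, on a uWSGI socket.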
After some time the Postgres database on my live server stopped working. I have been working on this server for the last 8 months. Now suddenly it's stopped working.
When I try to enter the command, psql produces an error:
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
I'm using odoo8.
Note: Your default socket directory may not be /tmp
Did you update/upgrade your database?
Did you start a docker container that interfered with any of your data-store/socket file locations?
This probably doesn't fit your situation exactly, but maybe it will provide some insight:
Sometimes when you try
sudo systemctl start postgresql.service
and the systemd status says it is started but you still get that error message when trying to connect, try this instead:
sudo pg_ctlcluster <version> <cluster> <action>
which in my case had been
sudo pg_ctlcluster 13 main start