[jboss-jira] [JBoss JIRA] (WFLY-6915) Mod cluster not working with non-root user

Matias Rand (JIRA) issues at jboss.org
Thu Nov 10 07:42:01 EST 2016


    [ https://issues.jboss.org/browse/WFLY-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13320243#comment-13320243 ] 

Matias Rand commented on WFLY-6915:
-----------------------------------

We have hit the same issue setting up a new EAP 7 environment. To troubleshoot, I started EAP as root (JBOSS_USER=root) and created a server instance with port offset set to 100. The server/modcluster is able to connect and register with the Apache load balancer. However, doing a tcpdump on the load balancer, I see that the source port in the requests coming from EAP is 100. When running as e.g. the jboss user (JBOSS_USER=jboss), that user is not allowed to bind to ports below 1024, and then you will get the permission denied (bind failed) error message.
When port offset is 0, high source port numbers are used.
As far as I can tell this looks like an application issue.

> Mod cluster not working with non-root user
> ------------------------------------------
>
>                 Key: WFLY-6915
>                 URL: https://issues.jboss.org/browse/WFLY-6915
>             Project: WildFly
>          Issue Type: Bug
>          Components: mod_cluster
>    Affects Versions: 10.0.0.Final
>         Environment: OS's tested:
> # Red Hat Enterprise Linux Server release 6.5 (Santiago)
> # CentOS Linux release 7.2.1511 (Core) 
> *SELINUX*: Disabled
> *IPTABLES/FIREWALLD: *disabled with no rules
> #wildfly: 10.0.0.Final
> #httpd:
> httpd-2.2.15-31.el6_5.x86_64
> httpd-tools-2.2.15-31.el6_5.x86_64
> httpd-devel-2.2.15-31.el6_5.x86_64
> #modcluster/httpd version: 1.2.6
>            Reporter: Rafael Pereira
>            Assignee: Radoslav Husar
>
> When I run wildfly with a non-root user (wildfly), mod_cluster won't work. I got this error:
> 14:09:06,327 ERROR [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000043: Failed to send INFO command to relatorios.sistemafieg.org.br/11.12.13.14:6666: Permission denied
> This happens when I use port-offset>0 and run wildfly service.
> However, if I run with root user, this error won't happen.
> Steps to reproduce
> 1. Adding user
> {code:shell}
> groupadd -r wildfly
> useradd -r -g wildfly -d /opt/wildfly -s /sbin/nologin wildfly
> {code}
> 2. use init.d or systemd script
> {code:shell}
> wildfly-10.0.0.Final/docs/contrib/scripts/init.d/wildfly-init-redhat.sh
> {code}
> 3. start wildfly and register proxy list and socket binding
> {code:shell}
> /socket-binding-group=ha-sockets/remote-destination-outbound-socket-binding=mod_cluster:add(port=6666,host=11.12.13.14)
> /profile=ha/subsystem=modcluster/mod-cluster-config=configuration:write-attribute(name=proxies,value=[mod_cluster])
> {code}
> 4. edit wildfly.conf
> {code:shell}
> JBOSS_HOME="/opt/wildfly/server"
> JBOSS_USER=wildfly
> JBOSS_MODE=domain
> JBOSS_HOST_CONFIG=host.xml
> JBOSS_CONSOLE_LOG="/var/log/wildfly/console.log"
> JBOSS_OPTS="-Djboss.domain.base.dir=/opt/wildfly/config/domain -Djboss.bind.address.management=11.12.13.10 -Djboss.bind.address=11.12.13.10"
> {code}
> 5. edit httpd.conf
> {code}
> LoadModule slotmem_module modules/mod_slotmem.so
> LoadModule manager_module modules/mod_manager.so
> LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
> LoadModule advertise_module modules/mod_advertise.so
> Listen 6666
> <VirtualHost *:6666>
>     <Location />
>         Order deny,allow
>         Deny from all
>         Allow from 11.12.13
>     </Location>
>     <Location /mcm>
>         SetHandler mod_cluster-manager
>         Order deny,allow
>         Allow from all
>     </Location>
>     KeepAliveTimeout 300
>     MaxKeepAliveRequests 0
>     Timeout 5400
>     ProxyTimeout 5400
>     EnableMCPMReceive On
>     ManagerBalancerName   myCluster
>     ServerAdvertise Off 
>     ErrorLog logs/cluster-error.log
>     CustomLog logs/cluster-access.log INFO
> </VirtualHost>
> {code}
> 6. Run with service or systemctl command: *service wildfly start*
> *Environment:*
> OS's tested:
> # Red Hat Enterprise Linux Server release 6.5 (Santiago)
> # CentOS Linux release 7.2.1511 (Core) 
> *SELINUX*: Disabled
> *IPTABLES/FIREWALLD: * disabled and no rules set
> *wildfly:* 10.0.0.Final
> *httpd:*
> httpd-2.2.15-31.el6_5.x86_64
> httpd-tools-2.2.15-31.el6_5.x86_64
> httpd-devel-2.2.15-31.el6_5.x86_64
>  *modcluster/httpd version:* 1.2.6
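
Added example, not part of the original message or of the WildFly/mod_cluster code: a small Python check for the failure the comment above describes, where a fixed source port below 1024 is refused for a non-root user. It assumes, from the tcpdump observation in the comment, that the source port equals the port offset (0 meaning the kernel picks an ephemeral port); all function names are hypothetical.

```python
import errno
import socket

SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start():
    """First port a process without CAP_NET_BIND_SERVICE may bind (Linux)."""
    try:
        with open(SYSCTL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024  # kernels without this sysctl use the fixed 1024 limit


def observed_source_port(port_offset):
    """Assumption taken from the comment: offset 100 gave source port 100,
    offset 0 gave high ports, modelled here as 0 (kernel chooses)."""
    return port_offset


def needs_privilege(port, limit=None):
    """True when binding this local port requires elevated rights."""
    limit = unprivileged_port_start() if limit is None else limit
    return 0 < port < limit


def try_source_bind(port, host="127.0.0.1"):
    """Bind a client-side socket to a fixed local port, as an outbound
    connection with an explicit source port would before connect()."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, port))
            return "ok", s.getsockname()[1]
    except OSError as e:
        if e.errno == errno.EACCES:
            return "permission-denied", port  # EACCES: "Permission denied"
        return errno.errorcode.get(e.errno, "error"), port


def diagnose(port_offset):
    """Combine the prediction with an actual bind attempt for one offset."""
    port = observed_source_port(port_offset)
    status, bound = try_source_bind(port)
    return {"offset": port_offset, "source_port": port,
            "needs_privilege": needs_privilege(port),
            "bind": status, "bound_port": bound}


if __name__ == "__main__":
    for offset in (0, 100):  # the two cases compared in the comment
        print(diagnose(offset))
```

Run it as the service account (for example the wildfly or jboss user) and as root to compare the "bind" field for offset 100.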


