KB-1271 "Forbidden" error message thrown from Apache with "errno=13. Load balancing workers will not function properly" thrown in mod_jk.log

Symptoms

When navigating to <APPIAN_URL>/suite/, users encounter a Forbidden message from Apache. The following error is printed in the mod_jk.log file:

Initializing shm:/etc/httpd/logs/mod_jk.shm.2237 errno=13. Load balancing workers will not function properly.

Cause

SELinux policy is being enforced on the current Linux system. Thus, SELinux is preventing the Apache process, httpd, from reading and writing to files on the file system. This results in the permission error response in the client when mod_jk is invoked. Under SELinux, all files must be explicitly labeled for read and write access. By default, SELinux allows the correct access on files which have the "httpd_var_run_t" context:

allow httpd_t httpd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename };

This can be verified by the following methods:

  1. Executing the command sestatus in the Linux terminal.
  2. Verifying the configuration in the /etc/selinux/config file.

Action

There are two options provided below:

Option 1

Configure the Apache mod_jk files to comply with SELinux policy:

  1. Create a mod_jk directory. This directory will be used to store the mod_jk shared memory files:
    mkdir /var/mod_jk
  2. Execute the following SELinux managing command to force the "httpd_var_run_t" context onto the new mod_jkfolder and all of its contents:
    semanage fcontext -a -t httpd_var_run_t "/var/mod_jk(/.*)?"
  3. Add the following line in httpd.conf to set the location of the mod_jk shared memory files:
    JkShmFile /var/mod_jk/jk-runtime-status
  4. Check the httpd log directory and clean out any orphaned jk-runtime-status files.
  5. Restart the httpd Apache service.

Note: The mod_jk shared memory contains configuration and runtime information for load balance workers and their members. It is needed in order for all Apache children to:

  • share the same status information for load balancing members (OK, ERROR, ...).
  • share the information about load taken by the individual workers.
  • share the information for the parts of the configuration, which are changeable during runtime by status workers.

Option 2

Disable SELinux policy enforcement by accessing /etc/selinux/config file and setting the policy to "disabled". Ensure the system is restarted for the setting to take effect.

Note: This this will disable SELinux enforcement across the entire system. Please consult with your system administrators before proceeding with this option. SELinux can also be put into permissive mode for testing without disabling SELinux completely with the command:

setenforce 0

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2017

Related
Recommended