Solarium gets "Permission Denied" when trying to connect apache solr at local ip

Question

I have a drupal 8 site on the same physical server as apache solr (5.2.1). Drupal 8 uses the search_api_solr contrib module, which uses Solarium (installed by composer) to talk to the solr server using the http api.

I have successfully installed solr and created a core. I can query the core using cUrl on the linux command line, using various linux users.

I can access the solr admin screen in a browser (over vpn with 192.168 ip or domain resolving to such) and view the core I created on the cli.

However, the drupal solr module cannot connect to the solr server core, and if I create an index using the drupal module, it throws a php error:

[error] Uncaught PHP Exception Solarium\Exception\HttpException: "Solr HTTP error: HTTP request failed, Failed to connect to 127.0.0.1: Permission denied" at modules/search_api_solr/vendor/solarium/solarium/library/Solarium/Core/Client/Adapter/Curl.php line 248

My url is like this: http://127.0.0.1:8983/solr/mycore

I get the same error for

http://192.168.254.78:8983/solr/mycore

or

http://127.0.0.1:8080/solr/mycore << different port!

Why should Solarium not be able to send http to a local ip?

Note that nothing is listening on 8080, so I suspect that this http failure has nothing to do with the solr server.

Answer 1

The problem turns out to be that SELinux on this CentOS6 machine is not allowing apache to talk to port 8983.

# setenforce 0

and our error goes away.

# setenforce 1

error is back

Check /var/log/audit.log.

This is what we saw:

type=AVC msg=audit(1457115397.149:224568): avc: denied { name_connect } for pid=4029 comm="httpd" dest=8983 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Notice scontext is httpd_t (apache) And tcontext is port_t (a port)

Now by default apache can only listen on ports that are http_port_t

SO -- we check to see if our desired port "8983"

But first we need "semanage" which is provided by :

yum install policycoreutils-python

Now check for existing http_port_r's:

# semanage port -l | grep 'http_port_t'

http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

pegasus_http_port_t tcp 5988

Now let's add 8983

# semanage port -a -t http_port_t -p tcp 8983

And check again -- yup 8983 is there

# semanage port -l | grep 'http_port_t'

http_port_t tcp 8983, 80, 81, 443, 488, 8008, 8009, 8443, 9000

pegasus_http_port_t tcp 5988

No more error with SELinux enforcing