Ask Your Question
1

compressor.py doesnt have the correct permissions when debug=true

asked 2014-11-14 08:36:24 -0600

Reinis gravatar image

I have an openstack server. It has a couple of custom dashboards added to it. Horizon works just fine when DEBUG in local_settings.py is set to False and loads the custom dashboard quite nicely. But when i set it to True for production needs, trying to access the custom panels, i get an error:

OSError at /neo/custom/dashboard/
[Errno 13] Permission denied: '/usr/share/openstack-dashboard/static/dashboard/css/b4cc9f997a3e.css'
Error during template rendering
In template /usr/lib/python2.7/site-packages/horizon/templates/horizon/_scripts.html

When i follow through the error down to the actual function that throws this error, it is an os.open function trying to create a new file

/usr/lib/python2.7/site-packages/django/core/files/storage.py in _save
                # This is a normal uploadedfile that we can stream.
                else:
                    # This fun binary flag incantation makes os.open throw an
                    # OSError if the file already exists before we open it.
                    flags = (os.O_WRONLY | os.O_CREAT | os.O_EXCL |
                             getattr(os, 'O_BINARY', 0))
                    # The current umask value is masked out by os.open!
                    fd = os.open(full_path, flags, 0o666) ...
                    _file = None
                    try:
                        locks.lock(fd, locks.LOCK_EX)
                        for chunk in content.chunks():
                            if _file is None:
                                mode = 'wb' if isinstance(chunk, bytes) else 'wt'

Full error dump can be found here : http://pastebin.com/2Qb3MTLJ

As far as i can understand, the problem is being caused when compressor.py is trying to create a static file to send back to the client, but is unable to do it, because it doesn't have the correct permissions. But it works just fine when Debug is set to False. So after some googling, i found out that when debug is set to true, the django server runs under a different user and thus has different permissions. My question is, under which user does the django server run, when debug is set to true?

The file permissions in the static folder (the folder that compressor.py fails to create files in) so far are

drwxr-xr-x. 7 root      root      72 Nov  7 08:37 .
drwxr-xr-x. 4 root      root      95 Sep 30 15:16 ..
drwxr-xr-x. 5 root      root      36 Sep 30 15:16 bootstrap
drwxr-xr-x. 7 root      root      78 Nov  7 09:01 dashboard
drwxr-xr-x. 5 root      root      37 Sep 30 15:16 horizon
drwxr-xr-x. 5 root      root      35 Nov  7 08:37 neo
drwxr-xr-x. 5 root      root      35 Nov  7 08:36 vnf

with the last two folders being the custom dashboard ones. I've tried to set all owners of all of these folders recursively to root, apache, nobody and other users. That didn't change anything.

So if i'm correct in assuming that this is my fault for not having the correct permissions and owners for my static directory, then what kind of permissions should there be? What is the user that the django server runs as when debug=true? If i'm wrong, then what else could cause this error only when trying to open ... (more)

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted
0

answered 2014-12-12 05:19:54 -0600

Reinis gravatar image

Found the problem. Since i hadn't deployed the server myself, i didn't know that the SELinux preferences weren't changed. They were left to enforcing, when everybody from openstack says that it should be set to permissive. Also, found out that it might not hurt to set the static folder so that the owner is apache. Here's the email i sent out to all my colleagues using the same openstack deployment. It includes bugfix and description of the problem:

Compressor.py, a component of Horizon that, when the user requests a website, dynamically generates html, css and js files, compresses them to make the payload smaller and then sends them back to the user, is blocked by SELinux on the server. That happens because SELinux is set to enforce it’s security policies and thus doesn’t allow compressor.py to generate it’s files. That’s why sometimes we get weirdly formatted sites or not working buttons. Openstack docs recommend setting SELinux to permissive ( https://openstack.redhat.com/SELinux_... ). All of the guides online on deploying openstack also suggest doing this.

This may also sometimes be caused because the static directory in our server (the directory, that compressor.py saves files to) has wrong permissions and owners. The owner needs to be set to apache, so that the server has access to those files, as suggested by people who adapted WSGI module for Apache ( https://code.google.com/p/modwsgi/wik... ). Here’s how to change those two things.

# start your openstack controller virtual machine.
$ cd /usr/share/openstack-dashboard
# set all of the right ownerships and permissions
$ sudo chmod -R 755 static
$ sudo chown -R apache:apache static
# check if SELinux is enforcing it's policies
$ sestatus
# ”current mode” should be permissive, if it is enforcing, do
$ vim /etc/sysconfig/selinux
# on line 7 change "enforcing" to "permissive"
# and then restart your machine
$ sudo shutdown -r now
# when the machine has restarted and is running, open
# http://192.168.56.101/dashboard/ in your browser and login
# you should be able to access http://192.168.56.101/dashboard/neo/
# without any OSErrors thrown, or weird formatting

This bugfix may stay unapplied, but then you have to be ready for weird formatting (caused by non-generated css) and if your deployment is running in debug mode, then even full on error messages on compressor.py throwing OSErrors, because it isn’t allowed to generate files.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-11-14 08:36:24 -0600

Seen: 1,365 times

Last updated: Dec 12 '14