[Bug 1765191] [NEW] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path

Felipe Reyes 1765191 at bugs.launchpad.net
Wed Apr 18 20:09:14 UTC 2018 

Public bug reported:

When upgrading from mitaka to pike horizon stops working because Apache
can't read the static assets anymore

[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035:
access to /static/dashboard/img/favicon.ico denied (filesystem path
'/var/lib/openstack-dashboard/static') because search permissions are
missing on a component of the path

In xenial the home for the horizon user is /usr/share/openstack-
dashboard, and /var/lib/openstack-dashboard permissions are changed to
700 to secure the secret_key, while in artful/pike only the secret_key
file is set to 700

# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
# ls -ld /var/lib/openstack-dashboard/secret_key 
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
  Installed: 3:12.0.2-0ubuntu1
  Candidate: 3:12.0.2-0ubuntu1
  Version table:
 *** 3:12.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3:12.0.0-0ubuntu2.1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages

So during the upgrade of the package /var/lib/openstack-dashboard is
left to 700

xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/openstack-dashboard
if [ -f /etc/openstack-dashboard/secret_key ]; then
mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
fi
chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....


artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
--no-create-home --shell /bin/false horizon
fi
...

** Affects: horizon (Ubuntu)
     Importance: Undecided
     Assignee: Felipe Reyes (freyes)
         Status: New


** Tags: sts

** Tags added: sts

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1765191

Title:
  (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
  /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
  /openstack-dashboard/static') because search permissions are missing
  on a component of the path

Status in horizon package in Ubuntu:
  New

Bug description:
  When upgrading from mitaka to pike horizon stops working because
  Apache can't read the static assets anymore

  [Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
  140071592240896] (13)Permission denied: [client 1.2.3.4:60750]
  AH00035: access to /static/dashboard/img/favicon.ico denied
  (filesystem path '/var/lib/openstack-dashboard/static') because search
  permissions are missing on a component of the path

  In xenial the home for the horizon user is /usr/share/openstack-
  dashboard, and /var/lib/openstack-dashboard permissions are changed to
  700 to secure the secret_key, while in artful/pike only the secret_key
  file is set to 700

  # ls -ld /var/lib/openstack-dashboard/
  drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
  # ls -ld /var/lib/openstack-dashboard/secret_key 
  -rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
  # apt-cache policy openstack-dashboard
  openstack-dashboard:
    Installed: 3:12.0.2-0ubuntu1
    Candidate: 3:12.0.2-0ubuntu1
    Version table:
   *** 3:12.0.2-0ubuntu1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       3:12.0.0-0ubuntu2.1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages

  So during the upgrade of the package /var/lib/openstack-dashboard is
  left to 700

  xenial -> debian/openstack-dashboard.postinst
  ...
  if [ -d /var/lib/openstack-dashboard ] ; then
  # Generated secret storage for single node use - see local_settings.py
  # for more details of SECRET_KEY
  chmod 0700 /var/lib/openstack-dashboard
  if [ -f /etc/openstack-dashboard/secret_key ]; then
  mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
  fi
  chown -R horizon:horizon /var/lib/openstack-dashboard
  fi
  ....

  
  artful -> debian/openstack-dashboard.postinst
  ...
  if ! getent passwd horizon > /dev/null 2>&1 ; then
  adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
  --no-create-home --shell /bin/false horizon
  fi
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1765191/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list