[Bug 1765191] Re: (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path
Felipe Reyes
1765191 at bugs.launchpad.net
Thu Apr 26 21:57:54 UTC 2018
** Description changed:
+ [Impact]
+
When upgrading from mitaka to pike horizon stops working because Apache
can't read the static assets anymore
[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035:
access to /static/dashboard/img/favicon.ico denied (filesystem path
'/var/lib/openstack-dashboard/static') because search permissions are
missing on a component of the path
In xenial the home for the horizon user is /usr/share/openstack-
dashboard, and /var/lib/openstack-dashboard permissions are changed to
700 to secure the secret_key, while in artful/pike only the secret_key
file is set to 700
# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
- # ls -ld /var/lib/openstack-dashboard/secret_key
+ # ls -ld /var/lib/openstack-dashboard/secret_key
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
- Installed: 3:12.0.2-0ubuntu1
- Candidate: 3:12.0.2-0ubuntu1
- Version table:
- *** 3:12.0.2-0ubuntu1 500
- 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
- 100 /var/lib/dpkg/status
- 3:12.0.0-0ubuntu2.1 500
- 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages
+ Installed: 3:12.0.2-0ubuntu1
+ Candidate: 3:12.0.2-0ubuntu1
+ Version table:
+ *** 3:12.0.2-0ubuntu1 500
+ 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
+ 100 /var/lib/dpkg/status
+ 3:12.0.0-0ubuntu2.1 500
+ 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages
So during the upgrade of the package /var/lib/openstack-dashboard is
left to 700
xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/openstack-dashboard
if [ -f /etc/openstack-dashboard/secret_key ]; then
mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
fi
chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....
-
artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
--no-create-home --shell /bin/false horizon
fi
...
+
+ [Test Case]
+
+ * deploy openstack
+ juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/
+
+ * upgrade openstack-dashboard to ocata, pike or queens
+ juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata"
+
+ Expected result:
+
+ http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
+ displayed with all the correct css/js/etc assets
+
+ Actual result:
+
+ http://`juju-deployer -f openstack-dashboard`/horizon/auth/login cannot
+ load the static assets (javascript/css/etc)
+
+ [Regression Potential]
+
+ * Users who may have customized /var/lib/openstack-dashboard permissions
+ to comply with some specific security policy will see changes in the
+ permissions when they upgrade, but this is a common situation when
+ packages are upgraded.
+
+ [Other Info]
+ N/A
** Description changed:
[Impact]
When upgrading from mitaka to pike horizon stops working because Apache
can't read the static assets anymore
[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035:
access to /static/dashboard/img/favicon.ico denied (filesystem path
'/var/lib/openstack-dashboard/static') because search permissions are
missing on a component of the path
In xenial the home for the horizon user is /usr/share/openstack-
dashboard, and /var/lib/openstack-dashboard permissions are changed to
700 to secure the secret_key, while in artful/pike only the secret_key
file is set to 700
# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
# ls -ld /var/lib/openstack-dashboard/secret_key
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
Installed: 3:12.0.2-0ubuntu1
Candidate: 3:12.0.2-0ubuntu1
Version table:
*** 3:12.0.2-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
100 /var/lib/dpkg/status
3:12.0.0-0ubuntu2.1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages
So during the upgrade of the package /var/lib/openstack-dashboard is
left to 700
xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/openstack-dashboard
if [ -f /etc/openstack-dashboard/secret_key ]; then
mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
fi
chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....
artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
--no-create-home --shell /bin/false horizon
fi
...
[Test Case]
* deploy openstack
- juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/
+ juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/
* upgrade openstack-dashboard to ocata, pike or queens
- juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata"
+ juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" # for -proposed use "cloud:xenial-ocata/proposed"
Expected result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
displayed with all the correct css/js/etc assets
Actual result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login cannot
load the static assets (javascript/css/etc)
[Regression Potential]
* Users who may have customized /var/lib/openstack-dashboard permissions
to comply with some specific security policy will see changes in the
permissions when they upgrade, but this is a common situation when
packages are upgraded.
[Other Info]
N/A
** Summary changed:
- (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path
+ [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1765191
Title:
[SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
/static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
/openstack-dashboard/static') because search permissions are missing
on a component of the path
Status in Ubuntu Cloud Archive:
Triaged
Status in Ubuntu Cloud Archive ocata series:
Triaged
Status in Ubuntu Cloud Archive pike series:
Triaged
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in horizon package in Ubuntu:
Triaged
Status in horizon source package in Artful:
Triaged
Status in horizon source package in Bionic:
Triaged
Status in horizon source package in CC-Series:
Triaged
Bug description:
[Impact]
When upgrading from mitaka to pike horizon stops working because
Apache can't read the static assets anymore
[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
140071592240896] (13)Permission denied: [client 1.2.3.4:60750]
AH00035: access to /static/dashboard/img/favicon.ico denied
(filesystem path '/var/lib/openstack-dashboard/static') because search
permissions are missing on a component of the path
In xenial the home for the horizon user is /usr/share/openstack-
dashboard, and /var/lib/openstack-dashboard permissions are changed to
700 to secure the secret_key, while in artful/pike only the secret_key
file is set to 700
# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
# ls -ld /var/lib/openstack-dashboard/secret_key
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
Installed: 3:12.0.2-0ubuntu1
Candidate: 3:12.0.2-0ubuntu1
Version table:
*** 3:12.0.2-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
100 /var/lib/dpkg/status
3:12.0.0-0ubuntu2.1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages
So during the upgrade of the package /var/lib/openstack-dashboard is
left to 700
xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/openstack-dashboard
if [ -f /etc/openstack-dashboard/secret_key ]; then
mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
fi
chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....
artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
--no-create-home --shell /bin/false horizon
fi
...
[Test Case]
* deploy openstack
juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/
* upgrade openstack-dashboard to ocata, pike or queens
juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" # for -proposed use "cloud:xenial-ocata/proposed"
Expected result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
displayed with all the correct css/js/etc assets
Actual result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login
cannot load the static assets (javascript/css/etc)
[Regression Potential]
* Users who may have customized /var/lib/openstack-dashboard
permissions to comply with some specific security policy will see
changes in the permissions when they upgrade, but this is a common
situation when packages are upgraded.
[Other Info]
N/A
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1765191/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list