[Bug 1765191] Re: [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path

Felipe Reyes 1765191 at bugs.launchpad.net
Tue May 22 22:08:29 UTC 2018 

openstack-dashboard-ubuntu-theme needs to be updated to depend on
3:13.0.0-0ubuntu1, I wonder if we could relax this dependency a bit,
something like:

Depends: openstack-dashboard (>= 3:13.0.0, <= 3:14.0.0)

The problem would be that this kind of change may not be SRUable, and
this is a dummy package, so maybe we should just bite the bullet and
everytime bump up the version in the openstack-dashboard we need to
remember to do update openstack-dashboard-ubuntu-theme as well.

# apt-get install openstack-dashboard openstack-dashboard-ubuntu-theme
Reading package lists... Done
Building dependency tree       
Reading state information... Done
openstack-dashboard-ubuntu-theme is already the newest version (3:13.0.0-0ubuntu1).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openstack-dashboard-ubuntu-theme : Depends: openstack-dashboard (= 3:13.0.0-0ubuntu1) but 3:13.0.0-0ubuntu1.1 is to be installed
E: Unable to correct problems, you have held broken packages.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1765191

Title:
  [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
  /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
  /openstack-dashboard/static') because search permissions are missing
  on a component of the path

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive ocata series:
  Fix Committed
Status in Ubuntu Cloud Archive pike series:
  Fix Committed
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Artful:
  Fix Committed
Status in horizon source package in Bionic:
  Fix Committed
Status in horizon source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

  When upgrading from mitaka to pike horizon stops working because
  Apache can't read the static assets anymore

  [Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
  140071592240896] (13)Permission denied: [client 1.2.3.4:60750]
  AH00035: access to /static/dashboard/img/favicon.ico denied
  (filesystem path '/var/lib/openstack-dashboard/static') because search
  permissions are missing on a component of the path

  In xenial the home for the horizon user is /usr/share/openstack-
  dashboard, and /var/lib/openstack-dashboard permissions are changed to
  700 to secure the secret_key, while in artful/pike only the secret_key
  file is set to 700

  # ls -ld /var/lib/openstack-dashboard/
  drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
  # ls -ld /var/lib/openstack-dashboard/secret_key
  -rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
  # apt-cache policy openstack-dashboard
  openstack-dashboard:
    Installed: 3:12.0.2-0ubuntu1
    Candidate: 3:12.0.2-0ubuntu1
    Version table:
   *** 3:12.0.2-0ubuntu1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       3:12.0.0-0ubuntu2.1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages

  So during the upgrade of the package /var/lib/openstack-dashboard is
  left to 700

  xenial -> debian/openstack-dashboard.postinst
  ...
  if [ -d /var/lib/openstack-dashboard ] ; then
  # Generated secret storage for single node use - see local_settings.py
  # for more details of SECRET_KEY
  chmod 0700 /var/lib/openstack-dashboard
  if [ -f /etc/openstack-dashboard/secret_key ]; then
  mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
  fi
  chown -R horizon:horizon /var/lib/openstack-dashboard
  fi
  ....

  artful -> debian/openstack-dashboard.postinst
  ...
  if ! getent passwd horizon > /dev/null 2>&1 ; then
  adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
  --no-create-home --shell /bin/false horizon
  fi
  ...

  [Test Case]

  * deploy openstack
    juju deploy ./xenial-mitaka.yaml  # http://paste.ubuntu.com/p/7XtXRvf4cT/

  * upgrade openstack-dashboard to ocata, pike or queens
    juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata"  # for -proposed use "cloud:xenial-ocata/proposed"

  Expected result:

  http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
  displayed with all the correct css/js/etc assets

  Actual result:

  http://`juju-deployer -f openstack-dashboard`/horizon/auth/login
  cannot load the static assets (javascript/css/etc)

  [Regression Potential]

  * Users who may have customized /var/lib/openstack-dashboard
  permissions to comply with some specific security policy will see
  changes in the permissions when they upgrade, but this is a common
  situation when packages are upgraded.

  [Other Info]
  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1765191/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list