[Bug 1765191] Re: [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path

Felipe Reyes 1765191 at bugs.launchpad.net
Wed May 23 23:43:30 UTC 2018


Upgraded successfully from xenial-mitaka to xenial-queens, no
regressions detected (login, assets are loaded properly, create a router
using the UI works OK).

ubuntu at juju-dbdb77-lp1765191-8:~$ apt policy openstack-dashboard
openstack-dashboard:
  Installed: 3:13.0.0-0ubuntu1~cloud0
  Candidate: 3:13.0.0-0ubuntu1~cloud0
  Version table:
 *** 3:13.0.0-0ubuntu1~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens/main amd64 Packages
        100 /var/lib/dpkg/status
     2:9.1.2-0ubuntu5 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     2:9.0.0-0ubuntu2 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo vim /etc/apache2/conf-enabled/openstack-dashboard.conf 
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo systemctl restart apache2
ubuntu at juju-dbdb77-lp1765191-8:~$ ls /var/lib/openstack-dashboard/ -ld
drwx------ 4 horizon horizon 4096 May 23 23:30 /var/lib/openstack-dashboard/
ubuntu at juju-dbdb77-lp1765191-8:~$ ls /var/lib/openstack-dashboard/ -l
ls: cannot open directory '/var/lib/openstack-dashboard/': Permission denied
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo ls /var/lib/openstack-dashboard/ -l
total 12
-rw-r--r--  1 horizon horizon    0 May 23 22:57 _var_lib_openstack-dashboard_secret_key.lock
drwxr-xr-x  2 horizon horizon 4096 Mar  1 02:25 secret-key
-rw-------  1 horizon horizon   64 May 23 22:57 secret_key
drwxr-xr-x 11 horizon horizon 4096 May 23 23:30 static
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo add-apt-repository cloud-archive:queens-proposed
 Ubuntu Cloud Archive for OpenStack Queens [proposed]
 More info: https://wiki.ubuntu.com/ServerTeam/CloudArchive
Press [ENTER] to continue or ctrl-c to cancel adding it

Reading package lists...
Building dependency tree...
Reading state information...
ubuntu-cloud-keyring is already the newest version (2012.08.14).
The following packages were automatically installed and are no longer required:
  libboost-iostreams1.58.0 libboost-random1.58.0 libboost-system1.58.0 libboost-thread1.58.0 python-httplib2 python-ndg-httpsclient python-openstackclient python-pyasn1
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo apt update
...
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo apt-get dist-upgrade
...
Setting up python-django-horizon (3:13.0.0-0ubuntu1.1~cloud1) ...
Setting up openstack-dashboard (3:13.0.0-0ubuntu1.1~cloud1) ...
Collecting and compressing static assets...
apache2_invoke openstack-dashboard.conf: already enabled
Setting up openstack-dashboard-ubuntu-theme (3:13.0.0-0ubuntu1.1~cloud1) ...
ubuntu at juju-dbdb77-lp1765191-8:~$ apt policy openstack-dashboard
openstack-dashboard:
  Installed: 3:13.0.0-0ubuntu1.1~cloud1
  Candidate: 3:13.0.0-0ubuntu1.1~cloud1
  Version table:
 *** 3:13.0.0-0ubuntu1.1~cloud1 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens/main amd64 Packages
        100 /var/lib/dpkg/status
     3:13.0.0-0ubuntu1~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens/main amd64 Packages
     2:9.1.2-0ubuntu5 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     2:9.0.0-0ubuntu2 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ubuntu at juju-dbdb77-lp1765191-8:~$ ls /var/lib/openstack-dashboard/ -ld
drwxr-xr-x 4 horizon horizon 4096 May 23 23:36 /var/lib/openstack-dashboard/
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo ls /var/lib/openstack-dashboard/ -l
total 12
-rw-r--r--  1 horizon horizon    0 May 23 22:57 _var_lib_openstack-dashboard_secret_key.lock
drwxr-xr-x  2 horizon horizon 4096 Mar  1 02:25 secret-key
-rw-------  1 horizon horizon   64 May 23 22:57 secret_key
drwxr-xr-x 11 horizon horizon 4096 May 23 23:36 static
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo pastebinit /var/log/apt/history.log 
http://paste.ubuntu.com/p/pDmXwDD7kP/
ubuntu at juju-dbdb77-lp1765191-8:~$ sudo pastebinit /var/log/apt/term.log 
http://paste.ubuntu.com/p/7zqmPJWbSm/


** Tags removed: verification-queens-needed
** Tags added: verification-queens-done

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1765191

Title:
  [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
  /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
  /openstack-dashboard/static') because search permissions are missing
  on a component of the path

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive ocata series:
  Fix Committed
Status in Ubuntu Cloud Archive pike series:
  Fix Committed
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Artful:
  Fix Committed
Status in horizon source package in Bionic:
  Fix Committed
Status in horizon source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

  When upgrading from mitaka to pike horizon stops working because
  Apache can't read the static assets anymore

  [Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
  140071592240896] (13)Permission denied: [client 1.2.3.4:60750]
  AH00035: access to /static/dashboard/img/favicon.ico denied
  (filesystem path '/var/lib/openstack-dashboard/static') because search
  permissions are missing on a component of the path

  In xenial the home for the horizon user is /usr/share/openstack-
  dashboard, and /var/lib/openstack-dashboard permissions are changed to
  700 to secure the secret_key, while in artful/pike only the secret_key
  file is set to 700

  # ls -ld /var/lib/openstack-dashboard/
  drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
  # ls -ld /var/lib/openstack-dashboard/secret_key
  -rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
  # apt-cache policy openstack-dashboard
  openstack-dashboard:
    Installed: 3:12.0.2-0ubuntu1
    Candidate: 3:12.0.2-0ubuntu1
    Version table:
   *** 3:12.0.2-0ubuntu1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       3:12.0.0-0ubuntu2.1 500
          500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages

  So during the upgrade of the package /var/lib/openstack-dashboard is
  left to 700

  xenial -> debian/openstack-dashboard.postinst
  ...
  if [ -d /var/lib/openstack-dashboard ] ; then
  # Generated secret storage for single node use - see local_settings.py
  # for more details of SECRET_KEY
  chmod 0700 /var/lib/openstack-dashboard
  if [ -f /etc/openstack-dashboard/secret_key ]; then
  mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
  fi
  chown -R horizon:horizon /var/lib/openstack-dashboard
  fi
  ....

  artful -> debian/openstack-dashboard.postinst
  ...
  if ! getent passwd horizon > /dev/null 2>&1 ; then
  adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
  --no-create-home --shell /bin/false horizon
  fi
  ...

  [Test Case]

  * deploy openstack
    juju deploy ./xenial-mitaka.yaml  # http://paste.ubuntu.com/p/7XtXRvf4cT/

  * upgrade openstack-dashboard to ocata, pike or queens
    juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata"  # for -proposed use "cloud:xenial-ocata/proposed"

  Expected result:

  http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
  displayed with all the correct css/js/etc assets

  Actual result:

  http://`juju-deployer -f openstack-dashboard`/horizon/auth/login
  cannot load the static assets (javascript/css/etc)

  [Regression Potential]

  * Users who may have customized /var/lib/openstack-dashboard
  permissions to comply with some specific security policy will see
  changes in the permissions when they upgrade, but this is a common
  situation when packages are upgraded.

  [Other Info]
  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1765191/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list