[Bug 1765191] Re: [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path
Felipe Reyes
1765191 at bugs.launchpad.net
Thu May 24 02:14:32 UTC 2018
Upgraded successfully from xenial-mitaka to xenial-pike
root at juju-612ca4-pike-8:~# apt policy openstack-dashboard
openstack-dashboard:
Installed: 2:9.1.2-0ubuntu5
Candidate: 2:9.1.2-0ubuntu5
Version table:
*** 2:9.1.2-0ubuntu5 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
2:9.0.0-0ubuntu2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-612ca4-pike-8:~# ls -ld /var/lib/openstack-dashboard/
drwx------ 2 horizon horizon 4096 May 24 01:43 /var/lib/openstack-dashboard/
root at juju-612ca4-pike-8:~# ls -l /var/lib/openstack-dashboard/
total 4
-rw------- 1 horizon horizon 64 May 24 01:43 secret_key
-rw-r--r-- 1 horizon horizon 0 May 24 01:43 _var_lib_openstack-dashboard_secret_key.lock
root at juju-612ca4-pike-8:~# add-apt-repository cloud-archive:pike
Ubuntu Cloud Archive for OpenStack Pike
More info: https://wiki.ubuntu.com/ServerTeam/CloudArchive
Press [ENTER] to continue or ctrl-c to cancel adding it
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
ubuntu-cloud-keyring
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,086 B of archives.
After this operation, 34.8 kB of additional disk space will be used.
Get:1 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/universe amd64 ubuntu-cloud-keyring all 2012.08.14 [5,086 B]
Fetched 5,086 B in 0s (24.7 kB/s)
Selecting previously unselected package ubuntu-cloud-keyring.
(Reading database ... 80958 files and directories currently installed.)
Preparing to unpack .../ubuntu-cloud-keyring_2012.08.14_all.deb ...
Unpacking ubuntu-cloud-keyring (2012.08.14) ...
Setting up ubuntu-cloud-keyring (2012.08.14) ...
Importing ubuntu-cloud.archive.canonical.com keyring
OK
Processing ubuntu-cloud.archive.canonical.com removal keyring
gpg: /etc/apt/trustdb.gpg: trustdb created
OK
root at juju-612ca4-pike-8:~# apt-get -qq update
root at juju-612ca4-pike-8:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
...
Setting up qemu-block-extra:amd64 (1:2.10+dfsg-0ubuntu3.5~cloud0) ...
Setting up qemu-utils (1:2.10+dfsg-0ubuntu3.5~cloud0) ...
Setting up python-mock (2.0.0-3~cloud0) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
root at juju-612ca4-pike-8:~# apt policy openstack-dashboard
openstack-dashboard:
Installed: 3:12.0.2-0ubuntu1~cloud0
Candidate: 3:12.0.2-0ubuntu1~cloud0
Version table:
*** 3:12.0.2-0ubuntu1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/pike/main amd64 Packages
100 /var/lib/dpkg/status
2:9.1.2-0ubuntu5 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
2:9.0.0-0ubuntu2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-612ca4-pike-8:~# ls -ld /var/lib/openstack-dashboard/
drwx------ 4 horizon horizon 4096 May 24 02:04 /var/lib/openstack-dashboard/
root at juju-612ca4-pike-8:~# ls -l /var/lib/openstack-dashboard/
total 12
-rw------- 1 horizon horizon 64 May 24 01:43 secret_key
drwxr-xr-x 2 horizon horizon 4096 Feb 6 03:07 secret-key
drwxr-xr-x 11 horizon horizon 4096 May 24 02:04 static
-rw-r--r-- 1 horizon horizon 0 May 24 01:43 _var_lib_openstack-dashboard_secret_key.lock
root at juju-612ca4-pike-8:~# add-apt-repository cloud-archive:pike-proposed
Ubuntu Cloud Archive for OpenStack Pike [proposed]
More info: https://wiki.ubuntu.com/ServerTeam/CloudArchive
Press [ENTER] to continue or ctrl-c to cancel adding it
Reading package lists...
Building dependency tree...
Reading state information...
ubuntu-cloud-keyring is already the newest version (2012.08.14).
The following packages were automatically installed and are no longer required:
libboost-iostreams1.58.0 libboost-random1.58.0 libboost-system1.58.0 libboost-thread1.58.0 python-deprecation python-httplib2 python-ndg-httpsclient python-openstackclient
python-openstacksdk python-pyasn1
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root at juju-612ca4-pike-8:~# apt-get -qq update
root at juju-612ca4-pike-8:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
libboost-iostreams1.58.0 libboost-random1.58.0 libboost-system1.58.0 libboost-thread1.58.0 python-deprecation python-httplib2 python-ndg-httpsclient python-openstackclient
python-openstacksdk python-pyasn1
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
librados2 librbd1 openstack-dashboard openstack-dashboard-ubuntu-theme python-django-horizon
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.5 MB of archives.
After this operation, 103 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 librbd1 amd64 12.2.4-0ubuntu0.17.10.1~cloud0 [916 kB]
Get:2 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 librados2 amd64 12.2.4-0ubuntu0.17.10.1~cloud0 [2,752 kB]
Get:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 openstack-dashboard all 3:12.0.2-0ubuntu1.1~cloud0 [2,322 kB]
Get:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 openstack-dashboard-ubuntu-theme all 3:12.0.2-0ubuntu1.1~cloud0 [1,846 B]
Get:5 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 python-django-horizon all 3:12.0.2-0ubuntu1.1~cloud0 [7,521 kB]
Fetched 13.5 MB in 12s (1,096 kB/s)
(Reading database ... 84327 files and directories currently installed.)
Preparing to unpack .../librbd1_12.2.4-0ubuntu0.17.10.1~cloud0_amd64.deb ...
Unpacking librbd1 (12.2.4-0ubuntu0.17.10.1~cloud0) over (12.2.2-0ubuntu0.17.10.1~cloud0) ...
Preparing to unpack .../librados2_12.2.4-0ubuntu0.17.10.1~cloud0_amd64.deb ...
Unpacking librados2 (12.2.4-0ubuntu0.17.10.1~cloud0) over (12.2.2-0ubuntu0.17.10.1~cloud0) ...
Preparing to unpack .../openstack-dashboard_3%3a12.0.2-0ubuntu1.1~cloud0_all.deb ...
Unpacking openstack-dashboard (3:12.0.2-0ubuntu1.1~cloud0) over (3:12.0.2-0ubuntu1~cloud0) ...
Preparing to unpack .../openstack-dashboard-ubuntu-theme_3%3a12.0.2-0ubuntu1.1~cloud0_all.deb ...
Unpacking openstack-dashboard-ubuntu-theme (3:12.0.2-0ubuntu1.1~cloud0) over (3:12.0.2-0ubuntu1~cloud0) ...
Preparing to unpack .../python-django-horizon_3%3a12.0.2-0ubuntu1.1~cloud0_all.deb ...
Unpacking python-django-horizon (3:12.0.2-0ubuntu1.1~cloud0) over (3:12.0.2-0ubuntu1~cloud0) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Setting up librados2 (12.2.4-0ubuntu0.17.10.1~cloud0) ...
Setting up librbd1 (12.2.4-0ubuntu0.17.10.1~cloud0) ...
Setting up python-django-horizon (3:12.0.2-0ubuntu1.1~cloud0) ...
Setting up openstack-dashboard (3:12.0.2-0ubuntu1.1~cloud0) ...
Collecting and compressing static assets...
apache2_invoke openstack-dashboard.conf: already enabled
Setting up openstack-dashboard-ubuntu-theme (3:12.0.2-0ubuntu1.1~cloud0) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
root at juju-612ca4-pike-8:~# apt policy openstack-dashboard
openstack-dashboard:
Installed: 3:12.0.2-0ubuntu1.1~cloud0
Candidate: 3:12.0.2-0ubuntu1.1~cloud0
Version table:
*** 3:12.0.2-0ubuntu1.1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/pike/main amd64 Packages
100 /var/lib/dpkg/status
3:12.0.2-0ubuntu1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/pike/main amd64 Packages
2:9.1.2-0ubuntu5 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
2:9.0.0-0ubuntu2 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
root at juju-612ca4-pike-8:~# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 May 24 02:09 /var/lib/openstack-dashboard/
root at juju-612ca4-pike-8:~# ls -l /var/lib/openstack-dashboard/
total 12
-rw------- 1 horizon horizon 64 May 24 01:43 secret_key
drwxr-xr-x 2 horizon horizon 4096 Feb 6 03:07 secret-key
drwxr-xr-x 11 horizon horizon 4096 May 24 02:09 static
-rw-r--r-- 1 horizon horizon 0 May 24 01:43 _var_lib_openstack-dashboard_secret_key.lock
root at juju-612ca4-pike-8:~# pastebinit /var/log/apt/history.log
http://paste.ubuntu.com/p/zgFgtPRgQP/
root at juju-612ca4-pike-8:~# pastebinit /var/log/apt/term.log
http://paste.ubuntu.com/p/DMrJBd2WGQ/
** Tags removed: verification-pike-needed
** Tags added: verification-pike-done
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1765191
Title:
[SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
/static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
/openstack-dashboard/static') because search permissions are missing
on a component of the path
Status in Ubuntu Cloud Archive:
Fix Committed
Status in Ubuntu Cloud Archive ocata series:
Fix Committed
Status in Ubuntu Cloud Archive pike series:
Fix Committed
Status in Ubuntu Cloud Archive queens series:
Fix Committed
Status in horizon package in Ubuntu:
Fix Released
Status in horizon source package in Artful:
Fix Committed
Status in horizon source package in Bionic:
Fix Committed
Status in horizon source package in Cosmic:
Fix Released
Bug description:
[Impact]
When upgrading from mitaka to pike horizon stops working because
Apache can't read the static assets anymore
[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid
140071592240896] (13)Permission denied: [client 1.2.3.4:60750]
AH00035: access to /static/dashboard/img/favicon.ico denied
(filesystem path '/var/lib/openstack-dashboard/static') because search
permissions are missing on a component of the path
In xenial the home for the horizon user is /usr/share/openstack-
dashboard, and /var/lib/openstack-dashboard permissions are changed to
700 to secure the secret_key, while in artful/pike only the secret_key
file is set to 700
# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
# ls -ld /var/lib/openstack-dashboard/secret_key
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
Installed: 3:12.0.2-0ubuntu1
Candidate: 3:12.0.2-0ubuntu1
Version table:
*** 3:12.0.2-0ubuntu1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
100 /var/lib/dpkg/status
3:12.0.0-0ubuntu2.1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages
So during the upgrade of the package /var/lib/openstack-dashboard is
left to 700
xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/openstack-dashboard
if [ -f /etc/openstack-dashboard/secret_key ]; then
mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
fi
chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....
artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
--no-create-home --shell /bin/false horizon
fi
...
[Test Case]
* deploy openstack
juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/
* upgrade openstack-dashboard to ocata, pike or queens
juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" # for -proposed use "cloud:xenial-ocata/proposed"
Expected result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is
displayed with all the correct css/js/etc assets
Actual result:
http://`juju-deployer -f openstack-dashboard`/horizon/auth/login
cannot load the static assets (javascript/css/etc)
[Regression Potential]
* Users who may have customized /var/lib/openstack-dashboard
permissions to comply with some specific security policy will see
changes in the permissions when they upgrade, but this is a common
situation when packages are upgraded.
[Other Info]
N/A
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1765191/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list