Permission denied on /etc/nginx/sites-enabled in loadbalancer appliance

Bug #1558577 reported by Tom Walsh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Astara | Fix Released | Critical | Adam Gandelman |
Mitaka | Fix Committed | Critical | Adam Gandelman |

Bug Description

Running the latest appliance built using the following command:

We are getting the following error from astara via the appliance when creating a load balancer:

2016-03-17 00:05:48.462 INFO ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b:22788:p14:t01 Updating config for ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b
2016-03-17 00:05:48.782 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b:22788:p14:t01 failed to update config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b Traceback (most recent call last):
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara/instance_manager.py", line 411, in configure
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b config)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara/drivers/loadbalancer.py", line 133, in update_config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b astara_client.update_config(management_address, self.mgt_port, config)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara/api/astara_client.py", line 82, in update_config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b raise Exception('Config update failed: %s' % r.text)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b Exception: Config update failed: Traceback (most recent call last):
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b response = self.full_dispatch_request()
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b rv = self.handle_user_exception(e)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b reraise(exc_type, exc_value, tb)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b rv = self.dispatch_request()
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b return self.view_functions[rule.endpoint](**req.view_args)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/utils.py", line 91, in wrapper
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b retval = f(*args, **kwargs)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/api/v1/system.py", line 153, in put_configuration
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b cache=_get_cache())
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/manager.py", line 234, in update_config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b manager.update_config(svc_cfg, cache)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/manager.py", line 155, in update_config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b self.lb_manager.update_config(self.config)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/drivers/loadbalancer/nginx.py", line 68, in update_config
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b self._render_config_template(path=path, config=config)
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b File "/usr/local/lib/python2.7/dist-packages/astara_router/drivers/loadbalancer/nginx.py", line 57, in _render_config_template
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b with open(path, 'w') as out:
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b IOError: [Errno 13] Permission denied: u'/etc/nginx/sites-enabled/ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b.conf'
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b {'CONTENT_LENGTH': '2060',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'CONTENT_TYPE': 'application/json',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'HTTP_ACCEPT': '*/*',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'HTTP_CONNECTION': 'keep-alive',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'HTTP_HOST': '[[fdca:3ba5:a17a:acda::5a]]:5000',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'HTTP_USER_AGENT': 'python-requests/2.9.1',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'PATH_INFO': '/v1/system/config',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'QUERY_STRING': '',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'RAW_URI': '/v1/system/config',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'REMOTE_ADDR': 'fdca:3ba5:a17a:acda::1',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'REMOTE_PORT': '43569',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'REQUEST_METHOD': 'PUT',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'SCRIPT_NAME': '',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'SERVER_NAME': '::',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'SERVER_PORT': '5000',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'SERVER_PROTOCOL': 'HTTP/1.1',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'SERVER_SOFTWARE': 'gunicorn/19.0.0',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'gunicorn.socket': <socket._socketobject object at 0x7f4d7e060fa0>,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'werkzeug.request': <Request 'http://[[fdca:3ba5:a17a:acda::5a]/v1/system/config' [PUT]>,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWraper object at 0x7f4d7e05fad0>,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.input': <gunicorn.http.body.Body object at 0x7f4d7e05ff90>,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.multiprocess': True,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.multithread': False,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.run_once': False,
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.url_scheme': 'http',
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b 'wsgi.version': (1, 0)}
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b
2016-03-17 00:05:48.782 22788 ERROR ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b

If I SSH into the appliance and chmod 777 that directory the appliance is able to create the entry as required with the following permissions:

-rw-rw-rw- 1 gunicorn root 1 Mar 17 04:05 ak-loadbalancer-5c8b6fdf-cfd8-49dc-9622-a424d8f81e4b.conf

So it looks like gunicorn is creating the file, and doesn't have access to the directory.

Changed in astara:
importance: Undecided → High
importance: High → Critical
tags: added: mitaka-rc-potential
Changed in astara:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to astara-appliance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/298378

Changed in astara:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to astara-appliance (master)

Reviewed: https://review.openstack.org/298378
Committed: https://git.openstack.org/cgit/openstack/astara-appliance/commit/?id=effbf9e95004e67eec3ea49bc8f6c83b0a9d2fc9
Submitter: Jenkins
Branch: master

commit effbf9e95004e67eec3ea49bc8f6c83b0a9d2fc9
Author: Adam Gandelman <email address hidden>
Date: Mon Mar 28 11:47:48 2016 -0700

    Fix permissions on /etc/nginx/sites-enabled

    With the switch to rootwrap, the API service now runs as the gunicorn
    user but /etc/nginx/sites-enabled is still owned by root. This updates
    the DIB element to ensure it's writable by gunicorn for config rendering.

    Also makes a trivial update to releasenotes to remove the UNRELEASED
    flag from mitaka.

    Change-Id: Ieac128e47a44dd48acd00f68cd8e3a9ca15441ec
    Closes-bug: #1558577

Changed in astara:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to astara-appliance (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/298854

Changed in astara:
assignee: nobody → Adam Gandelman (gandelman-a)
OpenStack Infra (hudson-openstack) wrote : Fix merged to astara-appliance (stable/mitaka)

Reviewed: https://review.openstack.org/298854
Committed: https://git.openstack.org/cgit/openstack/astara-appliance/commit/?id=cd26f8925cdc178096bd298db654e5d66312c4b9
Submitter: Jenkins
Branch: stable/mitaka

commit cd26f8925cdc178096bd298db654e5d66312c4b9
Author: Adam Gandelman <email address hidden>
Date: Mon Mar 28 11:47:48 2016 -0700

    Fix permissions on /etc/nginx/sites-enabled

    With the switch to rootwrap, the API service now runs as the gunicorn
    user but /etc/nginx/sites-enabled is still owned by root. This updates
    the DIB element to ensure it's writable by gunicorn for config rendering.

    Also makes a trivial update to releasenotes to remove the UNRELEASED
    flag from mitaka.

    Change-Id: Ieac128e47a44dd48acd00f68cd8e3a9ca15441ec
    Closes-bug: #1558577
    (cherry picked from commit effbf9e95004e67eec3ea49bc8f6c83b0a9d2fc9)

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/astara-appliance 9.0.0.0b1

This issue was fixed in the openstack/astara-appliance 9.0.0.0b1 development milestone.
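
The chmod 777 workaround in the report and the merged fix differ in who may write to /etc/nginx/sites-enabled. As an added example (not astara-appliance code), this shell check tells the two states apart on a constructed temporary directory standing in for the real path; the function names are hypothetical and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not astara-appliance code. Assumes GNU coreutils `stat -c`.

# check_conf_dir DIR USER: print a verdict; return 0 only when DIR is owned by
# USER, writable by its owner, and not writable by "other".
check_conf_dir() {
    dir=$1; want_owner=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")              # octal digits, e.g. 755 or 777
    other=$(( mode % 10 ))                   # last digit: permissions for other
    user=$(( (mode / 100) % 10 ))            # third-from-last digit: owner
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "WORLD-WRITABLE $dir mode=$mode owner=$owner"; return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "WRONG-OWNER $dir mode=$mode owner=$owner want=$want_owner"; return 1
    fi
    if [ $(( user & 2 )) -eq 0 ]; then
        echo "NOT-WRITABLE $dir mode=$mode owner=$owner"; return 1
    fi
    echo "OK $dir mode=$mode owner=$owner"
}

# world_writable_files DIR: list rendered files any local user could rewrite,
# like the -rw-rw-rw- .conf file shown in the report.
world_writable_files() {
    find "$1" -maxdepth 1 -type f -perm -0002
}

# Demo on a constructed directory standing in for /etc/nginx/sites-enabled.
demo=$(mktemp -d)
me=$(stat -c '%U' "$demo")                   # stand-in for the gunicorn user
touch "$demo/lb.conf"; chmod 666 "$demo/lb.conf"
chmod 777 "$demo"; check_conf_dir "$demo" "$me" || true   # the workaround
world_writable_files "$demo"
chmod 755 "$demo"; chmod 644 "$demo/lb.conf"
check_conf_dir "$demo" "$me" || true                      # owner-only write
rm -rf "$demo"
```

On an appliance the call would be `check_conf_dir /etc/nginx/sites-enabled gunicorn`, using the path and user named in the report.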
