Upgrade from Pike to Queens results in permission errors.

Bug #1780490 reported by Charles Dunbar
This bug affects 2 people
Affects           Status        Importance  Assigned to  Milestone
Gnocchi Charm     Fix Released  Medium      James Page
charms.openstack  Fix Released  Medium      James Page

Bug Description

When upgrading an environment from Pike to Queens, gnocchi.conf is left as root:root 640, which results in apache2 being unable to read it, causing errors to appear in its log:

[Fri Jul 06 21:54:34.675791 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] mod_wsgi (pid=867238): Target WSGI script '/usr/bin/gnocchi-api' cannot be loaded as Python module.
[Fri Jul 06 21:54:34.675842 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] mod_wsgi (pid=867238): Exception occurred processing WSGI script '/usr/bin/gnocchi-api'.
[Fri Jul 06 21:54:34.675985 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] Traceback (most recent call last):
[Fri Jul 06 21:54:34.676026 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] File "/usr/bin/gnocchi-api", line 22, in <module>
[Fri Jul 06 21:54:34.676032 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] application = app.load_app(api.prepare_service())
[Fri Jul 06 21:54:34.676041 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] File "/usr/lib/python3/dist-packages/gnocchi/cli/api.py", line 40, in prepare_service
[Fri Jul 06 21:54:34.676045 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] conf = service.prepare_service(conf=conf)
[Fri Jul 06 21:54:34.676053 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] File "/usr/lib/python3/dist-packages/gnocchi/service.py", line 54, in prepare_service
[Fri Jul 06 21:54:34.676057 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] version=version)
[Fri Jul 06 21:54:34.676065 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] File "/usr/lib/python3/dist-packages/oslo_config/cfg.py", line 2503, in __call__
[Fri Jul 06 21:54:34.676069 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] self._namespace._files_permission_denied)
[Fri Jul 06 21:54:34.676088 2018] [wsgi:error] [pid 867238:tid 140089931683584] [remote 127.0.0.1:43838] oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/gnocchi/gnocchi.conf

The file continues to revert back to root:root if I manually chown it, but I'm not seeing any juju logs to indicate that it's dealing with that file.

-rw-r----- 1 root root 1217 May 17 00:31 /etc/gnocchi/gnocchi.conf

tags: added: canonical-bootstack
James Troup (elmo)
tags: added: upgrade
James Page (james-page)
Changed in charm-gnocchi:
assignee: nobody → James Page (james-page)
James Page (james-page) wrote :

# ls -lrt
total 20
-rw-r----- 1 gnocchi gnocchi 1600 Apr 25 15:24 policy.json.dpkg-dist
-rw-r----- 1 gnocchi gnocchi 1146 Apr 25 15:24 api-paste.ini
-rw-r----- 1 gnocchi gnocchi 1547 Jul 13 11:23 policy.json
-rw-r----- 1 gnocchi gnocchi 1134 Jul 13 11:23 api-paste.ini.old
-r--r--r-- 1 root root 1223 Jul 13 11:47 gnocchi.conf

Changed in charm-gnocchi:
status: New → Confirmed
importance: Undecided → High
James Page (james-page) wrote :

The render helper in charm-helpers sets the permissions and ownership every time the file is rendered:

def render(source, target, context, owner='root', group='root',
           perms=0o444, templates_dir=None, encoding='UTF-8',
           template_loader=None, config_template=None):

That said, you should be getting what I commented in bug comment #1, not -rw-r-----.

Changed in charm-gnocchi:
importance: High → Medium
James Page (james-page)
Changed in charm-gnocchi:
status: Confirmed → Incomplete
James Page (james-page) wrote :
Changed in charms.openstack:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
James Page (james-page) wrote :

I'm proposing switching the render behaviour to:

  0640 (permissions)
  root/<charmsubclass.group> (ownership)

This avoids the global read permission, and allows the rendered files
to be read by processes in the appropriate service group.

James Page (james-page) wrote :

Actually, I do see the reason why the perms end up as 0640: that's what the package sets as permissions. The charm then re-calls rendering, but as the content of the file does not change, the permissions are never reset to 0444; however, the uid/gid is changed to root/root, resulting in this break.
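An added example (not charm-helpers or charms.openstack code) that models the root cause above and the proposed 0640 root/<group> rendering. It applies POSIX read semantics to constructed uids/gids (ROOT, GNOCCHI and a WSGI worker uid are assumed values, not the real system's) and shows both outcomes the thread mentions: the 0444 global-read file and the unreadable root:root 0640 file.

```python
import stat
from collections import namedtuple

# Constructed uids/gids for the illustration (not the real system values).
ROOT, GNOCCHI, WSGI_USER = 0, 1001, 33
FileState = namedtuple("FileState", "mode uid gid content")

def can_read(f, proc_uid, proc_gids):
    """POSIX read check: root always; owner bits if the uid matches;
    else group bits if any of the process's groups match; else other bits."""
    if proc_uid == 0:
        return True
    if proc_uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in proc_gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def render_old(f, content, owner=ROOT, group=ROOT, perms=0o444):
    """Behaviour described in the bug: ownership is reset on every render,
    but the mode is only applied when the content actually changes, so a
    package-installed 0640 file stays 0640 and becomes root:root."""
    if content != f.content:
        return FileState(perms, owner, group, content)
    return f._replace(uid=owner, gid=group)

def render_proposed(f, content, owner=ROOT, group=GNOCCHI, perms=0o640):
    """Proposed behaviour: owner root, group = service group, mode 0640,
    with mode and ownership applied together regardless of content."""
    return FileState(perms, owner, group, content)

def upgrade_scenario():
    """Package lays down gnocchi.conf as gnocchi:gnocchi 0640 (as in the
    reporter's ls output); the charm then re-renders identical content."""
    pkg = FileState(0o640, GNOCCHI, GNOCCHI, "[DEFAULT]\n")
    broken = render_old(pkg, pkg.content)               # root:root 0640
    fresh = render_old(pkg, "[DEFAULT]\nchanged = 1\n")  # root:root 0444
    fixed = render_proposed(pkg, pkg.content)            # root:gnocchi 0640
    # WSGI worker running with the gnocchi group added (constructed uid).
    wsgi = (WSGI_USER, {WSGI_USER, GNOCCHI})
    return {
        "old_mode": broken.mode,
        "old_owner": (broken.uid, broken.gid),
        "old_readable": can_read(broken, *wsgi),
        "fresh_world_readable": bool(fresh.mode & stat.S_IROTH),
        "proposed_readable": can_read(fixed, *wsgi),
        "proposed_world_readable": bool(fixed.mode & stat.S_IROTH),
    }
```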

James Page (james-page) wrote :

Either way, my proposed fix is valid: it brings the charm in line with security best practice as well.

OpenStack Infra (hudson-openstack) wrote : Fix merged to charms.openstack (master)

Reviewed: https://review.openstack.org/582755
Committed: https://git.openstack.org/cgit/openstack/charms.openstack/commit/?id=51d00c45e2e3b1f25513ce4f90f35007bac15fc9
Submitter: Zuul
Branch: master

commit 51d00c45e2e3b1f25513ce4f90f35007bac15fc9
Author: James Page <email address hidden>
Date: Sun Jul 15 11:41:48 2018 +0100

    Ensure config files rendered with sane permissions

    All configuration files are being rendered with root.root ownership
    with mask 0444 (including global read!). Render configuration files
    as owner root, with a group read permission appropriate to the
    consuming charm. This can be configured by setting the group
    attribute of the Charm subclass, but will default to 'root' if
    not supplied (preserving the previous behaviour).

    Change-Id: Ib1e2d3801b171e5c7ea79d058fb36dfc532d5d20
    Closes-Bug: 1780490

Changed in charms.openstack:
status: In Progress → Fix Released
James Page (james-page)
Changed in charm-gnocchi:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-gnocchi (master)

Fix proposed to branch: master
Review: https://review.openstack.org/583345

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-gnocchi (master)

Reviewed: https://review.openstack.org/583345
Committed: https://git.openstack.org/cgit/openstack/charm-gnocchi/commit/?id=bc1745115b6a9c7837075a4353d60a1e5a1e2ca9
Submitter: Zuul
Branch: master

commit bc1745115b6a9c7837075a4353d60a1e5a1e2ca9
Author: James Page <email address hidden>
Date: Tue Jul 17 15:28:40 2018 -0400

    Update WSGI process group

    Ensure WSGI processes run under the 'gnocchi' group to
    support restriction in permissions to /etc/gnocchi/* to
    root or members of the gnocchi group.

    This change also picks up changes in charms.openstack
    to support this functionality, as well as fixing
    misc issues with upgrades.

    Change-Id: I14d865cd96b7c250ad92c8bdee74693a6eccc769
    Closes-Bug: 1780490
    Closes-Bug: 1779062
    Related-Bug: 1781468

Changed in charm-gnocchi:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-gnocchi (stable/18.05)

Fix proposed to branch: stable/18.05
Review: https://review.openstack.org/583544

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-gnocchi (stable/18.05)

Reviewed: https://review.openstack.org/583544
Committed: https://git.openstack.org/cgit/openstack/charm-gnocchi/commit/?id=83fd1606e1561c45623b981eaf37f434a9524296
Submitter: Zuul
Branch: stable/18.05

commit 83fd1606e1561c45623b981eaf37f434a9524296
Author: James Page <email address hidden>
Date: Tue Jul 17 15:28:40 2018 -0400

    Update WSGI process group

    Ensure WSGI processes run under the 'gnocchi' group to
    support restriction in permissions to /etc/gnocchi/* to
    root or members of the gnocchi group.

    This change also picks up changes in charms.openstack
    to support this functionality, as well as fixing
    misc issues with upgrades.

    Change-Id: I14d865cd96b7c250ad92c8bdee74693a6eccc769
    Closes-Bug: 1780490
    Closes-Bug: 1779062
    Related-Bug: 1781468
    (cherry picked from commit bc1745115b6a9c7837075a4353d60a1e5a1e2ca9)

David Ames (thedac)
Changed in charm-gnocchi:
milestone: none → 18.08
James Page (james-page)
Changed in charm-gnocchi:
status: Fix Committed → Fix Released