cluster-relation-changed runs as 'www-sync' user causing permissions issues with rendering configs

Bug #1835136 reported by Haw Loeung on 2019-07-03
This bug affects 2 people
Affects: Ubuntu Repository Cache Charm
Importance: Undecided
Assigned to: Haw Loeung

Bug Description

Hi,

| root 1728 0.0 1.0 558812 72204 ? Sl Jul02 0:00 \_ /var/lib/juju/tools/unit-ubuntu-repository-cache-6/jujud unit --data-dir /var/lib/juju --unit-name ubuntu-repository-cache/6 --debug
| www-sync 16493 0.0 0.2 72592 16144 ? S Jul02 0:00 \_ /usr/bin/python3 /var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/hooks/cluster-relation-changed
| www-sync 17210 0.0 0.0 8644 796 ? S Jul02 0:00 \_ timeout rsync ...

As far as I can see in the charm, only ubuntu_repository_cache_sync() should be running as www-sync per below:

| @HOOKS.hook('ubuntu_repository_cache_sync')
| @util.run_as_user('www-sync')
| def ubuntu_repository_cache_sync():
| ...

But this does not appear to be the case, likely to do with the implementation of util.run_as_user() or its usage. Anyways, the cluster-relation-changed hook can fail per below:

| 2019-07-02 23:38:26 INFO juju-log cluster:1: Rendering configuration templates
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Rendering apache2 configuration templates
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/apache2/sites-available/archive_ubuntu_com.conf root:root 444
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/apache2/conf-available/000mpm-worker.conf root:root 444
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed Conf 000mpm-worker already enabled
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/apache2/conf-available/security.conf root:root 444
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed Conf security already enabled
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Rendering squid configuration templates
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/squid-deb-proxy/squid-deb-proxy.conf root:root 444
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/squid-deb-proxy/allowed-networks-src.acl root:root 444
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/squid-deb-proxy/mirror-dstdomain.acl.d/99-ubuntu-repository-cache root:root 444
| 2019-07-02 23:38:26 INFO juju-log cluster:1: Writing file /etc/logrotate.d/apache2 root:root 444
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed Traceback (most recent call last):
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/hooks/cluster-relation-changed", line 265, in <module>
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed HOOKS.execute(sys.argv)
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/lib/charmhelpers/core/hookenv.py", line 715, in execute
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed self._hooks[hook_name]()
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/hooks/cluster-relation-changed", line 197, in cluster_relation_changed
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed service.render_configs()
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/lib/ubuntu_repository_cache/service.py", line 224, in wrapped_f
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed function(*args)
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/lib/ubuntu_repository_cache/service.py", line 256, in render_configs
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed logrotate_filename, logrotate_context)
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/lib/charmhelpers/core/templating.py", line 83, in render
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed host.write_file(target, content.encode(encoding), owner, group, perms)
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed File "/var/lib/juju/agents/unit-ubuntu-repository-cache-6/charm/lib/charmhelpers/core/host.py", line 360, in write_file
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed with open(path, 'wb') as target:
| 2019-07-02 23:38:26 DEBUG cluster-relation-changed PermissionError: [Errno 13] Permission denied: '/etc/logrotate.d/apache2'
| 2019-07-02 23:38:26 ERROR juju.worker.uniter.operation runhook.go:132 hook "cluster-relation-changed" failed: exit status 1
| 2019-07-02 23:38:26 INFO juju.worker.uniter resolver.go:124 awaiting error resolution for "relation-changed" hook
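
The report does not show how util.run_as_user() is implemented. As an added example (not the charm's code), the sketch below shows one way a decorator of this kind can keep the identity change from reaching later root-only steps such as render_configs(): it forks, switches user only in the child, and leaves the hook process untouched. The names run_as_user_isolated and probe_identity are hypothetical.

```python
import functools
import os
import pwd
import traceback


def run_as_user_isolated(username):
    """Hypothetical decorator: run func as `username` in a forked child only."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            pw = pwd.getpwnam(username)
            pid = os.fork()
            if pid == 0:
                # Child: drop privileges here so the hook process stays as it was.
                status = 1
                try:
                    if os.geteuid() == 0:
                        # Only root can (and needs to) reset supplementary groups.
                        os.initgroups(pw.pw_name, pw.pw_gid)
                    os.setgid(pw.pw_gid)  # group before user, while still allowed
                    os.setuid(pw.pw_uid)
                    func(*args, **kwargs)
                    status = 0
                except BaseException:
                    traceback.print_exc()
                finally:
                    os._exit(status)  # never fall back into the hook dispatcher
            # Parent: identity untouched; just collect the child's result.
            _, wait_status = os.waitpid(pid, 0)
            if not os.WIFEXITED(wait_status) or os.WEXITSTATUS(wait_status) != 0:
                raise RuntimeError(f"{func.__name__} as {username} failed")
        return wrapper
    return decorator


def probe_identity(username, path):
    """Constructed demo: child records its pid/uid; returns the caller's ids."""
    @run_as_user_isolated(username)
    def probe():
        with open(path, "w") as fh:
            fh.write(f"{os.getpid()} {os.getuid()}")
    probe()
    return os.getpid(), os.getuid()
```

Because the wrapped function runs in a separate process, its return value is not passed back; only success or failure reaches the caller.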


Haw Loeung (hloeung) on 2020-06-02
Changed in ubuntu-repository-cache:
status: New → In Progress
assignee: nobody → Haw Loeung (hloeung)
status: In Progress → Fix Released