[SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Cloud Archive |
Fix Released
|
High
|
Unassigned | ||
Ocata |
Fix Released
|
High
|
Unassigned | ||
Pike |
Fix Released
|
High
|
Unassigned | ||
Queens |
Fix Released
|
High
|
Unassigned | ||
horizon (Ubuntu) |
Fix Released
|
High
|
Felipe Reyes | ||
Artful |
Fix Released
|
High
|
Felipe Reyes | ||
Bionic |
Fix Released
|
High
|
Felipe Reyes | ||
Cosmic |
Fix Released
|
High
|
Felipe Reyes |
Bug Description
[Impact]
When upgrading from mitaka to pike horizon stops working because Apache can't read the static assets anymore
[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid 140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/
In xenial the home for the horizon user is /usr/share/
# ls -ld /var/lib/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/
# ls -ld /var/lib/
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/
# apt-cache policy openstack-dashboard
openstack-
Installed: 3:12.0.2-0ubuntu1
Candidate: 3:12.0.2-0ubuntu1
Version table:
*** 3:12.0.2-0ubuntu1 500
500 http://
100 /var/lib/
3:
500 http://
So during the upgrade of the package /var/lib/
xenial -> debian/
...
if [ -d /var/lib/
# Generated secret storage for single node use - see local_settings.py
# for more details of SECRET_KEY
chmod 0700 /var/lib/
if [ -f /etc/openstack-
mv /etc/openstack-
fi
chown -R horizon:horizon /var/lib/
fi
....
artful -> debian/
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
adduser --system --home /var/lib/
--no-create-home --shell /bin/false horizon
fi
...
[Test Case]
* deploy openstack
juju deploy ./xenial-
* upgrade openstack-dashboard to ocata, pike or queens
juju deploy openstack-dashboard openstack-
Expected result:
http://`juju-deployer -f openstack-
Actual result:
http://`juju-deployer -f openstack-
[Regression Potential]
* Users who may have customized /var/lib/
[Other Info]
N/A
Changed in horizon (Ubuntu): | |
assignee: | nobody → Felipe Reyes (freyes) |
Changed in horizon (Ubuntu Artful): | |
assignee: | nobody → Felipe Reyes (freyes) |
tags: | added: patch |
description: | updated |
description: | updated |
summary: |
- (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to + [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path |
Changed in cloud-archive: | |
status: | Triaged → Fix Committed |
Changed in cloud-archive: | |
status: | Fix Committed → Fix Released |
I think the fix should be that in debian/ openstack- dashboard. postinst script for newton, ocata, pike and queens, we should enforce 755 for /var/lib/ openstack- dashboard and 700 for /var/lib/ openstack- dashboard/ secret_ key
thoughts?