Apache2 needs access to /var/lib/openstack-dashboard/

Bug #1871640 reported by Albert Damen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
horizon (Ubuntu) | Fix Released | High | James Page |

Bug Description

After a fresh install of an OpenStack cluster in focal, dated 8 April, horizon does not show details on images and network topology and does not allow launching a new instance.

From the CLI, using openstack-client, everything works fine.

Apache error log shows many errors, like:
[Wed Apr 08 12:52:48.448760 2020] [core:error] [pid 28261:tid 140243827123968] (13)Permission denied: [client 10.64.255.1:52426] AH00035: access to /horizon/static/dashboard/js/acfe932256c2.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.172/horizon/project/network_topology/

[Wed Apr 08 12:53:00.234704 2020] [core:error] [pid 28261:tid 140243801945856] (13)Permission denied: [client 10.64.255.1:52434] AH00035: access to /horizon/static/dashboard/js/acfe932256c2.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.172/horizon/admin/floating_ips/

[Wed Apr 08 12:53:32.028277 2020] [core:error] [pid 28260:tid 140244018087680] (13)Permission denied: [client 10.64.255.1:52494] AH00035: access to /horizon/static/dashboard/js/acfe932256c2.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.172/horizon/project/images/

/var/lib/openstack-dashboard/ does not have execute rights for others:

~# ls -la /var/lib/openstack-dashboard/
total 24
drwxr-x--- 5 horizon horizon 4096 Apr 8 12:07 .
drwxr-xr-x 35 root root 4096 Apr 8 12:05 ..
drwxr-xr-x 3 horizon horizon 4096 Apr 8 12:07 .novaclient
drwxr-xr-x 2 horizon horizon 4096 Mar 27 13:29 secret-key
-rw------- 1 horizon horizon 64 Apr 8 12:05 secret_key
drwxr-xr-x 10 horizon horizon 4096 Apr 8 12:05 static
-rw-r--r-- 1 horizon horizon 0 Apr 8 12:05 _var_lib_openstack-dashboard_secret_key.lock

chmod 751 /var/lib/openstack-dashboard/ and restarting apache2 solves this issue.

openstack-dashboard:
  Installed: 3:18.2.1~git2020032709.2c4470272-0ubuntu1

Albert Damen (albrt) wrote :

openstack-dashboard:
  Installed: 3:18.2.1~git2020041013.754804667-0ubuntu1

Situation got worse now.
Package does: find /var/lib/openstack-dashboard -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

which makes all directories under /var/lib/openstack-dashboard/static unreachable for apache and gives "Insecure permissions on key file /var/lib/openstack-dashboard/secret_key, should be 0600".

(static files are served by apache directly, due to:
Alias /horizon/static /var/lib/openstack-dashboard/static/
in /etc/apache2/conf-available/openstack-dashboard.conf)

James Page (james-page)
Changed in horizon (Ubuntu):
importance: Undecided → High
status: New → In Progress
assignee: nobody → James Page (james-page)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horizon - 3:18.2.1~git2020041013.754804667-0ubuntu2

---------------
horizon (3:18.2.1~git2020041013.754804667-0ubuntu2) focal; urgency=medium

  * d/openstack-dashboard.postinst: Ensure static assets can be read by
    the apache user including the full path to the static directory
    (LP: #1871640).

 -- James Page <email address hidden> Fri, 17 Apr 2020 12:14:33 +0100

Changed in horizon (Ubuntu):
status: In Progress → Fix Released
Albert Damen (albrt) wrote :

openstack-dashboard:
  Installed: 3:18.2.1~git2020041013.754804667-0ubuntu2

sudo ls -la /var/lib/openstack-dashboard/
total 20
drwxr-x--- 4 horizon horizon 4096 Apr 20 09:37 .
drwxr-xr-x 23 root root 4096 Apr 20 09:36 ..
drwxr-x--- 2 horizon horizon 4096 Apr 17 11:14 secret-key
-rw------- 1 horizon horizon 64 Apr 20 09:37 secret_key
drwxr-xr-x 10 horizon horizon 4096 Apr 20 09:37 static
-rw-r----- 1 horizon horizon 0 Apr 20 09:37 _var_lib_openstack-dashboard_secret_key.lock

apache error log contains many errors like:
[Mon Apr 20 09:40:42.117326 2020] [core:error] [pid 11212:tid 140550892140288] (13)Permission denied: [client 10.64.255.1:43256] AH00035: access to /horizon/static/dashboard/js/acfe932256c2.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.182/horizon/auth/login/
[Mon Apr 20 09:40:43.558078 2020] [core:error] [pid 11213:tid 140550850176768] (13)Permission denied: [client 10.64.255.1:43252] AH00035: access to /horizon/static/dashboard/js/05a9ee382ec9.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.182/horizon/auth/login/
[Mon Apr 20 09:40:43.567465 2020] [core:error] [pid 11213:tid 140550841784064] (13)Permission denied: [client 10.64.255.1:43252] AH00035: access to /horizon/static/dashboard/js/acfe932256c2.js denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path, referer: http://10.64.255.182/horizon/auth/login/

openstack-dashboard.postinst contains:
  find /var/lib/openstack-dashboard -exec chown horizon:horizon "{}" +
  find /var/lib/openstack-dashboard -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  find /var/lib/openstack-dashboard/static -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +

  chmod 0750 /var/lib/openstack-dashboard

but /var/lib/openstack-dashboard must be at least 751

Changed in horizon (Ubuntu):
status: Fix Released → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horizon - 3:18.2.1~git2020041013.754804667-0ubuntu3

---------------
horizon (3:18.2.1~git2020041013.754804667-0ubuntu3) focal; urgency=medium

  * d/openstack-dashboard.postinst: Ensure static assets can be read by
    the apache user including the full path to the static directory. This
    changes the mode bits of /var/lib/openstack-dashboard to 755.
    (LP: #1871640).

 -- Corey Bryant <email address hidden> Mon, 20 Apr 2020 13:47:07 -0400

Changed in horizon (Ubuntu):
status: New → Fix Released
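
The failure traced in this report, replayed as an added example (not part of the bug report or the package): the script rebuilds the directory tree in a scratch directory, applies the mode changes quoted from openstack-dashboard.postinst, and reports the first path component without the search bit for "other". The function names, the sample asset and the scratch layout are constructed; it assumes GNU stat and that the Apache worker is neither owner nor group member of these directories.

```sh
#!/bin/sh
# Added example, not the package's code. Only the "other" execute (search)
# bit is inspected, on the assumption that Apache is not horizon:horizon.

# Walk BASE/REL one component at a time; print "<dir> <mode>" for the
# first directory without o+x and return 1, otherwise return 0.
first_blocked_component() {
    fbc_cur=${1%/} fbc_rest=$2
    while [ -n "$fbc_rest" ]; do
        fbc_part=${fbc_rest%%/*}
        case "$fbc_rest" in */*) fbc_rest=${fbc_rest#*/} ;; *) fbc_rest= ;; esac
        [ -n "$fbc_part" ] || continue
        fbc_cur="$fbc_cur/$fbc_part"
        [ -d "$fbc_cur" ] || break
        fbc_mode=$(stat -c '%a' "$fbc_cur")
        case "$fbc_mode" in
            *[1357]) ;;                      # odd last octal digit: o+x set
            *) echo "$fbc_cur $fbc_mode"; return 1 ;;
        esac
    done
    return 0
}

# Rebuild the tree, apply the postinst mode changes (chown omitted, it
# needs root), set the top directory to mode $1, then check the path.
replay_postinst() {
    rp_scratch=$(mktemp -d)
    rp_top="$rp_scratch/var/lib/openstack-dashboard"
    mkdir -p "$rp_top/static/dashboard/js" "$rp_top/secret-key"
    # /var/lib is 755 in the ls output; /var is assumed to be the same.
    chmod 0755 "$rp_scratch/var" "$rp_scratch/var/lib"
    : > "$rp_top/static/dashboard/js/example.js"   # constructed sample asset
    find "$rp_top" -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
    find "$rp_top/static" -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
    chmod "$1" "$rp_top"
    rp_hit=$(first_blocked_component "$rp_scratch" \
        var/lib/openstack-dashboard/static/dashboard/js) && rp_rc=0 || rp_rc=$?
    rm -rf "$rp_scratch"
    if [ "$rp_rc" -eq 0 ]; then
        echo reachable
    else
        echo "blocked: ${rp_hit#"$rp_scratch"}"
    fi
    return "$rp_rc"
}

replay_postinst 0750 || true    # top-level mode left by the ubuntu2 postinst
replay_postinst 0755 || true    # top-level mode stated in the ubuntu3 changelog
```

On a live host the same walk is `first_blocked_component / var/lib/openstack-dashboard/static/dashboard/js`.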