[Openstack-devel] Bug#726373: Bug#726373: local_settings.py use realpath instead of abspath

YunQiang Su wzssyqa at gmail.com
Tue Oct 15 06:23:47 UTC 2013


On Tue, Oct 15, 2013 at 1:12 PM, Thomas Goirand <zigo at debian.org> wrote:
> On 10/15/2013 12:09 PM, YunQiang Su wrote:
>> Package: horizon
>> Version: 2013.2~rc1-1
>>
>> I installed the 2013.2 version of openstack from sid/experimental, it
>> was an amazing experience.
>
> Thanks, I'm very happy to see that some people did test it! :)
>
>> However, I met a problem: horizon tries to lock and create the secret key in
>>    /usr/share/openstack-dashboard/openstack_dashboard/local/
>> No files are allowed to be created there.
>
> Hi,
>
> That is correct, and I have raised the issue upstream. They refused to
> make something in /var/lib as Horizon default, stating that it wouldn't
> work for devstack gate.
>
>> There are several ways to fix it.
>>
>> 1.  In local_settings.py, there is a line
>> LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
>> which will make LOCAL_PATH be
>>     /usr/share/openstack-dashboard/openstack_dashboard/local/
>> Using realpath here will make LOCAL_PATH be
>>     /etc/openstack-dashboard/
>>
>> This way, /etc/openstack-dashboard should be writable by the www-data user
>
> Hum... no! /etc shouldn't be a place to write runtime files.
> This would be a serious (or RC) bug in Debian. For this, we have
> /var/lib, which is where the FHS recommends writing runtime files.
>
>> 2. Use
>>   SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join('/var/lib/horizon', '.secret_key_store'))
>>    instead of
>>   SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH, '.secret_key_store'))
>>    and make /var/lib/horizon writable by www-data
>
> Yes, that's what I want to implement, and that's the way to go. How did
> you make /var/lib/horizon writable by www-data? Did you add the
> www-data to the horizon group?
Yes, I added www-data to the horizon group and chmod /var/lib/horizon as +s.
It works now.
>
>> 3. Don't make /etc/openstack-dashboard or /var/lib/horizon writable by
>> www-data; instead start
>>     wsgi as horizon:horizon, by changing the
>>     line in openstack-dashboard.conf
>>            WSGIDaemonProcess horizon user=www-data group=www-data
>>     to
>>            WSGIDaemonProcess horizon user=horizon group=horizon
>>     It doesn't work. After restarting apache2,
>>
>> root@manager:~# ps aux |grep apache
>> root     15355  0.0  0.2  84064  3048 ?        Ss   03:59   0:00 /usr/sbin/apache2 -k start
>> horizon  15358  0.0  0.3 290992  5816 ?        Sl   03:59   0:00 /usr/sbin/apache2 -k start
>> www-data 15359  0.1  0.4 375396  6168 ?        Sl   03:59   0:00 /usr/sbin/apache2 -k start
>> www-data 15360  0.0  0.4 375396  6168 ?        Sl   03:59   0:00 /usr/sbin/apache2 -k start
>> root     15458  0.0  0.0  10352   912 pts/0    S+   03:59   0:00 grep apache
>>
>> Only one apache process is running as horizon.
>
> I don't think that's the way to go either, unfortunately. Though if you
> have a setup where it would, that'd be best, so we have privilege
> separation.
It does start an apache with horizon:horizon, while the secret file is still
written by www-data:www-data; there must be something wrong.
>
> Cheers,
>
> Thomas Goirand (zigo)



-- 
YunQiang Su
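
Added example, not part of the original thread or Horizon's code: it reproduces the `abspath` versus `realpath` difference from option 1 and the key store under a state directory from option 2, using a throwaway directory tree. It assumes `local_settings.py` under `/usr/share` is a symlink to the copy in `/etc` (as the two paths in the message imply); `generate_or_read_key` is a hypothetical stand-in for `secret_key.generate_or_read_from_file`.

```python
import os
import secrets
import tempfile

def settings_dirs(share_dir, etc_dir):
    """Real file lives in etc_dir; share_dir only holds a symlink to it (assumed layout)."""
    real = os.path.join(etc_dir, "local_settings.py")
    link = os.path.join(share_dir, "local_settings.py")
    open(real, "w").close()
    os.symlink(real, link)
    # abspath only normalises the string; realpath follows the symlink.
    return (os.path.dirname(os.path.abspath(link)),
            os.path.dirname(os.path.realpath(link)))

def generate_or_read_key(path):
    """Hypothetical helper: create the key file once, owner-only, else read it back."""
    try:
        # O_EXCL makes creation atomic, so two workers cannot both write a key.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        if os.stat(path).st_mode & 0o077:
            raise PermissionError(f"{path} is readable by group or others")
        with open(path) as f:
            return f.read().strip()
    key = secrets.token_urlsafe(64)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return key

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # constructed stand-in for "/"
        share = os.path.join(root, "usr/share/openstack-dashboard/openstack_dashboard/local")
        etc = os.path.join(root, "etc/openstack-dashboard")
        state = os.path.join(root, "var/lib/horizon")
        for d in (share, etc, state):
            os.makedirs(d)
        abs_dir, real_dir = settings_dirs(share, etc)
        store = os.path.join(state, ".secret_key_store")
        first, second = generate_or_read_key(store), generate_or_read_key(store)
        return {"abspath_dir": os.path.relpath(abs_dir, root),
                "realpath_dir": os.path.relpath(real_dir, root),
                "same_key": first == second,
                "mode": os.stat(store).st_mode & 0o777}

if __name__ == "__main__":
    print(demo())
```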


