Incorrect permissions on django_fcgi.sock
Posted: Mon Jun 30, 2014 1:03 am
I'm trying to configure Omero.Web with Nginx as the front end, and fastcgi. I've put the "--system" stanza generated by the omero configurator into /etc/nginx/sites.enabled. Nginx is starting up OK.
When I sent a request to the Nginx server, I got a 502 bad gateway response from nginx. The nginx error.log file said:
2014/06/29 23:35:16 [crit] 957#0: *1 connect() to unix:/opt/omero/OMERO.server-5.0.1-ice35-b21/var/django_fcgi.sock failed (13: Permission denied) while connecting to upstream, client: nnn.nnn.nnn.nnn, server: vm-nnn-nnn-nnn-nnn, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/opt/omero/OMERO.server-5.0.1-ice35-b21/var/django_fcgi.sock:", host: "nnn.nnn.nnn.nnn"
(IP address obscured ...)
And indeed, the permissions of the unix domain socket were:
$ ls -l /opt/omero/OMERO.server/var/django_fcgi.sock
srwxr-xr-x 1 omero omero 0 Jun 29 23:34 /opt/omero/OMERO.server/var/django_fcgi.sock
That is: read-only for the www-data account under which the nginx worker runs. So I manually changed the permissions on the socket to "srwxrwxrwx" (after starting the omero-web service) ... and the HTTP requests started going through.
So far, so good. But I need a permanent fix that would work well with scripted installation.
- My research suggests that the domain socket has to be created on the fly by the server; i.e. django. I can't just precreate it with appropriate permissions.
- I could (try to) get nginx to run its worker thread with user 'omero' ... but that seems like a bad idea from a security perspective.
- It seems like I should try to get django to create the socket with permissions "srwxrwxrwx" for itself. And it looks like django's "manage.py runfcgi" subcommand allows me to add a "umask" option which could do that. But ... it looks like "bin/omero web start" doesn't allow me to pass a "umask".
So for now, I have to choose between hacking "lib/python/omero/plugins/web.py" to inject a "umask" option into the "manage.py" command, or ... tweaking my "/etc/init.d/omero-web" script to "chmod" the domain socket. (I'm dismissing the code change approach for now because that is really awkward for chef-based installation.)
Am I missing a better solution?
(I'm using Omero 5.0.1. Nginx 1.4.6 is being installed by the Chef "nginx" cookbook, recipe "nginx::default". The OS is Ubuntu 14.04.)
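Added example (not part of the original post, and not OMERO or Django code): a Python sketch of the mechanism discussed above, showing that on Linux the mode of a Unix domain socket is fixed at bind() time as 0777 & ~umask, and that connect() needs write permission on the socket node. The uid/gid numbers are constructed, and the 0007 row assumes www-data has been added to the omero group, which the post does not describe.

```python
import os
import socket
import stat
import tempfile

def socket_mode_under_umask(umask):
    """Bind a Unix domain socket under `umask`; return its permission bits."""
    tmpdir = tempfile.mkdtemp(prefix="sockdemo-")  # constructed scratch dir
    path = os.path.join(tmpdir, "django_fcgi.sock")
    old = os.umask(umask)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)  # Linux creates the node with mode 0777 & ~umask
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # umask is process-wide, so always restore it
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)

def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Model the check behind 'connect() ... (13: Permission denied)'."""
    if uid == 0:
        return True  # root bypasses file permission checks
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed ids: omero = 1001:1001, www-data = 33, unrelated user = 1002.
OMERO, WWW, OTHER = 1001, 33, 1002

def report():
    rows = []
    for umask, www_groups in ((0o022, {33}), (0o000, {33}), (0o007, {33, OMERO})):
        mode = socket_mode_under_umask(umask)
        rows.append((umask, mode,
                     can_connect(mode, OMERO, OMERO, WWW, www_groups),
                     can_connect(mode, OMERO, OMERO, OTHER, {OTHER})))
    return rows

if __name__ == "__main__":
    print("umask  mode  www-data  other-local-user")
    for umask, mode, www_ok, other_ok in report():
        print(f"{umask:04o}   {mode:04o}  {www_ok!s:<8}  {other_ok}")
```

The 0022 row reproduces the srwxr-xr-x socket and the permission failure from the post, the 0000 row corresponds to srwxrwxrwx and lets every local account connect, and the 0007 row restricts access to the owner and group members.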