[Openstack-devel] Bug#726373: Bug#726373: local_settings.py use realpath instead of abspath
Thomas Goirand
zigo at debian.org
Tue Oct 15 05:12:41 UTC 2013
On 10/15/2013 12:09 PM, YunQiang Su wrote:
> Package: horizon
> Version: 2013.2~rc1-1
>
> I installed the 2013.2 version of openstack from sid/experimental, it
> was an amazing experience.
Thanks, I'm very happy to see that some people did test it! :)
> However, I met a problem: horizon tries to lock/create the secret key in
> /usr/share/openstack-dashboard/openstack_dashboard/local/
> No file is allowed to be created there.
Hi,
That is correct, and I have raised the issue upstream. They refused to
make something in /var/lib as Horizon default, stating that it wouldn't
work for devstack gate.
> There are several ways to fix it.
>
> 1. In local_settings.py, there is a line
> LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
> which makes LOCAL_PATH
> /usr/share/openstack-dashboard/openstack_dashboard/local/
> Using realpath here makes LOCAL_PATH
> /etc/openstack-dashboard/
>
> This way, /etc/openstack-dashboard should be writable by the www-data user
Hum... no! /etc shouldn't be a place to write runtime files.
This would be a serious (or RC) bug in Debian. For this, we have
/var/lib, which is where the FHS recommends writing runtime files.
> 2. Use
> SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join('/var/lib/horizon',
> '.secret_key_store'))
> instead of
> SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH,
> '.secret_key_store'))
> and make /var/lib/horizon writable by www-data
Yes, that's what I want to implement, and that's the way to go. How did
you make /var/lib/horizon writable by www-data? Did you add
www-data to the horizon group?
> 3. Don't make /etc/openstack-dashboard or /var/lib/horizon writable by
> www-data; instead start wsgi as horizon:horizon by changing the line in
> openstack-dashboard.conf
> WSGIDaemonProcess horizon user=www-data group=www-data
> to
> WSGIDaemonProcess horizon user=horizon group=horizon
> It doesn't work. After restarting apache2,
>
> root@manager:~# ps aux |grep apache
> root 15355 0.0 0.2 84064 3048 ? Ss 03:59 0:00 /usr/sbin/apache2 -k start
> horizon 15358 0.0 0.3 290992 5816 ? Sl 03:59 0:00 /usr/sbin/apache2 -k start
> www-data 15359 0.1 0.4 375396 6168 ? Sl 03:59 0:00 /usr/sbin/apache2 -k start
> www-data 15360 0.0 0.4 375396 6168 ? Sl 03:59 0:00 /usr/sbin/apache2 -k start
> root 15458 0.0 0.0 10352 912 pts/0 S+ 03:59 0:00 grep apache
>
> Only one apache process is running as horizon.
I don't think that's the way to go either, unfortunately. Though if you
have a setup where it would, that'd be best, so we have privilege
separation.
Cheers,
Thomas Goirand (zigo)
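An added illustration (not code from Horizon or the Debian package) of the two points discussed in this thread: how abspath and realpath differ when local_settings.py is a symlink into /etc, and a key store kept in a dedicated state directory with mode 0600. The temp-dir layout, the symlink, and `generate_or_read_key` are assumptions standing in for the real paths and for Horizon's `secret_key.generate_or_read_from_file`.

```python
import os
import secrets
import stat
import tempfile

def local_paths(settings_file):
    return (os.path.dirname(os.path.abspath(settings_file)),   # keeps the symlink's location
            os.path.dirname(os.path.realpath(settings_file)))  # follows it to the target

def generate_or_read_key(key_file):
    """Hypothetical stand-in for secret_key.generate_or_read_from_file."""
    if not os.path.lexists(key_file):
        # mkstemp creates the file with mode 0600 before any key is written.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(key_file))
        with os.fdopen(fd, "w") as f:
            f.write(secrets.token_urlsafe(48))
        try:
            os.link(tmp, key_file)  # atomic publish; fails if another worker won
        except FileExistsError:
            pass
        finally:
            os.unlink(tmp)
    st = os.lstat(key_file)
    if not stat.S_ISREG(st.st_mode) or st.st_mode & 0o077:
        raise PermissionError(f"{key_file}: must be a regular file with mode 0600")
    with open(key_file) as f:
        return f.read()

def demo():
    # Constructed layout under a temp dir standing in for /usr/share, /etc, /var/lib.
    root = os.path.realpath(tempfile.mkdtemp())
    share = os.path.join(root, "usr/share/openstack-dashboard/openstack_dashboard/local")
    etc = os.path.join(root, "etc/openstack-dashboard")
    state = os.path.join(root, "var/lib/horizon")
    for d in (share, etc, state):
        os.makedirs(d, mode=0o750)
    target = os.path.join(etc, "local_settings.py")
    open(target, "w").close()
    link = os.path.join(share, "local_settings.py")
    os.symlink(target, link)  # assumed packaging layout: settings symlinked to /etc
    abs_dir, real_dir = local_paths(link)
    key_file = os.path.join(state, ".secret_key_store")
    first = generate_or_read_key(key_file)
    second = generate_or_read_key(key_file)  # second start reads, does not regenerate
    mode = stat.S_IMODE(os.stat(key_file).st_mode)
    return abs_dir == share, real_dir == etc, first == second, mode

if __name__ == "__main__":
    print(demo())
```

With realpath the key would land next to the configuration in the /etc stand-in; with an explicit state directory it stays out of both /usr/share and /etc, and only that one directory needs to be writable by the web server account.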