** Description changed: + [Impact] + When upgrading from mitaka to pike horizon stops working because Apache can't read the static assets anymore [Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid 140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path In xenial the home for the horizon user is /usr/share/openstack- dashboard, and /var/lib/openstack-dashboard permissions are changed to 700 to secure the secret_key, while in artful/pike only the secret_key file is set to 700 # ls -ld /var/lib/openstack-dashboard/ drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/ - # ls -ld /var/lib/openstack-dashboard/secret_key + # ls -ld /var/lib/openstack-dashboard/secret_key -rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key # apt-cache policy openstack-dashboard openstack-dashboard: - Installed: 3:12.0.2-0ubuntu1 - Candidate: 3:12.0.2-0ubuntu1 - Version table: - *** 3:12.0.2-0ubuntu1 500 - 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages - 100 /var/lib/dpkg/status - 3:12.0.0-0ubuntu2.1 500 - 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages + Installed: 3:12.0.2-0ubuntu1 + Candidate: 3:12.0.2-0ubuntu1 + Version table: + *** 3:12.0.2-0ubuntu1 500 + 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages + 100 /var/lib/dpkg/status + 3:12.0.0-0ubuntu2.1 500 + 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages So during the upgrade of the package /var/lib/openstack-dashboard is left to 700 xenial -> debian/openstack-dashboard.postinst ... if [ -d /var/lib/openstack-dashboard ] ; then # Generated secret storage for single node use - see local_settings.py # for more details of SECRET_KEY chmod 0700 /var/lib/openstack-dashboard if [ -f /etc/openstack-dashboard/secret_key ]; then mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard fi chown -R horizon:horizon /var/lib/openstack-dashboard fi .... - artful -> debian/openstack-dashboard.postinst ... if ! getent passwd horizon > /dev/null 2>&1 ; then adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \ --no-create-home --shell /bin/false horizon fi ... + + [Test Case] + + * deploy openstack + juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/ + + * upgrade openstack-dashboard to ocata, pike or queens + juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" + + Expected result: + + http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is + displayed with all the correct css/js/etc assets + + Actual result: + + http://`juju-deployer -f openstack-dashboard`/horizon/auth/login cannot + load the static assets (javascript/css/etc) + + [Regression Potential] + + * Users who may have customized /var/lib/openstack-dashboard permissions + to comply with some specific security policy will see changes in the + permissions when they upgrade, but this is a common situation when + packages are upgraded. + + [Other Info] + N/A
** Description changed: [Impact] When upgrading from mitaka to pike horizon stops working because Apache can't read the static assets anymore [Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid 140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path In xenial the home for the horizon user is /usr/share/openstack- dashboard, and /var/lib/openstack-dashboard permissions are changed to 700 to secure the secret_key, while in artful/pike only the secret_key file is set to 700 # ls -ld /var/lib/openstack-dashboard/ drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/ # ls -ld /var/lib/openstack-dashboard/secret_key -rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key # apt-cache policy openstack-dashboard openstack-dashboard: Installed: 3:12.0.2-0ubuntu1 Candidate: 3:12.0.2-0ubuntu1 Version table: *** 3:12.0.2-0ubuntu1 500 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages 100 /var/lib/dpkg/status 3:12.0.0-0ubuntu2.1 500 500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages So during the upgrade of the package /var/lib/openstack-dashboard is left to 700 xenial -> debian/openstack-dashboard.postinst ... if [ -d /var/lib/openstack-dashboard ] ; then # Generated secret storage for single node use - see local_settings.py # for more details of SECRET_KEY chmod 0700 /var/lib/openstack-dashboard if [ -f /etc/openstack-dashboard/secret_key ]; then mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard fi chown -R horizon:horizon /var/lib/openstack-dashboard fi .... artful -> debian/openstack-dashboard.postinst ... if ! getent passwd horizon > /dev/null 2>&1 ; then adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \ --no-create-home --shell /bin/false horizon fi ... [Test Case] * deploy openstack - juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/ + juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/ * upgrade openstack-dashboard to ocata, pike or queens - juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" + juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" # for -proposed use "cloud:xenial-ocata/proposed" Expected result: http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is displayed with all the correct css/js/etc assets Actual result: http://`juju-deployer -f openstack-dashboard`/horizon/auth/login cannot load the static assets (javascript/css/etc) [Regression Potential] * Users who may have customized /var/lib/openstack-dashboard permissions to comply with some specific security policy will see changes in the permissions when they upgrade, but this is a common situation when packages are upgraded. [Other Info] N/A ** Summary changed: - (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path + [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1765191 Title: [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib /openstack-dashboard/static') because search permissions are missing on a component of the path To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1765191/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
