Bug 1285424 - apache lacks permission to access openshift-node-web-proxy log files that it writes
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Containers
2.x
Assigned To: Vu Dinh
Meng Bo
Reported: 2015-11-25 09:54 EST by Andy Grimm
Modified: 2016-11-07 22:48 EST
Doc Type: Bug Fix
Last Closed: 2016-01-29 11:25:38 EST
Type: Bug
Description Andy Grimm 2015-11-25 09:54:26 EST
Last year the node-web-proxy logs were moved under /var/log/openshift/node in this change:

https://github.com/openshift/origin-server/pull/5264

The problem is that /var/log/openshift/node is owned by root with 0750 mode, while the node-web-proxy logs are written by an apache-owned process.  For the most part, this ends up working because the logs are opened before the node-web-proxy process changes its uid from root to apache.  However, what we are seeing in OpenShift Online is that there must be some code path where the Logger object is reinitialized, causing the apache-owned process to try to reopen the log files.  When this happens, the following errors occur:

ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/access.log', log dir does not exist - using stderr ...
ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/error.log', log dir does not exist - using stderr ...
ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/websockets.log', log dir does not exist - using stderr ...

"stderr" in this case is redirected by the parent (root-owned) supervisor process to /var/log/openshift/node/node-web-proxy/supervisor.log

After these errors, all of the traffic that goes through node-web-proxy is logged to supervisor.log instead of access.log or websocket.log.  The ramifications of this are that oo-last-access does not see these entries, and so the idler may incorrectly idle applications with active websocket connections.

Changing the file mode on /var/log/openshift/node to 0751 would allow apache to traverse this path and open the log files as needed.
Comment 1 openshift-github-bot 2015-12-03 14:29:36 EST
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/bd5ed268170e3e2d59dbcd7b6490fb98f935b629
Bug 1285424 - apache lacks permission to access openshift-node-web-proxy log files

The directory /var/log/openshift/node is currently owned by root under 750 mode.
As a result, any other processes will not be able to access that directory which
will cause permission failure.

This commit changes the directory permission to 751 which allows users such as
apache-owned processes to traverse the directory and access the sub-directory
/node-web-proxy which is owned by apache.

Bug 1285424
Link <https://bugzilla.redhat.com/show_bug.cgi?id=1285424>

Signed-off-by: Vu Dinh <vdinh@redhat.com>
Comment 2 Meng Bo 2015-12-04 04:35:28 EST
Checked on devenv_5729, the log dir has correct permission now.


# ls -ld /var/log/openshift/node
drwxr-x--x. 3 root root 4096 Dec  3 19:14 /var/log/openshift/node
Comment 3 Andy Grimm 2016-01-29 11:25:38 EST
This was hotfixed in Online.
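
A way to check for the condition described in this report, as an added example that is not part of the bug thread or of origin-server: walk every directory above a log file and report the first one that a given uid/gid cannot traverse. The function name, the `start` parameter and the temporary tree are constructed for illustration; only classic mode bits are evaluated (no ACLs, SELinux or root override).

```python
import os
import stat
import tempfile


def blocking_component(path, uid, gids, start=os.sep):
    """Return the first directory between `start` and `path` that the given
    uid/gids cannot traverse (execute bit missing), or None if all pass."""
    start = os.path.abspath(start)
    parent = os.path.dirname(os.path.abspath(path))
    rel = os.path.relpath(parent, start)
    parts = [] if rel == os.curdir else rel.split(os.sep)
    current = start
    for part in [None] + parts:          # None stands for `start` itself
        if part is not None:
            current = os.path.join(current, part)
        st = os.stat(current)
        # The kernel picks exactly one permission class: owner, group or other.
        if st.st_uid == uid:
            needed = stat.S_IXUSR
        elif st.st_gid in gids:
            needed = stat.S_IXGRP
        else:
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            return current
    return None


def demo():
    """Constructed tree mirroring the report: node/ at 0750, then at 0751."""
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        node = os.path.join(base, "node")
        proxy = os.path.join(node, "node-web-proxy")
        os.makedirs(proxy)
        os.chmod(proxy, 0o755)
        log = os.path.join(proxy, "access.log")
        st = os.stat(node)
        # Stand-in for the apache account: neither owner nor group of node/.
        uid, gids = st.st_uid + 1, {st.st_gid + 1}
        os.chmod(node, 0o750)
        before = blocking_component(log, uid, gids, start=base)
        os.chmod(node, 0o751)
        after = blocking_component(log, uid, gids, start=base)
        return node, before, after


if __name__ == "__main__":
    node, before, after = demo()
    print("0750 blocks at:", before)
    print("0751 blocks at:", after)
```

On a real node the call would take the uid and group ids of the account the proxy drops to and the default `start` of `/`.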
