Red Hat Bugzilla – Bug 1285424
apache lacks permission to access openshift-node-web-proxy log files that it writes
Last modified: 2016-11-07 22:48:17 EST
Last year the node-web-proxy logs were moved under /var/log/openshift/node in this change:
The problem is that /var/log/openshift/node is owned my root with 0750 mode, while the node-web-proxy logs are written by an apache-owned process. For the most part, this ends up working because the logs are opened before the node-web-proxy process changes its uid from root to apache. However, what we are seeing in OpenShift Online is that there must be some code path where the Logger object is reinitialized, causing the apache-owned process to try to reopen the log files. When this happens, the following errors occur:
ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/access.log', log dir does not exist - using stderr ...
ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/error.log', log dir does not exist - using stderr ...
ERROR: Could not open logfile '/var/log/openshift/node/node-web-proxy/websockets.log', log dir does not exist - using stderr ...
"stderr" in this case is redirected by the parent (root-owned) supervisor process to /var/log/openshift/node/node-web-proxy/supervisor.log
After these errors, all of the traffic that goes through node-web-proxy is logged to supervisor.log instead of access.log or websocket.log. The ramifications of this are that oo-last-access does not see these entries, and so the idler may incorrectly idle applications with active websocket connections.
Changing the file mode on /var/log/openshift/node to 0751 would allow apache the traverse this path and open the log files as needed.
Commit pushed to master at https://github.com/openshift/origin-server
Bug 1285424 - apache lacks permission to access openshift-node-web-proxy log files
The directory /var/log/openshift/node is currently owned by root under 750 node.
As a result, any other processes will not be able to access that directory which
will cause permission failure.
This commit changes the directory permission to 751 which allows users such as
apache-owned processes to traverse the directory and access to sub-directory
/node-web-proxy which is owned by apache.
Signed-off-by: Vu Dinh <email@example.com>
Checked on devenv_5729, the log dir has correct permission now.
# ls -ld /var/log/openshift/node
drwxr-x--x. 3 root root 4096 Dec 3 19:14 /var/log/openshift/node
This was hotfixed in Online.