On Tue, Oct 15, 2013 at 1:12 PM, Thomas Goirand <[email protected]> wrote:
> On 10/15/2013 12:09 PM, YunQiang Su wrote:
>> Package: horizon
>> Version: 2013.2~rc1-1
>>
>> I installed the 2013.2 version of openstack from sid/experimental, it
>> was an amazing experience.
>
> Thanks, I'm very happy to see that some people did test it! :)
>
>> While I met a problem that horizon try to lock create secret key in
>> /usr/share/openstack-dashboard/openstack_dashboard/local/
>> In there, no file is allowed to create.
>
> Hi,
>
> That is correct, and I have raised the issue upstream. They refused to
> make something in /var/lib as Horizon default, stating that it wouldn't
> work for devstack gate.
>
>> There are several ways to fix it.
>>
>> 1. In locale_settings.py, there is a line
>> LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
>> Which will make LOCAL_PATH to be
>> /usr/share/openstack-dashboard/openstack_dashboard/local/
>> use realpath here will make LOCAL_PATH to be
>> /etc/openstack-dashboard/
>>
>> By this way, /etc/openstack-dashboard should be writable by www-data user
>
> Hum... no! The /etc shouldn't be a place where to write runtime files.
> This would be a serious (or RC) bug in Debian. For this, we have
> /var/lib, which is where the FSHS recommends to write runtime files.
>
>> 2. Use
>> SECRET_KEY =
>> secret_key.generate_or_read_from_file(os.path.join('/var/lib/horizon',
>> '.secret_key_store'))
>> instead of
>> SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH,
>> '.secret_key_store'))
>> and make /var/lib/horizon is writable by www-data
>
> Yes, that's what I want to implement, and that's the way to go. How did
> you make /var/lib/horizon writable by www-data? Did you add the
> www-data to the horizon group?

Yes, I added www-data to the horizon group and chmod /var/lib/horizon as +s.
It works now.

>
>> 3. Don't make /etc/openstack-dashboard or /var/lib/horizon writable by
>> www-data by start
>> wsgi as horizon:horizon, while by change
>> line in openstack-dashboard.conf
>> WSGIDaemonProcess horizon user=www-data group=www-data
>> to
>> WSGIDaemonProcess horizon user=horizon group=horizon
>> It doesn't work. After restart apache2,
>>
>> root@manager:~# ps aux |grep apache
>> root 15355 0.0 0.2 84064 3048 ? Ss 03:59 0:00
>> /usr/sbin/apache2 -k start
>> horizon 15358 0.0 0.3 290992 5816 ? Sl 03:59 0:00
>> /usr/sbin/apache2 -k start
>> www-data 15359 0.1 0.4 375396 6168 ? Sl 03:59 0:00
>> /usr/sbin/apache2 -k start
>> www-data 15360 0.0 0.4 375396 6168 ? Sl 03:59 0:00
>> /usr/sbin/apache2 -k start
>> root 15458 0.0 0.0 10352 912 pts/0 S+ 03:59 0:00 grep apache
>>
>> Only one apache process is running as horizon.
>
> I don't think that's the way to go either, unfortunately. Though if you
> have a setup where it would, that'd be best, so we have privilege
> separation.

It does start an apache with horizon:horizon, while the secret file is
still written by www-data:www-data, there must be something wrong.
>
> Cheers,
>
> Thomas Goirand (zigo)
-- 
YunQiang Su
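
An added example, not part of the original thread and not Horizon's own `secret_key` module: a sketch of how a key store under a state directory such as /var/lib/horizon (option 2 above) can be created atomically and rejected when its owner or mode is wrong, which is the symptom reported for option 3. The function name `load_or_create_secret_key` is hypothetical, and the demo uses a temporary directory as a stand-in for the real path.

```python
import os
import secrets
import stat
import tempfile


def load_or_create_secret_key(path, length=64):
    """Return the key at `path`, creating it (mode 0600) if absent.

    Hypothetical helper for illustration, not Horizon's
    secret_key.generate_or_read_from_file.
    """
    directory = os.path.dirname(os.path.abspath(path))
    if not os.path.lexists(path):
        # mkstemp creates the temporary file with mode 0600.
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".secret_key_tmp")
        try:
            with os.fdopen(fd, "w") as handle:
                handle.write(secrets.token_urlsafe(length))
            try:
                # link() is atomic and fails if the target exists, so when
                # several WSGI workers start at once only one key is kept.
                os.link(tmp, path)
            except FileExistsError:
                pass
        finally:
            os.unlink(tmp)

    info = os.lstat(path)  # lstat: a symlink must not pass as the key file
    if not stat.S_ISREG(info.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if info.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not owned by the running user")
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group or others")
    with open(path) as handle:
        key = handle.read().strip()
    if not key:
        raise ValueError(f"{path} is empty")
    return key


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for /var/lib/horizon.
    with tempfile.TemporaryDirectory() as state_dir:
        store = os.path.join(state_dir, ".secret_key_store")
        first = load_or_create_secret_key(store)
        assert first == load_or_create_secret_key(store)
        print("key length:", len(first), "mode:", oct(os.stat(store).st_mode & 0o777))
```

The ownership check fails closed when the file was written by a different account than the one the WSGI daemon runs as, so a www-data-owned key is reported rather than silently reused by a horizon-owned process.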

