
Task #8363 (closed)

Opened 12 years ago

Closed 12 years ago

Bug: nginx configuration doesn't work as root user

Reported by: cmacleod-x
Owned by:
Priority: major
Milestone: OMERO-4.4
Component: Deployment
Version: n.a.
Keywords: n.a.
Cc: cmacleod-x
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.

Description

Running

omero config web nginx

generates a config that is fine when run by a non-privileged user (usually omero). But if you try to run it as root (replacing /etc/nginx/nginx.conf) it will cause problems that stop omero.web from starting.

Namely the fastcgi tmp paths will be created nginx:root mode 750 and omero.web will not start.

It's not really accurate to generate a full root config for nginx in this context. The apache configuration generates a config that is suitable to drop into apache's included configuration directory. Nginx should follow suit.

If the generated config contained only what is between the server { } tags, with the hostname filled in from the hostname or the value of omero.web.application_host (minus the port), it would then be suitable to drop into the conf.d directory of nginx (or to be added to the main config).

for example:

    server {
        listen       80;
        server_name  localhost;
        fastcgi_temp_path /opt/omero/var/nginx_tmp;
        proxy_temp_path /opt/omero/var/nginx_tmp;

        # weblitz django apps serve media from here
        location /appmedia {
            alias /opt/omero/lib/python/omeroweb/media;
        }

        # django's admin media
        location /media {
            alias /opt/omero/lib/python/omeroweb/media/django_admin_media;
        }

        location / {
            if (-f /opt/omero/var/maintenance.html) {
               error_page 503 /maintenance.html;
               return 503;
            }
            fastcgi_pass 0.0.0.0:4080;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;
            fastcgi_param SERVER_NAME $server_name;
            fastcgi_param SERVER_PROTOCOL $server_protocol;
            fastcgi_param SERVER_PORT $server_port;
            fastcgi_pass_header Authorization;
            fastcgi_intercept_errors on;
            fastcgi_read_timeout 300;
        }

        location /maintenance.html {
            root /opt/omero/var;
        }

    }

would be suitable to drop into /etc/nginx/conf.d/omero.conf (for example) and would communicate via localhost.

Additionally it should be communicated somewhere (documentation or in comments of command output) that the design intention of omero web config nginx is that of a standalone install of an unprivileged user.

Change History (9)

comment:1 Changed 12 years ago by jmoore

  • Component changed from General to Deployment
  • Milestone set to OMERO-Beta4.4
  • Priority changed from minor to major
  • Summary changed from nginx configuration doesn't work as root user to Bug: nginx configuration doesn't work as root user
  • Type changed from Bug to Task

Changing to type "task" and adding "bug" prefix.

comment:2 Changed 12 years ago by jmoore

  • Cc cmacleod-x added

Stick, what's the next step here?

comment:3 Changed 12 years ago by cmacleod-x

My suggestion is:

  1. update omero web config nginx (or perhaps more appropriately the template) to contain comments that indicate that the config is for standalone non-root users.
  2. add an option --system or something that generates a config more appropriate for dropping into /etc/nginx/conf.d or similar (see example above).

comment:4 Changed 12 years ago by jmoore

You ok to take initial steps on that? If not, pass back to me.

comment:5 Changed 12 years ago by cmacleod-x

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in PR146

comment:6 Changed 12 years ago by drussell-x

I don't believe this is a complete fix. While the --system option does generate a suitable server side configuration, once nginx is started and thus writes its nginx_tmp directory, the permissions are those of the system nginx user and thus this can happen:

    omero@omero:~$ omero admin start
    FATAL: Cannot access /home/omero/OMERO.server/var/nginx_tmp, a required file/directory for OMERO
    omero@omero:~$ ls -al /home/omero/OMERO.server/var/
    total 24
    drwxrwxr-x 6 omero    omero 4096 Aug 23 15:11 .
    drwxr-xr-x 9 omero    omero 4096 Aug 20 13:47 ..
    drwxrwxr-x 2 omero    omero 4096 Aug 20 14:02 log
    drwxrwxr-x 5 omero    omero 4096 Aug 20 14:01 master
    drwx------ 2 www-data root  4096 Aug 20 14:02 nginx_tmp
    drwxrwxr-x 3 omero    omero 4096 Aug 20 14:01 registry
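
The ownership mismatch reported in comment:6 can be checked mechanically. The following is an added example, not part of the ticket or of OMERO's code: a shell function (the names `sample_listing` and `inaccessible_dirs` are hypothetical) that reads `ls -al` output and reports directories on which a given service account lacks read, write and traverse permission. It assumes the account belongs only to the one group passed in, that no ACLs apply, and that names contain no spaces.

```shell
#!/bin/sh
# Added example: flag directories in `ls -al` output that a service
# account cannot read, write and traverse.

# Constructed sample input: the listing quoted in comment:6.
sample_listing() {
cat <<'EOF'
total 24
drwxrwxr-x 6 omero    omero 4096 Aug 23 15:11 .
drwxr-xr-x 9 omero    omero 4096 Aug 20 13:47 ..
drwxrwxr-x 2 omero    omero 4096 Aug 20 14:02 log
drwxrwxr-x 5 omero    omero 4096 Aug 20 14:01 master
drwx------ 2 www-data root  4096 Aug 20 14:02 nginx_tmp
drwxrwxr-x 3 omero    omero 4096 Aug 20 14:01 registry
EOF
}

# inaccessible_dirs USER GROUP
# Reads `ls -al` lines on stdin. For each directory, picks the permission
# triad that applies to USER (owner, then group, then other) and prints
# the entry when that triad does not grant r, w and x.
inaccessible_dirs() {
    awk -v user="$1" -v group="$2" '
        $1 !~ /^d/ || NF < 9      { next }   # directories only; skips "total"
        $NF == "." || $NF == ".." { next }
        {
            perms = $1; owner = $3; grp = $4
            if (owner == user)     { class = "owner"; bits = substr(perms, 2, 3) }
            else if (grp == group) { class = "group"; bits = substr(perms, 5, 3) }
            else                   { class = "other"; bits = substr(perms, 8, 3) }
            # s and t in the third position mean x is set alongside a special bit
            if (bits !~ /^rw[xst]$/)
                printf "%s owner=%s group=%s %s=%s\n", $NF, owner, grp, class, bits
        }'
}

# Which directories can the omero account not use?
sample_listing | inaccessible_dirs omero omero
```

Against a live install the same function can be fed `ls -al` of the server's var directory; an empty result means every directory there is usable by the account named.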

comment:7 Changed 12 years ago by drussell-x

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:8 Changed 12 years ago by cmacleod-x

fixed in PR320

comment:9 Changed 12 years ago by cmacleod-x

  • Resolution set to fixed
  • Status changed from reopened to closed