Task #8363 (closed)
Opened 12 years ago
Closed 12 years ago
Bug: nginx configuration doesn't work as root user
Reported by: | cmacleod-x | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | OMERO-4.4 |
Component: | Deployment | Version: | n.a. |
Keywords: | n.a. | Cc: | cmacleod-x |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
Running
omero config web nginx
generates a config that is fine when run by a non-privileged user (usually omero). But if you try to run it as root (replacing /etc/nginx/nginx.conf) it will cause problems that stop omero.web from starting.
Namely the fastcgi tmp paths will be created nginx:root mode 750 and omero.web will not start.
It's not really accurate to generate a full root config for nginx in this context. The apache configuration generates a config that is suitable to drop into apache's included configuration directory. Nginx should follow suit.
If the generated config contained only what is between the server { } tags, with the hostname filled in from the hostname or the value of omero.web.application_host (minus the port), it would then be suitable to drop into the conf.d directory of nginx (or to be added to the main config).
for example:
```
server {
    listen 80;
    server_name localhost;
    fastcgi_temp_path /opt/omero/var/nginx_tmp;
    proxy_temp_path /opt/omero/var/nginx_tmp;

    # weblitz django apps serve media from here
    location /appmedia {
        alias /opt/omero/lib/python/omeroweb/media;
    }

    # django's admin media
    location /media {
        alias /opt/omero/lib/python/omeroweb/media/django_admin_media;
    }

    location / {
        if (-f /opt/omero/var/maintenance.html) {
            error_page 503 /maintenance.html;
            return 503;
        }
        fastcgi_pass 0.0.0.0:4080;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_pass_header Authorization;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 300;
    }

    location /maintenance.html {
        root /opt/omero/var;
    }
}
```
would be suitable to drop into /etc/nginx/conf.d/omero.conf (for example) and communicate via localhost.
Additionally it should be communicated somewhere (documentation or in comments of command output) that the design intention of omero web config nginx is that of a standalone install of an unprivileged user.
Change History (9)
comment:1 Changed 12 years ago by jmoore
- Component changed from General to Deployment
- Milestone set to OMERO-Beta4.4
- Priority changed from minor to major
- Summary changed from nginx configuration doesn't work as root user to Bug: nginx configuration doesn't work as root user
- Type changed from Bug to Task
comment:3 Changed 12 years ago by cmacleod-x
My suggestion is:
- update omero web config nginx (or perhaps more appropriately the template) to contain comments that indicate that the config is for standalone non-root users.
- add an option --system or something that generates a config more appropriate for dropping into /etc/nginx/conf.d or similar (see example above).
comment:4 Changed 12 years ago by jmoore
You ok to take initial steps on that? If not, pass back to me.
comment:5 Changed 12 years ago by cmacleod-x
- Resolution set to fixed
- Status changed from new to closed
Fixed in PR146
comment:6 Changed 12 years ago by drussell-x
I don't believe this is a complete fix. While the --system option does generate a suitable server side configuration, once nginx is started and thus writes its nginx_tmp directory, the permissions are those of the system nginx user and thus this can happen:
```
omero@omero:~$ omero admin start
FATAL: Cannot access /home/omero/OMERO.server/var/nginx_tmp, a required file/directory for OMERO
omero@omero:~$ ls -al /home/omero/OMERO.server/var/
total 24
drwxrwxr-x 6 omero    omero 4096 Aug 23 15:11 .
drwxr-xr-x 9 omero    omero 4096 Aug 20 13:47 ..
drwxrwxr-x 2 omero    omero 4096 Aug 20 14:02 log
drwxrwxr-x 5 omero    omero 4096 Aug 20 14:01 master
drwx------ 2 www-data root  4096 Aug 20 14:02 nginx_tmp
drwxrwxr-x 3 omero    omero 4096 Aug 20 14:01 registry
```
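Added example (not part of the ticket or of OMERO's code): a check for the state shown in comment:6, where a `*_temp_path` directory named in the nginx config exists but is owned by the nginx worker account, so the OMERO account cannot use it. The numeric uids/gids, `SAMPLE_CONF` and the `fake_stat` helper are assumptions for the sample; with the default `os.stat` the check reads the live filesystem.

```python
import os
import re
import stat

# nginx creates these directories itself (comment:6: drwx------ www-data root).
TEMP_RE = re.compile(r"\b(?:fastcgi|proxy|client_body)_temp_path\s+([^\s;]+)")

def temp_paths(conf_text):
    """Directories named by *_temp_path directives (comments stripped first)."""
    return sorted(set(TEMP_RE.findall(re.sub(r"#[^\n]*", "", conf_text))))

def has_rwx(mode, owner_uid, owner_gid, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses permission bits
    if uid == owner_uid:
        need = stat.S_IRWXU
    elif owner_gid in gids:
        need = stat.S_IRWXG
    else:
        need = stat.S_IRWXO
    return (mode & need) == need

def blocked_temp_dirs(conf_text, uid, gids, stat_fn=os.stat):
    """Temp dirs from the config that exist but that `uid` cannot fully use."""
    blocked = []
    for path in temp_paths(conf_text):
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            continue  # not created yet, nothing to flag
        if not has_rwx(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            blocked.append((path, stat.filemode(st.st_mode), st.st_uid, st.st_gid))
    return blocked

# Constructed sample: path from comment:6; the numeric ids are assumed values.
SAMPLE_CONF = """
server {
    fastcgi_temp_path /home/omero/OMERO.server/var/nginx_tmp;
    proxy_temp_path   /home/omero/OMERO.server/var/nginx_tmp;  # same directory
}
"""
WWW_DATA_UID, ROOT_GID, OMERO_UID, OMERO_GID = 33, 0, 1000, 1000

def fake_stat(path):
    """Stand-in for os.stat: drwx------ www-data root, as in the listing."""
    return os.stat_result((0o040700, 0, 0, 2, WWW_DATA_UID, ROOT_GID, 4096, 0, 0, 0))

if __name__ == "__main__":
    print(blocked_temp_dirs(SAMPLE_CONF, OMERO_UID, {OMERO_GID}, fake_stat))
```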
comment:7 Changed 12 years ago by drussell-x
- Resolution fixed deleted
- Status changed from closed to reopened
comment:8 Changed 12 years ago by cmacleod-x
fixed in PR320
comment:9 Changed 12 years ago by cmacleod-x
- Resolution set to fixed
- Status changed from reopened to closed
Changing to type "task" and adding "bug" prefix.