RDO Project / RDO-310

glance fails to access data directory when run by http + mod_wsgi


    • Bug
    • Resolution: Done
    • Major
    • RDO Dalmatian
    • RDO Dalmatian
    • openstack-selinux

      When glance-api is run by httpd + mod_wsgi, uploading an image consistently fails with a 500 error.

      The following permission error is found in the Apache error log.

      [Mon Jul 29 14:49:17.850112 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310] mod_wsgi (pid=77566): Failed to exec Python script file '/var/www/cgi-bin/glance/glance-api'.
      [Mon Jul 29 14:49:17.850204 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310] mod_wsgi (pid=77566): Exception occurred processing WSGI script '/var/www/cgi-bin/glance/glance-api'.
      [Mon Jul 29 14:49:17.862919 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310] Traceback (most recent call last):
      [Mon Jul 29 14:49:17.863089 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]   File "/var/www/cgi-bin/glance/glance-api", line 52, in <module>
      [Mon Jul 29 14:49:17.863101 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]     application = init_app()
      [Mon Jul 29 14:49:17.863111 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]   File "/usr/lib/python3.9/site-packages/glance/common/wsgi_app.py", line 160, in init_app
      [Mon Jul 29 14:49:17.863119 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]     return config.load_paste_app('glance-api')
      ...
      [Mon Jul 29 14:49:17.863752 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]   File "/usr/lib64/python3.9/os.py", line 225, in makedirs
      [Mon Jul 29 14:49:17.863759 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310]     mkdir(name, mode)
      [Mon Jul 29 14:49:17.863782 2024] [wsgi:error] [pid 77566:tid 77595] [remote ::1:38310] PermissionError: [Errno 13] Permission denied: '/var/lib/glance/image-cache' 

      A few permission errors also appear in /var/log/glance/api.log.

      2024-07-29 14:49:16.633 77566 INFO glance_store._drivers.filesystem [-] Directory to write image files does not exist (/var/lib/glance/os_glance_staging_store). Creating.
      2024-07-29 14:49:16.634 77566 ERROR glance_store._drivers.filesystem [-] Unable to create datadir: /var/lib/glance/os_glance_staging_store: PermissionError: [Errno 13] Permission denied: '/var/lib/glance/os_glance_staging_store'
      2024-07-29 14:49:16.634 77566 WARNING glance_store.driver [-] Failed to configure store correctly: Store filesystem could not be configured correctly. Reason: Unable to create datadir: /var/lib/glance/os_glance_staging_store Disabling add method.: glance_store.exceptions.BadStoreConfiguration: Store filesystem could not be configured correctly. Reason: Unable to create datadir: /var/lib/glance/os_glance_staging_store 
      2024-07-29 14:49:16.639 77566 INFO glance_store._drivers.filesystem [-] Directory to write image files does not exist (/var/lib/glance/os_glance_tasks_store). Creating.
      2024-07-29 14:49:16.640 77566 ERROR glance_store._drivers.filesystem [-] Unable to create datadir: /var/lib/glance/os_glance_tasks_store: PermissionError: [Errno 13] Permission denied: '/var/lib/glance/os_glance_tasks_store'
      2024-07-29 14:49:16.640 77566 WARNING glance_store.driver [-] Failed to configure store correctly: Store filesystem could not be configured correctly. Reason: Unable to create datadir: /var/lib/glance/os_glance_tasks_store Disabling add method.: glance_store.exceptions.BadStoreConfiguration: Store filesystem could not be configured correctly. Reason: Unable to create datadir: /var/lib/glance/os_glance_tasks_store
      

      The following denial logs are found in /var/log/audit/audit.log

      type=AVC msg=audit(1722264721.988:7224): avc:  denied  { write } for  pid=77567 comm="httpd" name="glance" dev="xvda1" ino=6914002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1722264721.992:7225): avc:  denied  { write } for  pid=77567 comm="httpd" name="glance" dev="xvda1" ino=6914002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1722264722.259:7226): avc:  denied  { write } for  pid=77567 comm="httpd" name="glance" dev="xvda1" ino=6914002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=0

       

      Versions of software:

       

      openstack-selinux-0.8.39-0.20240219140649.f618d90.el9.noarch
      selinux-policy-38.1.42-1.el9.noarch
      selinux-policy-targeted-38.1.42-1.el9.noarch
      

       

              rhn-engineering-jpichon Julie Pichon
              tkajinami Takashi Kajinami (Inactive)
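
An added example, not part of the original report or of openstack-selinux: a small Python parser that reduces AVC records like the ones quoted in the report to unique enforced denials keyed by source type, target type, object class and permissions. The sample embeds two of the report's records plus one constructed SYSCALL line; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: two AVC records copied from the report, plus one
# made-up SYSCALL record that the parser has to skip.
SAMPLE = """\
type=AVC msg=audit(1722264721.988:7224): avc:  denied  { write } for  pid=77567 comm="httpd" name="glance" dev="xvda1" ino=6914002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1722264721.988:7224): arch=c000003e syscall=83 success=no exit=-13
type=AVC msg=audit(1722264721.992:7225): avc:  denied  { write } for  pid=77567 comm="httpd" name="glance" dev="xvda1" ino=6914002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+(?P<result>denied|granted)"
                    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type:level (the level may contain ':')."""
    return context.split(":", 3)[2]

def parse_avc(line):
    """Parse one audit.log line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    return {
        "result": m["result"],
        "perms": tuple(m["perms"].split()),
        "comm": fields.get("comm"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }

def summarize(text):
    """Count enforced denials per (source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["enforced"]:
            counts[(rec["source"], rec["target"], rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The summary shows which domain was denied which access on which label; it does not decide whether the policy or the deployment should change.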