Bug #5355: On RHEL system, ncf-builder hangs on a page with only ncf header with "Unable to connect to WSGI daemon process 'ncf_api_flask_app'[...]" in /var/log/rudder/apache2/error.log - Rudder - Issue Tracker

Actions

Copy link

Bug #5355

closed

On RHEL system, ncf-builder hangs on a page with only ncf header with "Unable to connect to WSGI daemon process 'ncf_api_flask_app'[...]" in /var/log/rudder/apache2/error.log

Added by Nicolas PERRON over 10 years ago. Updated over 10 years ago.

Status:

Released

Priority:

1 (highest)

Assignee:

Jonathan CLARKE

Category:

System integration

Target version:

2.11.2

Pull Request:

https://github.com/Normation/rudder-p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

On RHEL system, ncf-builder does not work since it hangs on a empty page except a ncf header.
Errors appeared in /var/log/rudder/apache2/error.log:

[...]
[Tue Aug 05 17:06:23 2014] [error] [client 10.0.2.2] (13)Permission denied: mod_wsgi (pid=4376): Unable to connect to WSGI daemon process 'ncf_api_flask_app' on '/etc/httpd/logs/wsgi.3417.1.1.sock' after multiple attempts., referer: https://server.rudder.local:8081/ncf-builder/?path=%2Fvar%2Frudder%2Fconfiguration-repository%2Fncf
[...]

On RHEL, the socket is by default located in /etc/httpd/logs/ which is only writable to root:

[vagrant@server ~]$ sudo ls -lh /etc/httpd/logs/
total 8,0K
-rw-r--r-- 1 root   root    0 22 juil. 15:57 access_log
-rw-r--r-- 1 root   root 2,7K  5 août  16:50 error_log
-rw-r--r-- 1 root   root    0 22 juil. 15:57 ssl_access_log
-rw-r--r-- 1 root   root 1,2K  5 août  16:50 ssl_error_log
-rw-r--r-- 1 root   root    0 22 juil. 15:57 ssl_request_log
srwx------ 1 apache root    0  5 août  16:50 wsgi.1315.0.1.sock

On most Linux OS, socket are located int /var/run/ then a workaround is to add in /etc/httpd/conf.d/ncf-api-virtualenv.conf:

WSGISocketPrefix run/wsgi

After this modification, a restart of Apache and the socket will be into /var/run/httpd:

[vagrant@server ~]$ sudo ls -lh /var/run/httpd/
total 4,0K
-rw-r--r-- 1 root   root 5  5 août  17:12 httpd.pid
srwx------ 1 apache root 0  5 août  17:12 wsgi.4454.1.1.sock

Actions

Copy link

Updated by Nicolas PERRON over 10 years ago

In fact, using WSGISocketPrefix run/wsgi will determine the use of socket at /etc/{httpd|apache2}/var/run/ which is correspond to /var/run/httpd on RHEL:

[root@server ~]# ls -lh /etc/httpd/
total 8,0K
drwxr-xr-x 2 root root 4,0K  5 août  17:03 conf
drwxr-xr-x 2 root root 4,0K  5 août  17:49 conf.d
lrwxrwxrwx 1 root root   19  5 août  17:03 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29  5 août  17:03 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   19  5 août  17:03 run -> ../../var/run/httpd

The use of it on others OS will not work since /etc/{httpd|apache2}/run is not a symlink. Example on Debian7:

# ls -lh /etc/apache2/
total 72K
-rw-r--r-- 1 root root 9,5K juil. 23 22:56 apache2.conf
drwxr-xr-x 2 root root 4,0K août   6 13:54 conf.d
-rw-r--r-- 1 root root 1,5K juil. 23 22:56 envvars
-rw-r--r-- 1 root root  31K mai   25 17:34 magic
drwxr-xr-x 2 root root 4,0K août   5 17:19 mods-available
drwxr-xr-x 2 root root 4,0K août   5 17:19 mods-enabled
-rw-r--r-- 1 root root  750 juil. 23 22:56 ports.conf
drwxr-xr-x 2 root root 4,0K août   5 15:41 sites-available
drwxr-xr-x 2 root root 4,0K juil. 29 13:53 sites-enabled

The use of WSGISocketPrefix /var/run/wsgi will force on all OS to have the socket file in /var/run/ instead of /var/run/{apache2|httpd}:

# ls -lh /var/run/*sock
srw-rw-rw- 1 root     root 0 juil. 30 14:39 /var/run/rpcbind.sock
srwx------ 1 www-data root 0 août   6 12:41 /var/run/wsgi.15492.0.1.sock

I suppose that this is a good compromise.

Actions

Copy link