Incorrect permissions on django_fcgi.sock

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero

Post by crawley » Mon Jun 30, 2014 1:03 am

I'm trying to configure Omero.Web with Nginx as the front end, and fastcgi. I've put the "--system" stanza generated by the omero configurator into /etc/nginx/sites.enabled. Nginx is starting up OK.

When I sent a request to the Nginx server, I got a 502 bad gateway response from nginx. The nginx error.log file said:

2014/06/29 23:35:16 [crit] 957#0: *1 connect() to unix:/opt/omero/OMERO.server-5.0.1-ice35-b21/var/django_fcgi.sock failed (13: Permission denied) while connecting to upstream, client: nnn.nnn.nnn.nnn, server: vm-nnn-nnn-nnn-nnn, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/opt/omero/OMERO.server-5.0.1-ice35-b21/var/django_fcgi.sock:", host: "nnn.nnn.nnn.nnn"


(IP address obscured ...)

And indeed, the permissions of the unix domain socket were:

$ ls -l /opt/omero/OMERO.server/var/django_fcgi.sock
srwxr-xr-x 1 omero omero 0 Jun 29 23:34 /opt/omero/OMERO.server/var/django_fcgi.sock


That is: read-only for the www-data account under which the nginx worker runs. So I manually changed the permissions on the socket to "srwxrwxrwx" (after starting the omero-web service) ... and the HTTP requests started going through.

So far, so good. But I need a permanent fix that would work well with scripted installation?

  • My research suggests that the domain socket has to be created on the fly by the server; i.e. django. I can't just precreate it with appropriate permissions.
  • I could (try to) get nginx to run its worker thread with user 'omero' ... but that seems like a bad idea from a security perspective.
  • It seems like I should try to get django to create the socket with permissions "srwxrwxrwx" for itself. And it looks like django's "manage.py runfcgi" subcommand allows me to add a "umask" option which could do that. But ... it looks like "bin/omero web start" doesn't allow me to pass a "umask".

So for now, I have to choose between hacking "lib/python/omero/plugins/web.py" to inject a "umask" option into the "manage.py" command, or ... tweaking my "/etc/init.d/omero-web" script to "chmod" the domain socket. (I'm dismissing the code change approach for now because that is really awkward for chef-based installation.)

Am I missing a better solution?

(I'm using Omero 5.0.1. Nginx 1.4.6 is being installed by the Chef "nginx" cookbook, recipe "nginx::default". The OS is Ubuntu 14.04.)
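Added example, not part of the original posts and not OMERO code: how the umask in effect at bind() time sets the mode of a Unix domain socket, and which accounts may then connect() to it on Linux. The uid/gid values are constructed, and the group-only case (umask 007 with the web server account in the socket's group) is an assumption of this example rather than something proposed in the thread.

```python
import os
import socket
import stat
import tempfile

def bind_with_umask(mask):
    """Bind an AF_UNIX socket under `mask` and return its permission bits."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "demo_fcgi.sock")  # constructed name
        old = os.umask(mask)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)  # the kernel creates the file as 0777 & ~umask
            return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.umask(old)
            srv.close()

def may_connect(mode, owner_uid, owner_gid, uid, gids):
    """Linux connect() needs write permission on the socket file."""
    if uid == 0:
        return True  # root bypasses file permission checks
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed identities: socket owner (uid, gid) and three callers.
OMERO = (1001, 1001)
CALLERS = {
    "www-data": (33, {33}),
    "www-data in omero group": (33, {33, 1001}),
    "other local user": (2000, {2000}),
}

def survey(masks=(0o022, 0o007, 0o000)):
    """Map each umask to (socket mode, {caller: may connect})."""
    result = {}
    for mask in masks:
        mode = bind_with_umask(mask)
        result[mask] = (mode, {name: may_connect(mode, *OMERO, uid, gids)
                               for name, (uid, gids) in CALLERS.items()})
    return result

if __name__ == "__main__":
    for mask, (mode, access) in survey().items():
        print(f"umask {mask:03o} -> mode {mode:03o}: {access}")
```

Umask 022 reproduces the srwxr-xr-x socket and the "(13: Permission denied)" from the nginx log, and umask 000 matches the manual change to srwxrwxrwx, which lets every local account connect.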

Re: Incorrect permissions on django_fcgi.sock

Post by manics » Mon Jun 30, 2014 9:18 am

Hi

The easiest way to avoid any permissions problems is by using the default fastcgi-tcp instead of fastcgi. If you unset omero.web.application_server and regenerate your nginx configuration everything should work.

Were you following our docs at https://www.openmicroscopy.org/site/sup ... uick-start ?
I'll see if I can make them clearer.

Simon
manics
Team Member

Re: Incorrect permissions on django_fcgi.sock

Post by crawley » Tue Jul 01, 2014 6:18 am

Thanks. Using "fastcgi-tcp" solved the problem.

I was using https://www.openmicroscopy.org/site/sup ... uick-start

If you wanted to improve the instructions, you could add some material somewhere to say why fastcgi is "advanced"; i.e. describe or hint at the issues that make it "advanced".

You could also modify "lib/python/omero/plugins/web.py" so that it was possible to inject a umask parameter.

Re: Incorrect permissions on django_fcgi.sock

Post by manics » Tue Jul 01, 2014 11:05 am

Thanks for your feedback, I've added it to our todo list.

Simon