0
votes

I'm trying to run uWSGI using uid/gid parameters in my wsgi ini file, so that it drops privileged access after starting.

Note: Everything works fine as expected when I remove these two parameters from my ini file. Also, there are no issues with my socket. However, when I run with a specified uid and gid (nginx user and group), I get an error that is indicative of having a problem with my virtual env loading:

Traceback (most recent call last):
  File "wsgi.py", line 14, in <module>
    from app import app as application
  File "/var/www/wsgi/flask-appbuilder/peds_registry/app/__init__.py", line 1, in <module>
    import logging
ImportError: No module named logging

Again, this works fine when running without gid/pid. Also, note that the user and group nginx both exist and both have ownership on the python project's directory structure.

My Nginx config's server/location directives are as follows:

server {
    listen 80;
    server_name  hostname.domain;
    return 301 https://$host$request_uri;
}
server {
    listen        443 ssl;
    server_name  hostname.domain;
    ssl_certificate /etc/ssl/certs/host.chained.crt;
    ssl_certificate_key /etc/ssl/certs/host.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location /test {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/uwsgi.sock;
    }
}

My uwsgi startup is:

#!/bin/sh
# chkconfig: - 99 10
FLASK_HOME=/var/www/wsgi/flask-appbuilder
export PEDS_HOME
ACTIVATE_CMD=/var/www/wsgi/flask-appbuilder/venv/bin/activate
case "$1" in
start)
    cd "$FLASK_HOME" || exit 1
    # "." is the POSIX form of "source"; /bin/sh is not bash on every system
    . "$ACTIVATE_CMD"
    uwsgi  -s /tmp/uwsgi.sock -H ./venv/ --ini /var/www/wsgi/flask-appbuilder/test.ini --virtualenv /var/www/wsgi/flask-appbuilder/venv --chmod-socket=666  --manage-script-name --mount /test=run:app --wsgi-file wsgi.py --logto test.log &
    ;;
stop)
    pkill uwsgi
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart|help)"
esac

And my uWSGI startup ini is:

[uwsgi]
socket = /tmp/uwsgi.sock
chdir = /var/www/wsgi/flask-appbuilder/peds_registry
wsgi-file = wsgi.py
pyhome = /var/www/wsgi/flask-appbuilder/venv
callable = app
manage-script-name = true
mount = /test=run.py

As stated, this loads fine without the gid/uid parameters, but when I add

uid = nginx
gid = nginx

to the ini file, I get the error noted above.

All my searches yield permissions with the socket, but my problem seems to be loading modules from within the virtual environment.

On a side note: I am using uWSGI installed from pip into my virtual environment.

1
Check that the nginx user has access rights to all files and subdirectories within your venv and the parent directories leading up to it. – mata
I had previously done a chown on the whole directory structure from the parent on down. – horcle_buzz

1 Answer

0
votes

This was completely not obvious. As a test, I tried using my own uid/gid to run the app, and lo and behold, it worked!

So, with "I must have ownership on something that the app uid/gid does not have permission to run" in mind, I grepped the venv on my username, and voila, the answer appeared: one of the requirements for the app was that I needed to run Python 2.7.6, which I had installed as per this Gist: Python Deployment. So, changing ownership of the DEPLOY directory structure (which is outside of the venv's directory structure) to the app's user/group was the ticket.
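The check the answer reached by grepping can be made directly, shown here as an added example that is not part of the original answer or of uWSGI: resolve symlinks out of the venv, then walk each directory down to the target and apply the owner/group/other bits for the uid/gid that uWSGI drops to. The function names are hypothetical, and ACLs, SELinux and capabilities are assumed absent.

```python
import os
import stat
import sys

def allowed(st, uid, gids, want):
    """Apply Unix owner/group/other selection; `want` is an rwx mask such as 0o5."""
    if uid == 0:
        return True  # root bypasses mode-bit checks
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class only, even if group/other allow more
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class
    else:
        bits = st.st_mode           # other class
    return (bits & want) == want

def first_blocker(path, uid, gids, base="/"):
    """Return the first component from `base` down to `path` that uid/gids
    cannot traverse or read, or None if the whole chain is usable."""
    target = os.path.realpath(path)     # follow venv symlinks to the real files
    current = os.path.realpath(base)
    rel = os.path.relpath(target, current)
    chain = [current]
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    for p in chain:
        st = os.stat(p)
        if p != target:
            want = 0o1                  # search (x) on every parent directory
        elif stat.S_ISDIR(st.st_mode):
            want = 0o5                  # list and enter a package directory
        else:
            want = 0o4                  # read a module file
        if not allowed(st, uid, gids, want):
            return p
    return None

if __name__ == "__main__":
    import pwd
    if len(sys.argv) < 3:
        sys.exit("usage: check.py USER PATH [PATH ...]")
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for path in sys.argv[2:]:
        print(path, "->", first_blocker(path, pw.pw_uid, gids) or "ok")
```

Run it as root with the target user and the entries of the application interpreter's `sys.path`; a reported path outside the venv corresponds to the situation described in the answer.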