Apache, Permission denied on mod_wsgi, fixed with WSGISocketPrefix — But why

apache-2.2 mod-wsgi

In what seemed to be a random occurrence, a site went down tonight and after taking a look at the Apache error logs it was this issue:

 (13)Permission denied: mod_wsgi (pid=2751): Unable to connect to WSGI daemon process 'mysite.com-ssl' on '/var/run/apache2/wsgi.2579.0.2.sock' after multiple attempts.

Now I read the ConfigurationIssues wiki for mod_wsgi, and the fix seems reasonable. Couldn't write to that directory, so an alternative must be specified with WSGISocketPrefix.

So I set:

WSGISocketPrefix /var/run/wsgi

It fixes the issue, and the site can load up after an Apache restart.

However, I'm very curious – why did this directory stop being available for write? Am I missing something? The /var/run/apache2 directory is owned by root:root, but the new sockets that now run under /var/run/wsgi*.sock are www-data:root. There was a server reboot, but that's it. Maybe something now takes over permissions on that directory on boot?

Any ideas? Thanks!

Best Answer

The error you saw can also occur as a transient issue if you have done an Apache graceful restart and an Apache worker process had socket connections still alive that hadn't yet called through to the mod_wsgi daemon process for an initial request or a subsequent request due to keep alive on the socket.

This will occur because on graceful restart the mod_wsgi daemon processes are restarted regardless, and in doing that, the path to the socket file is changed. This means that old worker processes hanging around to handle current and keepalive requests will fail to connect to the daemon, as they will still be trying to use the old path for the socket file.

As to the directory where socket files are, the important thing is that the directory is readable to www-data. The sockets will be created as root initially with perms 0600 and then ownership should be changed to www-data so www-data worker processes can connect and nothing else. This is dependent on directory still being accessible to www-data.

The reason for WSGISocketPrefix is that Redhat made the logs directory, where the Apache config says to put this stuff by default, not readable to others, so www-data couldn't see sockets in the directory. This is why on Redhat one needs to change it to /var/run.

At what point the directory permissions get changed or fixed, and whether that can happen without an Apache package upgrade, I don't know.
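
A way to check which of the causes in the answer applies (blocked directory, socket not usable by the worker user, or a stale socket path after a restart), as an added example that is not part of the original question or answer. It evaluates plain Unix mode bits only (search permission on each directory, write permission on the socket) and ignores ACLs and SELinux; the `diagnose` and `allowed` names and the `base` parameter are introduced here for illustration.

```python
import os
import stat


def allowed(st, uid, gids, want):
    """Unix mode check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)


def diagnose(sock_path, uid, gids, base="/"):
    """List the reasons `uid` (the Apache worker user) cannot reach sock_path.

    Only directories at or below `base` are checked, so the function works
    on a constructed test tree as well as on the real /var/run.
    """
    sock_path, base = os.path.abspath(sock_path), os.path.abspath(base)
    dirs, d = [], os.path.dirname(sock_path)
    while True:
        dirs.append(d)
        if d == base or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    # connect() needs search (x) permission on every directory in the path.
    problems = [f"no search permission on {d}" for d in reversed(dirs)
                if not allowed(os.stat(d), uid, gids, 0o1)]
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        # e.g. a worker still holding the pre-restart socket path
        return problems + [f"{sock_path} does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{sock_path} is not a socket")
    elif not allowed(st, uid, gids, 0o2):
        # connect() also needs write permission on the socket itself
        problems.append(f"no write permission on {sock_path}")
    return problems


if __name__ == "__main__":
    import pwd
    www = pwd.getpwnam("www-data")  # assumed worker account, as in the question
    gids = {www.pw_gid} | set(os.getgrouplist("www-data", www.pw_gid))
    # Path copied from the error message in the question.
    for line in diagnose("/var/run/apache2/wsgi.2579.0.2.sock", www.pw_uid, gids):
        print(line)
```

Run it as root so every directory on the path can be inspected; an empty result means the mode bits are not what is blocking the worker.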