Frequent 500s because of permission denied /app/code/tmp/cache
-
-
I think what's happening is that
/tmp/cache
is probably a symlink into /tmp. We have a tmpcleaner which periodically cleans out temporary files inside app containers. We should probably symlink it to /run instead of /tmp . I have to check the package and confirm. -
I'm getting the same errors as @adrw as well.
This is on a fresh install of Ubuntu 20.04 and OpenProject.This is the log:
Dec 24 15:22:40 E, [2020-12-24T08:46:40.026946 #259] ERROR -- : [current_user=Anonymous] Permission denied @ dir_s_mkdir - /app/code/tmp/cache/DD6/B70: Permission denied @ dir_s_mkdir - /app/code/tmp/cache/DD6/B70
And when I checked the permissions:
drwxr-xr-x 21 www-data www-data 4096 Dec 24 08:45 DD5/ drwxr-xr-x 3 root root 4096 Dec 24 06:10 DD6/ drwxr-xr-x 21 www-data www-data 4096 Dec 24 08:48 DD7/
Is it the issue with the directory,
DD6
, being not writable bywww-data
?Edit: There were 3 directories owned by
root
among 49 directories. -
@lolliop that is a good clue. The app should chown those directories on startup, however maybe they get created by some root process during runtime. If you restart the app, does the issue with that specific folder get sorted out (temporarily at least)?
-
So right after I restarted, the cache directory got emptied out and began creating 6 new directories which are all owned by
www-data
.But after a few minutes, more directories appeared, and one of them was owned by
root
. Again, after a few more minutes, more directories were created and anotherroot
owned directory appeared. All these happened without any user interactions (e.g. Clicking a link or logging in to OpenProject). -
@adrw A quick and crude solution I found was to change the permissions of the files and directories under
/app/code/tmp/cache
:docker exec -it OPENPROJECT-CONTAINER_ID chown -R www-data:www-data /app/code/tmp/cache
docier ps
to get the container ID of your OpenProject.However, the issue here is that new
root
owned directories will be arbitrarily created from time to time depending on your usage, so that aforementioned command needs to be executed accordingly. I'm thinking to put it in a cron job and make it run every 5 minutes.Please note that I've had only a few hours of testing of this, and I don't know how it can impact the system in the long run.
We definitely need a proper and permanent solution.
Reference here, but it doesn't really apply to our issues.
-
I have published a new app package with an attempt to fix the issue. Essentially all processes as well as apache2 only run as www-data so they don't have to drop privileges on their own. Especially phusion passenger for ruby gets loaded as root through apache, this is now fixed. Also all rake tasks are now run as www-data.
Please let us know if this indeed fixes the issue or not. I was not able to reliably reproduce the issue.
-
@benoit ah only saw this now after answering your support mail. This is expected since bundler should not run as root and thus should not have access to
/var/www
. In fact that folder is not really being utilized. Bundler anyways falls back to/tmp
.I didn't get the restart issue though, can you explain that one?
-
Oh I see. Since I had access to your instance for fixing the issue anyways, I saw that the app was healthy and running, but the nginx reverse proxy config wasn't correctly updated.
This may actually be a bug in Cloudron. The reason likely is that I've changed the app's internal port from 80 to 8000 to not require apache to run as root.To fix this quickly, I've just submitted the location form of the app configure, which triggers a recreation of the reverse proxy files.
At least for me the app is now reachable.
-
Based on my diagnosis, this is caused by the "worker" scheduler/cron task. Every time that runs (based on the log), I see a new file in /app/code/tmp/cache owned by root. Sometimes this new file is in a new directory (as the cache splits the storage across multiple directories on demand based on the random file name). When this newly created root owned folder is used by the normal process (running as www-data), it fails the permission check and users see the error message.
I've been "fixing" this by manually running
/app/code/tmp/cache# find -user root -exec chown www-data:www-data {} \;
at the terminal.