Chameleon cache file permissions: IOError: [Errno 13] Permission denied

Hi everyone,

we are using the plone/ansible-playbook to deploy Plone on Debian.

Since we changed to WSGI, we noticed permission issues with files in the Chameleon cache directory (located at data/<instance-name>/cache) when starting instances directly via e.g. bin/client_reserved fg vs. starting them via supervisor.

Chameleon cache files created from the first command are owned by root, while the files from the latter are owned by the Plone daemon user (effective-user):

-rw-------  1 root           senaite  25K Feb  1 02:48 b384147b0740f9744a8fa25c14e9c175.py
-rw-r--r--  1 root           senaite  11K Feb  1 02:48 b384147b0740f9744a8fa25c14e9c175.pyc
-rw-------  1 senaite_daemon senaite  93K Feb  1 02:48 cdc9792daf150c47a740599229798c87.py
-rw-r--r--  1 senaite_daemon senaite  37K Feb  1 02:48 cdc9792daf150c47a740599229798c87.pyc

Therefore, it might happen that we get permission errors in Plone like this:

Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 371, in publish_module
  Module ZPublisher.WSGIPublisher, line 274, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 63, in call_object
  Module senaite.core.browser.dashboard.dashboard, line 203, in __call__
  Module Products.Five.browser.pagetemplatefile, line 126, in __call__
  Module Products.Five.browser.pagetemplatefile, line 61, in __call__
  Module zope.pagetemplate.pagetemplate, line 129, in pt_render
   - Warning: Compilation failed
   - Warning: exceptions.IOError: [Errno 13] Permission denied: '/home/senaite/data/senaitelims/cache/d78336088ed981f57685f55025db474c.py'
PTRuntimeError: ['Compilation failed', "exceptions.IOError: [Errno 13] Permission denied: '/home/senaite/data/senaitelims/cache/d78336088ed981f57685f55025db474c.py'"]

This seems to also happen when supervisor-started instances are accessed directly, e.g. http://localhost:8081.

Our permissions on this directory are as follows:

drwxrws---  2 senaite_daemon senaite  40K Feb  1 02:48 cache

Where senaite_daemon is the effective-user and senaite the buildout-user:

[buildout]
...
effective-user = senaite_daemon
buildout-user = senaite
...

Any hints why this is happening?

Thanks and best regards

Correction:

it seems like in fact this only happens for instances that are not started via supervisor.

This is our supervisor config:

[program:senaitelims_zeoserver]
command=/home/senaite/senaitelims/bin/zeoserver fg
directory=/home/senaite/senaitelims
redirect_stderr=false
autostart=true
autorestart=unexpected
user=senaite_daemon
startsecs=1
stopwaitsecs=10

[program:senaitelims_zeoclient1]
command=/home/senaite/senaitelims/bin/client1 console
directory=/home/senaite/senaitelims
redirect_stderr=false
autostart=true
autorestart=unexpected
user=senaite_daemon
startsecs=1
stopwaitsecs=10

[program:senaitelims_zeoclient2]
command=/home/senaite/senaitelims/bin/client2 console
directory=/home/senaite/senaitelims
redirect_stderr=false
autostart=true
autorestart=unexpected
user=senaite_daemon
startsecs=1
stopwaitsecs=10

So for me it looks like the effective-user is not changed when starting instances directly, e.g. with bin/client1 fg.
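
An added example, not part of the original post and not code from Plone or the playbook: a Python check that lists files in the Chameleon cache directory that are not owned by the effective user, which is the condition visible in the listing above. The function name `audit_cache` and the script's two command-line arguments are assumptions made for this example.

```python
import os
import pwd
import stat
import sys


def audit_cache(cache_dir, expected_uid):
    """Return regular files in cache_dir that expected_uid does not own.

    Each finding is (name, owner_uid, mode_string, group_readable).
    A foreign-owned file such as root's -rw------- .py file is one the
    daemon user cannot open, which matches the Errno 13 in the traceback.
    """
    findings = []
    with os.scandir(cache_dir) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode) or st.st_uid == expected_uid:
                continue
            findings.append((
                entry.name,
                st.st_uid,
                stat.filemode(st.st_mode),
                bool(st.st_mode & stat.S_IRGRP),
            ))
    return sorted(findings)


def main(argv):
    # Assumed usage: audit_cache.py CACHE_DIR EFFECTIVE_USER
    if len(argv) != 3:
        print("usage: audit_cache.py CACHE_DIR EFFECTIVE_USER", file=sys.stderr)
        return 2
    cache_dir, user = argv[1], argv[2]
    uid = pwd.getpwnam(user).pw_uid
    findings = audit_cache(cache_dir, uid)
    for name, owner, mode, group_ok in findings:
        note = "group-readable" if group_ok else "not group-readable"
        print(f"{mode} uid={owner} {name}: {note}")
    # Non-zero exit lets a deploy or monitoring step fail on a mismatch.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
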