6

In what seemed to be a random occurrence, a site went down tonight and after taking a look at the Apache error logs it was this issue:

 (13)Permission denied: mod_wsgi (pid=2751): Unable to connect to WSGI daemon process 'mysite.com-ssl' on '/var/run/apache2/wsgi.2579.0.2.sock' after multiple attempts.

Now I read the ConfigurationIssues wiki for mod_wsgi, and the fix seems reasonable. Couldn't write to that directory so an alternative must be specified with WSGISocketPrefix

So I set:

WSGISocketPrefix /var/run/wsgi

It fixes the issue, and the site can load up after an Apache restart.

However, I'm very curious - Why did this dirctory stop being available for write? Am I missing something? The /var/run/apache2 directory is owned by root:root, but the new sockets that now run under /var/run/wsgi*.sock are www-data:root .. There was a server reboot, but that's it. Maybe something now takes over permissions on that directory on boot?

Any ideas? Thanks!

Bartek
  • 759
  • 2
  • 8
  • 12

1 Answers1

8

The error your saw can also occur as a transient issue if you have done an Apache graceful restart and an Apache worker process had socket connections still alive that hadn't yet called through to mod_wsgi daemon process for initial request or subsequent request due to keep alive on socket.

This will occur because on graceful restart the mod_wsgi daemon process are restarted regardless and in doing that, the path to the socket file is change so different. This means that old worker processes hanging around to handle current and keepalive requests will fail to connect to daemon as they will still be trying to use old path for socket file.

As to the directory where socket files are, the important thing is that the directory is readable to www-data. The sockets will be created as root initially with perms 0600 and then ownership should be changed to www-data so www-data worker processes can connect and nothing else. This is dependent on directory still being accessible to www-data.

The reason for WSGISocketPrefix is that Redhat made the logs directory where Apache config says to put this stuff as default, to not be readable to others so www-data couldn't see sockets in directory. This is why on Redhat one needs to change it to /var/run.

At what point the directory permissions get changed or fixed and whether than can happen without Apache package upgrade, don't know.

Graham Dumpleton
  • 5,990
  • 2
  • 20
  • 19
  • Thank you, I'm still not sure what happened, as you point out yourself, but this is a good explanation of how it all flows. Cheers – Bartek Dec 08 '11 at 14:03
  • @Graham It still tries to connect to /etc/httpd/run/wsgi.sock... Why doesn't the change in config take place to /var/run/wsgi.sock.. ? – Harshdeep Jun 13 '16 at 14:47
  • @Harshdeep Create a new question with all the details of your specific issue. No one can guess how your situation may be different. – Graham Dumpleton Jun 13 '16 at 22:29