I'm trying to set up 2 Django web apps on the same machine using uWSGI emperor and nginx and have supervisord manage the starting and restarting of the emperor process. I have finally after a lot of searching on the internet managed to get a working deployment. However, during all the hair-pulling, I found something weird and I'd appreciate it if someone could explain to me why this is happening.

So I run my uWSGI process in emperor mode as root. The vassal ini config files take care of dropping privileges to my uid and creating a socket file owned by my user with the group as www-data (so that nginx can write to it) and permissions 660. Here is a sample vassal config:

```ini
[uwsgi]
uid = xxxx

chdir = %(project_dir)/%(project)
home = %(venv_base)/%(venv)
module = %(project).wsgi:application

master = true
processes = 4

socket = /tmp/%(project).sock
chown-socket = %(uid):www-data
chmod-socket = 660
stats = /tmp/%(project)_stat.sock
logto = %(project_dir)/logs/uwsgi.log
# Cleans up when the process is killed (includes deleting the socket file)
vacuum = true
```

This works just fine but if I try to create the socket in /run instead of /tmp, I start getting permission denied errors for the socket bind() call. The socket is created just fine with the appropriate ownership and permissions but the vassal is unable to call bind() or unlink() on it. Why does this happen? What is the difference between /tmp and /run and when should I use them? Any help or pointers will be appreciated.

EDIT: I just tried setting the permissions of the socket to 777 and uwsgi still gives me a permission denied error :(

krypto07

1 Answer

I don't have enough reputation on serverfault to comment, so I have to give an "answer":

The bind() call binds the socket to a node in the filesystem so probably your user does not have write permissions in /run!? On my system /tmp has og+w while /run has og-w. Try to create the socket in a subfolder of /run that has write permissions.

What do you mean by "the socket is created just fine"? Can you connect to it with another process? It sounds like the socket is there. But according to what I wrote above I don't expect it to show up in the filesystem.

staxyz
  • Thanx for the answer. The socket shows up when I do `ls -l` and the owner, group and permissions are also set correctly (possibly because the emperor running as root has permissions on `/run`). I guess you are right though that `/run` is the issue. I did some further digging and found that unprivileged programs should use `$XDG_RUNTIME_DIR` instead of `/run`. The real question then is "Can I use supervisor to create and cleanup the runtime directory in `/run` or `$XDG_RUNTIME_DIR` automatically, e.g. how systemd allows you to specify a `RuntimeDir` in the unit file for a service" – krypto07 Dec 08 '16 at 05:51
  • Sorry, it's `RuntimeDirectory` in systemd [ref from uwsgi docs](http://uwsgi-docs.readthedocs.io/en/latest/Systemd.html) – krypto07 Dec 08 '16 at 08:00
  • With no other answers, I'm going to mark your answer as accepted soon. As you said, I should create a subdirectory of /run with appropriate permissions. Do you know what is the canonical way of creating and cleaning up a subdirectory of /run using supervisor or do I have to do it manually? – krypto07 Dec 10 '16 at 10:48
  • I am sorry I can not help you with your actual services. I am just a little bit familiar with Linux. (This is why my "answer" should have been a comment.) What do you mean by creating and cleaning up? I guess your service will create the directory itself if it is not present yet. I don't see why it should be deleted though. – staxyz Dec 11 '16 at 22:37
  • Well, thanx anyway. The idea is for the service to clean up after itself so if it is stopped, no vestigial directories are left lying around the file system. Also the directory is not actually created by the process manager under which the service is running (supervisord in this case), or rather I do not know of a way to do it in supervisor but I do know of a way in systemd. I just wanted to know if there was an equivalent for supervisor but that is a different question anyway. – krypto07 Dec 14 '16 at 08:34
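
The directory-permission point made in the answer, as an added example that is not part of the original posts: a pre-flight check that decides from the parent directory's mode bits whether a given uid could `bind()` or `unlink()` a socket there, which is why changing the socket's own mode to 777 does not help. The function names, the constructed uid and the sample directories are assumptions for illustration; ACLs, LSM policy and permissions on ancestor directories are not considered.

```python
import os
import stat
import tempfile

def dir_allows(st, uid, gids, want):
    """Owner/group/other check of directory mode bits (ACLs and LSMs ignored)."""
    if uid == 0:
        return True  # root bypasses plain mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return (bits & want) == want

def socket_preflight(sock_path, uid, gids=()):
    """Can `uid` bind() a new socket at sock_path, and unlink() one there?"""
    parent = os.path.dirname(os.path.abspath(sock_path))
    dst = os.stat(parent)
    # Creating or removing a directory entry needs write + search (0o3) on the parent.
    writable = dir_allows(dst, uid, gids, 0o3)
    can_unlink = writable
    if writable and uid != 0 and dst.st_mode & stat.S_ISVTX:
        # Sticky directory (/tmp style): only the entry's owner or the
        # directory's owner may remove it.
        try:
            can_unlink = uid in (os.lstat(sock_path).st_uid, dst.st_uid)
        except FileNotFoundError:
            can_unlink = True  # nothing there to remove yet
    return {"bind": writable, "unlink": can_unlink}

def demo():
    """Constructed directories: mode 0755 (like /run) and 1777 (like /tmp)."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        vassal_uid = os.stat(base).st_uid + 12345  # constructed non-owner uid
        for name, mode in (("like_run", 0o755), ("like_tmp", 0o1777)):
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod after mkdir so the umask does not interfere
            sock = os.path.join(d, "app.sock")
            out[name] = socket_preflight(sock, vassal_uid)
        # A stale entry owned by someone else: directory writable, unlink refused.
        open(sock, "w").close()
        out["like_tmp_stale"] = socket_preflight(sock, vassal_uid)
    return out

if __name__ == "__main__":
    print(demo())
```

Running `socket_preflight` against the intended socket path with the vassal's uid before switching directories shows whether the dropped-privilege process will be able to create and vacuum its socket there.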