I have Django setup in NGINX + uWSGI. I'm able to get it running fine under my current logged in user (with help from a question I asked few days back) but now I want to run uwsgi --ini uwsgi.ini as a limited-access user.
Here is what I've done so far:
1. Created a user djangouser without login access and without a home directory.
2. Added user nginx into group djangouser
3. Placed my django files into /mnt/django directory and changed file permissions of django to drwxrwx--- djangouser djangouser (recursive)
4. Changed the conf files to match the file locations
uwsgi.ini file
[uwsgi]
chdir=/mnt/django/project/awssite
module=awssite.wsgi
home=/mnt/django/project
master=true
processes=2
uid=djangouser
gid=djangouser
socket=/mnt/django/djangosocket/awssite.socket
chmod-socket
vacuum=true
When I try to run uwsgi --ini uwsgi.ini, this is the error I get
[uWSGI] getting INI configuration from uwsgi.ini
*** Starting uWSGI 2.0.12 (64bit) on [Thu Feb 18 00:18:25 2016] ***
compiled with version: 4.8.3 20140911 (Red Hat 4.8.3-9) on 01 February 2016 04:17:11
os: Linux-4.1.13-19.31.amzn1.x86_64 #1 SMP Wed Jan 20 00:25:47 UTC 2016
nodename: ip-10-200-1-89
machine: x86_64
clock source: unix
detected number of CPU cores: 1
current working directory: /home/ec2-user
detected binary path: /usr/local/bin/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
chdir() to /mnt/django/project/awssite
chdir(): Permission denied [core/uwsgi.c line 2586]
chdir(): Permission denied [core/uwsgi.c line 1608]
Note: When I added my logged in user to djangouser group, uwsgi --ini uwsgi.ini ran fine and I was able to load the django pages.
I'm not sure where else to add permissions to allow this to work. Adding sudo chown-socket=djangouser:djangouser in uwsgi.ini didn't work either.
I appreciate the help :)
If you want to run uWSGI as particular user, there are only 2 options:
run uWSGI server directly from this user
run uWSGI as root and add uid and gid options.
You can create a user and set the uid/gid properties in your uwsgi ini file.
[uwsgi]
...
uid=myuser
gid=mygroup
I tested this with uwsgi version 2.0.12-debian and it worked for a simple cgi app using a python3 virtualenv.
http://uwsgi-docs.readthedocs.io/en/latest/Options.html#uid
Related
I am following a tutorial on configuring Django, nginx and uwsgi.
https://gist.github.com/evildmp/3094281
The first part of which involves configuring uwsgi to run this python file
/home/ofey/djangoenv/bin/test.py
def application(env, start_response):
start_response('200 OK', [('Content-Type','text/html')])
return "Hello world"
djangoenv is the virtualenv directory.
It contains the binary uwsgi, which was installed to this environment using
$ pip install uwsgi
Just to note, I have stopped nginx with,
$ sudo systemctl stop nginx
and also stopped uwsgi which was running as a service with systemd.
$ sudo systemctl stop uwsgi
Running test.py and the output,
(djangoenv) [ofey#ofeyspi bin]$ uwsgi --http :8000 --master --wsgi-file test.py
*** Starting uWSGI 2.0.14 (64bit) on [Tue Nov 29 21:54:09 2016] ***
compiled with version: 6.2.1 20160916 (Red Hat 6.2.1-2) on 28 November 2016 14:39:40
os: Linux-4.8.6-x86_64-linode78 #1 SMP Tue Nov 1 14:51:21 EDT 2016
nodename: ofeyspi
machine: x86_64
clock source: unix
detected number of CPU cores: 1
current working directory: /home/ofey/djangoenv/bin
detected binary path: /home/ofey/djangoenv/bin/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
your processes number limit is 7982
your memory page size is 4096 bytes
detected max file descriptor number: 1024
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uWSGI http bound on :8000 fd 4
uwsgi socket 0 bound to TCP address 127.0.0.1:41335 (port auto-assigned) fd 3
Python version: 2.7.12 (default, Sep 29 2016, 13:30:34) [GCC 6.2.1 20160916 (Red Hat 6.2.1-2)]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0xb72990
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 145520 bytes (142 KB) for 1 cores
*** Operational MODE: single process ***
WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter 0xb72990 pid: 11493 (default app)
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 11493)
spawned uWSGI worker 1 (pid: 11494, cores: 1)
spawned uWSGI http 1 (pid: 11495)
I would expect to see 'hello world' at http://qqiresources.com:8000
but nothing.
I do know that qqiresources.com is working because I see the nginx default homepage when I turn on nginx.
This is running on Linode with a virtual deployment of Fedora 24.
I did previously post a question trying to configure Django, wsgi and nginx on Linode but I think I need to figure out the above simpler situation first.
Linode Django uwsgi Nginx
Any help would be greatly appreciated,
Thanks
I'm trying to run a Flask app with uwsgi + supervisor + nginx.
uwsgi is installed in a conda env, and I can run my app with no issue without supervisor, i.e. if I run (with my conda env activated):
uwsgi --ini /home/me/Development/flask/myflaskapp/myflaskapp.ini
with the following config:
/home/me/Development/flask/myflaskapp/myflaskapp.ini
[uwsgi]
chmod-socket = 666
socket = /home/me/Development/flask/myflaskapp/run/myflaskapp.sock
module = wsgi
callable = app
vim /etc/nginx/sites-available/myflaskapp
server {
listen 8000;
server_name localhost;
client_max_body_size 50M;
location / {
include uwsgi_params;
uwsgi_pass unix:/home/me/Development/flask/myflaskapp/run/myflaskapp.sock;
}
}
Now I create a supervisor config file:
/etc/supervisor/conf.d/uwsgi-myflaskapp.conf
[program:uwsgi-myflaskapp]
command=/home/me/Development/miniconda/envs/myflaskapp/bin/uwsgi /home/me/Development/flask/myflaskapp/myflaskapp.ini
autostart=true
autorestart=true
stdout_logfile=/home/me/Development/flask/myflaskapp/log/uwsgi-myflaskapp.log
redirect_stderr=true
exitcodes=0
I start supervisor (installed system-wide) with
sudo service supervisor start
and load the conf file with
sudo supervisorctl reload
but I get the following error in the log file:
ImportError: No module named wsgi
Any suggestion?
Here's the complete log:
[uWSGI] getting INI configuration from /home/me/Development/flask/myflaskapp/myflaskapp.ini
*** Starting uWSGI 2.0.12 (64bit) on [Mon Jan 11 19:12:14 2016] ***
compiled with version: 4.8.4 on 11 January 2016 10:54:59
os: Linux-3.13.0-74-generic #118-Ubuntu SMP Thu Dec 17 22:52:10 UTC 2015
nodename: roquefort
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 4
current working directory: /
detected binary path: /home/me/Development/miniconda/envs/myflaskapp/bin/uwsgi
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
*** WARNING: you are running uWSGI without its master process manager ***
your processes number limit is 63047
your memory page size is 4096 bytes
detected max file descriptor number: 1024
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to UNIX address /home/me/Development/flask/myflaskapp/run/myflaskapp.sock fd 3
Python version: 2.7.11 |Continuum Analytics, Inc.| (default, Dec 6 2015, 18:08:32) [GCC 4.4.7 20120313 (Red Hat 4.4.7-1)]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0x18001e0
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 72760 bytes (71 KB) for 1 cores
*** Operational MODE: single process ***
ImportError: No module named wsgi
unable to load app 0 (mountpoint='') (callable not found or import error)
*** no app loaded. going in full dynamic mode ***
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI worker 1 (and the only) (pid: 24671, cores: 1)
I added the the path of the wsgi.py file in /home/me/Development/flask/myflaskapp/myflaskapp.ini with
chdir = /home/me/Development/flask/myflaskapp
so that it can now find wsgi.
I'm having a problem which is driving me nuts. I'm trying to create an Ubuntu 15.04 Upstart job, which would start uWSGI server (uWSGI version 2.0.7-debian) running a Django application.
I've configured the service as a follows and try to start the job by issuing command $ sudo service uwsgi start. There is no output in log files, no socket file created and no error.
# file: /etc/init/uwsgi.conf
description "uWSGI server"
start on runlevel [2345]
stop on runlevel [!2345]
exec /usr/bin/uwsgi --ini /srv/configs/uwsgi.ini
service uwsgi status says
● uwsgi.service - LSB: Start/stop uWSGI server instance(s)
Loaded: loaded (/etc/init.d/uwsgi)
Active: active (exited) since Tue 2015-05-05 09:40:08 EEST; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 21405 ExecStop=/etc/init.d/uwsgi stop (code=exited, status=0/SUCCESS)
Process: 21460 ExecStart=/etc/init.d/uwsgi start (code=exited, status=0/SUCCESS)
May 05 09:40:08 web-2 systemd[1]: Starting LSB: Start/stop uWSGI server instance(s)...
May 05 09:40:08 web-2 uwsgi[21460]: * Starting app server(s) uwsgi
May 05 09:40:08 web-2 uwsgi[21460]: ...done.
May 05 09:40:08 web-2 systemd[1]: Started LSB: Start/stop uWSGI server instance(s).
The uWSGI app is configured as
[uwsgi]
uid = www-data
gid = www-data
socket = /srv/sockets/uwsgi.sock
chmod-socket = 666
master = true
processes = 4
enable-threads = true
plugins = python
chdir = /srv/sites/current
module = wsgi:application
virtualenv = /srv/environments/current
logto = /srv/logs/uwsgi.log
logfile-chown = true
touch-reload = /srv/sites/current/wsgi.py
The service starts fine and everything works ok if the service is started directly, e.g. by issuing command:
sudo -u www-data /usr/bin/uwsgi --ini /srv/configs/uwsgi.ini
For the socket dir and log files directories I've set the most relaxed permissions.
So, I'm at a loss. What to do next?
Thanks to nmgeeks comment, I started looking at other places where uWSGI is configured.
While trying to move everything our own app related under /srv I deleted /run/uwsgi directory, where uWSGI is trying to create a PID file.
You can find the reference at /usr/share/uwsgi/conf/default.ini.
Too bad uWSGI doesn't produce any error in this situation, which left me frustrated for a day.
I just want to put some additional details. In my case I didn't delete anything, but, for some reasons, systemd was not able to create /run/uwsgi directory. So, I did echo "/run/uwsgi 0755 www-data www-data -" > /etc/tmpfiles.d/uwsgi.conf. After that I restarted my VM (I didn't find a way to apply this changes without restarting) and uwsgi started to work!
Yes, it's too bad that uWSGI doesn't produce any error in this situation.
I'm trying to deploy my Flask app using uWSGI, but I can't seem to do it without sudo.
Here is my start script:
#!/bin/bash
set -v
set -e
cd /var/hpit/hpit_services
/var/hpit/hpit_services/env/bin/uwsgi --http [::]:80 --master --module wsgi --callable app --processes 4 --daemonize ../log/uwsgi.log --pidfile ../server_pid_file.pid
echo server started
Here is what I get in the logs:
*** Starting uWSGI 2.0.9 (64bit) on [Mon Jan 26 15:53:26 2015] ***
compiled with version: 4.8.2 on 23 January 2015 20:35:44
os: Linux-3.18.1-x86_64-linode50 #1 SMP Tue Jan 6 12:14:10 EST 2015
nodename: <<blocked out>>
machine: x86_64
clock source: unix
detected number of CPU cores: 2
current working directory: /var/hpit/hpit_services
writing pidfile to ../server_pid_file.pid
detected binary path: /var/hpit/hpit_services/env/bin/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
your processes number limit is 7962
your memory page size is 4096 bytes
detected max file descriptor number: 1024
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
bind(): Permission denied [core/socket.c line 764]
Core/socket.c line 764 has this:
if (bind(serverfd, (struct sockaddr *) &uws_addr, addr_len) != 0) {
if (errno == EADDRINUSE) {
uwsgi_log("probably another instance of uWSGI is running on the same address (%s).\n", socket_name);
}
uwsgi_error("bind()");
uwsgi_nuclear_blast();
return -1;
}
But I don't have instances of uWSGI running. This seems to be a permissions issue. My permissions for /var/hpit, /var/hpit/hpit_services (the location of the app) and /var/hpit/log are bsauer:www-data. My user us bsauer.
If I append sudo -E to the line in my start script that calls the uWSGI binary, it seems to start fine, but I read that a server should not be started as sudo. I inherited this sysadmin role at work and am a little new to all of this.
Here are my hunches/musings:
I know that uWSGI can start as one user and drop into another user role, but I don't really understand this process, so perhaps that's the problem.
uWSGI is trying to access something on the system I'm not aware of
Thanks for your help, I can provide more details if necessary.
EDIT
Oddly, my /var/hpit/log/uwsgi.log file is owned by bsauer:bsauer, not bsauer:www-data or www-data:www-data as I would have expected...
EDIT2
Ok, from looking at http://projects.unbit.it/uwsgi/wiki/Example at the bottom of the page, it looks like the problem is running on port 80. I changed it to 8080, but its still running as bsauer, which I don't think I want.
This is what I came up with as far as I understand it, if anyone wants to put this is clearer sysadmin language I'll be happy to edit.
The solution had nothing to do with the logs after all. The problem was that port 80, the default HTTP port, is protected by the system, and only root can bind to that port. Without sudo, it won't let you bind. Binding to another port, like port 8080, worked fine.
I wanted to bind to port 80 but still run the server as www-data, so I ended up following the very bottom of this page: http://projects.unbit.it/uwsgi/wiki/Example . Basically, the socket to port 80 is shared, and uWSGI can access it first as sudo, and then drop down into www-data to run the server.
I still had to use sudo -E before calling the uWSGI binary, because it needs root permissions to change uWSGI's user and group ID, but it's ok because the end result is the server then runs in the very restricted www-data user.
In the end, my server start line was:
sudo -E /var/hpit/hpit_services/env/bin/uwsgi --shared-socket [::]:80 --http =0 --uid 33 --gid 33 --master --module wsgi --callable app --processes 4 --daemonize ../log/uwsgi.log --pidfile ../server_pid_file.pid
I am trying to follow the steps in this guide: http://uwsgi-docs.readthedocs.org/en/latest/tutorials/Django_and_nginx.html
Before I even get to the nginx part I am trying to make sure that uWSGI works correctly
my folder structure is srv/www/domain/projectdatabank/
the project databank folder contains my manage.py file
my wsgi.py file looks like this:
import os
import sys
from django.core.wsgi import get_wsgi_application
application = get_wsgi_application()
do you need to see my settings.py?
i get the following error when i point myself to the browser:
-- no python application found, check your startup logs for errors ---
[pid: 10165|app: -1|req: -1/1] 66.56.35.151 () {38 vars in 681 bytes} [Tue Jul 9 18:19:46 2013] GET /admin/ => generated 21 bytes in 0 msecs (HTTP/1.1 500) 1 headers in 57 bytes (0 switches on core 0)
--- no python application found, check your startup logs for errors ---
[pid: 10165|app: -1|req: -1/2] 66.56.35.151 () {36 vars in 638 bytes} [Tue Jul 9 18:19:49 2013] GET / => generated 21 bytes in 0 msecs (HTTP/1.1 500) 1 headers in 57 bytes (0 switches on core 0)
Now when I check my uWGI log it is just the same as above.
I have solved this
in my original command line did not include full path to the wsgi.py file to run uWSGI
uwsgi --http :8000 --chdir /srv/www/databankinfo.com/projectdatabank/ --wsgi-file wsgi.py
to this
uwsgi --http :8000 --chdir /srv/www/databankinfo.com/projectdatabank/ --wsgi-file full/path/wsgi.py
and it worked
For others debugging this same error, there is another possibility: an exception is being thrown by your uwsgi.py. To test this, open a django shell in your app directly with python manage.py shell and import your uwsgi.py (use the same path as in your uwsgi.ini).
Check out my blog post on deploying Django behind uwsgi http://blog.johannesklug.de/2012/11/27/deploying-django-behind-nginx-with-uwsgi-and-virtualenv/. I created an ini-File to setup uwsgi, which points to the app callable with the parameter module=project.wsgi:application.
The whole file reads something like this:
(env)[project#host ~]$ cat uwsgi.ini
[uwsgi]
# path to where you put your project code
chdir=/home/project/project
# python path to the wsgi module, check if you have one
module=project.wsgi:application
# this switch tells uwsgi to spawn a master process,
# that will dynamically spawn new child processes for
# server requests
master=True
# uwsgi stores the pid of your master process here
pidfile=/home/project/master.pid
vacuum=True
# path to your virtual environment
home=/home/project/env/
# path to log file
daemonize=/home/project/log
# this is where you need to point nginx to,
# if you chose to put this in project home make
# sure the home dir is readable and executable by
# nginx
socket=/tmp/uwsgi.sock
### SEE UPDATE NOTICE FOR THIS ONE
env = DJANGO_SETTINGS_MODULE=project.settings
Please note that I'm using virtualenv.
You might also be missing the lines
import os
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "project.settings")
in your wsgi.py
Check if u deleted any init.py file from the Djano apps. As django uses them to know which folders are apps, so they are kind of important.
I got this error because my /etc/uwsgi/vassals/ ini file for the site I was running had the word "module" misspelled as "modeule". Check that file carefully if you see htis ereror.
In uwsgi.ini
Make sure you have set the right module.
[uwsgi]
module = yourapp.wsgi:application
...