getsentry / self-hosted

Sentry, feature-complete and packaged up for low-volume deployments and proofs-of-concept
https://develop.sentry.dev/self-hosted/

Permission denied for sentry.conf.py #2756

Open Benczak opened 9 months ago

Benczak commented 9 months ago

Self-Hosted Version

24.1.1

CPU Architecture

x86_64

Docker Version

24.0.7

Docker Compose Version

2.21.0

Steps to Reproduce

  1. Open the "Early features" section in Organization settings.
  2. Select "Enable User Feedback v2 UI".
  3. View the log: docker compose logs --follow sentry-self-hosted-web-1

Expected Result

Enabling feature "Enable User Feedback v2 UI".

Actual Result

sentry-self-hosted-web-1  |   File "/usr/local/lib/python3.10/site-packages/sentry/api/base.py", line 271, in handle_exception
sentry-self-hosted-web-1  |     response = super().handle_exception(exc)
sentry-self-hosted-web-1  |   File "/usr/local/lib/python3.10/site-packages/rest_framework/views.py", line 469, in handle_exception
sentry-self-hosted-web-1  |     self.raise_uncaught_exception(exc)
sentry-self-hosted-web-1  |   File "/usr/local/lib/python3.10/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
sentry-self-hosted-web-1  |     raise exc
sentry-self-hosted-web-1  |   File "/usr/local/lib/python3.10/site-packages/sentry/api/base.py", line 395, in dispatch
sentry-self-hosted-web-1  |     response = handler(request, *args, **kwargs)
sentry-self-hosted-web-1  |   File "/usr/local/lib/python3.10/site-packages/sentry/api/endpoints/internal/feature_flags.py", line 43, in put
sentry-self-hosted-web-1  |     with open(py, "r+") as file:
sentry-self-hosted-web-1  | PermissionError: [Errno 13] Permission denied: '/etc/sentry/sentry.conf.py'
sentry-self-hosted-web-1  | 13:02:00 [INFO] sentry.access.api: api.access (method='PUT' view='sentry.api.endpoints.internal.feature_flags.InternalFeatureFlagsEndpoint' response=500 user_id='1' is_app='False' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/api/0/internal/feature-flags/' caller_ip='192.168.200.148' user_agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.023432254791259766 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
sentry-self-hosted-web-1  | 13:02:00 [ERROR] django.request: Internal Server Error: /api/0/internal/feature-flags/ (status_code=500 request=<WSGIRequest: PUT '/api/0/internal/feature-flags/'>)

During the install script "install.sh", every file is created with root privileges, including sentry.conf.py. The permissions on /etc/sentry/sentry.conf.py are 644 and the user and group are root:root.

The Django server runs as the sentry user, and the function (/usr/local/lib/python3.10/site-packages/sentry/api/endpoints/internal/feature_flags.py, line 43) that applies the change from "Early features" tries to open the file /etc/sentry/sentry.conf.py, but it cannot because the sentry user lacks write permission.

The issue has been temporarily fixed by changing the group owner to the sentry group and the permissions to 664.

Event ID

No response

hubertdeng123 commented 9 months ago

Thanks for reporting, it looks like we may need to create the config file with appropriate permissions.

WithakErik commented 7 months ago

@Benczak

My quick and dirty solution was to:

  docker exec -it sentry-self-hosted-web-1 /bin/sh
  chmod 666 /etc/sentry/sentry.conf.py

Then I was able to make the changes

(I also ran chmod 664 /etc/sentry/sentry.conf.py to set the permissions back)

Then, on the server I'm hosting Sentry on, I navigated to the root folder of Sentry and ran:

  docker compose restart web worker cron sentry-cleanup

to update the changes

Hope this helps! (for now)

Edit: Just now read the last sentence of your post.

WithakErik commented 7 months ago

Although the user feedback doesn't seem to be showing up (it 200s on the client side. Maybe I have it configured wrong though)

Zerg2000 commented 6 days ago

Everything in /etc/sentry (web container) has unknown uid/gid 1006 which is not present in /etc/passwd. Sentry user has uid/gid 999

root@5b3395f08aa0:/usr/src/sentry# ls -la /etc/sentry/
total 76
drwxr-xr-x 2 1006 1006  4096 Oct 28 22:39 .
drwxr-xr-x 1 root root  4096 Oct 28 22:31 ..
-rw-r--r-- 1 1006 1006   423 Oct 17 21:17 Dockerfile
-rw-r--r-- 1 1006 1006  4494 Oct 17 21:17 config.example.yml
-rw-r--r-- 1 1006 1006  4548 Oct 28 22:39 config.yml
-rwxr-xr-x 1 1006 1006   289 Oct 17 21:17 enhance-image.example.sh
-rwxr-xr-x 1 1006 1006   328 Oct 17 21:17 entrypoint.sh
-rw-r--r-- 1 1006 1006   136 Oct 17 21:17 requirements.example.txt
-rw-r--r-- 1 1006 1006 13443 Oct 17 21:17 sentry.conf.example.py
-rw-r--r-- 1 1006 1006 13443 Oct 28 19:06 sentry.conf.py

root@5b3395f08aa0:/etc/sentry# grep :1006: /etc/passwd
# No result.

root@5b3395f08aa0:/etc/sentry# grep sentry /etc/passwd
sentry:x:999:999::/home/sentry:/bin/sh

After doing

root@5b3395f08aa0:/usr/src/sentry# chgrp sentry /etc/sentry/sentry.conf.py 
root@5b3395f08aa0:/usr/src/sentry# chmod 664 /etc/sentry/sentry.conf.py

"early features" work, so the whole of /etc/sentry should probably be 999:999 instead of 1006:1006, unless any of these files is being executed/used by a root process.
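
As an added example (not part of the thread and not Sentry's code), the sketch below applies the POSIX owner/group/other write check to the file states reported above and flags two side effects a fix should avoid: a world-writable sentry.conf.py (the chmod 666 state) and an owner uid with no passwd entry (the 1006 state). The function names and finding labels are hypothetical; the modes and uid/gid values are the ones quoted in the comments.

```python
import os
import stat


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX write check for a non-root process: exactly one class applies."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(mode, owner_uid, owner_gid, run_uid, run_gids, known_uids):
    """Return findings (hypothetical labels) for one config file state."""
    findings = []
    if not can_write(mode, owner_uid, owner_gid, run_uid, run_gids):
        findings.append("not-writable-by-service")
    if mode & stat.S_IWOTH:
        # Any local account could edit a file the service loads as Python.
        findings.append("world-writable")
    if owner_uid not in known_uids:
        findings.append("orphan-owner")
    return findings


def audit_path(path, run_uid, run_gids, known_uids):
    """Same audit against a real file, e.g. inside the web container."""
    st = os.stat(path)
    return audit(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                 run_uid, run_gids, known_uids)


# States constructed from the modes and ids quoted in the thread.
SENTRY_UID, SENTRY_GIDS, KNOWN = 999, {999}, {0, 999}
STATES = {
    "installed 644 root:root": (0o644, 0, 0),
    "chmod 666 workaround": (0o666, 0, 0),
    "chgrp sentry + 664": (0o664, 0, 999),
    "644 1006:1006": (0o644, 1006, 1006),
    "664 1006:sentry": (0o664, 1006, 999),
}

if __name__ == "__main__":
    for name, (mode, uid, gid) in STATES.items():
        print(name, audit(mode, uid, gid, SENTRY_UID, SENTRY_GIDS, KNOWN))
```

Only the group-writable 664 state with a known owner comes back with no findings; audit_path runs the same check against the live file.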