Problems installing Sunstone with Apache Passenger

Hi:
I am working with ON 4.14, and I am trying to set up the Large Scale Deployment, following: http://docs.opennebula.org/4.14/advanced_administration/scalability/suns_advance.html
After following all the steps, when I try to start Passenger, I got the following error in Sunstone:
Sat Oct 03 04:26:33 2015 [E]: Permission denied - /var/lib/one/.one/sunstone_auth

I have the Sunstone server running, and I am able to connect to Sunstone using the default port (9869)…

Probably I missed some step in the installation. These are the steps I did in the installation:
- Install opennebula-sunstone
- Install-gems
- Start opennebula-sunstone
- Copy the credentials from oned server (/var/lib/one/.one)
- Login successfully to Sunstone with the usual port (9869).
- Install Apache and Passenger
- Check configuration OK in Passenger and Apache
- Create the virtual host as described in OpenNebula documentation
- Restart everything…
- Test…: permission denied

==> Can you help me??
Thanks
M.Loureiro

This is the sample of /etc/one/sunstone-server.conf:

# Directory to store temp files when uploading images
#
:tmpdir: /var/tmp

# OpenNebula sever contact information
#
:one_xmlrpc: http://10.0.2.27:2633/RPC2

# Server Configuration
#
:host: 0.0.0.0
:port: 9869

# Place where to store sessions, this value can be memory, memcache or memcache-dalli
# Use memcache when starting multiple server processes, for example,
# with passenger
#
# NOTE. memcache needs a separate memcached server to be configured. Refer
# to memcached documentation to configure the server.
:sessions: memory

# Memcache configuration
:memcache_host: localhost
:memcache_port: 11211
:memcache_namespace: opennebula.sunstone

# Excution environment for Sunstone
# dev, Instead of pulling the minified js all the files will be pulled (app/main.js)
# Check the Building from Source guide in the docs, for details on how to run
# Sunstone in development
# prod, the minified js will be used (dist/main.js)
:env: 'prod'

################################################################################
# Log
################################################################################

# Log debug level
# 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG
#
:debug_level: 3

################################################################################
# Auth
################################################################################

# Authentication driver for incomming requests
# sunstone, for OpenNebula's user-password scheme
# x509, for x509 certificates based authentication
# opennebula, the authentication will be done by the opennebula core using the
# driver defined for the user
#
:auth: opennebula

# Authentication driver to communicate with OpenNebula core
# cipher, for symmetric cipher encryption of tokens
# x509, for x509 certificate encryption of tokens
#
:core_auth: cipher

# For LDAP auth. Encode credentials sent to OpenNebula. Turns espaces into %20.
# This only works with "opennebula" auth.
#
#:encode_user_password: true

Sorry for stating the obvious - but this looks like the Apache-user is not allowed to access the file sunstone_auth ?

Roland:
No. I have followed the instructions in OpenNebula, and I changed the group to apache… I have even changed the user to apache, too… This is the /var/lib/one/.one directory:
4 d-wx--x--x. 2 oneadmin oneadmin 4096 oct 1 23:00 .
0 drwxr-xr-x. 4 oneadmin oneadmin 96 oct 2 22:57 ..
4 -rwx--x--x. 1 oneadmin oneadmin 53 oct 1 23:00 ec2_auth
4 -rwx--x--x. 1 oneadmin oneadmin 53 oct 1 23:00 occi_auth
4 -rwx--x--x. 1 oneadmin oneadmin 18 oct 1 22:59 one_auth
4 -rwx--x--x. 1 oneadmin oneadmin 53 oct 1 23:00 oneflow_auth
4 -rwx--x--x. 1 oneadmin oneadmin 53 oct 1 23:00 onegate_auth
4 -rwx--x--x. 1 oneadmin oneadmin 41 oct 1 23:00 one_key
4 -rwx--x--x. 1 apache apache 53 oct 1 23:00 sunstone_auth
[root@localhost .one]#

When I access the Virtual Host Page of Passenger, I get this in /var/log/httpd/error_log:

App 22549 stdout:
App 22549 stdout: --------------------------------------
App 22549 stdout: Server configuration
App 22549 stdout: --------------------------------------
App 22549 stdout: {:tmpdir=>"/var/tmp",
App 22549 stdout: :one_xmlrpc=>"http://10.0.2.27:2633/RPC2",
App 22549 stdout: :host=>"0.0.0.0",
App 22549 stdout: :port=>8080,
App 22549 stdout: :sessions=>"memory",
App 22549 stdout: :memcache_host=>"localhost",
App 22549 stdout: :memcache_port=>11211,
App 22549 stdout: :memcache_namespace=>"opennebula.sunstone",
App 22549 stdout: :env=>"prod",
App 22549 stdout: :debug_level=>3,
App 22549 stdout: :auth=>"opennebula",
App 22549 stdout: :core_auth=>"cipher",
App 22549 stdout: :vnc_proxy_port=>29876,
App 22549 stdout: :vnc_proxy_support_wss=>false,
App 22549 stdout: :vnc_proxy_cert=>nil,
App 22549 stdout: :vnc_proxy_key=>nil,
App 22549 stdout: :vnc_proxy_ipv6=>false,
App 22549 stdout: :lang=>"en_US",
App 22549 stdout: :table_order=>"desc",
App 22549 stdout: :marketplace_url=>"http://marketplace.opennebula.systems/",
App 22549 stdout: :oneflow_server=>"http://localhost:2474/",
App 22549 stdout: :instance_types=>
App 22549 stdout: [{:name=>"small-x1",
App 22549 stdout: :cpu=>1,
App 22549 stdout: :vcpu=>1,
App 22549 stdout: :memory=>128,
App 22549 stdout: :description=>"Very small instance for testing purposes"},
App 22549 stdout: {:name=>"small-x2",
App 22549 stdout: :cpu=>2,
App 22549 stdout: :vcpu=>2,
App 22549 stdout: :memory=>512,
App 22549 stdout: :description=>"Small instance for testing multi-core applications"},
App 22549 stdout: {:name=>"medium-x2",
App 22549 stdout: :cpu=>2,
App 22549 stdout: :vcpu=>2,
App 22549 stdout: :memory=>1024,
App 22549 stdout: :description=>"General purpose instance for low-load servers"},
App 22549 stdout: {:name=>"medium-x4",
App 22549 stdout: :cpu=>4,
App 22549 stdout: :vcpu=>4,
App 22549 stdout: :memory=>2048,
App 22549 stdout: :description=>"General purpose instance for medium-load servers"},
App 22549 stdout: {:name=>"large-x4",
App 22549 stdout: :cpu=>4,
App 22549 stdout: :vcpu=>4,
App 22549 stdout: :memory=>4096,
App 22549 stdout: :description=>"General purpose instance for servers"},
App 22549 stdout: {:name=>"large-x8",
App 22549 stdout: :cpu=>8,
App 22549 stdout: :vcpu=>8,
App 22549 stdout: :memory=>8192,
App 22549 stdout: :description=>"General purpose instance for high-load servers"}],
App 22549 stdout: :routes=>["oneflow", "vcenter", "support"]}
App 22549 stdout: --------------------------------------
App 22549 stdout:
App 22549 stdout:
[ 2015-10-03 17:05:36.5865 22522/7fb4042a2700 age/Cor/App/Implementation.cpp:303 ]: Could not spawn process for application /usr/lib/one/sunstone: An error occured while starting up the preloader.
Error ID: 478e65b1
Error details saved to: /tmp/passenger-error-oeeafH.html
Message from application: exit (SystemExit)
/usr/lib/one/sunstone/sunstone-server.rb:134:in `exit'
/usr/lib/one/sunstone/sunstone-server.rb:134:in `rescue in <top (required)>'
/usr/lib/one/sunstone/sunstone-server.rb:127:in `<top (required)>'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
/usr/lib/one/sunstone/config.ru:9:in `block in <main>'
/usr/local/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'
/usr/local/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'
/usr/lib/one/sunstone/config.ru:1:in `new'
/usr/lib/one/sunstone/config.ru:1:in `<main>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:107:in `eval'
/usr/share/passenger/helper-scripts/rack-preloader.rb:107:in `preload_app'
/usr/share/passenger/helper-scripts/rack-preloader.rb:153:in `<module:App>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'

[ 2015-10-03 17:05:36.6218 22522/7fb404aa3700 age/Cor/Req/CheckoutSession.cpp:252 ]: [Client 1-1] Cannot checkout session because a spawning error occurred. The identifier of the error is 478e65b1. Please see earlier logs for details about the error.

And, as I mentioned, in /var/log/one/sunstone-server.log:

Sat Oct 03 17:09:50 2015 [E]: Error initializing authentication system
Sat Oct 03 17:09:50 2015 [E]: Permission denied - /var/lib/one/.one/sunstone_auth

It seems that there is a general in the authentication system…This is the contents of sunstone_auth:
[root@localhost .one]# cat /var/lib/one/.one/sunstone_auth
serveradmin:1f4fbdb43b3648684d2080fad27fa3541732609a

==> Any idea of what can be wrong??

Thanks in advance:
M.Loureiro

Sat Oct 03 17:09:50 2015 [E]: Error initializing authentication system
Sat Oct 03 17:09:50 2015 [E]: Permission denied - /var/lib/one/.one/sunstone_auth

This error message is generated by Sunstone, not Apache. Seems like the sunstone_auth file can't be read by Sunstone on starting. Looking at the rights, oneadmin can't use the file, only apache can. Make sure oneadmin can still read the file as well.

The docs contain this part:
Another thing you have to take into account is the user on which the server will run. The installation sets the permissions for oneadmin user and group and files like the Sunstone configuration and credentials can not be read by other users. Apache usually runs as www-data user and group so to let the server run as this user the group of these files must be changed, for example:
$ chgrp www-data /etc/one/sunstone-server.conf
$ chgrp www-data /etc/one/sunstone-plugins.yaml
$ chgrp www-data /var/lib/one/.one/sunstone_auth
$ chmod a+x /var/lib/one
$ chmod a+x /var/lib/one/.one
$ chgrp www-data /var/log/one/sunstone*
$ chmod g+w /var/log/one/sunstone*

So, only the group is changed for sunstone_auth. If I interpret the above correctly, the file should be owned by user oneadmin and the group should be www-data (if on ubu/deb).

chown oneadmin:www-data /var/lib/one/.one/sunstone_auth

Maybe that works?
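
The ownership question discussed in the replies, worked through as an added example (not part of any post and not OpenNebula code): it applies the POSIX rule that only the first matching class (owner, then group, then other) is consulted, to the layout posted in the thread and to a chgrp-only layout. The owner/group/mode triples are constructed from the directory listing above, the 640 mode is an assumption, and `has_perm` and `can_read_file` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenNebula. It evaluates classic
# POSIX mode bits only; root, ACLs and SELinux are outside what it models.

# has_perm OWNER GROUP MODE USER "USER_GROUPS" BIT   (BIT: 4=read, 1=search)
# Only the first matching class (owner, then group, then other) is consulted.
has_perm() {
    local owner="$1" group="$2" user="$4" user_groups="$5" bit="$6" m digit g
    m=$(( 0$3 ))                          # mode string read as an octal number
    digit=$(( m & 7 ))                    # default class: other
    if [ "$user" = "$owner" ]; then
        digit=$(( (m >> 6) & 7 ))
    else
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then digit=$(( (m >> 3) & 7 )); fi
        done
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# can_read_file USER "USER_GROUPS" "OWNER GROUP MODE"...
# The last triple is the file (needs r); earlier ones are the directories
# leading to it (each needs x).
can_read_file() {
    local user="$1" user_groups="$2" need owner group mode
    shift 2
    while [ $# -gt 0 ]; do
        read -r owner group mode <<EOF
$1
EOF
        if [ $# -eq 1 ]; then need=4; else need=1; fi
        has_perm "$owner" "$group" "$mode" "$user" "$user_groups" "$need" || return 1
        shift
    done
}

# Constructed from the listing posted in the thread.
VAR_LIB_ONE="oneadmin oneadmin 755"       # drwxr-xr-x
DOT_ONE="oneadmin oneadmin 311"           # d-wx--x--x
AUTH_POSTED="apache apache 711"           # -rwx--x--x after the chown to apache
AUTH_CHGRP="oneadmin apache 640"          # assumed: chgrp only, mode 640

for u in apache oneadmin; do
    for f in "$AUTH_POSTED" "$AUTH_CHGRP"; do
        if can_read_file "$u" "$u" "$VAR_LIB_ONE" "$DOT_ONE" "$f"; then r=yes; else r=no; fi
        echo "$u reads sunstone_auth as [$f]: $r"
    done
done
```

On a live system the triples can be taken from `stat -c '%U %G %a' PATH` (GNU stat) for each directory on the path and for the file itself.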