I am working with Debian Jessie and Django 1.8, trying to set up Gunicorn to run my Django site. I have created a user called opuser, and made this user the owner of the gunicorn.sock file and the containing directory:
$ ls -lash /webapps/myapp/run/
total 8.0K
4.0K drwxrwxrwx  2 opuser users 4.0K Sep  1 12:24 .
4.0K drwxrwxrwx+ 7 opuser users 4.0K Sep  1 10:37 ..
Now, if I try to run gunicorn as opuser:
gunicorn myapp.wsgi:application --name myapp_prod --workers 3 --bind=unix:/webapps/myapp/run/gunicorn.sock --user opuser --group webapps --log-level=debug
I get:
OSError: [Errno 13] Permission denied: '/webapps/myapp/run/gunicorn.sock'
Why do I get permission denied when opuser is the owner of the containing directory?
If I run ls -lash /webapps/myapp/run again, I see the following:
0 srwxrwxrwx 1 anna anna 0 Sep 1 12:24 gunicorn.sock
It looks like the gunicorn.sock file has really permissive permissions, though it isn't being created with the owner I'd expect.
This is the full output:
[2015-09-01 11:18:36 +0000] [9439] [DEBUG] Current configuration:
  proxy_protocol: False
  worker_connections: 1000
  statsd_host: None
  max_requests_jitter: 0
  post_fork: <function post_fork at 0x7efebefd2230>
  pythonpath: None
  enable_stdio_inheritance: False
  worker_class: sync
  ssl_version: 3
  suppress_ragged_eofs: True
  syslog: False
  syslog_facility: user
  when_ready: <function when_ready at 0x7efebefc6ed8>
  pre_fork: <function pre_fork at 0x7efebefd20c8>
  cert_reqs: 0
  preload_app: False
  keepalive: 2
  accesslog: None
  group: 999
  graceful_timeout: 30
  do_handshake_on_connect: False
  spew: False
  workers: 3
  proc_name: myapp_prod
  sendfile: True
  pidfile: None
  umask: 0
  on_reload: <function on_reload at 0x7efebefc6d70>
  pre_exec: <function pre_exec at 0x7efebefd27d0>
  worker_tmp_dir: None
  post_worker_init: <function post_worker_init at 0x7efebefd2398>
  limit_request_fields: 100
  on_exit: <function on_exit at 0x7efebefd2e60>
  config: None
  secure_scheme_headers: {'X-FORWARDED-PROTOCOL': 'ssl', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}
  proxy_allow_ips: ['127.0.0.1']
  pre_request: <function pre_request at 0x7efebefd2938>
  post_request: <function post_request at 0x7efebefd2a28>
  user: 999
  forwarded_allow_ips: ['127.0.0.1']
  worker_int: <function worker_int at 0x7efebefd2500>
  threads: 1
  max_requests: 0
  limit_request_line: 4094
  access_log_format: %(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"
  certfile: None
  worker_exit: <function worker_exit at 0x7efebefd2b90>
  chdir: /webapps/myapp/myapp
  paste: None
  default_proc_name: myapp.wsgi:application
  errorlog: -
  loglevel: debug
  logconfig: None
  syslog_addr: udp://localhost:514
  syslog_prefix: None
  daemon: False
  ciphers: TLSv1
  on_starting: <function on_starting at 0x7efebefc6c08>
  worker_abort: <function worker_abort at 0x7efebefd2668>
  bind: ['unix:/webapps/myapp/run/gunicorn.sock']
  raw_env: []
  reload: False
  check_config: False
  limit_request_field_size: 8190
  nworkers_changed: <function nworkers_changed at 0x7efebefd2cf8>
  timeout: 30
  ca_certs: None
  django_settings: None
  tmp_upload_dir: None
  keyfile: None
  backlog: 2048
  logger_class: gunicorn.glogging.Logger
  statsd_prefix:
[2015-09-01 11:18:36 +0000] [9439] [INFO] Starting gunicorn 19.3.0
Traceback (most recent call last):
  File "/home/anna/.virtualenvs/myapp/bin/gunicorn", line 11, in <module>
    sys.exit(run())
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/app/wsgiapp.py", line 74, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/app/base.py", line 189, in run
    super(Application, self).run()
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/arbiter.py", line 171, in run
    self.start()
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/arbiter.py", line 130, in start
    self.LISTENERS = create_sockets(self.cfg, self.log)
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/sock.py", line 211, in create_sockets
    sock = sock_type(addr, conf, log)
  File "/home/anna/.virtualenvs/myapp/local/lib/python2.7/site-packages/gunicorn/sock.py", line 104, in __init__
    os.remove(addr)
OSError: [Errno 13] Permission denied: '/webapps/myapp/run/gunicorn.sock'
Update: these are the permissions of the parent directories (that is, /webapps and /webapps/myapp):
$ ls -lash /webapps/
total 12K
4.0K drwxrwxrwx  3 anna   root  4.0K Aug 29 18:21 .
4.0K drwxrwxrwx+ 7 opuser users 4.0K Sep  1 10:37 myapp
Update 2: if I su to opuser, I can create new files in /webapps/myapp/run without any problem, but I cannot open the gunicorn.sock file in vi without getting a permissions error:
sudo su - opuser
touch /webapps/myapp/run/testfile
vi /webapps/myapp/run/gunicorn.sock
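In vi I see ~/run/gunicorn.sock" [Permission Denied].
I guess this is the heart of the problem, but why can't I open it? Even if I do sudo chown opuser:webapps /webapps/myapp/run/gunicorn.sock and then try to open it again, the problem persists.
Update 3: getfacl output for the file and all containing directories.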
$ getfacl /webapps/myapp/run/gunicorn.sock
getfacl: Removing leading '/' from absolute path names
# file: webapps/myapp/run/gunicorn.sock
# owner: opuser
# group: webapps
user::rwx
group::rwx
other::rwx

$ getfacl /webapps/myapp/run/
getfacl: Removing leading '/' from absolute path names
# file: webapps/myapp/run/
# owner: opuser
# group: users
user::rwx
group::rwx
other::rwx

$ getfacl /webapps/myapp/
getfacl: Removing leading '/' from absolute path names
# file: webapps/myapp/
# owner: opuser
# group: users
user::rwx
user:anna:rwx
group::rx
mask::rwx
other::rwx

$ getfacl /webapps/
getfacl: Removing leading '/' from absolute path names
# file: webapps/
# owner: anna
# group: root
user::rwx
group::rwx
other::rwx
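
The traceback above fails in os.remove(), and whether an unlink is allowed depends on the parent directories rather than on the socket's own mode. The following is an added example, not part of the original post and not Gunicorn code: it lists what plain mode bits alone would refuse for a given uid. It assumes no symlinked path components and does not evaluate ACL entries, mount options or LSM policy; the sample tree is constructed from the listings above, with assumed numeric ids except 999.

```python
import os
import stat
from collections import namedtuple

# Constructed sample: owners and modes copied from the ls listings in the post.
# uid/gid 999 (opuser/webapps) comes from the debug log; other ids are assumed.
St = namedtuple("St", "st_mode st_uid st_gid")
D, S = stat.S_IFDIR, stat.S_IFSOCK
SAMPLE = {
    "/": St(D | 0o755, 0, 0),                                       # assumed
    "/webapps": St(D | 0o777, 1000, 0),                             # anna:root
    "/webapps/myapp": St(D | 0o777, 999, 100),                      # opuser:users
    "/webapps/myapp/run": St(D | 0o777, 999, 100),                  # opuser:users
    "/webapps/myapp/run/gunicorn.sock": St(S | 0o777, 1000, 1000),  # anna:anna
}


def class_bits(st, uid, gids):
    """rwx triplet (0-7) that plain mode bits grant to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def unlink_blockers(path, uid, gids, stat_fn=os.stat):
    """Reasons mode bits alone would make unlink(path) fail with EACCES/EPERM."""
    if uid == 0:
        return []  # root is not limited by mode bits
    reasons, parent = [], os.path.dirname(path)
    dirs = [parent]
    while dirs[-1] != os.path.dirname(dirs[-1]):
        dirs.append(os.path.dirname(dirs[-1]))
    for d in reversed(dirs):  # every ancestor directory must be searchable
        if not class_bits(stat_fn(d), uid, gids) & 1:
            reasons.append("no x on " + d)
    pst = stat_fn(parent)
    if not class_bits(pst, uid, gids) & 2:  # unlink writes the parent directory
        reasons.append("no w on " + parent)
    # Sticky directory: only the owner of the file or of the directory may unlink.
    if pst.st_mode & stat.S_ISVTX and uid not in (stat_fn(path).st_uid, pst.st_uid):
        reasons.append("sticky bit on " + parent)
    return reasons


if __name__ == "__main__":
    sock = "/webapps/myapp/run/gunicorn.sock"
    print(unlink_blockers(sock, 999, {999}, SAMPLE.__getitem__))
```

Called with the default stat_fn it inspects the real filesystem; pass the uid and group ids the process actually runs with, not the ones requested on the command line.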