On Wednesday, December 10, 2014 6:13:56 PM UTC-8, Graham Dumpleton wrote:
>
> Wow. Surprised you got that far. The chroot feature of mod_wsgi pretty
> well has no documentation. At best there might be some comments about it
> buried in the release notes somewhere.
>
> Before we try and sort out the issue, I might say that the better way of
> trying to isolate an application these days would be to use Docker. I
> realise this means learning a bit about how to install and manage Docker,
> but as far as running Apache/mod_wsgi under Docker, the experience is much
> much better as I provide a prebuilt Docker image for doing it.
>
> This Docker image is something I don't think I have mentioned here on the
> mod_wsgi mailing list as it has only been out there for a week or so.
>
> I have recently started blogging about it and have two posts up about it:
>
> Hosting Python WSGI applications using Docker.
> <http://blog.dscpl.com.au/2014/12/hosting-python-wsgi-applications-using.html>
> Deferred build actions for Docker images.
> <http://blog.dscpl.com.au/2014/12/deferred-build-actions-for-docker-images.html>
>
> The actual Docker Hub entry is:
>
> https://registry.hub.docker.com/u/grahamdumpleton/mod-wsgi-docker/
>

Thanks for this info - I may look into this if the chroot proves too difficult.

>
> Anyway, for chroot, can you confirm a few things.
>
> First is whether the Python version outside of the chroot is the default
> operating system Python installation for 2.7 and that the mod_wsgi is also
> the operating system binary package also.
>
> Double check what version of Python mod_wsgi is installed for. I would
> imagine it should be Python 2.7, but want to make sure it isn't 2.6.
>
> http://code.google.com/p/modwsgi/wiki/CheckingYourInstallation#Python_Installation_In_Use
>

It shows:

    sys.version = '2.7.6 (default, Mar 22 2014, 23:03:41) \n[GCC 4.8.2]'
    sys.prefix = '/usr'

>
> Now inside of the chroot, did you also use the default operating system
> Python installation for 2.7.
>
> Inside of the chroot, run the 'python' command line and see if datetime
> can be imported.
>
> $ python
> Python 2.7.2 (default, Oct 11 2012, 20:14:37)
> [GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import datetime
> >>> datetime.__file__
> '/Users/graham/Python/docker/lib/python2.7/lib-dynload/datetime.so'
>

Here's my result from inside the chroot:

    Python 2.7.6 (default, Mar 22 2014, 22:59:38)
    [GCC 4.8.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import datetime
    >>> datetime.__file__
    '/usr/lib/python2.7/lib-dynload/datetime.i386-linux-gnu.so'

Do you think I should try to compile a different version of mod_wsgi from source?

--Jennifer

>
> Graham
>
> On 11/12/2014, at 11:54 AM, Jennifer Mehl <[email protected]> wrote:
>
> Hello,
>
> I'm new to mod_wsgi (and I am not a programmer, so please bear with me).
> I have a Django/Python application that was written by someone else that I
> have deployed using mod_wsgi 3.4 on Ubuntu 14.04LTS with Apache 2.4.7,
> using the following in my apache config:
>
> #Django WSGI
> WSGIScriptAlias / /var/www/transfergateway/myproject/wsgi.py
> WSGIPythonPath /var/www/transfergateway
> <VirtualHost *:443>
>     ServerName *redacted*
>     <Directory /var/www/transfergateway>
>         <Files wsgi.py>
>             Order deny,allow
>             Allow from all
>         </Files>
>     </Directory>
>
> The application is running fine using mod_wsgi and apache.
>
> However, I want to make this application more secure, so I would like to
> have mod_wsgi run in a chroot jail. I created a chroot jail using the
> instructions here: https://help.ubuntu.com/community/BasicChroot and
> copied the application into /var/chroot/var/www/transfergateway . Then, in
> the chroot, I installed python2.7 and used pip install to install the
> python packages used in the project (as far as I can tell).
>
> I have created a new Apache config:
>
> #test chroot jail for Django WSGI
> WSGISocketPrefix /var/run/wsgi
> <VirtualHost *:443>
>     ServerName *redacted*
>     WSGIScriptAlias / /var/chroot/var/www/transfergateway/myproject/wsgi.py
>     WSGIProcessGroup chroot
>     WSGIDaemonProcess chroot user=daemon group=daemon processes=2 threads=25 chroot=/var/chroot
>     <Directory /var/chroot/var/www/transfergateway/myproject/>
>         <Files wsgi.py>
>             Order deny,allow
>             Allow from all
>         </Files>
>     </Directory>
>
> But I am getting the following errors in the Apache error log upon startup:
>
> Target WSGI script '/var/www/transfergateway/myproject/wsgi.py' cannot be loaded as Python module.
>
> Exception occurred processing WSGI script '/var/www/transfergateway/myproject/wsgi.py'.
>
> Traceback (most recent call last):
>   File "/var/www/transfergateway/myproject/wsgi.py", line 29, in <module>
>     from django.core.wsgi import get_wsgi_application
>   File "/usr/local/lib/python2.7/dist-packages/django/core/wsgi.py", line 1, in <module>
>     from django.core.handlers.wsgi import WSGIHandler
>   File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/wsgi.py", line 9, in <module>
>     from django import http
>   File "/usr/local/lib/python2.7/dist-packages/django/http/__init__.py", line 1, in <module>
>     from django.http.cookie import SimpleCookie, parse_cookie
>   File "/usr/local/lib/python2.7/dist-packages/django/http/cookie.py", line 3, in <module>
>     from django.utils.encoding import force_str
>   File "/usr/local/lib/python2.7/dist-packages/django/utils/encoding.py", line 4, in <module>
>     import datetime
> ImportError: No module named datetime
>
> I appreciate any advice on what I am doing wrong here. Do I have my
> chroot set up properly? Do I need to do anything with permissions on
> /var/chroot or /var/chroot/var/www/transfergateway? Do I need to run
> mod_wsgi as a different user than daemon?
>
> thanks in advance for any help!
>
> --Jennifer
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/d/optout.
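
The checks requested in the thread compare the Python that mod_wsgi embeds outside the chroot with the Python tree the daemon process sees inside it. The following is an added example, not code from the thread or from mod_wsgi: run from the host under Python 3, it reads ELF headers to confirm that a standard-library C extension such as datetime exists in the chroot's lib-dynload and was built for the same architecture as the binary that embeds Python. The function names, the `host_binary` argument and the constructed headers written by `fake_elf` are assumptions for illustration.

```python
import os
import struct

EM_NAMES = {3: "i386", 62: "x86_64"}  # e_machine values from the ELF spec

def elf_machine(path):
    """Return the architecture named in an ELF header, or None if not ELF."""
    with open(path, "rb") as fh:
        hdr = fh.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return None
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (machine,) = struct.unpack(endian + "H", hdr[18:20])
    return EM_NAMES.get(machine, "e_machine=%d" % machine)

def check_chroot_module(chroot, prefix, version, module, host_binary):
    """Check one stdlib C extension inside the chroot against host_binary.

    host_binary: the ELF file embedding Python outside the chroot (path is
    supplied by the caller; hypothetical here). Returns (status, detail).
    """
    dynload = os.path.join(chroot, prefix.lstrip("/"), "lib",
                           "python" + version, "lib-dynload")
    if not os.path.isdir(dynload):
        return ("no-lib-dynload", dynload)
    hits = sorted(f for f in os.listdir(dynload)
                  if f.endswith(".so") and f.split(".", 1)[0] == module)
    if not hits:
        return ("module-missing", dynload)
    want = elf_machine(host_binary)
    for name in hits:
        got = elf_machine(os.path.join(dynload, name))
        if got != want:
            return ("arch-mismatch",
                    "%s is %s, host binary is %s" % (name, got, want))
    return ("ok", ", ".join(hits))

def fake_elf(path, machine):
    """Write a constructed 20-byte little-endian ELF header (sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    ei_class = 2 if machine == 62 else 1  # ELFCLASS64 or ELFCLASS32
    with open(path, "wb") as fh:
        fh.write(b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\0" * 9
                 + struct.pack("<HH", 3, machine))  # e_type=ET_DYN, e_machine
```

Call `check_chroot_module` with the directory given to the `chroot=` option of WSGIDaemonProcess and the `sys.prefix` and version reported by the interpreter outside the chroot ('/usr' and '2.7' in this thread).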
