#7185 Fix perms on /srv/odcs
Closed: Fixed 4 years ago by kevin. Opened 5 years ago by ralph.

The permissions on /srv/odcs odcs_target_dir are too broad (777). I set them this way in 00be7fd514ff30d0aceafefbb7ddd896e8e8ecab.

I was having trouble getting the backend and the frontend to share the gluster share. The frontend serves composes from that share running as apache. The backend populates composes into that share, running as the fedmsg user. The uid/gids seem to not match between the frontend and backend, which complicates things.

Any ideas for how to resolve this?


Metadata Update from @ralph:
- Issue tagged with: odcs, security

5 years ago

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

5 years ago

I think the correct fix here would be to update the ODCS package to add a user with a well-known UID (https://fedoraproject.org/wiki/PackageUserRegistry), and then make sure the mod_wsgi application gets configured to use that uid as well.

Any movement here? Should we file this upstream somewhere?

I am not sure where upstream is. :)

@jkaluza @lsedlar Where can I add a ticket/bug/issue to fix this?

ODCS upstream is at https://pagure.io/odcs/

Thanks, filed https://pagure.io/odcs/issue/302 about this.

However, we should probably try and fix it sooner in our infra if there's not a desire to fix this upstream...

Can you wait with this after I upgrade ODCS in prod to latest version too? I'm upgrading in staging and I was rewriting the playbooks/roles.

Sure, we have waited this long.

Assign this to @jkaluza so it is clear that this is being worked on

Metadata Update from @cverna:
- Issue assigned to jkaluza

4 years ago

I'm working on that right now. Staging should have this fixed later today. It should be part of the next prod update, which I'm going to do after the freeze.

So, I did a series of commits in ansible.git which do the following (summary):

  • A new odcs-server user and group are created with predefined UID/GID 64321.
  • All the config files and directories used/created by the ODCS are owned by odcs-server:odcs-server.
  • The apache user is a member of the odcs-server group, so the frontend can access /srv/odcs.
  • The /srv/odcs permissions are now 0770. New composes in this directory are created with 0755 permission by ODCS backend.

This is deployed on ODCS staging. I will close this ticket as soon as I deploy this on prod after the freeze.
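An audit for the permission model described in the comment above, added here as an example and not part of the ticket or of the ansible.git commits. The 0770 top-level mode, the 0755 compose mode and the odcs-server group name come from the comment; the function names and the constructed sample tree are assumptions.

```python
import grp
import os
import stat
import tempfile
from pathlib import Path

TOP_MODE = 0o770      # /srv/odcs itself: odcs-server and its group only, no world access
COMPOSE_MODE = 0o755  # composes written by the backend: world-readable, owner-writable


def audit_share(root, expected_group=None):
    """Return a list of (path, problem) tuples; an empty list means the share matches the model."""
    root = Path(root)
    problems = []
    st = root.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode != TOP_MODE:
        problems.append((str(root), f"mode {mode:04o}, expected {TOP_MODE:04o}"))
    if expected_group is not None:
        group = grp.getgrgid(st.st_gid).gr_name
        if group != expected_group:
            problems.append((str(root), f"group {group}, expected {expected_group}"))
    # Every compose directory: never world-writable, and 0755 as the backend creates them.
    for child in sorted(p for p in root.iterdir() if p.is_dir()):
        cmode = stat.S_IMODE(child.stat().st_mode)
        if cmode & stat.S_IWOTH:
            problems.append((str(child), f"world-writable ({cmode:04o})"))
        elif cmode != COMPOSE_MODE:
            problems.append((str(child), f"mode {cmode:04o}, expected {COMPOSE_MODE:04o}"))
    return problems


def build_sample_share():
    """Constructed sample tree (not a real /srv/odcs): one compliant compose, one left at 0777."""
    base = Path(tempfile.mkdtemp(prefix="odcs-sample-"))
    os.chmod(base, TOP_MODE)
    for name, mode in (("compose-good", COMPOSE_MODE), ("compose-bad", 0o777)):
        d = base / name
        d.mkdir()
        os.chmod(d, mode)  # chmod after mkdir so the umask does not mask the bits
    return base


if __name__ == "__main__":
    # Run against the constructed tree; point audit_share at /srv/odcs with
    # expected_group="odcs-server" to check a real deployment.
    for path, problem in audit_share(build_sample_share()):
        print(f"{path}: {problem}")
```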

Cool! Freeze is over now, so deploy at your leisure. ;)

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
