juju-core

Merge lp:~thumper/juju-core/all-machines-trusty into lp:~go-bot/juju-core/trunk

  1. all-machines-trusty
  2. Merge into trunk
Proposed by Tim Penhey
Status: Merged
Approved by: Tim Penhey
Approved revision: no longer in the source branch.
Merged at revision: 2283
Proposed branch: lp:~thumper/juju-core/all-machines-trusty
Merge into: lp:~go-bot/juju-core/trunk
Diff against target: 127 lines (+43/-5)
5 files modified
environs/cloudinit/cloudinit.go (+1/-1)
environs/cloudinit/cloudinit_test.go (+2/-2)
log/syslog/config.go (+26/-1)
log/syslog/config_test.go (+5/-1)
provider/local/environ.go (+9/-0)
To merge this branch: bzr merge lp:~thumper/juju-core/all-machines-trusty
Reviewer Review Type Date Requested Status
Juju Engineering Pending
Review via email: mp+204106@code.launchpad.net

Commit message

Fix the local provider all-machines.log

There were a number of problems with this as it was, which failed more in trusty as I think the apparmor profile for rsyslogd may have changed or got bugs fixed.

The rsyslog config file was being written by root with 0600 perms. The rsyslog process does a setuid to become the syslog user. The syslog user couldn't read the config file. Now this is written with 0644 so it can be read.

The apparmor profile is quite strict about where rsyslog can write files. Instead of poking with the profile, the local provider now logs to /var/log/juju-{{user}}-{{env name}}/all-machines.log, and a symlink is made in the local provider log dir to point to that file. The file is also created with 0644 so the user can read it without poking permissions. By default rsyslog creates files with 0644, but in the ubuntu package, the setting is changed to 0640, which means normal users can't read the log file. Using a new action directive (new as in not-legacy), we can specify the file create mode so it doesn't use the default.

Also, when a local environment is destroyed, the normal dir is removed, but the all-machines.log is left around (which I find handy) until the environment is bootstrapped again, then it is removed.

Description of the change

Fix the local provider all-machines.log

There were a number of problems with this as it was, which failed more in trusty as I think the apparmor profile for rsyslogd may have changed or got bugs fixed.

The rsyslog config file was being written by root with 0600 perms. The rsyslog process does a setuid to become the syslog user. The syslog user couldn't read the config file. Now this is written with 0644 so it can be read.

The apparmor profile is quite strict about where rsyslog can write files. Instead of poking with the profile, the local provider now logs to /var/log/juju-{{user}}-{{env name}}/all-machines.log, and a symlink is made in the local provider log dir to point to that file. The file is also created with 0644 so the user can read it without poking permissions. By default rsyslog creates files with 0644, but in the ubuntu package, the setting is changed to 0640, which means normal users can't read the log file. Using a new action directive (new as in not-legacy), we can specify the file create mode so it doesn't use the default.

Also, when a local environment is destroyed, the normal dir is removed, but the all-machines.log is left around (which I find handy) until the environment is bootstrapped again, then it is removed.

To post a comment you must log in.
Revision history for this message
Nate Finch (natefinch) wrote :

LGTM

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'environs/cloudinit/cloudinit.go'
2--- environs/cloudinit/cloudinit.go 2014-01-28 03:30:11 +0000
3+++ environs/cloudinit/cloudinit.go 2014-01-30 22:13:12 +0000
4@@ -401,7 +401,7 @@
5 if err != nil {
6 return err
7 }
8- c.AddFile(cfg.RsyslogConfPath, string(content), 0600)
9+ c.AddFile(cfg.RsyslogConfPath, string(content), 0644)
10 c.AddRunCmd("restart rsyslog")
11 return nil
12 }
13
14=== modified file 'environs/cloudinit/cloudinit_test.go'
15--- environs/cloudinit/cloudinit_test.go 2014-01-26 23:28:43 +0000
16+++ environs/cloudinit/cloudinit_test.go 2014-01-30 22:13:12 +0000
17@@ -111,7 +111,7 @@
18 tar zxf \$bin/tools.tar.gz -C \$bin
19 rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-precise-amd64\.sha256
20 printf %s '{"version":"1\.2\.3-precise-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-precise-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt
21-install -D -m 600 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
22+install -D -m 644 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
23 printf '%s\\n' '.*' > '/etc/rsyslog.d/25-juju.conf'
24 restart rsyslog
25 mkdir -p '/var/lib/juju/agents/machine-0'
26@@ -236,7 +236,7 @@
27 tar zxf \$bin/tools.tar.gz -C \$bin
28 rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-linux-amd64\.sha256
29 printf %s '{"version":"1\.2\.3-linux-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-linux-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt
30-install -D -m 600 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
31+install -D -m 644 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
32 printf '%s\\n' '.*' > '/etc/rsyslog\.d/25-juju\.conf'
33 restart rsyslog
34 mkdir -p '/var/lib/juju/agents/machine-99'
35
36=== modified file 'log/syslog/config.go'
37--- log/syslog/config.go 2013-11-25 03:36:49 +0000
38+++ log/syslog/config.go 2014-01-30 22:13:12 +0000
39@@ -19,6 +19,29 @@
40
41 // The rsyslog conf for state server nodes.
42 // Messages are gathered from other nodes and accumulated in an all-machines.log file.
43+//
44+// The apparmor profile is quite strict about where rsyslog can write files.
45+// Instead of poking with the profile, the local provider now logs to
46+// /var/log/juju-{{user}}-{{env name}}/all-machines.log, and a symlink is made
47+// in the local provider log dir to point to that file. The file is also
48+// created with 0644 so the user can read it without poking permissions. By
49+// default rsyslog creates files with 0644, but in the ubuntu package, the
50+// setting is changed to 0640, which means normal users can't read the log
51+// file. Using a new action directive (new as in not-legacy), we can specify
52+// the file create mode so it doesn't use the default.
53+//
54+// I would dearly love to write the filtering action as follows to avoid setting
55+// and resetting the global $FileCreateMode, but alas, precise doesn't support it
56+//
57+// if $syslogtag startswith "juju{{namespace}}-" then
58+// action(type="omfile"
59+// File="/var/log/juju{{namespace}}/all-machines.log"
60+// Template="JujuLogFormat{{namespace}}"
61+// FileCreateMode="0644")
62+// & stop
63+//
64+// Instead we need to mess with the global FileCreateMode. We set it back
65+// to the ubuntu default after defining our rule.
66 const stateServerRsyslogTemplate = `
67 $ModLoad imfile
68
69@@ -36,8 +59,10 @@
70 # so add one in for local messages too if needed.
71 $template JujuLogFormat{{namespace}},"%syslogtag:{{tagStart}}:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
72
73-:syslogtag, startswith, "juju{{namespace}}-" {{logDir}}/all-machines.log;JujuLogFormat{{namespace}}
74+$FileCreateMode 0644
75+:syslogtag, startswith, "juju{{namespace}}-" /var/log/juju{{namespace}}/all-machines.log;JujuLogFormat{{namespace}}
76 & ~
77+$FileCreateMode 0640
78 `
79
80 // The rsyslog conf for non-state server nodes.
81
82=== modified file 'log/syslog/config_test.go'
83--- log/syslog/config_test.go 2013-11-21 03:17:02 +0000
84+++ log/syslog/config_test.go 2014-01-30 22:13:12 +0000
85@@ -57,8 +57,10 @@
86 # so add one in for local messages too if needed.
87 $template JujuLogFormat,"%syslogtag:6:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
88
89+$FileCreateMode 0644
90 :syslogtag, startswith, "juju-" /var/log/juju/all-machines.log;JujuLogFormat
91 & ~
92+$FileCreateMode 0640
93 `
94
95 func (s *SyslogConfigSuite) TestAccumulateConfigRender(c *gc.C) {
96@@ -95,8 +97,10 @@
97 # so add one in for local messages too if needed.
98 $template JujuLogFormat-namespace,"%syslogtag:16:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
99
100-:syslogtag, startswith, "juju-namespace-" /var/log/juju/all-machines.log;JujuLogFormat-namespace
101+$FileCreateMode 0644
102+:syslogtag, startswith, "juju-namespace-" /var/log/juju-namespace/all-machines.log;JujuLogFormat-namespace
103 & ~
104+$FileCreateMode 0640
105 `
106
107 func (s *SyslogConfigSuite) TestAccumulateConfigRenderWithNamespace(c *gc.C) {
108
109=== modified file 'provider/local/environ.go'
110--- provider/local/environ.go 2014-01-24 14:52:58 +0000
111+++ provider/local/environ.go 2014-01-30 22:13:12 +0000
112@@ -151,6 +151,15 @@
113 mcfg.AptProxySettings = osenv.ProxySettings{}
114 mcfg.ProxySettings = osenv.ProxySettings{}
115 cloudcfg := coreCloudinit.New()
116+ // Since rsyslogd is restricted by apparmor to only write to /var/log/**
117+ // we now provide a symlink to the written file in the local log dir.
118+ // Also, we leave the old all-machines.log file in
119+ // /var/log/juju-{{namespace}} until we start the environment again. So
120+ // potentially remove it at the start of the cloud-init.
121+ logfile := fmt.Sprintf("/var/log/juju-%s/all-machines.log", env.config.namespace())
122+ cloudcfg.AddScripts(
123+ fmt.Sprintf("[ -f %s ] && rm %s", logfile, logfile),
124+ fmt.Sprintf("ln -s %s %s/", logfile, env.config.logDir()))
125 if err := cloudinit.ConfigureJuju(mcfg, cloudcfg); err != nil {
126 return err
127 }

Subscribers

People subscribed via source and target branches

to status/vote changes: