Merge lp:~thumper/juju-core/all-machines-trusty into lp:~go-bot/juju-core/trunk

Proposed by Tim Penhey
Status: Merged
Approved by: Tim Penhey
Approved revision: no longer in the source branch.
Merged at revision: 2283
Proposed branch: lp:~thumper/juju-core/all-machines-trusty
Merge into: lp:~go-bot/juju-core/trunk
Diff against target: 127 lines (+43/-5)
5 files modified
environs/cloudinit/cloudinit.go (+1/-1)
environs/cloudinit/cloudinit_test.go (+2/-2)
log/syslog/config.go (+26/-1)
log/syslog/config_test.go (+5/-1)
provider/local/environ.go (+9/-0)
To merge this branch: bzr merge lp:~thumper/juju-core/all-machines-trusty
Reviewer: Juju Engineering (status: Pending)
Review via email: mp+204106@code.launchpad.net

Commit message

Fix the local provider all-machines.log

There were a number of problems with this as it was, which failed more in trusty as I think the apparmor profile for rsyslogd may have changed or got bugs fixed.

The rsyslog config file was being written by root with 0600 perms. The rsyslog process does a setuid to become the syslog user. The syslog user couldn't read the config file. Now this is written with 0644 so it can be read.

The apparmor profile is quite strict about where rsyslog can write files. Instead of poking with the profile, the local provider now logs to /var/log/juju-{{user}}-{{env name}}/all-machines.log, and a symlink is made in the local provider log dir to point to that file. The file is also created with 0644 so the user can read it without poking permissions. By default rsyslog creates files with 0644, but in the ubuntu package, the setting is changed to 0640, which means normal users can't read the log file. Using a new action directive (new as in not-legacy), we can specify the file create mode so it doesn't use the default.

Also, when a local environment is destroyed, the normal dir is removed, but the all-machines.log is left around (which I find handy) until the environment is bootstrapped again, then it is removed.
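
The two permission problems the commit message describes (a root-owned 0600 config that the syslog user cannot read, and a 0640 log that normal users cannot read) both follow from the Unix mode-bit check, sketched here as an added example that is not part of the commit message or of juju-core. The uid/gid numbers are constructed, and the syslog:adm ownership of the log file is an assumption.

```go
package main

import (
	"fmt"
	"os"
)

// file is the ownership and mode of a file on disk.
type file struct {
	mode     os.FileMode
	uid, gid int
}

// proc is the identity a process reads with.
type proc struct {
	uid  int
	gids []int
}

// Constructed identities for illustration; real uid/gid values vary by host.
var (
	rootProc   = proc{uid: 0, gids: []int{0}}
	syslogProc = proc{uid: 104, gids: []int{108, 4}} // "syslog" user, in "adm"
	userProc   = proc{uid: 1000, gids: []int{1000}}  // ordinary user, not in "adm"
)

// canRead applies the classic Unix mode-bit check. The three classes are
// exclusive: an owner is judged only by the owner bits, a group member only
// by the group bits. It ignores ACLs and AppArmor, which can still deny.
func canRead(f file, p proc) bool {
	if p.uid == 0 {
		return true // root bypasses mode bits
	}
	perm := f.mode.Perm()
	if p.uid == f.uid {
		return perm&0400 != 0
	}
	for _, g := range p.gids {
		if g == f.gid {
			return perm&0040 != 0
		}
	}
	return perm&0004 != 0
}

func main() {
	conf := file{uid: 0, gid: 0}   // rsyslog config written by root
	logf := file{uid: 104, gid: 4} // log created as syslog:adm (assumed)
	for _, m := range []os.FileMode{0600, 0640, 0644} {
		conf.mode, logf.mode = m, m
		fmt.Printf("%04o conf readable by syslog=%v, log readable by user=%v\n",
			m, canRead(conf, syslogProc), canRead(logf, userProc))
	}
}
```

A root-owned config would stay unreadable to the syslog user even at 0640, because that user is not in root's group.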

Nate Finch (natefinch) wrote :

LGTM

Preview Diff

=== modified file 'environs/cloudinit/cloudinit.go'
--- environs/cloudinit/cloudinit.go 2014-01-28 03:30:11 +0000
+++ environs/cloudinit/cloudinit.go 2014-01-30 22:13:12 +0000
@@ -401,7 +401,7 @@
401 if err != nil {401 if err != nil {
402 return err402 return err
403 }403 }
404 c.AddFile(cfg.RsyslogConfPath, string(content), 0600)404 c.AddFile(cfg.RsyslogConfPath, string(content), 0644)
405 c.AddRunCmd("restart rsyslog")405 c.AddRunCmd("restart rsyslog")
406 return nil406 return nil
407}407}
408408
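Review bot: the mode literal in `c.AddFile(cfg.RsyslogConfPath, string(content), 0644)` at line 404 makes the rsyslog config world-readable with no comment saying why. A one-line comment that rsyslogd reads this file after switching to the syslog user would stop someone tightening it back to 0600 later. It is also worth confirming that `content` never carries anything sensitive, since every local user can now read it.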
=== modified file 'environs/cloudinit/cloudinit_test.go'
--- environs/cloudinit/cloudinit_test.go 2014-01-26 23:28:43 +0000
+++ environs/cloudinit/cloudinit_test.go 2014-01-30 22:13:12 +0000
@@ -111,7 +111,7 @@
111tar zxf \$bin/tools.tar.gz -C \$bin111tar zxf \$bin/tools.tar.gz -C \$bin
112rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-precise-amd64\.sha256112rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-precise-amd64\.sha256
113printf %s '{"version":"1\.2\.3-precise-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-precise-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt113printf %s '{"version":"1\.2\.3-precise-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-precise-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt
114install -D -m 600 /dev/null '/etc/rsyslog\.d/25-juju\.conf'114install -D -m 644 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
115printf '%s\\n' '.*' > '/etc/rsyslog.d/25-juju.conf'115printf '%s\\n' '.*' > '/etc/rsyslog.d/25-juju.conf'
116restart rsyslog116restart rsyslog
117mkdir -p '/var/lib/juju/agents/machine-0'117mkdir -p '/var/lib/juju/agents/machine-0'
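Review bot: the expectation at line 115 still writes the path as '/etc/rsyslog.d/25-juju.conf' with unescaped dots, while the `install` line above it and the matching `printf` line in the second hunk escape them as 'rsyslog\.d'. If these expectations are matched as regular expressions, the unescaped dots match any character. Escaping them here, while the neighbouring line is being touched, would make the two blocks consistent.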
@@ -236,7 +236,7 @@
236tar zxf \$bin/tools.tar.gz -C \$bin236tar zxf \$bin/tools.tar.gz -C \$bin
237rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-linux-amd64\.sha256237rm \$bin/tools\.tar\.gz && rm \$bin/juju1\.2\.3-linux-amd64\.sha256
238printf %s '{"version":"1\.2\.3-linux-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-linux-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt238printf %s '{"version":"1\.2\.3-linux-amd64","url":"http://foo\.com/tools/releases/juju1\.2\.3-linux-amd64\.tgz","sha256":"1234","size":10}' > \$bin/downloaded-tools\.txt
239install -D -m 600 /dev/null '/etc/rsyslog\.d/25-juju\.conf'239install -D -m 644 /dev/null '/etc/rsyslog\.d/25-juju\.conf'
240printf '%s\\n' '.*' > '/etc/rsyslog\.d/25-juju\.conf'240printf '%s\\n' '.*' > '/etc/rsyslog\.d/25-juju\.conf'
241restart rsyslog241restart rsyslog
242mkdir -p '/var/lib/juju/agents/machine-99'242mkdir -p '/var/lib/juju/agents/machine-99'
243243
=== modified file 'log/syslog/config.go'
--- log/syslog/config.go 2013-11-25 03:36:49 +0000
+++ log/syslog/config.go 2014-01-30 22:13:12 +0000
@@ -19,6 +19,29 @@
1919
20// The rsyslog conf for state server nodes.20// The rsyslog conf for state server nodes.
21// Messages are gathered from other nodes and accumulated in an all-machines.log file.21// Messages are gathered from other nodes and accumulated in an all-machines.log file.
22//
23// The apparmor profile is quite strict about where rsyslog can write files.
24// Instead of poking with the profile, the local provider now logs to
25// /var/log/juju-{{user}}-{{env name}}/all-machines.log, and a symlink is made
26// in the local provider log dir to point to that file. The file is also
27// created with 0644 so the user can read it without poking permissions. By
28// default rsyslog creates files with 0644, but in the ubuntu package, the
29// setting is changed to 0640, which means normal users can't read the log
30// file. Using a new action directive (new as in not-legacy), we can specify
31// the file create mode so it doesn't use the default.
32//
33// I would dearly love to write the filtering action as follows to avoid setting
34// and resetting the global $FileCreateMode, but alas, precise doesn't support it
35//
36// if $syslogtag startswith "juju{{namespace}}-" then
37// action(type="omfile"
38// File="/var/log/juju{{namespace}}/all-machines.log"
39// Template="JujuLogFormat{{namespace}}"
40// FileCreateMode="0644")
41// & stop
42//
43// Instead we need to mess with the global FileCreateMode. We set it back
44// to the ubuntu default after defining our rule.
22const stateServerRsyslogTemplate = `45const stateServerRsyslogTemplate = `
23$ModLoad imfile46$ModLoad imfile
2447
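Review bot: the new comment block contradicts itself. Lines 30-31 say "Using a new action directive ... we can specify the file create mode", and lines 33-34 then say that form cannot be used because precise doesn't support it. The text is also worded as a changelog ("the local provider now logs to"), which will age, and it names the path as /var/log/juju-{{user}}-{{env name}} while the template uses juju{{namespace}}. Suggest rewording it to describe what the template does today: it sets the global $FileCreateMode to 0644 before the rule and resets it afterwards, with the action() form kept as the note on what to switch to once precise support is dropped.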
@@ -36,8 +59,10 @@
36# so add one in for local messages too if needed.59# so add one in for local messages too if needed.
37$template JujuLogFormat{{namespace}},"%syslogtag:{{tagStart}}:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"60$template JujuLogFormat{{namespace}},"%syslogtag:{{tagStart}}:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
3861
39:syslogtag, startswith, "juju{{namespace}}-" {{logDir}}/all-machines.log;JujuLogFormat{{namespace}}62$FileCreateMode 0644
63:syslogtag, startswith, "juju{{namespace}}-" /var/log/juju{{namespace}}/all-machines.log;JujuLogFormat{{namespace}}
40& ~64& ~
65$FileCreateMode 0640
41`66`
4267
43// The rsyslog conf for non-state server nodes.68// The rsyslog conf for non-state server nodes.
4469
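Review bot: the trailing `$FileCreateMode 0640` at line 65 restores a hard-coded value, not whatever mode was in effect before this file was loaded. On a host where the administrator has set a stricter mode, every file action defined after this config gets 0640. Please document that assumption next to the directive, or find a way to avoid touching the global. Separately, this is the state server template and not a local-provider one, so replacing `{{logDir}}` with /var/log/juju{{namespace}} and creating all-machines.log as 0644 applies to every provider. The description only argues for it on the local provider, so this deserves an explicit decision.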
=== modified file 'log/syslog/config_test.go'
--- log/syslog/config_test.go 2013-11-21 03:17:02 +0000
+++ log/syslog/config_test.go 2014-01-30 22:13:12 +0000
@@ -57,8 +57,10 @@
57# so add one in for local messages too if needed.57# so add one in for local messages too if needed.
58$template JujuLogFormat,"%syslogtag:6:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"58$template JujuLogFormat,"%syslogtag:6:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
5959
60$FileCreateMode 0644
60:syslogtag, startswith, "juju-" /var/log/juju/all-machines.log;JujuLogFormat61:syslogtag, startswith, "juju-" /var/log/juju/all-machines.log;JujuLogFormat
61& ~62& ~
63$FileCreateMode 0640
62`64`
6365
64func (s *SyslogConfigSuite) TestAccumulateConfigRender(c *gc.C) {66func (s *SyslogConfigSuite) TestAccumulateConfigRender(c *gc.C) {
@@ -95,8 +97,10 @@
95# so add one in for local messages too if needed.97# so add one in for local messages too if needed.
96$template JujuLogFormat-namespace,"%syslogtag:16:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"98$template JujuLogFormat-namespace,"%syslogtag:16:$%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
9799
98:syslogtag, startswith, "juju-namespace-" /var/log/juju/all-machines.log;JujuLogFormat-namespace100$FileCreateMode 0644
101:syslogtag, startswith, "juju-namespace-" /var/log/juju-namespace/all-machines.log;JujuLogFormat-namespace
99& ~102& ~
103$FileCreateMode 0640
100`104`
101105
102func (s *SyslogConfigSuite) TestAccumulateConfigRenderWithNamespace(c *gc.C) {106func (s *SyslogConfigSuite) TestAccumulateConfigRenderWithNamespace(c *gc.C) {
103107
=== modified file 'provider/local/environ.go'
--- provider/local/environ.go 2014-01-24 14:52:58 +0000
+++ provider/local/environ.go 2014-01-30 22:13:12 +0000
@@ -151,6 +151,15 @@
151 mcfg.AptProxySettings = osenv.ProxySettings{}151 mcfg.AptProxySettings = osenv.ProxySettings{}
152 mcfg.ProxySettings = osenv.ProxySettings{}152 mcfg.ProxySettings = osenv.ProxySettings{}
153 cloudcfg := coreCloudinit.New()153 cloudcfg := coreCloudinit.New()
154 // Since rsyslogd is restricted by apparmor to only write to /var/log/**
155 // we now provide a symlink to the written file in the local log dir.
156 // Also, we leave the old all-machines.log file in
157 // /var/log/juju-{{namespace}} until we start the environment again. So
158 // potentially remove it at the start of the cloud-init.
159 logfile := fmt.Sprintf("/var/log/juju-%s/all-machines.log", env.config.namespace())
160 cloudcfg.AddScripts(
161 fmt.Sprintf("[ -f %s ] && rm %s", logfile, logfile),
162 fmt.Sprintf("ln -s %s %s/", logfile, env.config.logDir()))
154 if err := cloudinit.ConfigureJuju(mcfg, cloudcfg); err != nil {163 if err := cloudinit.ConfigureJuju(mcfg, cloudcfg); err != nil {
155 return err164 return err
156 }165 }
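Review bot: the two script lines at 161-162 interpolate `logfile` and `env.config.logDir()` into shell text unquoted, so a namespace or log dir containing whitespace or shell metacharacters changes what cloud-init runs. Shell-quote both values before formatting them in. Also, `[ -f %s ] && rm %s` exits non-zero when the file is absent and `ln -s` fails when the link already exists. `rm -f` and `ln -sf` would make both steps safe to repeat.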
