logrotate for puppet.log should contain "su" setting

Bug #1581098 reported by Dmitry Burmistrov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Committed | High | Dmitry Burmistrov |
Mitaka | Fix Released | High | Dmitry Burmistrov |
Newton | Fix Committed | High | Dmitry Burmistrov |

Bug Description

Detailed bug description:
 On fuel nodes "logrotate -f /etc/logrotate.d/puppet" fails with error: "error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
Steps to reproduce:
 ssh to node and run "logrotate -f /etc/logrotate.d/puppet"
Expected results:
 no errors
Actual result:
 error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Reproducibility:
 -
Workaround:
 -
Impact:
 /var/log/puppet.log can grow and "eat" valuable space
Description of the environment:
 Operating system: Ubuntu 16.04
 Versions of components: -
 Reference architecture: -
 Network model: -
 Related projects installed: -
Additional information:
 "su root root" should fix the problem

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315652

Changed in fuel:
assignee: nobody → Dmitry Burmistrov (dmburmistrov)
status: New → In Progress
Changed in fuel:
importance: Undecided → High
milestone: none → 10.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/315652
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=9b0dbf488f349d1adf3b6338f22c04d682910591
Submitter: Jenkins
Branch: master

commit 9b0dbf488f349d1adf3b6338f22c04d682910591
Author: dmburmistrov <email address hidden>
Date: Thu May 12 18:56:36 2016 +0300

    set "su" for puppet.log logrotate

    logrotate doesn't like owner of
    /var/log/ and asks to explicitly
    set user name and group to use
    for rotation.

    Change-Id: I3754b1464b3cb5e8d1566f1eef8628350e3d5d9c
    Closes-bug: #1581098

Changed in fuel:
status: In Progress → Fix Committed
Roman Vyalov (r0mikiam)
tags: added: area-mos
Revision history for this message
Dmitry Burmistrov (dmburmistrov) wrote :

Do we need this patch in 9.0?

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

It's a 16.04 Ubuntu environment, it doesn't affect 9.0

no longer affects: fuel/mitaka
tags: added: ubuntu-xenial
tags: added: mos-xenial
removed: ubuntu-xenial
summary: - logrotate for puppet.log should contain "su" setting
+ [mos-xenial] logrotate for puppet.log should contain "su" setting
Revision history for this message
Dmitry Burmistrov (dmburmistrov) wrote : Re: [mos-xenial] logrotate for puppet.log should contain "su" setting

As we can see here https://github.com/openstack/fuel-library/blob/master/deployment/puppet/openstack/files/logrotate-puppet.conf
We don't rotate "/var/log/puppet-error.log" file. This is about 9.X (ex. 10.0).

A similar issue is in the earlier Mitaka release (9.0) - we don't rotate "puppet-error.log" and the "su" option is missing.
[root@nailgun ~]# cat /etc/fuel_release
9.0
[root@nailgun ~]# cat /etc/fuel_build_id
395

root@node-27:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty
root@node-27:~# ls -l /var/log/puppet*
-rw-r--r-- 1 root root 0 Jul 5 08:39 /var/log/puppet-error.log
-rw------- 1 puppet puppet 416956 Jul 5 11:36 /var/log/puppet.log

/var/log/puppet:
total 0
root@node-27:~# fgrep puppet -R /etc/logr*
/etc/logrotate.d/fuel.nodaily:# managed by puppet
/etc/logrotate.d/puppet:/var/log/puppet.log {
/etc/logrotate.d/puppet: create 0600 puppet puppet
/etc/logrotate.d/apache2:# This file managed via puppet
root@node-27:~# logrotate -f /etc/logrotate.d/puppet
error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
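
An audit for the failure reported in this bug, as an added example (not code from fuel-library or from the thread): it applies the condition quoted in the error message (parent directory world-writable, or writable by a group other than root) to every stanza that lacks a "su" directive. The parser is a simplification that assumes the opening "{" sits on the same line as the log paths; the two configs and the temporary directory are constructed stand-ins for /etc/logrotate.d/puppet and /var/log.

```python
import os
import re
import stat
import tempfile

def parent_dir_insecure(log_path):
    """True if the parent dir is world-writable, or group-writable by a non-root group."""
    st = os.stat(os.path.dirname(log_path) or ".")
    return bool(st.st_mode & stat.S_IWOTH or
                (st.st_mode & stat.S_IWGRP and st.st_gid != 0))

def stanzas_without_su(config_text):
    """Log paths from stanzas with no 'su' directive and no global 'su' before them."""
    missing, global_su, paths, has_su = [], False, None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if paths is None:                        # outside any stanza
            if line.endswith("{"):
                paths, has_su = line[:-1].split(), global_su
            elif re.match(r"su\s", line):
                global_su = True
        elif line == "}":                        # stanza closes
            if not has_su:
                missing.extend(paths)
            paths = None
        elif re.match(r"su\s", line):
            has_su = True
    return missing

def audit(config_text):
    """Paths logrotate would skip: no 'su' and an insecure parent directory."""
    return [p for p in stanzas_without_su(config_text)
            if os.path.isdir(os.path.dirname(p) or ".") and parent_dir_insecure(p)]

# Constructed configs: the stanza without "su", then with "su root root"
# and puppet-error.log added to the rotated paths.
BEFORE = "{d}/puppet.log {{\n    create 0600 puppet puppet\n}}\n"
AFTER = ("{d}/puppet.log {d}/puppet-error.log {{\n    su root root\n"
         "    create 0600 puppet puppet\n}}\n")

def demo():
    """Run the audit against a constructed world-writable log directory."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)                       # stand-in for a non-root-writable /var/log
        return audit(BEFORE.format(d=d)), audit(AFTER.format(d=d))

if __name__ == "__main__":
    print(demo())
```
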

summary: - [mos-xenial] logrotate for puppet.log should contain "su" setting
+ logrotate for puppet.log should contain "su" setting
tags: added: 10.0-reviewed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/345369

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/345383

Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/345369
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c52d8566b8c1badb80cc24023ba3c5bbcc558164
Submitter: Jenkins
Branch: stable/mitaka

commit c52d8566b8c1badb80cc24023ba3c5bbcc558164
Author: dmburmistrov <email address hidden>
Date: Thu Jul 21 14:44:15 2016 +0300

    Fix logrotate for puppet logs

    * set "su" option
    * rotate "puppet-error.log"

    Closes-bug: #1581098

    Change-Id: I901ad004e3a09f333531140d6688f0f5771e5de7

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/345383
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=b2af96c9eef5bdb1abc0e0c62c0712a5cc424ec9
Submitter: Jenkins
Branch: master

commit b2af96c9eef5bdb1abc0e0c62c0712a5cc424ec9
Author: dmburmistrov <email address hidden>
Date: Wed Jul 6 12:56:01 2016 +0300

    Rotate puppet-error.log

    Closes-bug: #1581098

    Change-Id: Ie6d3cfa5385b490695080eb873b5c987e36216a8

tags: added: on-verification
Revision history for this message
Kristina Berezovskaia (kkuznetsova) wrote :

Verified on
CUSTOM_VERSION=snapshot #116
MAGNET_LINK=magnet:?xt=urn:btih:bfec808dd71ff42c5613a3527733d9012bb1fabc&dn=MirantisOpenStack-9.0.iso&tr=http%3A%2F%2Ftracker01-bud.infra.mirantis.net%3A8080%2Fannounce&tr=http%3A%2F%2Ftracker01-scc.infra.mirantis.net%3A8080%2Fannounce&tr=http%3A%2F%2Ftracker01-msk.infra.mirantis.net%3A8080%2Fannounce&ws=http%3A%2F%2Fvault.infra.mirantis.net%2FMirantisOpenStack-9.0.iso
FUEL_QA_COMMIT=5279ce17271bc0ac6cefc8c0ac4b9482260531ce
UBUNTU_MIRROR_ID=ubuntu-2016-08-03-174238
CENTOS_MIRROR_ID=centos-7.2.1511-2016-05-31-083834
MOS_UBUNTU_MIRROR_ID=9.0-2016-08-09-160321
MOS_CENTOS_OS_MIRROR_ID=os-2016-06-23-135731
MOS_CENTOS_PROPOSED_MIRROR_ID=proposed-2016-08-09-170321
MOS_CENTOS_UPDATES_MIRROR_ID=updates-2016-06-23-135916
MOS_CENTOS_HOLDBACK_MIRROR_ID=holdback-2016-06-23-140047
MOS_CENTOS_HOTFIX_MIRROR_ID=hotfix-2016-07-18-162958
MOS_CENTOS_SECURITY_MIRROR_ID=security-2016-06-23-140002

tags: removed: on-verification
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0rc1

This issue was fixed in the openstack/fuel-library 10.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0

This issue was fixed in the openstack/fuel-library 10.0.0 release.
