logrotate must be able to access container_file_t

Bug #1836000 reported by Cédric Jeanneret
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Cédric Jeanneret
Milestone: train-2

Bug Description

Hello,

Since we write logs directly from within containers, logrotate (on the host) might get AVC denials like this one:

type=AVC msg=audit(1562679002.041:11010): avc: denied { read } for pid=147158 comm="logrotate" name="openvswitch" dev="sda2" ino=4743218 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0

The easiest way is to use the logrotate_read_inside_containers boolean, directly when we create the logrotate job.

Note: currently, the "real" logrotate is running from within a container, meaning the content of /var/log/containers is properly managed. Apparently we have some other logs in /var/log that are written by containerized services, making the host logrotate cough.
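
As an added example (not code from the bug report or from tripleo-heat-templates), the following POSIX shell script parses audit AVC records like the one above, singles out the denials where the host logrotate domain (logrotate_t) is refused access to container-labelled files (container_file_t), and prints the persistent fix using the logrotate_read_inside_containers boolean. The first sample record is the one from the report; the other two are constructed for this example, and the function names are mine.

```shell
#!/bin/sh
# Added example (not TripleO code): triage SELinux AVC denials that the host
# logrotate hits on container-written logs, and emit the boolean-based fix.
#
# The first sample record is the AVC from the bug report; the other two are
# constructed for this example: a second logrotate denial on a file, and an
# unrelated httpd denial for which the boolean must NOT be suggested.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1562679002.041:11010): avc: denied { read } for pid=147158 comm="logrotate" name="openvswitch" dev="sda2" ino=4743218 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562679002.052:11011): avc: denied { getattr } for pid=147158 comm="logrotate" path="/var/log/openvswitch/ovs-vswitchd.log" dev="sda2" ino=4743221 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562679100.000:11030): avc: denied { write } for pid=2222 comm="httpd" name="index.html" dev="sda2" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=value in an audit record, with the
# surrounding double quotes removed; empty if the key is absent.
avc_field() {
    printf '%s\n' "$1" \
        | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" \
        | sed 's/^"\(.*\)"$/\1/'
}

# avc_perm RECORD: the denied permission(s) inside the braces, e.g. "read".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third component) of an SELinux security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_logrotate_container_denial RECORD: succeeds when the record is a denial
# whose subject is the host logrotate domain and whose object carries the
# container label, i.e. exactly the case the boolean is meant to allow.
is_logrotate_container_denial() {
    case "$1" in
        *"avc:"*"denied"*) ;;
        *) return 1 ;;
    esac
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = logrotate_t ] || return 1
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = container_file_t ] || return 1
    return 0
}

# describe_denial RECORD: one human-readable line, preferring path= over name=.
describe_denial() {
    target=$(avc_field "$1" path)
    [ -n "$target" ] || target=$(avc_field "$1" name)
    printf '%s denied %s on %s %s\n' "$(avc_field "$1" comm)" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$target"
}

# count_logrotate_container_denials: read audit records on stdin, print count.
count_logrotate_container_denials() {
    n=0
    while IFS= read -r line; do
        if is_logrotate_container_denial "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# remediation: flip the policy boolean persistently (-P survives reboots),
# instead of making logrotate_t permissive or hand-writing an allow rule.
remediation() {
    printf '%s\n' 'setsebool -P logrotate_read_inside_containers on'
}

# Run over the sample: list each matching denial, then the fix if any matched.
hits=$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_logrotate_container_denials)
printf '%s\n' "$SAMPLE_AUDIT_LOG" | while IFS= read -r line; do
    if is_logrotate_container_denial "$line"; then
        describe_denial "$line"
    fi
done
if [ "$hits" -gt 0 ]; then
    echo "$hits logrotate_t -> container_file_t denial(s); check with: getsebool logrotate_read_inside_containers"
    echo "fix: $(remediation)"
fi
```

On a real host the records come from `ausearch -m AVC -c logrotate --raw`, which keeps the same `key=value` layout the functions expect. Note the trade-off the boolean makes: it grants logrotate_t read access to everything labelled container_file_t, not only the log directories, which is broader than a per-path file context but far narrower than putting logrotate_t into permissive mode.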

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/669987

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/669987
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b81bec56f27f08cc4a6f81416aad422a15bd3ce7
Submitter: Zuul
Branch: master

commit b81bec56f27f08cc4a6f81416aad422a15bd3ce7
Author: Cédric Jeanneret <email address hidden>
Date: Wed Jul 10 08:09:10 2019 +0200

    Allow logrotate to access container_file_t files

    Since we write logs directly from within containers, logrotate must be
    able to access them.

    Change-Id: I2a06cdcda92b2839d74373d6978ef65e7b4dedbd
    Related-Bug: #1836000

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/670249

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/670249
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=c8ad086ba15d7a3b757662d03e74a05b49f43a39
Submitter: Zuul
Branch: stable/stein

commit c8ad086ba15d7a3b757662d03e74a05b49f43a39
Author: Cédric Jeanneret <email address hidden>
Date: Wed Jul 10 08:09:10 2019 +0200

    Allow logrotate to access container_file_t files

    Since we write logs directly from within containers, logrotate must be
    able to access them.

    Change-Id: I2a06cdcda92b2839d74373d6978ef65e7b4dedbd
    Related-Bug: #1836000
    (cherry picked from commit b81bec56f27f08cc4a6f81416aad422a15bd3ce7)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/670451

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/670451
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0d991c9e1c180a7bd55267a02d8821fda1efb459
Submitter: Zuul
Branch: stable/rocky

commit 0d991c9e1c180a7bd55267a02d8821fda1efb459
Author: Cédric Jeanneret <email address hidden>
Date: Wed Jul 10 08:09:10 2019 +0200

    Allow logrotate to access container_file_t files

    Since we write logs directly from within containers, logrotate must be
    able to access them.

    Change-Id: I2a06cdcda92b2839d74373d6978ef65e7b4dedbd
    Closes-Bug: #1836000
    (cherry picked from commit b81bec56f27f08cc4a6f81416aad422a15bd3ce7)
    (cherry picked from commit c8ad086ba15d7a3b757662d03e74a05b49f43a39)

tags: added: in-stable-rocky
Changed in tripleo:
milestone: train-3 → train-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/671313

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/671313
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0f51fab0c2ba1357be6c502809fec4636ed61ad5
Submitter: Zuul
Branch: stable/queens

commit 0f51fab0c2ba1357be6c502809fec4636ed61ad5
Author: Cédric Jeanneret <email address hidden>
Date: Wed Jul 10 08:09:10 2019 +0200

    Allow logrotate to access container_file_t files

    Since we write logs directly from within containers, logrotate must be
    able to access them.

    Change-Id: I2a06cdcda92b2839d74373d6978ef65e7b4dedbd
    Closes-Bug: #1836000
    (cherry picked from commit b81bec56f27f08cc4a6f81416aad422a15bd3ce7)
    (cherry picked from commit c8ad086ba15d7a3b757662d03e74a05b49f43a39)
    (cherry picked from commit 0d991c9e1c180a7bd55267a02d8821fda1efb459)

tags: added: in-stable-queens
Changed in tripleo:
status: Triaged → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.4.1

This issue was fixed in the openstack/tripleo-heat-templates 9.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.1

This issue was fixed in the openstack/tripleo-heat-templates 8.4.1 release.
