logrotate for puppet.log should contain "su" setting

Bug #1581098 reported by Dmitry Burmistrov on 2016-05-12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack: importance High, assigned to Dmitry Burmistrov
Mitaka: importance High, assigned to Dmitry Burmistrov
Newton: importance High, assigned to Dmitry Burmistrov

Bug Description

Detailed bug description:
 On fuel nodes "logrotate -f /etc/logrotate.d/puppet" fails with error: "error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
Steps to reproduce:
 ssh to node and run "logrotate -f /etc/logrotate.d/puppet"
Expected results:
 no errors
Actual result:
 error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Reproducibility:
 -
Workaround:
 -
Impact:
 /var/log/puppet.log can grow and "eat" valuable space
Description of the environment:
 Operating system: Ubuntu 16.04
 Versions of components: -
 Reference architecture: -
 Network model: -
 Related projects installed: -
Additional information:
 "su root root" should fix the problem

description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/315652

Changed in fuel:
assignee: nobody → Dmitry Burmistrov (dmburmistrov)
status: New → In Progress
Changed in fuel:
importance: Undecided → High
milestone: none → 10.0

Reviewed: https://review.openstack.org/315652
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=9b0dbf488f349d1adf3b6338f22c04d682910591
Submitter: Jenkins
Branch: master

commit 9b0dbf488f349d1adf3b6338f22c04d682910591
Author: dmburmistrov <email address hidden>
Date: Thu May 12 18:56:36 2016 +0300

    set "su" for puppet.log logrotate

    logrotate doesn't like the owner of
    /var/log/ and asks to explicitly
    set the user name and group to use
    for rotation.

    Change-Id: I3754b1464b3cb5e8d1566f1eef8628350e3d5d9c
    Closes-bug: #1581098

Changed in fuel:
status: In Progress → Fix Committed
Roman Vyalov (r0mikiam) on 2016-05-16
tags: added: area-mos

Do we need this patch in 9.0?

Ivan Berezovskiy (iberezovskiy) wrote :

It's a 16.04 Ubuntu environment, it doesn't affect 9.0

no longer affects: fuel/mitaka
tags: added: ubuntu-xenial
tags: added: mos-xenial
removed: ubuntu-xenial
summary: - logrotate for puppet.log should contain "su" setting
+ [mos-xenial] logrotate for puppet.log should contain "su" setting

As we can see here: https://github.com/openstack/fuel-library/blob/master/deployment/puppet/openstack/files/logrotate-puppet.conf
we don't rotate the "/var/log/puppet-error.log" file. This is about 9.X (ex. 10.0).

A similar issue is in the earlier Mitaka release (9.0): we don't rotate "puppet-error.log" and the "su" option is missing.
[root@nailgun ~]# cat /etc/fuel_release
9.0
[root@nailgun ~]# cat /etc/fuel_build_id
395

root@node-27:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty
root@node-27:~# ls -l /var/log/puppet*
-rw-r--r-- 1 root root 0 Jul 5 08:39 /var/log/puppet-error.log
-rw------- 1 puppet puppet 416956 Jul 5 11:36 /var/log/puppet.log

/var/log/puppet:
total 0
root@node-27:~# fgrep puppet -R /etc/logr*
/etc/logrotate.d/fuel.nodaily:# managed by puppet
/etc/logrotate.d/puppet:/var/log/puppet.log {
/etc/logrotate.d/puppet: create 0600 puppet puppet
/etc/logrotate.d/apache2:# This file managed via puppet
root@node-27:~# logrotate -f /etc/logrotate.d/puppet
error: skipping "/var/log/puppet.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
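
An added example, not part of the original bug report or the fuel-library code: a Python audit that flags logrotate stanzas which hit the condition quoted in the error above (parent directory world-writable, or writable by a group other than root) while having no "su" directive. The sample configs, the `fake_stat` helper and its gid value are constructed; the "before" stanza uses only the two lines visible in the fgrep output, and the "after" stanza adds the "su root root" suggested in the report. It assumes a drop-in file that contains only stanzas.

```python
import os
import re
import stat

STANZA = re.compile(r"([^{}]+)\{([^{}]*)\}")  # "<paths> { <directives> }"

def parent_dir_insecure(mode, gid):
    """Condition named in the logrotate error message."""
    world_writable = bool(mode & stat.S_IWOTH)
    nonroot_group_writable = bool(mode & stat.S_IWGRP) and gid != 0
    return world_writable or nonroot_group_writable

def real_stat(directory):
    st = os.stat(directory)
    return st.st_mode, st.st_gid

def logs_needing_su(conf_text, stat_dir=real_stat):
    """Log paths whose stanza has no "su" while the parent dir is insecure."""
    flagged = []
    for paths, body in STANZA.findall(re.sub(r"#.*", "", conf_text)):
        directives = [ln.split()[0] for ln in body.splitlines() if ln.strip()]
        if "su" in directives:
            continue  # rotation runs as the named user/group
        for path in paths.split():
            path = path.strip('"')
            if not path.startswith("/"):
                continue  # not a log path
            try:
                mode, gid = stat_dir(os.path.dirname(path))
            except FileNotFoundError:
                continue
            if parent_dir_insecure(mode, gid):
                flagged.append(path)
    return flagged

# Constructed samples (not the real fuel-library file).
BEFORE = '/var/log/puppet.log {\n  create 0600 puppet puppet\n}\n'
AFTER = ('/var/log/puppet.log /var/log/puppet-error.log {\n'
         '  su root root\n  create 0600 puppet puppet\n}\n')

def fake_stat(directory):
    # Constructed: a directory with mode 0775 whose group is not root (gid 104).
    return 0o40775, 104

if __name__ == "__main__":
    print("before:", logs_needing_su(BEFORE, fake_stat))
    print("after: ", logs_needing_su(AFTER, fake_stat))
```

On a real node, call `logs_needing_su(open("/etc/logrotate.d/puppet").read())` so the default `real_stat` inspects the actual parent directory.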

summary: - [mos-xenial] logrotate for puppet.log should contain "su" setting
+ logrotate for puppet.log should contain "su" setting
tags: added: 10.0-reviewed

Fix proposed to branch: master
Review: https://review.openstack.org/345383

Changed in fuel:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/345369
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c52d8566b8c1badb80cc24023ba3c5bbcc558164
Submitter: Jenkins
Branch: stable/mitaka

commit c52d8566b8c1badb80cc24023ba3c5bbcc558164
Author: dmburmistrov <email address hidden>
Date: Thu Jul 21 14:44:15 2016 +0300

    Fix logrotate for puppet logs

    * set "su" option
    * rotate "puppet-error.log"

    Closes-bug: #1581098

    Change-Id: I901ad004e3a09f333531140d6688f0f5771e5de7

Changed in fuel:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/345383
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=b2af96c9eef5bdb1abc0e0c62c0712a5cc424ec9
Submitter: Jenkins
Branch: master

commit b2af96c9eef5bdb1abc0e0c62c0712a5cc424ec9
Author: dmburmistrov <email address hidden>
Date: Wed Jul 6 12:56:01 2016 +0300

    Rotate puppet-error.log

    Closes-bug: #1581098

    Change-Id: Ie6d3cfa5385b490695080eb873b5c987e36216a8

tags: added: on-verification

Verified on
CUSTOM_VERSION=snapshot #116
MAGNET_LINK=magnet:?xt=urn:btih:bfec808dd71ff42c5613a3527733d9012bb1fabc&dn=MirantisOpenStack-9.0.iso&tr=http%3A%2F%2Ftracker01-bud.infra.mirantis.net%3A8080%2Fannounce&tr=http%3A%2F%2Ftracker01-scc.infra.mirantis.net%3A8080%2Fannounce&tr=http%3A%2F%2Ftracker01-msk.infra.mirantis.net%3A8080%2Fannounce&ws=http%3A%2F%2Fvault.infra.mirantis.net%2FMirantisOpenStack-9.0.iso
FUEL_QA_COMMIT=5279ce17271bc0ac6cefc8c0ac4b9482260531ce
UBUNTU_MIRROR_ID=ubuntu-2016-08-03-174238
CENTOS_MIRROR_ID=centos-7.2.1511-2016-05-31-083834
MOS_UBUNTU_MIRROR_ID=9.0-2016-08-09-160321
MOS_CENTOS_OS_MIRROR_ID=os-2016-06-23-135731
MOS_CENTOS_PROPOSED_MIRROR_ID=proposed-2016-08-09-170321
MOS_CENTOS_UPDATES_MIRROR_ID=updates-2016-06-23-135916
MOS_CENTOS_HOLDBACK_MIRROR_ID=holdback-2016-06-23-140047
MOS_CENTOS_HOTFIX_MIRROR_ID=hotfix-2016-07-18-162958
MOS_CENTOS_SECURITY_MIRROR_ID=security-2016-06-23-140002

tags: removed: on-verification

This issue was fixed in the openstack/fuel-library 10.0.0rc1 release candidate.

This issue was fixed in the openstack/fuel-library 10.0.0 release.
