haproxy log mount point error
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack-Ansible |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Reported by hamburgler in IRC:
# NOTE(jrosser) The next task fails on Centos without this,
# an empty directory rather than a file is made and the bind mount fails
- name: Ensure empty file is availble to bind mount log socket
file:
state: touch
path: "{{ haproxy_
access_time: preserve
modificatio
owner: haproxy
group: root
mode: "0775"
- name: Make log socket available to chrooted filesystem
mount:
src: "{{ haproxy_log_socket }}"
path: "{{ haproxy_
opts: bind
state: mounted
fstype: none
On a fresh install, once the second task mounts w/ bind we get permissions:
root@openstack-
total 8.0K
drwxr-xr-x 2 haproxy haproxy 4.0K Feb 26 13:06 .
drwxr-x--- 3 haproxy haproxy 4.0K Feb 26 13:06 ..
srw-rw-rw- 1 root root 0 Feb 26 13:20 log
where haproxy can write to file because rw on other group
when haproxy-config is ran again, it will change the permissions, because of touch, as touch doesn't check to see if the file exists, we now get:
root@openstack-
total 8.0K
drwxr-xr-x 2 haproxy haproxy 4.0K Feb 26 13:06 .
drwxr-x--- 3 haproxy haproxy 4.0K Feb 26 13:06 ..
srwxrwxr-x 1 root root 0 Feb 26 13:20 log
and haproxy can no longer log to file
Feb 26 13:24:26 openstack-
so two ways we could go about fixing:
Add a precheck:
- name: Check if haporxy log file exists
stat:
path: "{{ haproxy_
register: haproxy_log_file
# NOTE(jrosser) The next task fails on Centos without this,
# an empty directory rather than a file is made and the bind mount fails
- name: Ensure empty file is availble to bind mount log socket
file:
state: touch
path: "{{ haproxy_
access_time: preserve
modificatio
mode: "0775"
when: not haproxy_
we could also add owner:group as well
- name: Ensure empty file is availble to bind mount log socket
file:
state: touch
path: "{{ haproxy_
access_time: preserve
modificatio
owner: haproxy
group: root
mode: "0775"
But I think the stat makes more sense, because the "Make log socket available to chrooted filesystem" mounts with 0666 permissions, and we will always show a changed on the "Ensure empty file is available to bind mount log socket" task.
| Dmitriy Rabotyagov (noonedeadpunk) wrote | #1 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to openstack-ansible-haproxy_server (master) | #2 |
| Changed in openstack-ansible: | |
| status: | New → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix merged to openstack-ansible-haproxy_server (master) | #3 |
| Changed in openstack-ansible: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to openstack-ansible-haproxy_server (stable/2023.2) | #4 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to openstack-ansible-haproxy_server (stable/2023.2) | #5 |
So, adding haproxy as an owner does very nasty thing, as it changes also ownership of /dev/log directly (as it's a bind-mount), so way more services would be affected.
To have that said, current mode change also breaks more then just haproxy...