Bug #14613
closed
daemon logfiles potentially created with root:root ownership
Description
With a recent ceph/master build (up to and including commit 60d0df5), radosgw creates its logfile with root:root ownership.
Included in the report is a snippet of an strace log showing the open() call occurring before the permissions drop made in
global_init(). Then another open() is performed after setgid()/setuid() which fails with EACCES. From here, logging does not
work until the logfile is manually chown'd to ceph:ceph.
Updated by Anonymous about 8 years ago
After a bit of instrumentation of global_init()/global_pre_init(), it appears the first attempt at opening/creating the logfile is done as a result of:
    global_pre_init():
      ...
      conf->apply_changes(NULL);
      ...
I'm not familiar with this code path, so I need to investigate this further... but I suspect Log.cc:void Log::reopen_log_file() is being invoked.
Updated by Anonymous about 8 years ago
Digging a bit deeper into this, it appears to only happen when "log_file" is explicitly set in ceph.conf.
During global_pre_init() (i.e. before setuid()/setgid() is called), md_config_t::apply_changes() is
invoked, running all configuration observers. Specifically, LogObs::handle_conf_change() is invoked
as "log_file" has been set in ceph.conf.
    class LogObs : public md_config_obs_t {
      ...
      void handle_conf_change() ...
        if (changed.count("log_file")) {
          log->set_log_file(conf->log_file);
          log->reopen_log_file();
        }
      ...

Finally:

    void Log::reopen_log_file() {
      ...
      if (m_log_file.length()) {
        m_fd = ::open(m_log_file.c_str(), O_CREAT|O_WRONLY|O_APPEND, 0644);
        ...
      }
Since the above is invoked before radosgw has been dropped to the appropriate
user and group, our logfile is created with "root:root" ownership.
The immediate workaround is to not explicitly set "log_file" in the ceph.conf
and allow the defaults to be created. This should affect any daemon that tries
to explicitly set its logfile location.
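
Added example, not part of the original report and not Ceph's own code: one way to avoid the failure described above is to check the owner on the open log descriptor and hand the file to the runtime user before setuid()/setgid() is called. The names `owner_matches` and `open_log_as` and the `/tmp` sample path are hypothetical and constructed for illustration.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>

enum class LogOwner { Ok, Chowned, Mismatch, Error };

// True when the open file already belongs to the uid/gid the daemon will run as.
bool owner_matches(int fd, uid_t run_uid, gid_t run_gid) {
  struct stat st;
  return ::fstat(fd, &st) == 0 && st.st_uid == run_uid && st.st_gid == run_gid;
}

// Open the log with the same flags and mode as the Log::reopen_log_file() excerpt,
// then hand the file to the runtime user while the process is still privileged.
// fchown() acts on the descriptor, so the path cannot be swapped in between.
LogOwner open_log_as(const char *path, uid_t run_uid, gid_t run_gid, int *fd_out) {
  int fd = ::open(path, O_CREAT | O_WRONLY | O_APPEND, 0644);
  if (fd < 0) return LogOwner::Error;
  LogOwner result = LogOwner::Ok;
  if (!owner_matches(fd, run_uid, run_gid)) {
    if (::fchown(fd, run_uid, run_gid) != 0) {
      // Not privileged enough to fix it: a reopen as run_uid may fail with EACCES.
      ::close(fd);
      return LogOwner::Mismatch;
    }
    result = LogOwner::Chowned;
  }
  *fd_out = fd;
  return result;
}

int main() {
  char path[] = "/tmp/logown-XXXXXX";  // constructed sample path
  int tmp = ::mkstemp(path);
  if (tmp < 0) return 1;
  ::close(tmp);
  int fd = -1;
  // Assumption: the runtime user is the current user, so no privileges are needed.
  LogOwner r = open_log_as(path, ::geteuid(), ::getegid(), &fd);
  std::printf("%s: %s\n", path, r == LogOwner::Ok ? "owner ok" : "owner changed or mismatch");
  if (fd >= 0) ::close(fd);
  ::unlink(path);
  return r == LogOwner::Error;
}
```

A `Mismatch` result is the state the report describes: the file exists with an owner other than the runtime user and the process cannot change it.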
Updated by Anonymous about 8 years ago
- Project changed from rgw to Ceph
- Subject changed from RGW logfile created with root:root ownership to daemon logfiles potentially created with root:root ownership
Updated by Anonymous about 8 years ago
- Status changed from New to Resolved
- Release set to firefly
- ceph-qa-suite ceph-deploy added
Updated by Anonymous about 8 years ago
- Release deleted (firefly)
- Release set to jewel
- ceph-qa-suite rgw added
- ceph-qa-suite deleted (ceph-deploy)