Wrong socket permission since 1.6.27

[weirdan]

Ever since Jan 14 google-fluentd fails to set proper permission on unix socket created by @type unix source:

$ ls -l /var/run/google-fluentd/google-fluentd.sock
srwxr-xr-x 1 root root 0 Jan 14 04:28 /var/run/google-fluentd/google-fluentd.sock

$ cat /etc/google-fluentd/config.d/socket.conf
<source>
  @type unix
  path /var/run/google-fluentd/google-fluentd.sock
</source>

This looks similar to fluent/fluentd#1019

[GLStephen]

We are also seeing this issue. This is a pretty fundamental issue. It looks like chumask: 0 here https://github.com/fluent/fluentd/blob/9c577a78e69fb3bc1fc1faf0ef425091b9180987/lib/fluent/supervisor.rb#L314 may only be set when the supervisor runs and it Google FluentD runs without supervisor.

[GLStephen]

@jkohen & @igorpeshansky & @davidbtucker I can confirm that manually rolling back this change resolves the issue with permissions on the socket file.

#225

[qingling128]

Took a quick look.

It seems like that for standalone worker mode, Fluentd is setting chuser and chgroup, but not chumask.

https://github.com/fluent/fluentd/blob/c9dde7104ea8dfc2442fd73615bddac2d8c5f6c1/lib/fluent/supervisor.rb#L596

Filed a bug with the upstream Fluentd repo: fluent/fluentd#2984.

For the workaround, we can run the agent in supervisor mode.

[qingling128]

Looks like the upstream issue has been fixed by fluent/fluentd#2987.

Next step: Wait for a Fluentd release and upgrade to that version.

[nicolaiskogheim]

The fix was released in v1.10.4 btw.

[jkschulz]

This is fixed by the upgrade to fluentd v1.11.2 in #283, which will be released in google-fluentd 1.8.0:

$ ls -l /var/run/google-fluentd/google-fluentd.sock
srwxrwxrwx 1 root root 0 Aug 12 16:36 /var/run/google-fluentd/google-fluentd.sock

[jkschulz]

This fix was released in 1.8.0 on Aug 17.