Consider allowing ownership of container log files by config #613
The directory Which one do you need to set the permission?

I can use a sticky bit for the
It's the log files themselves that require root to be read:
So it's the

We set
@lachlanmunro How do you solve the problem for Docker? Do you have a solution for Docker already? I'm fine with making this configurable, but I'd like to see whether there is any other solution. :)
Within docker we "solve" this by running our logging agents (fluentd/logstash etc) as root. This is not really a solution, and would prefer not to do this. The file permissions are fine. A solution on Linux would probably be pretty Linux specific. Perhaps: Split out

Example Linux only version:

```go
// +build linux

// Package clause and imports added so the snippet compiles as a file in
// cri-containerd's pkg/server/io package; redirectLogs and StreamType are
// the existing helpers defined elsewhere in that package.
package io

import (
	"fmt"
	"io"
	"os"
	"os/user"
	"strconv"

	"github.com/sirupsen/logrus"
)

// SetLogGroup tries to set the group ID that logs will be logged as to the provided group name. If it
// fails the group ID will not be changed.
func SetLogGroup(group string) error {
	grp, err := user.LookupGroup(group)
	if err != nil {
		return err
	}
	if grp == nil {
		return fmt.Errorf("group retrieved by name '%s' was nil, cannot retrieve group id", group)
	}
	gid, err := strconv.Atoi(grp.Gid)
	if err != nil {
		return err
	}
	if gid < 0 {
		return fmt.Errorf("group retrieved by name '%s' has a negative group ID, this is an indication of using groups on windows", group)
	}
	logGroupID = gid
	return nil
}

// initialise the group and user IDs to match the current running user
func init() {
	logGroupID = os.Getgid()
	logUserID = os.Geteuid()
}

// the group ID to log as, on posix systems this is an int
var logGroupID int

// the user ID to log as
var logUserID int

// NewCRILogger returns a write closer which redirect container log into
// log file, and decorate the log line into CRI defined format.
func NewCRILogger(path string, stream StreamType) (io.WriteCloser, error) {
	logrus.Debugf("Start writing log file %q", path)
	prc, pwc := io.Pipe()
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
	if err != nil {
		return nil, fmt.Errorf("failed to open log file: %v", err)
	}
	// Ownership failure is logged but not fatal: the file is still usable by root.
	err = f.Chown(logUserID, logGroupID)
	if err != nil {
		logrus.WithError(err).Errorf("Could not correctly change file ownership of %q", path)
	}
	go redirectLogs(path, prc, f, stream)
	return pwc, nil
}
```
It is fine to only have a Linux implementation for now. We are going to support other OS, especially Windows, later. However, we may want to make the flag a string, so that we can extend it for Windows later. Probably Both @containerd/containerd-maintainers WDYT?

How is the progress on this problem? Docker people have shown animosity to this option, as it is not the docker way (tm). I am not sufficiently familiar with Windows' permissions to comment on feasibility, but I figure that this is less of an issue than on Linux and Unix, where everything should be a file and hence access to the logs as files readable by non-root users would be the preferable option.
On Debian for example, it is common for log files to have the group adm. This allows us to run our logging agents as non-root. I have tried using something like:

But since the logs are stored within the structure /var/log/pods/<idhere>/<log> this approach only works for containers running at that time. I could cron/something else but such an approach feels pretty hacky.

I did a little source-diving and hit https://github.com/containerd/cri-containerd/blob/master/pkg/server/container_start.go#L143 where container logs are created/reopened. Would you consider allowing some way to add groups or set users to influence this? I can have a fiddle if that suits?
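As an added example (not code from this issue, nor from cri-containerd), the following Go program shows the shape the thread converges on: a string-typed log-group setting that accepts either a group name such as adm or a numeric gid, resolved and applied to the log file on the open descriptor before the first line is written, with the mode forced to 0640 regardless of the process umask. The flag name --log-group, the function names, the 0.log file name and the sample CRI log line are assumptions made for the example; it is Unix-only, and so that it runs without root the demo and its test use the caller's own primary group where a real deployment would pass the agent's group.

```go
// Added example, not cri-containerd code: group-readable container log files. Unix only.
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
	"strconv"
	"syscall"
)

// ResolveGID accepts what a hypothetical --log-group string flag would carry:
// a numeric gid ("4") or a group name ("adm") looked up in the local group database.
func ResolveGID(group string) (int, error) {
	if gid, err := strconv.Atoi(group); err == nil {
		if gid < 0 {
			return 0, fmt.Errorf("group id %d is negative", gid)
		}
		return gid, nil
	}
	grp, err := user.LookupGroup(group)
	if err != nil {
		return 0, fmt.Errorf("lookup group %q: %w", group, err)
	}
	gid, err := strconv.Atoi(grp.Gid)
	if err != nil {
		return 0, fmt.Errorf("group %q has non-numeric id %q: %w", group, grp.Gid, err)
	}
	return gid, nil
}

// OpenLogFile opens an append-only log file and fixes mode and group on the open
// descriptor before any write. Chmod is explicit because OpenFile's mode is masked
// by the umask; Chown with uid -1 changes only the group, leaving the owner as is.
func OpenLogFile(path string, gid int) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640)
	if err != nil {
		return nil, fmt.Errorf("open log file: %w", err)
	}
	if err := f.Chmod(0o640); err != nil {
		f.Close()
		return nil, fmt.Errorf("chmod log file: %w", err)
	}
	if err := f.Chown(-1, gid); err != nil {
		f.Close()
		return nil, fmt.Errorf("chown log file to gid %d: %w", gid, err)
	}
	return f, nil
}

// Ownership reports the gid and permission bits a path ended up with.
func Ownership(path string) (gid int, mode os.FileMode, err error) {
	st, err := os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	sys, ok := st.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, 0, fmt.Errorf("no unix stat for %q", path)
	}
	return int(sys.Gid), st.Mode().Perm(), nil
}

// CreateReadableLog resolves the configured group, opens dir/0.log with it, writes
// one constructed CRI-format line and reports the resulting group and mode.
func CreateReadableLog(dir, group string) (gid int, mode os.FileMode, err error) {
	g, err := ResolveGID(group)
	if err != nil {
		return 0, 0, err
	}
	path := filepath.Join(dir, "0.log")
	f, err := OpenLogFile(path, g)
	if err != nil {
		return 0, 0, err
	}
	defer f.Close()
	// Constructed sample line: timestamp, stream, tag, message.
	if _, err := f.WriteString("2018-01-01T00:00:00.000000000Z stdout F hello\n"); err != nil {
		return 0, 0, err
	}
	return Ownership(path)
}

func main() {
	dir, err := os.MkdirTemp("", "podlog")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// The demo uses the caller's primary group so it runs unprivileged; a real
	// deployment would pass the agent's group, e.g. "adm".
	gid, mode, err := CreateReadableLog(dir, strconv.Itoa(os.Getgid()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("log file group=%d mode=%04o\n", gid, mode)
}
```

Two practitioner caveats: changing a file's group to one the daemon's user is not a member of needs CAP_CHOWN, which containerd running as root has; and this only covers files created after the setting is in place, so log files already present under /var/log/pods still need a one-off chgrp, as the issue body notes.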