Change ownership to apm-server user/group for deb/rpm installs #1833
Conversation
assuming targets are always 64-bit
|
jenkins, run package tests please |
| // update config file Owner | ||
| pf := args.Spec.Files["/etc/{{.BeatName}}/{{.BeatName}}.yml"] | ||
| pf.Owner = mage.BeatUser | ||
| args.Spec.Files["/etc/{{.BeatName}}/{{.BeatName}}.yml"] = pf |
There was a problem hiding this comment.
fields.yml is still owned by root, that is not a problem, right? but maybe would be better that the etc/apm-server is also owned by apm-server user?
There was a problem hiding this comment.
good call, will investigate whether that's an issue.
There was a problem hiding this comment.
I wasn't able to trigger any issues with this, even the pipeline registration continues to work with the current permissions. For comparison, elasticsearch leaves /etc/elasticsearch as root user owned, elasticsearch group owned with sticky bit. I don't think we need to do that but could follow up with that separately if we do find it's necessary after beta testers get their hands on this.
| args.Spec.Files["/etc/{{.BeatName}}/{{.BeatName}}.yml"] = pf | ||
|
|
||
| args.Spec.Files["/var/lib/{{.BeatName}}"] = mage.PackageFile{Mode: 0750, Source: emptyDir, Owner: mage.BeatUser} | ||
| args.Spec.Files["/var/log/{{.BeatName}}"] = mage.PackageFile{Mode: 0750, Source: emptyDir, Owner: mage.BeatUser} |
There was a problem hiding this comment.
for some reason var/lib/apm-server is owned by apm-server but var/log/apm-server is owned by root. any idea why? i don't see anything wrong with this
There was a problem hiding this comment.
/var/log/apm-server should be owned by apm-server so that log files can be created/rotated. I see them owned by apm-server in testing, how did you try it out?
There was a problem hiding this comment.
this is what I do:
~/go/src/github.com/elastic/apm-server/build/distributions$ sudo dpkg -i apm-server-oss-7.0.0-amd64.deb
~$ sudo -u apm-server apm-server setup
2019-01-24 16:58:47.967389676 +0100 CET m=+0.019150500 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.968451011 +0100 CET m=+0.020211803 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.96853076 +0100 CET m=+0.020291551 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.968585792 +0100 CET m=+0.020346582 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.968656242 +0100 CET m=+0.020417043 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.970918727 +0100 CET m=+0.022679552 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.971314113 +0100 CET m=+0.023074902 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.971355146 +0100 CET m=+0.023115939 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.971962761 +0100 CET m=+0.023723561 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.972321619 +0100 CET m=+0.024082420 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.972435703 +0100 CET m=+0.024196503 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.972570193 +0100 CET m=+0.024331018 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.975554538 +0100 CET m=+0.027315331 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.977419839 +0100 CET m=+0.029180635 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.97747411 +0100 CET m=+0.029234906 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
Loaded index template
Loading dashboards (Kibana must be running and reachable)
2019-01-24 16:58:47.977678306 +0100 CET m=+0.029439097 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.98763534 +0100 CET m=+0.039396128 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
2019-01-24 16:58:47.9877635 +0100 CET m=+0.039524324 write error: failed to open new file: open /var/log/apm-server/apm-server: permission denied
Skipping loading dashboards, No dashboards to import. Please make sure the /usr/share/apm-server/kibana/7 directory contains a dashboard directory.
~$ sudo ls -la /var/log/apm-server/
total 8
drwxr-xr-x 2 root root 4096 Jan 24 13:53 .
drwxrwxr-x 15 root syslog 4096 Jan 24 16:36 ..
I don't really get how that happens :/
There was a problem hiding this comment.
that is on fresh install, so var/log/apm-server doesn't exist before.
if you think is due to local weirdness, im fine moving on
There was a problem hiding this comment.
I will try to reproduce in a VM, maybe testing under docker is insufficient.
| # $1=configure : is set to 'configure' and if $2 is set, it is an upgrade | ||
|
|
||
| if [ -z "$2" ]; then | ||
| chown -R apm-server:apm-server /var/lib/apm-server /var/log/apm-server /etc/apm-server/apm-server.yml |
There was a problem hiding this comment.
was thinking in case users have already customized this? I don't feel that strongly about it but was trying to be cautious
graphaelli
changed the title
Conflicts: changelogs/head.asciidoc
Some thoughts for reviewers to consider:
runuserrequires thismage -v TestPackagesInstallpasses locally with this branch - it's not hooked up to ci though as it takes >5 minutes to run and might prove flaky with all of theyumandaptinstalls. Happy to discuss.closes #1401