Bug 1286568 - HA Agent and Broker logs have incorrect permissions/ownership
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-hosted-engine-ha
Classification: oVirt
Component: General
Version: 1.3.3
Hardware: noarch
OS: Linux
Priority: low
Severity: low
Target Milestone: ovirt-4.2.0
Target Release: 2.2.0
Assignee: Denis Chaplygin
QA Contact: Artyom
URL:
Whiteboard: PM-20
 
Reported: 2015-11-30 09:23 UTC by Giuseppe Ragusa
Modified: 2017-12-20 11:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: files were created by the wrong user due to starting as root.
Consequence:
Fix: he tooling doesn't need root privileges at all and can be started with the correct uid by systemd.
Result:
Clone Of:
Environment:
Last Closed: 2017-12-20 11:33:36 UTC
oVirt Team: SLA
rule-engine: ovirt-4.2+
mgoldboi: exception+
mgoldboi: planning_ack+
rule-engine: devel_ack+
mavital: testing_ack+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1376559 | 0 | low | CLOSED | ovirt hosted agent and broker logs duplicating | 2021-02-22 00:41:40 UTC
oVirt gerrit | 70133 | 0 | master | MERGED | he: he agent/broker do not really need root privileges | 2017-02-28 11:57:14 UTC
oVirt gerrit | 73777 | 0 | master | MERGED | setup: create /var/run/ovirt-hosted-engine-ha as vdsm:kvm | 2017-03-08 16:21:28 UTC
oVirt gerrit | 73778 | 0 | master | MERGED | systemd: use systemd RuntimeDirectory instead of tmpfiles.d | 2017-03-08 16:41:01 UTC

Internal Links: 1376559

Description Giuseppe Ragusa 2015-11-30 09:23:29 UTC
Description of problem:
On oVirt (using 3.6 snapshot from 18-19/11/2015) in self-hosted mode, hyperconverged with GlusterFS (3.7.6), all on CentOS 7.1 fully updated, the HA Agent/Broker logs have incorrect permissions/ownership (when automatically rotated too).

Version-Release number of selected component (if applicable):

1.3.3-0.0.master.20151118145556.20151118145552.git71b535e

How reproducible:

Install oVirt in self-hosted mode; after the setup ends, wait for the logs to be generated/rotated.

Steps to Reproduce:
1. Start self-hosted-engine setup
2. Complete Engine vm creation and finish setup
3. Wait some days then list the /var/log/ovirt-hosted-engine-ha/ log directory

Actual results:

-rw-rw-rw-. 1 vdsm kvm   9023997 Nov 30 10:12 agent.log
-rw-r--r--. 1 root root 12121823 Nov 23 15:12 agent.log.2015-11-22
-rw-rw-rw-. 1 vdsm kvm  11997695 Nov 24 15:12 agent.log.2015-11-23
-rw-rw-rw-. 1 vdsm kvm  11892393 Nov 25 15:12 agent.log.2015-11-24
-rw-rw-rw-. 1 vdsm kvm  11788293 Nov 26 15:12 agent.log.2015-11-25
-rw-rw-rw-. 1 vdsm kvm  11685723 Nov 27 15:12 agent.log.2015-11-26
-rw-rw-rw-. 1 vdsm kvm  11587393 Nov 28 15:12 agent.log.2015-11-27
-rw-rw-rw-. 1 vdsm kvm  11481856 Nov 29 15:12 agent.log.2015-11-28
-rw-rw-rw-. 1 vdsm kvm   7531289 Nov 30 10:12 broker.log
-rw-r--r--. 1 root root  6334293 Nov 23 15:12 broker.log.2015-11-22
-rw-rw-rw-. 1 vdsm kvm   6340646 Nov 24 15:12 broker.log.2015-11-23
-rw-rw-rw-. 1 vdsm kvm   6362304 Nov 25 15:12 broker.log.2015-11-24
-rw-rw-rw-. 1 vdsm kvm   8342595 Nov 26 15:12 broker.log.2015-11-25
-rw-rw-rw-. 1 vdsm kvm   9462627 Nov 27 15:12 broker.log.2015-11-26
-rw-rw-rw-. 1 vdsm kvm   9513886 Nov 28 15:12 broker.log.2015-11-27
-rw-rw-rw-. 1 vdsm kvm   9518002 Nov 29 15:12 broker.log.2015-11-28


Expected results:

All logs with permissions 644 (-rw-r--r--) and all owned by vdsm:kvm

Additional info:

Confirmed on users mailing list:
http://lists.ovirt.org/pipermail/users/2015-November/036234.html

As noted by Simone Tiraboschi in the message above, the severity is low since the parent directory has sufficient permissions to block any unwanted disclosure/modification.
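
An added example (not part of the bug report or the project's code): a Python audit of the log directory against the expected state given above, 0644 and vdsm:kvm, that also checks the directory-permission mitigation the report relies on. The function names are illustrative; the path and the vdsm/kvm names are taken from the report.

```python
import grp
import os
import pwd
import stat
import sys

LOG_DIR = "/var/log/ovirt-hosted-engine-ha"  # directory named in the report


def audit_log_dir(path, uid, gid, file_mode=0o644):
    """Return {name: [problems]} for regular files that deviate from the
    expected numeric owner/group or from file_mode."""
    findings = {}
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # only plain log files are checked
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if st.st_uid != uid or st.st_gid != gid:
                problems.append(
                    f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
            if mode & stat.S_IWOTH:
                problems.append(f"world-writable ({mode:04o})")
            elif mode != file_mode:
                problems.append(f"mode {mode:04o}, expected {file_mode:04o}")
            if problems:
                findings[entry.name] = problems
    return findings


def dir_blocks_others(path):
    """True when group and other have no access to the directory itself,
    the mitigating condition cited in the report."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


if __name__ == "__main__":
    # Assumes the vdsm user and kvm group exist on the host being audited.
    uid = pwd.getpwnam("vdsm").pw_uid
    gid = grp.getgrnam("kvm").gr_gid
    result = audit_log_dir(LOG_DIR, uid, gid)
    for name, problems in result.items():
        print(f"{name}: {'; '.join(problems)}")
    if not dir_blocks_others(LOG_DIR):
        print(f"{LOG_DIR}: directory is accessible to group/other")
    sys.exit(1 if result else 0)
```

The script exits non-zero when any file deviates, so it can run from a monitoring check after log rotation.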

Comment 1 Roy Golan 2015-12-16 10:04:18 UTC
The containing directory of the logs has 0600 so no user can access that.

[root@dev-22 ~]# ls -al /var/log/ovirt-hosted-engine-ha/
celkem 152968
drwx------.  2 vdsm kvm      4096 16. pro 08.54 .
drwxr-xr-x. 14 root root     4096 14. pro 03.32 ..
-rw-rw-rw-.  1 vdsm kvm    319135 16. pro 10.59 agent.log
-rw-rw-rw-.  1 vdsm kvm   3587171 10. pro 08.53 agent.log.2015-12-09
-rw-rw-rw-.  1 vdsm kvm   3586078 11. pro 08.53 agent.log.2015-12-10
-rw-rw-rw-.  1 vdsm kvm   3586001 12. pro 08.53 agent.log.2015-12-11
-rw-rw-rw-.  1 vdsm kvm   3586609 13. pro 08.53 agent.log.2015-12-12
-rw-rw-rw-.  1 vdsm kvm   3585823 14. pro 08.53 agent.log.2015-12-13
-rw-rw-rw-.  1 vdsm kvm   3586226 15. pro 08.53 agent.log.2015-12-14
-rw-rw-rw-.  1 vdsm kvm   3637149 16. pro 08.54 agent.log.2015-12-15
-rw-rw-rw-.  1 vdsm kvm   1689971 16. pro 10.59 broker.log
-rw-rw-rw-.  1 vdsm kvm  18424523 10. pro 08.48 broker.log.2015-12-09
-rw-rw-rw-.  1 vdsm kvm  18411823 11. pro 08.48 broker.log.2015-12-10
-rw-rw-rw-.  1 vdsm kvm  18381747 12. pro 08.48 broker.log.2015-12-11
-rw-rw-rw-.  1 vdsm kvm  18394032 13. pro 08.48 broker.log.2015-12-12
-rw-rw-rw-.  1 vdsm kvm  18402339 14. pro 08.48 broker.log.2015-12-13
-rw-rw-rw-.  1 vdsm kvm  18406039 15. pro 08.48 broker.log.2015-12-14
-rw-rw-rw-.  1 vdsm kvm  18470255 16. pro 08.48 broker.log.2015-12-15

Comment 2 Red Hat Bugzilla Rules Engine 2015-12-16 21:35:47 UTC
This bug is marked for z-stream, yet the milestone is for a major version, therefore the milestone has been reset.
Please set the correct milestone or drop the z stream flag.

Comment 3 Yaniv Lavi 2017-01-16 13:57:22 UTC
Moving to patch owner.

Comment 4 Artyom 2017-07-16 10:21:49 UTC
Verified on ovirt-hosted-engine-ha-2.2.0-0.0.master.20170616124434.20170616124430.git18dac95.el7.centos.noarch
All logs have correct permissions:
# ll
total 620548
-rw-r--r--. 1 vdsm kvm 42195126 Jul 16 13:20 agent.log
-rw-r--r--. 1 vdsm kvm 43819703 Jul  8 13:53 agent.log.2017-07-07
-rw-r--r--. 1 vdsm kvm 82848397 Jul 10 11:34 agent.log.2017-07-09
-rw-r--r--. 1 vdsm kvm 44136076 Jul 11 11:34 agent.log.2017-07-10
-rw-r--r--. 1 vdsm kvm 44025500 Jul 12 11:34 agent.log.2017-07-11
-rw-r--r--. 1 vdsm kvm 46349756 Jul 13 14:09 agent.log.2017-07-12
-rw-r--r--. 1 vdsm kvm 44081483 Jul 14 14:09 agent.log.2017-07-13
-rw-r--r--. 1 vdsm kvm 43871293 Jul 15 14:09 agent.log.2017-07-14
-rw-r--r--. 1 vdsm kvm 23042560 Jul 16 13:20 broker.log
-rw-r--r--. 1 vdsm kvm 25205005 Jul  8 12:28 broker.log.2017-07-07
-rw-r--r--. 1 vdsm kvm 48691256 Jul 10 11:42 broker.log.2017-07-09
-rw-r--r--. 1 vdsm kvm 25164420 Jul 11 11:42 broker.log.2017-07-10
-rw-r--r--. 1 vdsm kvm 25035386 Jul 12 11:42 broker.log.2017-07-11
-rw-r--r--. 1 vdsm kvm 27139952 Jul 13 15:10 broker.log.2017-07-12
-rw-r--r--. 1 vdsm kvm 25047145 Jul 14 15:11 broker.log.2017-07-13
-rw-r--r--. 1 vdsm kvm 25080459 Jul 15 15:11 broker.log.2017-07-14

Comment 5 Sandro Bonazzola 2017-12-20 11:33:36 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

