Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2113068

Summary: RHV 4.4 SP1+ logrotate fails for ovn due to incorrect permissions of /var/log/ovn
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sean Haselden <shaselde>
Component: openvswitch
Assignee: Ales Musil <amusil>
Status: CLOSED ERRATA
QA Contact: Michael Burman <mburman>
Severity: low
Docs Contact:
Priority: low
Version: 4.5.0
CC: amusil, dfodor, emarcus, eraviv, mburman, mperina
Target Milestone: ovirt-4.5.2
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-openvswitch-2.15-4.el8ev
Doc Type: Release Note
Doc Text: With this release, permissions for the /var/log/ovn directory are updated correctly during the upgrade of OVS/OVN 2.11 to OVS 2.15/OVN 2021.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-08 11:29:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sean Haselden 2022-08-01 20:55:22 UTC
Description of problem:

Logrotate of /etc/logrotate.d/ovn fails with: 
error: failed to rename /var/log/ovn/ovn-controller.log to /var/log/ovn/ovn-controller.log-20220801: Permission denied

Permissions of /var/log/ovn are set to root:root: 
ls -la /var/log/ | grep ovn
drwxr-xr-x.  2 root        root            32 Jun 22 17:54 ovn

We can see that the installation of the ovn rpm modifies the /etc/logrotate.d/ovn file to first su to openvswitch:openvswitch before attempting to rotate: 

[root@rhevh-25 log]# rpm -qi --scripts ovn-2021-21.12.0-46.el8fdp.x86_64
postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ]; then
    sed -i 's:^#OVN_USER_ID=:OVN_USER_ID=:' /etc/sysconfig/ovn
    sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' /etc/logrotate.d/ovn
fi
postuninstall program: /bin/sh


This causes a permissions mismatch because the directory is owned by root:root and doesn't have write permissions.

Version-Release number of selected component (if applicable):


How reproducible:

We have a lab system showing this issue with: 
redhat-release-virtualization-host-4.5.0-5.el8ev.x86_64 with:
ovn-2021-host-21.12.0-46.el8fdp.x86_64
ovn-2021-21.12.0-46.el8fdp.x86_64


Customer environment: 
redhat-release-virtualization-host-4.5.1-1.el8ev.x86_64 with: 
ovn-2021-21.12.0-73.el8fdp.x86_64                           
ovn-2021-host-21.12.0-73.el8fdp.x86_64                     



Steps to Reproduce:
1. /usr/sbin/logrotate  /etc/logrotate.conf --force > /tmp/rotate 2>&1
2. Check /tmp/rotate for error 
3.

Actual results:
error: failed to rename /var/log/ovn/ovn-controller.log to /var/log/ovn/ovn-controller.log-20220801: Permission denied
/var/log/ovn/ovn-controller.log cannot be rotated 


Expected results:
/var/log/ovn/ovn-controller.log should be rotated 

Additional info:

On a lab system we see this process running with the --log-file argument to /var/log/ovn:
openvsw+    1695       1  0 Jun22 ?        00:01:45 ovn-controller unix:/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --private-key=/etc/pki/vdsm/keys/vdsmkey.pem --certificate=/etc/pki/vdsm/certs/vdsmcert.pem --ca-cert=/etc/pki/vdsm/certs/cacert.pem --user openvswitch:openvswitch --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/run/ovn/ovn-controller.pid --detach

Suspect the /var/log/ovn directory isn't being created properly with openvswitch:openvswitch 


In our customer's case, they ran chown openvswitch:root /var/log/ovn and this allowed the file to be rotated.
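
The mismatch described in the report above can be checked for directly. This is an added example, not part of the bug report or of any Red Hat package: it reads the `su` directive from a logrotate snippet and tests whether that identity has write access to the log directory. The function names and the `--check` switch are hypothetical; it assumes GNU stat and ignores supplementary groups, ACLs and SELinux.

```shell
#!/bin/sh
# Added example (not from the bug report): does the identity named in a
# logrotate `su` directive have write access to the log directory?
# Assumes GNU stat (coreutils), as shipped on RHEL 8.

# Print "user group" from the first `su` directive in a logrotate snippet.
su_identity() {
    awk '$1 == "su" && NF >= 3 { print $2, $3; ok = 1; exit }
         END { exit !ok }' "$1"
}

# su_can_rotate CONF DIR
# Returns 0 if the su identity may rename files in DIR, 1 if not,
# 2 if CONF has no su directive. Prints a one-line verdict.
su_can_rotate() {
    local ident user group owner dgroup mode bits digit
    ident=$(su_identity "$1") || { echo "no su directive in $1"; return 2; }
    user=${ident% *}; group=${ident#* }
    owner=$(stat -c '%U' "$2"); dgroup=$(stat -c '%G' "$2")
    mode=$(stat -c '%a' "$2")
    if [ "$user" = root ]; then
        echo "ok: root is not limited by the mode of $2"; return 0
    fi
    # Pad to four digits, then drop the setuid/setgid/sticky digit.
    bits=$(printf '%04d' "$mode"); bits=${bits#?}
    # Pick the permission class that applies: owner, then group, else other.
    if   [ "$user" = "$owner" ];   then digit=${bits%??}
    elif [ "$group" = "$dgroup" ]; then digit=${bits#?}; digit=${digit%?}
    else                                digit=${bits#??}
    fi
    # Renaming a file needs the write bit (value 2) on the directory.
    if [ $((digit & 2)) -ne 0 ]; then
        echo "ok: $user:$group can write to $2 ($owner:$dgroup $mode)"
        return 0
    fi
    echo "mismatch: $user:$group cannot write to $2 ($owner:$dgroup $mode)"
    return 1
}

# Check the pair from this report when run directly on a host.
if [ "${1:-}" = "--check" ]; then
    su_can_rotate /etc/logrotate.d/ovn /var/log/ovn
fi
```

On a host in the state shown in the report (directory root:root, mode 755, `su openvswitch openvswitch`), the check reports a mismatch because only the "other" permission bits apply to openvswitch.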

Comment 5 Michael Burman 2022-08-07 16:25:18 UTC
Verified on - ovirt-openvswitch-2.15-4.el8ev.noarch 

Upgraded from:
rhvm-4.4.10.7-0.4.el8ev.noarch
ovirt-openvswitch-2.11-1.el8ev.noarch
vdsm-4.40.100.2-1.el8ev.x86_64

To:
rhvm-4.5.2.1-0.1.el8ev.noarch
ovirt-openvswitch-2.15-4.el8ev.noarch
vdsm-4.50.2.2-1.el8ev.x86_64

After upgrade, the permissions have been fixed:
ls -la /var/log/ | grep ovn
drwxr-xr-x.  2 openvswitch openvswitch     32 Aug  7 19:08 ovn

rpm -q ovirt-openvswitch
ovirt-openvswitch-2.15-4.el8ev.noarch

Comment 7 Casper (RHV QE bot) 2022-09-06 11:30:53 UTC
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise its PM_Score above verification threshold (1000).

Comment 10 errata-xmlrpc 2022-09-08 11:29:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Engine and Host Common Packages update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6394