[ovs-dev] [PATCH] rhel: Use openvswitch user in the logrotate configuration file

Timothy Redaelli tredaelli at redhat.com
Tue Aug 7 18:01:11 UTC 2018


On Tue,  7 Aug 2018 16:18:13 +0300
Markos Chandras <mchandras at suse.de> wrote:

> The /var/log/openvswitch directory is owned by the openvswitch user
> but logrotate could be running as root or as another user. As a
> result of which, rpmlint prints the following warning when building
> the spec file on SUSE Linux Enterprise:
> 
> openvswitch.x86_64: W:
> suse-logrotate-user-writable-log-dir /var/log/openvswitch
> openvswitch:openvswitch 0750 The log directory is writable by
> unprivileged users. Please fix the permissions so only root can write
> there or add the 'su' option to your logrotate config
> 
> In order to fix that, we should run the logrotate script as the
> openvswitch user which ensures that the correct user is processing
> the Open vSwitch log files.
> 
> Cc: Aaron Conole <aconole at redhat.com>
> Cc: Timothy Redaelli <tredaelli at redhat.com>
> Signed-off-by: Markos Chandras <mchandras at suse.de>

Hi Markos,
I agree with you that running logrotate as root is probably bad.

The problem is that, for backward compatibility, we keep OVS as "root"
user if you upgrade OVS from an old version (older than the non-root
user support).

This means that, with this patch and when you launch OVS as root
(after an upgrade or by commenting the OVS_USER_ID
in /etc/sysconfig/openvswitch), the logs are owned by root:root and
so logrotate, as openvswitch:openvswitch, cannot work correctly.

If it's only to avoid the warning, we could change the spec file in
order to do "chown -R openvswitch:openvswitch /var/log/openvswitch",
when it's an upgrade, in %post, instead of using %attr in the spec file.

As an alternative we may do something more complex. For example by
generating another file in /var/run/openvswitch that contains the "su"
line (using OVS_USER_ID) and including it from
/etc/logrotate.d/openvswitch (we already use a similar approach to
set --ovs-user ONLY if OVS_USER_ID is not root, in
/var/run/openvswitch/useropts).

Probably there is a better way to do that, but I can't think of
anything else.

Thank you
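The OVS_USER_ID-driven "su" line sketched in the reply above, as an added shell example that is neither the patch nor code from the Open vSwitch project: it parses OVS_USER_ID the way /etc/sysconfig/openvswitch spells it (`user:group`), emits `su user group` only when the daemons do not run as root, and renders a complete logrotate stanza around it, so rotation runs as the account that owns /var/log/openvswitch rather than as root against a directory writable by an unprivileged user. Because logrotate does not accept an `include` directive inside a `{ ... }` log-file definition, the example generates the whole stanza instead of a fragment to be included from /etc/logrotate.d/openvswitch. The function names, the sample sysconfig lines and the stanza contents (daily/compress/postrotate with `ovs-appctl vlog/reopen`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Open vSwitch project code.
# Renders a logrotate stanza for the OVS logs whose "su" directive
# follows OVS_USER_ID, so the rotation runs as the log directory's owner.
# Assumed names: LOG_DIR, ovs_read_user_id, ovs_logrotate_su, ovs_render_logrotate.

LOG_DIR=/var/log/openvswitch

# Extract OVS_USER_ID from sysconfig-style text on stdin.  A commented-out
# or missing assignment yields an empty string, which means "run as root"
# (the upgrade/backward-compatibility case described in the reply).
ovs_read_user_id() {
    sed -n 's/^OVS_USER_ID=["]*\([^"]*\)["]*$/\1/p' | tail -n 1
}

# Print the "su user group" directive for an OVS_USER_ID of the form
# user:group (a bare user defaults the group to the user name).  Print
# nothing when the daemons run as root: then the logs are root:root and
# an "su openvswitch openvswitch" line would make logrotate unable to
# rename or create them.
ovs_logrotate_su() {
    case "$1" in
        *:*) ovs_user="${1%%:*}"; ovs_group="${1#*:}" ;;
        *)   ovs_user="$1";       ovs_group="$1" ;;
    esac
    case "$ovs_user" in
        ""|root) return 0 ;;
    esac
    printf '    su %s %s\n' "$ovs_user" "$ovs_group"
}

# Render the full stanza; the "su" line is inserted right after the
# opening brace so it applies to this log definition only.
ovs_render_logrotate() {
    printf '%s/*.log {\n' "$LOG_DIR"
    ovs_logrotate_su "$1"
    cat <<'EOF'
    daily
    compress
    sharedscripts
    missingok
    postrotate
    # Ask the running daemons to reopen their log files after rotation.
    if [ -e /var/run/openvswitch/ovs-vswitchd.pid ]; then
        /usr/bin/ovs-appctl -t ovs-vswitchd vlog/reopen
    fi
    if [ -e /var/run/openvswitch/ovsdb-server.pid ]; then
        /usr/bin/ovs-appctl -t ovsdb-server vlog/reopen
    fi
    endscript
}
EOF
}

# Usage on constructed sysconfig content (in %post one would read
# /etc/sysconfig/openvswitch instead and write the result to the
# logrotate configuration file):
SAMPLE_SYSCONFIG='OVS_USER_ID="openvswitch:openvswitch"'
ovs_render_logrotate "$(printf '%s\n' "$SAMPLE_SYSCONFIG" | ovs_read_user_id)"
```

Running the block prints a stanza carrying `su openvswitch openvswitch`; feeding it a sysconfig where the OVS_USER_ID line is commented out prints the same stanza without any `su` line, which is the behaviour the reply asks for on upgraded hosts that still run the daemons as root.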
