Gluster users - Sep 2017 - [Gluster-devel] Permission for glusterfs logs.

On 09/18/2017 09:22 PM, ABHISHEK PALIWAL wrote:
> Any suggestion would be appreciated...
> 
> On Sep 18, 2017 15:05, "ABHISHEK PALIWAL" <abhishpaliwal at
gmail.com
> <mailto:abhishpaliwal at gmail.com>> wrote:
> 
>     Any quick suggestion.....?
> 
>     On Mon, Sep 18, 2017 at 1:50 PM, ABHISHEK PALIWAL
>     <abhishpaliwal at gmail.com <mailto:abhishpaliwal at
gmail.com>> wrote:
> 
>         Hi Team,
> 
>         As you can see permission for the glusterfs logs in
>         /var/log/glusterfs is 600.
> 
>         drwxr-xr-x 3 root root? 140 Jan? 1 00:00 ..
>         *-rw------- 1 root root??? 0 Jan? 3 20:21 cmd_history.log*
>         drwxr-xr-x 2 root root?? 40 Jan? 3 20:21 bricks
>         drwxr-xr-x 3 root root? 100 Jan? 3 20:21 .
>         *-rw------- 1 root root 2102 Jan? 3 20:21
>         etc-glusterfs-glusterd.vol.log*
> 
>         Due to that non-root user is not able to access these logs
>         files, could you please let me know how can I change these
>         permission. So that non-root user can also access these log files.
>
There is no "quick fix."  Gluster creates the log files with 0600 ?
like
nearly everything else in /var/log.

The admin can chmod the files, but when the logs rotate the new log
files will be 0600 again.

You'd have to patch the source and rebuild to get different permission bits.

You can probably do something with ACLs, but as above, when the logs
rotate the new files won't have the ACLs.



-- 

Kaleb

I have modified the source code and its working fine but only below two
files permission is not getting change even after modification.

1. cli.log
2. file which contains the mounting information for "mount -t
glusterfs"
command

On Wed, Sep 20, 2017 at 5:20 PM, Kaleb S. KEITHLEY <kkeithle at
redhat.com>
wrote:
> On 09/18/2017 09:22 PM, ABHISHEK PALIWAL wrote:
> > Any suggestion would be appreciated...
> >
> > On Sep 18, 2017 15:05, "ABHISHEK PALIWAL" <abhishpaliwal
at gmail.com
> > <mailto:abhishpaliwal at gmail.com>> wrote:
> >
> >     Any quick suggestion.....?
> >
> >     On Mon, Sep 18, 2017 at 1:50 PM, ABHISHEK PALIWAL
> >     <abhishpaliwal at gmail.com <mailto:abhishpaliwal at
gmail.com>> wrote:
> >
> >         Hi Team,
> >
> >         As you can see permission for the glusterfs logs in
> >         /var/log/glusterfs is 600.
> >
> >         drwxr-xr-x 3 root root  140 Jan  1 00:00 ..
> >         *-rw------- 1 root root    0 Jan  3 20:21 cmd_history.log*
> >         drwxr-xr-x 2 root root   40 Jan  3 20:21 bricks
> >         drwxr-xr-x 3 root root  100 Jan  3 20:21 .
> >         *-rw------- 1 root root 2102 Jan  3 20:21
> >         etc-glusterfs-glusterd.vol.log*
> >
> >         Due to that non-root user is not able to access these logs
> >         files, could you please let me know how can I change these
> >         permission. So that non-root user can also access these log
> files.
> >
>
> There is no "quick fix."  Gluster creates the log files with 0600
? like
> nearly everything else in /var/log.
>
> The admin can chmod the files, but when the logs rotate the new log
> files will be 0600 again.
>
> You'd have to patch the source and rebuild to get different permission
> bits.
>
> You can probably do something with ACLs, but as above, when the logs
> rotate the new files won't have the ACLs.
>
>
>
> --
>
> Kaleb
>


-- 




Regards
Abhishek Paliwal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170920/fe94dd11/attachment.html>

You could trigger a chmod on log rotation.

Alex

On Sep 21, 2017 06:45, "Kaleb S. KEITHLEY" <kkeithle at
redhat.com> wrote:
> On 09/18/2017 09:22 PM, ABHISHEK PALIWAL wrote:
> > Any suggestion would be appreciated...
> >
> > On Sep 18, 2017 15:05, "ABHISHEK PALIWAL" <abhishpaliwal
at gmail.com
> > <mailto:abhishpaliwal at gmail.com>> wrote:
> >
> >     Any quick suggestion.....?
> >
> >     On Mon, Sep 18, 2017 at 1:50 PM, ABHISHEK PALIWAL
> >     <abhishpaliwal at gmail.com <mailto:abhishpaliwal at
gmail.com>> wrote:
> >
> >         Hi Team,
> >
> >         As you can see permission for the glusterfs logs in
> >         /var/log/glusterfs is 600.
> >
> >         drwxr-xr-x 3 root root  140 Jan  1 00:00 ..
> >         *-rw------- 1 root root    0 Jan  3 20:21 cmd_history.log*
> >         drwxr-xr-x 2 root root   40 Jan  3 20:21 bricks
> >         drwxr-xr-x 3 root root  100 Jan  3 20:21 .
> >         *-rw------- 1 root root 2102 Jan  3 20:21
> >         etc-glusterfs-glusterd.vol.log*
> >
> >         Due to that non-root user is not able to access these logs
> >         files, could you please let me know how can I change these
> >         permission. So that non-root user can also access these log
> files.
> >
>
> There is no "quick fix."  Gluster creates the log files with 0600
? like
> nearly everything else in /var/log.
>
> The admin can chmod the files, but when the logs rotate the new log
> files will be 0600 again.
>
> You'd have to patch the source and rebuild to get different permission
> bits.
>
> You can probably do something with ACLs, but as above, when the logs
> rotate the new files won't have the ACLs.
>
>
>
> --
>
> Kaleb
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://lists.gluster.org/mailman/listinfo/gluster-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170921/51e42dfe/attachment.html>

Who is rotating the logs? If logrotate then setfacl may be the way to go
https://bugzilla.redhat.com/show_bug.cgi?id=666677

[root at centos7 ~]# touch /var/log/my.log
[root at centos7 ~]# ls -al /var/log/my.log
-rw-r--r--. 1 root root 0 Sep 21 07:01 /var/log/my.log
[root at centos7 ~]# chmod 600 /var/log/my.log
[root at centos7 ~]# sudo su - vagrant
Last login: Thu Sep 21 07:01:36 UTC 2017 from 10.0.2.2 on pts/0
[vagrant at centos7 ~]$ cat /var/log/my.log
cat: /var/log/my.log: Permission denied
[vagrant at centos7 ~]$ exit
logout
[root at centos7 ~]# setfacl -m u:vagrant:r /var/log/my.log
[root at centos7 ~]# sudo su - vagrant
Last login: Thu Sep 21 07:03:05 UTC 2017 on pts/0
[vagrant at centos7 ~]$ cat /var/log/my.log
[vagrant at localhost ~]$ getfacl /var/log/my.log
getfacl: Removing leading '/' from absolute path names
# file: var/log/my.log
# owner: root
# group: root
user::rw-
user:vagrant:r--
group::---
mask::r--
other::---

Marcin


On Wed, Sep 20, 2017 at 2:07 PM, ABHISHEK PALIWAL <abhishpaliwal at
gmail.com>
wrote:
> I have modified the source code and its working fine but only below two
> files permission is not getting change even after modification.
>
> 1. cli.log
> 2. file which contains the mounting information for "mount -t
glusterfs"
> command
>
> On Wed, Sep 20, 2017 at 5:20 PM, Kaleb S. KEITHLEY <kkeithle at
redhat.com>
> wrote:
>
>> On 09/18/2017 09:22 PM, ABHISHEK PALIWAL wrote:
>> > Any suggestion would be appreciated...
>> >
>> > On Sep 18, 2017 15:05, "ABHISHEK PALIWAL"
<abhishpaliwal at gmail.com
>> > <mailto:abhishpaliwal at gmail.com>> wrote:
>> >
>> >     Any quick suggestion.....?
>> >
>> >     On Mon, Sep 18, 2017 at 1:50 PM, ABHISHEK PALIWAL
>> >     <abhishpaliwal at gmail.com <mailto:abhishpaliwal at
gmail.com>> wrote:
>> >
>> >         Hi Team,
>> >
>> >         As you can see permission for the glusterfs logs in
>> >         /var/log/glusterfs is 600.
>> >
>> >         drwxr-xr-x 3 root root  140 Jan  1 00:00 ..
>> >         *-rw------- 1 root root    0 Jan  3 20:21 cmd_history.log*
>> >         drwxr-xr-x 2 root root   40 Jan  3 20:21 bricks
>> >         drwxr-xr-x 3 root root  100 Jan  3 20:21 .
>> >         *-rw------- 1 root root 2102 Jan  3 20:21
>> >         etc-glusterfs-glusterd.vol.log*
>> >
>> >         Due to that non-root user is not able to access these logs
>> >         files, could you please let me know how can I change these
>> >         permission. So that non-root user can also access these
log
>> files.
>> >
>>
>> There is no "quick fix."  Gluster creates the log files with
0600 ? like
>> nearly everything else in /var/log.
>>
>> The admin can chmod the files, but when the logs rotate the new log
>> files will be 0600 again.
>>
>> You'd have to patch the source and rebuild to get different
permission
>> bits.
>>
>> You can probably do something with ACLs, but as above, when the logs
>> rotate the new files won't have the ACLs.
>>
>>
>>
>> --
>>
>> Kaleb
>>
>
>
>
> --
>
>
>
>
> Regards
> Abhishek Paliwal
>
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://lists.gluster.org/mailman/listinfo/gluster-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170921/f1cc6d22/attachment.html>

On Wed, Sep 20, 2017 at 07:50:58AM -0400, Kaleb S. KEITHLEY
wrote:
> On 09/18/2017 09:22 PM, ABHISHEK PALIWAL wrote:
> > Any suggestion would be appreciated...
> > 
> > On Sep 18, 2017 15:05, "ABHISHEK PALIWAL" <abhishpaliwal
at gmail.com
> > <mailto:abhishpaliwal at gmail.com>> wrote:
> > 
> >     Any quick suggestion.....?
> > 
> >     On Mon, Sep 18, 2017 at 1:50 PM, ABHISHEK PALIWAL
> >     <abhishpaliwal at gmail.com <mailto:abhishpaliwal at
gmail.com>> wrote:
> > 
> >         Hi Team,
> > 
> >         As you can see permission for the glusterfs logs in
> >         /var/log/glusterfs is 600.
> > 
> >         drwxr-xr-x 3 root root? 140 Jan? 1 00:00 ..
> >         *-rw------- 1 root root??? 0 Jan? 3 20:21 cmd_history.log*
> >         drwxr-xr-x 2 root root?? 40 Jan? 3 20:21 bricks
> >         drwxr-xr-x 3 root root? 100 Jan? 3 20:21 .
> >         *-rw------- 1 root root 2102 Jan? 3 20:21
> >         etc-glusterfs-glusterd.vol.log*
> > 
> >         Due to that non-root user is not able to access these logs
> >         files, could you please let me know how can I change these
> >         permission. So that non-root user can also access these log
files.
> >
> 
> There is no "quick fix."  Gluster creates the log files with 0600
? like
> nearly everything else in /var/log.
> 
> The admin can chmod the files, but when the logs rotate the new log
> files will be 0600 again.
> 
> You'd have to patch the source and rebuild to get different permission
bits.
> 
> You can probably do something with ACLs, but as above, when the logs
> rotate the new files won't have the ACLs.
Actually, if you set the 'default' ACL on the /var/log/gluster and other
directories, it gets inherited to new files that are created under
there. (The 'chmod' permissions for the directory will apply as
maximum permissions for ACLs, with chmod=755 reading files is possible.)

Something like this might work (give group 'admin' read permissions):

  # setfacl -d -m g:admin:r $(find /var/log/gluster -type d)
  # setfacl -R -m g:admin:r /var/log/gluster

Once you test this out, and are successful, you might want to add this
to the documentation on http://docs.gluster.org/ somewhere. Pull
requests can be sent to https://github.com/gluster/glusterdocs/ .

Thanks,
Niels
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170922/1738d97c/attachment.sig>