Mesos / MESOS-5856

Logrotate ContainerLogger module does not rotate logs when run as root with `--switch_user`.

    Details

    • Sprint:
      Mesosphere Sprint 44, Mesosphere Sprint 45, Mesosphere Sprint 46, Mesosphere Sprint 47
    • Story Points:
      3

      Description

      The logrotate ContainerLogger module runs as the agent's user. In most cases, this is root.

      When logrotate is run as root, there is an additional check the configuration files must pass (because a root logrotate needs to be secured against non-root modifications to the configuration):
      https://github.com/logrotate/logrotate/blob/fe80cb51a2571ca35b1a7c8ba0695db5a68feaba/config.c#L807-L815

      Log rotation will fail under the following scenario:
      1) The agent is run with --switch_user (default: true)
      2) A task is launched with a non-root user specified
      3) The logrotate module spawns a few companion processes (as root) and this creates the stdout, stderr, stdout.logrotate.conf, and stderr.logrotate.conf files (as root). This step races with the next step.
      4) The Mesos containerizer and Fetcher will chown the task's sandbox to the non-root user, including the files just created.
      5) When logrotate is run, it will skip any configuration files that are not owned by root. This means the files are not rotated.


      Fix: The logrotate module's companion processes should call setuid and setgid.
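
The failure and the fix above, as an added C example that is not Mesos or logrotate code: `config_accepted` is a simplified model of the root-only owner check, and `drop_to_task_user` shows the setgid-then-setuid order a companion process would use. The function names and the uid 1000 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified model of the owner check described above (not logrotate's
 * code): only a root-run rotator insists that its config is root-owned. */
bool config_accepted(uid_t runner_uid, uid_t conf_owner) {
    if (runner_uid != 0)
        return true;            /* the extra check applies to root only */
    return conf_owner == 0;     /* chowned to the task user: skipped */
}

/* Drop from root to the task's user. Group first: after setuid() the
 * process no longer has the privilege to change its gid. A production
 * version would also reset supplementary groups. */
int drop_to_task_user(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop must be irreversible */
    return 0;
}

int main(void) {
    const uid_t task_uid = 1000;  /* constructed sample uid/gid */

    /* Before the fix: companion stays root, sandbox chowned to task user. */
    printf("root companion, conf owned by %d: %s\n", (int)task_uid,
           config_accepted(0, task_uid) ? "rotated" : "skipped");

    /* After the fix: when started as root, drop to the task user first. */
    if (getuid() == 0 && drop_to_task_user(task_uid, (gid_t)task_uid) != 0) {
        perror("drop_to_task_user");
        return 1;
    }
    printf("companion uid %d, conf owned by %d: %s\n", (int)getuid(),
           (int)task_uid,
           config_accepted(getuid(), task_uid) ? "rotated" : "skipped");
    return 0;
}
```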

              People

              • Assignee:
                sivaramsk Sivaram Kannan
                Reporter:
                kaysoky Joseph Wu
                Shepherd:
                Joseph Wu