Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5856

Logrotate ContainerLogger module does not rotate logs when run as root with `--switch_user`.

    XMLWordPrintableJSON

Details

    • Mesosphere Sprint 44, Mesosphere Sprint 45, Mesosphere Sprint 46, Mesosphere Sprint 47
    • 3

    Description

      The logrotate ContainerLogger module runs as the agent's user. In most cases, this is root.

      When logrotate is run as root, there is an additional check the configuration files must pass (because a root logrotate needs to be secured against non-root modifications to the configuration):
      https://github.com/logrotate/logrotate/blob/fe80cb51a2571ca35b1a7c8ba0695db5a68feaba/config.c#L807-L815

      Log rotation will fail under the following scenario:
      1) The agent is run with --switch_user (default: true)
      2) A task is launched with a non-root user specified
      3) The logrotate module spawns a few companion processes (as root) and this creates the stdout, stderr, stdout.logrotate.conf, and stderr.logrotate.conf files (as root). This step races with the next step.
      4) The Mesos containerizer and Fetcher will chown the task's sandbox to the non-root user. Including the files just created.
      5) When logrotate is run, it will skip any non-root configuration files. This means the files are not rotated.


      Fix: The logrotate module's companion processes should call setuid and setgid.

      Attachments

        Issue Links

          Activity

            People

              sivaramsk Sivaram Kannan
              kaysoky Joseph Wu
              Joseph Wu Joseph Wu
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: