Merge "Update permission of files under /var/log/"

Zuul 2025-02-13 11:41:52 +00:00 committed by Gerrit Code Review
commit 5ef826ddcf
8 changed files with 142 additions and 2 deletions


@ -125,6 +125,11 @@ class { '::platform::config::aio::post':
stage => post,
}
class { '::platform::logpermission':
stage => post,
require => Class['::platform::config::aio::post'],
}
if $::osfamily == 'Debian' {
lookup('classes', {merge => unique}).include
} else {


@ -128,6 +128,11 @@ class { '::platform::config::controller::post':
stage => post,
}
class { '::platform::logpermission':
stage => post,
require => Class['::platform::config::controller::post'],
}
if $::osfamily == 'Debian' {
lookup('classes', {merge => unique}).include
} else {


@ -46,6 +46,11 @@ class { '::platform::config::storage::post':
stage => post,
}
class { '::platform::logpermission':
stage => post,
require => Class['::platform::config::storage::post'],
}
if $::osfamily == 'Debian' {
lookup('classes', {merge => unique}).include
} else {
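Review bot: Declaring `::platform::logpermission` on storage nodes (and on worker nodes in the next section) applies every `file { ...: ensure => 'file' }` resource in that class, including controller-specific paths such as `/var/log/rabbitmq/startup_log` and `/var/log/ceph/ceph-mds.controller-0.log`. `ensure => 'file'` creates an empty file when the path is absent and fails the resource when the parent directory does not exist, so on a node without those services the post stage would presumably either leave stray empty logs or report errors. Consider guarding the per-service file resources by personality or by existence of the file, and keeping only the generic `find` execs unconditional. The hard-coded `controller-0` names would also miss the equivalent logs on a second controller.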


@ -63,6 +63,11 @@ class { '::platform::config::worker::post':
stage => post,
}
class { '::platform::logpermission':
stage => post,
require => Class['::platform::config::worker::post'],
}
if $::osfamily == 'Debian' {
lookup('classes', {merge => unique}).include
} else {


@ -150,7 +150,8 @@ class openstack::barbican::service (
cron { 'barbican-cleaner':
ensure => 'present',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log',
command => '/usr/bin/barbican-manage db clean -p -e -L /var/log/barbican/barbican-clean.log && \
chmod 640 /var/log/barbican/barbican-clean.log',
environment => 'PATH=/bin:/usr/bin:/usr/sbin',
minute => '50',
hour => '*/24',
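Review bot: The `chmod 640` is chained with `&&`, so it is skipped whenever `barbican-manage db clean` exits non-zero, and a log created by a failed run keeps its default mode; `;` would apply the mode regardless of the exit status. The value is also a single-quoted string broken with `\` and a newline; as far as I know Puppet keeps both characters literally inside single quotes, so it is worth checking that the generated crontab entry is still a single line, or keeping the command on one source line. The cron resource continues past the end of the hunk.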


@ -11,4 +11,5 @@
compress
notifempty
copytruncate
create 0640 root root
}
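Review bot: Assuming the added line is `create 0640 root root`, it has no effect in a stanza that also sets `copytruncate`: logrotate copies the log and truncates the original in place, so no new file is ever created and the live log keeps whatever mode it already had. If the mode has to be enforced through logrotate, either drop `copytruncate` (only if the writer can reopen its log) or set the mode where the file is first created. The stanza header is outside the hunk, so which log this applies to is not visible here.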


@ -94,7 +94,8 @@ class platform::collectd
command => @(EOL/L),
date --rfc-3339=s >> /var/log/rss-memory.log; \
ps -e -o ppid,pid,nlwp,rss:10,vsz:10,comm,cmd --sort=-rss \
>> /var/log/rss-memory.log
>> /var/log/rss-memory.log; \
/bin/chmod 0640 /var/log/rss-memory.log
|- EOL
}
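Review bot: The appended `/bin/chmod 0640 /var/log/rss-memory.log` runs only after both `>>` redirections, so when the file does not yet exist it is created with the cron job's default umask and keeps that mode until the whole command line has finished. The file records full command lines from `ps ... cmd`, so it is worth creating it restricted in the first place: starting the command with `umask 027; ` does that, and the chmod is then only needed for a file left over from before this change. The cron resource starts outside the hunk.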


@ -0,0 +1,117 @@
class platform::logpermission {
# Set permissions to 640 only for files with less restrictive permissions
exec { 'set_log_permissions':
command => 'find /var/log -type f \( -perm -004 -o -perm -020 \) -exec chmod 640 {} \;',
path => '/bin:/usr/bin',
onlyif => 'find /var/log -type f \( -perm -004 -o -perm -020 \)',
}
# Set permissions to 750 for directories under /var/log if not already set
exec { 'set_log_directory_permissions':
command => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \) -exec chmod 750 {} \;',
path => '/bin:/usr/bin',
onlyif => 'find /var/log -type d \( -perm -001 -o -perm -010 -o -perm -100 \)',
}
# Change ownership to root:root for specific log files
file { '/var/log/postgresql/postgresql-13-main.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/nfv-vim-events.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/nfv-vim-alarms.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph/ceph-mds.controller-0.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph/ceph-mgr.controller-0.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/ceph-manager.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/startup_log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/startup_err':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/log/crash.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/rabbit@localhost_upgrade.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/rabbitmq/rabbit@localhost.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/mgr-restful-plugin.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
file { '/var/log/barbican/barbican-api.log':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0640',
}
# Use exec to change ownership for /var/log/memcached.log to avoid conflicts with other modules
exec { 'set_memcached_log_ownership':
command => 'chown root:root /var/log/memcached.log && chmod 640 /var/log/memcached.log',
path => '/bin:/usr/bin',
onlyif => 'stat -c "%U:%G" /var/log/memcached.log | grep -qv "root:root"',
}
}
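Review bot: The predicate in `set_log_directory_permissions` includes `-perm -100`, which matches every directory whose owner has execute, so it selects directories that are already 0750 or 0700, and `chmod 750` then adds group read and traverse to a 0700 directory. The file predicate `-perm -004 -o -perm -020` has the opposite gap: it misses files that are world-writable but not world-readable, and `chmod 640` can add group read to a file that did not have it. Both `onlyif` commands are a bare `find`, which exits 0 whether or not anything matched, so the guards never skip the exec. Matching on the bits that must be absent with `-perm /MODE` and clearing only those bits tightens without widening; a sketch follows, with `provider => shell` added because the guards use a pipe.

```puppet
  exec { 'set_log_permissions':
    # Match files with any bit beyond 0640 set; remove only those bits.
    command  => 'find /var/log -type f -perm /137 -exec chmod u-x,g-wx,o-rwx {} +',
    path     => '/bin:/usr/bin',
    provider => shell,
    onlyif   => 'find /var/log -type f -perm /137 -print -quit | grep -q .',
  }
  exec { 'set_log_directory_permissions':
    # Match directories with any bit beyond 0750 set; remove only those bits.
    command  => 'find /var/log -type d -perm /027 -exec chmod g-w,o-rwx {} +',
    path     => '/bin:/usr/bin',
    provider => shell,
    onlyif   => 'find /var/log -type d -perm /027 -print -quit | grep -q .',
  }
  # … unchanged: per-file ownership resources and set_memcached_log_ownership …
```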