Joseph Wu created MESOS-5856: -------------------------------- Summary: Logrotate ContainerLogger module does not rotate logs when run as root with --switch_user Key: MESOS-5856 URL: https://issues.apache.org/jira/browse/MESOS-5856 Project: Mesos Issue Type: Bug Affects Versions: 0.28.0, 0.27.0, 1.0.0 Reporter: Joseph Wu Priority: Minor
The logrotate ContainerLogger module runs as the agent's user. In most cases, this is {{root}}. When {{logrotate}} is run as root, there is an additional check the configuration files must pass (because a root {{logrotate}} needs to be secured against non-root modifications to the configuration): https://github.com/logrotate/logrotate/blob/fe80cb51a2571ca35b1a7c8ba0695db5a68feaba/config.c#L807-L815 Log rotation will fail under the following scenario: 1) The agent is run with {{--switch_user}} (default: true) 2) A task is launched with a non-root user specified 3) The logrotate module spawns a few companion processes (as root) and this creates the {{stdout}}, {{stderr}}, {{stdout.logrotate.conf}}, and {{stderr.logrotate.conf}} files (as root). This step races with the next step. 4) The Mesos containerizer will {{chown}} the task's sandbox to the non-root user. Including the files just created. 5) When {{logrotate}} is run, it will skip any non-root configuration files. This means the files are not rotated. ---- Fix: The logrotate module's companion processes should call {{setuid}} and {{setgid}}. -- This message was sent by Atlassian JIRA (v6.3.4#6332)