Joseph Wu created MESOS-5856:
--------------------------------

             Summary: Logrotate ContainerLogger module does not rotate logs when run as root with --switch_user
                 Key: MESOS-5856
                 URL: https://issues.apache.org/jira/browse/MESOS-5856
             Project: Mesos
          Issue Type: Bug
    Affects Versions: 0.28.0, 0.27.0, 1.0.0
            Reporter: Joseph Wu
            Priority: Minor


The logrotate ContainerLogger module runs as the agent's user.  In most cases, 
this is {{root}}.

When {{logrotate}} is run as root, there is an additional check the 
configuration files must pass (because a root {{logrotate}} needs to be secured 
against non-root modifications to the configuration):
https://github.com/logrotate/logrotate/blob/fe80cb51a2571ca35b1a7c8ba0695db5a68feaba/config.c#L807-L815

Log rotation will fail under the following scenario:
1) The agent is run with {{--switch_user}} (default: true)
2) A task is launched with a non-root user specified
3) The logrotate module spawns a few companion processes (as root) and this 
creates the {{stdout}}, {{stderr}}, {{stdout.logrotate.conf}}, and 
{{stderr.logrotate.conf}} files (as root).  This step races with the next step.
4) The Mesos containerizer will {{chown}} the task's sandbox to the non-root 
user, including the files just created.
5) When {{logrotate}} is run, it will skip any non-root configuration files.  
This means the files are not rotated.

----

Fix: The logrotate module's companion processes should call {{setuid}} and 
{{setgid}}.
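
A way to spot affected sandboxes, as an added example that is not part of the original report or of Mesos: it models only the ownership condition described above (a root {{logrotate}} skips configuration files not owned by root) and lists the logs that would go unrotated. The function names and the directory argument are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

ROOT_UID = 0
CONF_SUFFIX = ".logrotate.conf"  # stdout.logrotate.conf / stderr.logrotate.conf


def skipped_by_root_logrotate(runner_uid, owner_uid):
    """Model of the check described in the issue (not logrotate's full logic):
    a root logrotate skips config files not owned by root; a non-root
    logrotate does not apply this check."""
    return runner_uid == ROOT_UID and owner_uid != ROOT_UID


def audit_sandbox(sandbox, runner_uid=ROOT_UID):
    """Return one finding per config file under `sandbox` that would be skipped."""
    findings = []
    for conf in sorted(Path(sandbox).rglob("*" + CONF_SUFFIX)):
        st = conf.lstat()  # lstat: do not follow symlinks placed in the sandbox
        if not stat.S_ISREG(st.st_mode):
            continue
        if skipped_by_root_logrotate(runner_uid, st.st_uid):
            log = conf.with_name(conf.name[: -len(CONF_SUFFIX)])
            findings.append({
                "config": str(conf),
                "owner_uid": st.st_uid,
                "log": str(log),
                "log_bytes": log.stat().st_size if log.is_file() else None,
            })
    return findings


if __name__ == "__main__":
    # Constructed sandbox: files are created by the current user, which stands
    # in for the task user after the containerizer's chown.
    with tempfile.TemporaryDirectory() as sandbox:
        for name in ("stdout", "stderr"):
            Path(sandbox, name).write_text("constructed task output\n")
            Path(sandbox, name + CONF_SUFFIX).write_text("# constructed config\n")
        for f in audit_sandbox(sandbox):
            print("skipped by root logrotate: {config} (uid {owner_uid}); "
                  "{log} is not rotated, {log_bytes} bytes".format(**f))
```

Run against a task sandbox on an agent that runs as root, an empty result means every {{*.logrotate.conf}} file there is still root-owned.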


