From 3a1b8428026445fbd7227766665f411be89ffbfd Mon Sep 17 00:00:00 2001 From: Luna Das Date: Wed, 28 Aug 2019 17:07:13 +0530 Subject: [PATCH] Add fixes to user logging in calicoctl utility container logs Change-Id: If50de7431166764b7a6e75e836ffa6956637e4d7 --- .../templates/bin/_bootstrap.sh.tpl | 1 + .../_override-oslo-rootwrap-logging.sh.tpl | 26 +++++++++++++++++++ .../templates/bin/_utilscli-sudo.tpl | 3 ++- .../templates/configmap-bin.yaml | 3 +++ .../deployment-calicoctl-utility.yaml | 4 +++ .../bin/utility/_ceph-utility-rootwrap.tpl | 2 +- 6 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl diff --git a/calicoctl-utility/templates/bin/_bootstrap.sh.tpl b/calicoctl-utility/templates/bin/_bootstrap.sh.tpl index f79e49e3..4fc85940 100644 --- a/calicoctl-utility/templates/bin/_bootstrap.sh.tpl +++ b/calicoctl-utility/templates/bin/_bootstrap.sh.tpl @@ -15,4 +15,5 @@ See the License for the specific language governing permissions and limitations under the License. */}} +sudo /tmp/override-oslo-rootwrap-logging.sh exec sudo socat -d -v -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout diff --git a/calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl b/calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl new file mode 100644 index 00000000..ffb7a12f --- /dev/null +++ b/calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl 
@@ -0,0 +1,26 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+These lines will disable extra handler, extra formatter, extra level to the
+root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
+These lines will get rid of duplicate logs, generated because of the formatter
+attached by oslo-rootwrap.
+*/}}
+sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
\ No newline at end of file
diff --git a/calicoctl-utility/templates/bin/_utilscli-sudo.tpl b/calicoctl-utility/templates/bin/_utilscli-sudo.tpl
index 09e2fcb7..37c18de2 100644
--- a/calicoctl-utility/templates/bin/_utilscli-sudo.tpl
+++ b/calicoctl-utility/templates/bin/_utilscli-sudo.tpl
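Review bot: The four `sed -i` commands edit `oslo_rootwrap/wrapper.py` as root with unanchored patterns, so every line matching `os.path.basename` (the dots match any character) is commented out, not only the formatter call the comment block describes. If the installed oslo.rootwrap lays these statements out differently, the edit may leave a half-commented statement in the module rootwrap imports. Nothing reports that, because `sed` succeeds when no line matches, the script has no `set -e`, and the call added in `_bootstrap.sh.tpl` ignores the exit status. I would add `set -eu` after the shebang and anchor each pattern to its statement, for example `/^ *rootwrap_logger\.setLevel(/`. Applying the change at image build time against a pinned oslo.rootwrap version would also drop the hard-coded `/usr/lib/python2.7/site-packages` path from the runtime script.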
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. */}} -nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -v -s -t0 -T0 -u \ +nobody ALL=SETENV: NOPASSWD: /tmp/override-oslo-rootwrap-logging.sh, \ + /usr/bin/socat -d -v -s -t0 -T0 -u \ UNIX-RECV\:/dev/log\,reuseaddr stdout, \ /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf *, \ /usr/local/bin/calicoctl version diff --git a/calicoctl-utility/templates/configmap-bin.yaml b/calicoctl-utility/templates/configmap-bin.yaml index 43295b71..b0e8a9af 100644 --- a/calicoctl-utility/templates/configmap-bin.yaml +++ b/calicoctl-utility/templates/configmap-bin.yaml @@ -25,6 +25,9 @@ data: image-repo-sync.sh: | {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} + override-oslo-rootwrap-logging.sh: | +{{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + calicoctl-utility-rootwrap: | {{ tuple "bin/_calicoctl-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} diff --git a/calicoctl-utility/templates/deployment-calicoctl-utility.yaml b/calicoctl-utility/templates/deployment-calicoctl-utility.yaml index a7103c0e..85db5a4b 100644 --- a/calicoctl-utility/templates/deployment-calicoctl-utility.yaml +++ b/calicoctl-utility/templates/deployment-calicoctl-utility.yaml @@ -141,6 +141,10 @@ spec: mountPath: /usr/local/bin/calicoctl-utility-rootwrap subPath: calicoctl-utility-rootwrap readOnly: true + - name: calicoctl-utility-bin + mountPath: /tmp/override-oslo-rootwrap-logging.sh + subPath: override-oslo-rootwrap-logging.sh + readOnly: true - name: calicoctl-utility-sudoers mountPath: /etc/sudoers.d/nobody subPath: utilscli-sudo diff --git a/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl b/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl index 6dbcf34f..74cf1b05 100644 
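Review bot: The new `/tmp/override-oslo-rootwrap-logging.sh` entry follows the `SETENV:` tag at the head of the list, and sudoers tags carry over to later commands, so `nobody` can choose the environment of a root shell script that finds `sed` through `PATH`. I would give the entry its own tag and a root-owned location, `nobody ALL=NOPASSWD: NOSETENV: /usr/local/bin/override-oslo-rootwrap-logging.sh, \` followed by `SETENV: /usr/bin/socat -d -v -s -t0 -T0 -u \`, and call sed by absolute path in the script. The `/tmp` path is acceptable only while the read-only ConfigMap mount added in `deployment-calicoctl-utility.yaml` is present; mounting it beside `/usr/local/bin/calicoctl-utility-rootwrap` removes that dependency. Whether the remaining entries need `SETENV:` cannot be told from this hunk, so confirm before narrowing them.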
--- a/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl +++ b/ceph-utility/templates/bin/utility/_ceph-utility-rootwrap.tpl @@ -29,7 +29,7 @@ facility = {{ .Values.conf.cephrootwrap.DEFAULT.syslog_log_facility | quote }} if "AUSER" in os.environ: user_id = os.environ["AUSER"] elif {{ .Values.conf.utility.always_log_user | quote }} == 'true': - user_id = os.environ["AUSER"] + user_id = 'development site' else: print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.") exit()
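Review bot: When `always_log_user` renders as 'true', the `elif` branch now admits a session with no `AUSER` and logs every action under the constant `'development site'`, so those commands can no longer be attributed to a person and the `else` restriction is never reached. The value name reads as the opposite of that behaviour, so the branch needs a comment such as `# always_log_user=true: AUSER is optional; actions are logged under a shared placeholder identity (non-production only)`. The default in `values.yaml` is not visible here and should be confirmed to be false. A placeholder that cannot be mistaken for a real account, plus a log line when the fallback is taken, would make these sessions easy to spot in review. The commit subject mentions only calicoctl while this hunk changes ceph-utility, and the script continues outside the hunk.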