Add fixes to user logging in calicoctl utility container logs

Change-Id: If50de7431166764b7a6e75e836ffa6956637e4d7
This commit is contained in:
Luna Das 2019-08-28 17:07:13 +05:30
parent 37e7008675
commit 3a1b842802
6 changed files with 37 additions and 2 deletions

View File

@ -15,4 +15,5 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
sudo /tmp/override-oslo-rootwrap-logging.sh
exec sudo socat -d -v -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout exec sudo socat -d -v -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout

View File

@ -0,0 +1,26 @@
#!/bin/sh
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
These lines will disable extra handler, extra formatter, extra level to the
root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
These lines will get rid of duplicate logs, generated because of the formatter
attached by oslo-rootwrap.
*/}}
sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py

View File

@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -v -s -t0 -T0 -u \ nobody ALL=SETENV: NOPASSWD: /tmp/override-oslo-rootwrap-logging.sh, \
/usr/bin/socat -d -v -s -t0 -T0 -u \
UNIX-RECV\:/dev/log\,reuseaddr stdout, \ UNIX-RECV\:/dev/log\,reuseaddr stdout, \
/usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf *, \ /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf *, \
/usr/local/bin/calicoctl version /usr/local/bin/calicoctl version

View File

@ -25,6 +25,9 @@ data:
image-repo-sync.sh: | image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
override-oslo-rootwrap-logging.sh: |
{{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
calicoctl-utility-rootwrap: | calicoctl-utility-rootwrap: |
{{ tuple "bin/_calicoctl-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_calicoctl-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}

View File

@ -141,6 +141,10 @@ spec:
mountPath: /usr/local/bin/calicoctl-utility-rootwrap mountPath: /usr/local/bin/calicoctl-utility-rootwrap
subPath: calicoctl-utility-rootwrap subPath: calicoctl-utility-rootwrap
readOnly: true readOnly: true
- name: calicoctl-utility-bin
mountPath: /tmp/override-oslo-rootwrap-logging.sh
subPath: override-oslo-rootwrap-logging.sh
readOnly: true
- name: calicoctl-utility-sudoers - name: calicoctl-utility-sudoers
mountPath: /etc/sudoers.d/nobody mountPath: /etc/sudoers.d/nobody
subPath: utilscli-sudo subPath: utilscli-sudo

View File

@ -29,7 +29,7 @@ facility = {{ .Values.conf.cephrootwrap.DEFAULT.syslog_log_facility | quote }}
if "AUSER" in os.environ: if "AUSER" in os.environ:
user_id = os.environ["AUSER"] user_id = os.environ["AUSER"]
elif {{ .Values.conf.utility.always_log_user | quote }} == 'true': elif {{ .Values.conf.utility.always_log_user | quote }} == 'true':
user_id = os.environ["AUSER"] user_id = 'development site'
else: else:
print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.") print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.")
exit() exit()