Ensure that permissions are permissible enough for the rsyslog container

The rsyslog container is unable to read the log files produced by the
other containers due to permissions issues and inconsistant user:group
ownership and user:group presence between containers.

The simplest way of dealing with this is to ensure that the log
directory allows read and traversal rights for all users.

This patch ensures that the log directory is always created by the
container_common role for containers.

This patch also add the processing of swift logs to logstash. The
template was always there, but had no task which deployed it.

Change-Id: I6ec12b2f2302e0cffc2a36096d38cb85e4b3ab04
Closes-Bug: #1407633
Related-Bug: #1403890

rpc_deployment/inventory/group_vars/cinder_all.yml

@@ -69,7 +69,7 @@ service_names:
   - cinder-volume
 
 container_directories:
-  - { name: /var/log/cinder }
+  - { name: /var/log/cinder, mode: 755 }
   - { name: /var/lib/cinder }
   - { name: /var/lib/cinder/volumes }
   - { name: /etc/cinder }

rpc_deployment/inventory/group_vars/elasticsearch.yml

@@ -21,3 +21,7 @@ verbose: True
 
 container_lvm_fstype: ext4
 container_lvm_fssize: 5GB
+
+# Directories to create
+container_directories:
+  - { name: /var/log/elasticsearch, mode: 755 }

rpc_deployment/inventory/group_vars/galera.yml

@@ -33,3 +33,7 @@ service_pip_dependencies:
   - MySQL-python
   - python-memcached
   - pycrypto
+
+# Directories to create
+container_directories:
+  - { name: '/var/log/mysql', mode: 755 }

rpc_deployment/inventory/group_vars/glance_all.yml

@@ -71,7 +71,7 @@ service_names:
 flavor: "keystone+cachemanagement"
 
 container_directories:
-   - { name: /var/log/glance }
+   - { name: /var/log/glance, mode: 755 }
    - { name: /var/lib/glance }
    - { name: /var/lib/glance/cache }
    - { name: /var/lib/glance/cache/api }

rpc_deployment/inventory/group_vars/heat_all.yml

@@ -69,4 +69,4 @@ container_directories:
    - { name: /etc/heat/templates }
    - { name: /var/cache/heat }
    - { name: /var/lib/heat }
-   - { name: /var/log/heat }
+   - { name: /var/log/heat, mode: 755 }

rpc_deployment/inventory/group_vars/horizon.yml

@@ -49,6 +49,7 @@ horizon_help_url: http://docs.rackspace.com/rpc/api/v9/rpc-faq-v9/content/rpc-co
 install_lib_dir: /usr/local/lib/python2.7/dist-packages
 
 container_directories:
+  - { name: /var/log/horizon, mode: 755 }
   - { name: /etc/horizon }
   - { name: /var/lib/horizon }
   - { name: /usr/local/lib/python2.7/dist-packages/static }

rpc_deployment/inventory/group_vars/keystone_all.yml

@@ -66,5 +66,5 @@ container_directories:
   - { name: /etc/keystone }
   - { name: /etc/keystone/ssl }
   - { name: /var/lib/keystone }
-  - { name: /var/log/keystone }
+  - { name: /var/log/keystone, mode: 755 }
   - { name: /var/www/cgi-bin/keystone, mode: 755 }

rpc_deployment/inventory/group_vars/kibana.yml

@@ -29,3 +29,7 @@ kibana_fqdn: "{{ external_vip_address }}"
 kibana_server_name: "{{ container_name }}"
 kibana_self_signed: true
 kibana_ssl_port: 8443
+
+# Directories to create
+container_directories:
+  - { name: /var/log/kibana, mode: 755 }

rpc_deployment/inventory/group_vars/logstash.yml

@@ -28,3 +28,7 @@ container_lvm_fssize: 5GB
 # Change this with caution, anything other than 1 will currently
 # break multiline filtering
 logstash_workers: 1
+
+# Directories to create
+container_directories:
+  - { name: /var/log/logstash, mode: 755 }

rpc_deployment/inventory/group_vars/memcached.yml

@@ -18,3 +18,7 @@ service_name: memcached
 # only used when the lxc vg is present on the target
 container_lvm_fstype: ext4
 container_lvm_fssize: 5GB
+
+# Directories to create
+container_directories:
+  - { name: '/var/log/memcached', mode: 755 }

rpc_deployment/inventory/group_vars/neutron_all.yml

@@ -84,5 +84,5 @@ container_directories:
   - { name: /var/lib/neutron, mode: 755 }
   - { name: /var/lib/neutron/ha_confs }
   - { name: /var/lock/neutron }
-  - { name: /var/log/neutron }
+  - { name: /var/log/neutron, mode: 755 }
   - { name: /var/run/neutron }

rpc_deployment/inventory/group_vars/nova_all.yml

@@ -87,7 +87,7 @@ nova_scheduler_max_attempts: 5
 nova_scheduler_weight_classes: nova.scheduler.weights.all_weighers
 
 container_directories:
-   - { name: /var/log/nova, skip_group: nova_compute }
+   - { name: /var/log/nova, mode: 755, skip_group: nova_compute }
    - { name: /var/lib/nova, mode: 755 }
    - { name: /var/lib/nova/instances, mode: 755 }
    - { name: /var/lib/nova/cache }

rpc_deployment/inventory/group_vars/rabbit.yml

@@ -24,3 +24,6 @@ enable_management_plugin: true
 
 rabbit_cluster_name: rpc
 
+# Directories to create
+container_directories:
+  - { name: '/var/log/rabbitmq', mode: 755 }

rpc_deployment/playbooks/infrastructure/galera-post-config.yml

@@ -17,9 +17,3 @@
   user: root
   roles:
     - galera_setup
-
-- hosts: galera
-  user: root
-  roles:
-    - galera_post_config
-

rpc_deployment/roles/container_common/tasks/container_user_create.yml

@@ -25,6 +25,7 @@
     name: "{{ system_user }}"
     shell: "/bin/false"
     group: "{{ system_group }}"
+    groups: adm
     home: "/var/lib/{{ system_user }}"
     system: "yes"
     createhome: "yes"

rpc_deployment/roles/galera_post_config/tasks/main.yml

@@ -1,25 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Ensure permissions on Log dir make it readable by syslog
-  file:
-    path: "{{ item.path }}"
-    state: "directory"
-    group: "{{ item.owner }}"
-    owner: "{{ item.owner }}"
-    mode: "0755"
-    recurse: "true"
-  with_items:
-    - { path: '/var/log/mysql/', owner: 'mysql' }

rpc_deployment/roles/logstash/tasks/main.yml

@@ -28,6 +28,7 @@
     - 05-cinder.conf
     - 06-nova.conf
     - 07-sqlalchemy.conf
+    - 08-swift.conf
     - 09-apache.conf
     - 10-mysql.conf
     - 11-neutron.conf

rpc_deployment/roles/swift_common/tasks/log_setup.yml

@@ -18,7 +18,7 @@
     path: "{{ item }}"
     state: "directory"
     owner: "syslog"
-    group: "syslog"
+    group: "adm"
   with_items:
     - /var/log/swift
     - /openstack/log/{{ inventory_hostname }}

rpc_deployment/roles/swift_common/templates/swift-rsyslog.conf.j2

@@ -5,6 +5,11 @@
 #$template HourlyProxyLog,"/openstack/log/{{ inventory_hostname }}/hourly/%$YEAR%%$MONTH%%$DAY%%$HOUR%"
 #local1.*;local1.!notice ?HourlyProxyLog
 
+# Even if rsyslog is a member of the adm group, rsyslogd cannot read the
+# account/container/object logs. To work around this we need to ensure that
+# the logs are readable by all users.
+$FileCreateMode 0644
+
 local1.*;local1.!notice /var/log/swift/proxy.log
 local1.notice           /var/log/swift/proxy-error.log
 local1.*                ~
@@ -20,3 +25,6 @@ local3.*                ~
 local4.*;local4.!notice /openstack/log/{{ inventory_hostname }}/object.log
 local4.notice           /openstack/log/{{ inventory_hostname }}/object-error.log
 local4.*                ~
+
+# Set the file create mode back to the default
+$FileCreateMode 0640