subject:"Bug#925353\: \[Pkg\-linaro\-lava\-devel\] Bug#925353\: lava\-server\: logrotate complains about \"parent directory has insecure permissions\""

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

2019-03-30 Thread Steve McIntyre

On Thu, Mar 28, 2019 at 06:01:38PM +0100, Andreas Beckmann wrote:
>On 2019-03-28 17:31, Steve McIntyre wrote:
>> I'm a little bit at a loss to see what's causing it... :-/
>
>I tried to normalize the logs (remove timestamps, tmpdir and everything
>before the dist-upgrade to buster) and then diff them to find this:
>
>@@ -6631,10 +6227,9 @@
>  INFO: Package lava-server contains logrotate file: 
> /etc/logrotate.d/lava-master-log
>  INFO: Package lava-server contains logrotate file: 
> /etc/logrotate.d/lava-publisher-log
>  INFO: Package lava-server contains logrotate file: 
> /etc/logrotate.d/lava-server-gunicorn-log
>- INFO: Package lava-server contains logrotate file: 
>/etc/logrotate.d/lava-server-uwsgi-log
>  DEBUG: Starting command: ['chroot', '<>', 'dpkg-query', '-W', '-f', 
> '${Status}\\t${binary:Package}\\t${Package}\\t${Version}\\n']
>
>and further up:
>
>@@ -5953,11 +5600,6 @@
>  DEBUG: Command ok: ['adequate', '--root', '<>', 'lava-server']
>  ERROR: WARN: Inadequate results from running adequate!
>   lava-server: broken-symlink /usr/share/lava-server/static/docs -> 
> ../../doc/lava-server-doc/html
>-  lava-server: obsolete-conffile /etc/logrotate.d/lava-server-uwsgi-log
>-  lava-server: obsolete-conffile /etc/lava-server/lava-server.wsgi
>-  lava-server: obsolete-conffile /etc/lava-server/debug.wsgi
>-  lava-server: obsolete-conffile /etc/lava-server/uwsgi.ini
>-  lava-server: obsolete-conffile /etc/lava-server/uwsgi.reload
>   lava-server: obsolete-conffile /etc/logrotate.d/lava-scheduler-log
>   lava-server: obsolete-conffile /etc/lava-server/lava-server-gunicorn.service
>   lava-server: obsolete-conffile 
> /etc/lava-server/dispatcher-config/device-types/nxp-k64f.jinja2
>@@ -5975,11 +5617,6 @@
>  DEBUG: Command ok: ['chroot', '<>', 
> 'tmp/scripts/pre_remove_40_find_missing_md5sums']
>  DEBUG: Starting command: ['chroot', '<>', 
> 'tmp/scripts/pre_remove_40_find_obsolete_conffiles']
>  DUMP:
>-  OBSOLETE CONFFILE /etc/logrotate.d/lava-server-uwsgi-log REGISTERED BY 
>lava-server
>-  OBSOLETE CONFFILE /etc/lava-server/lava-server.wsgi REGISTERED BY 
>lava-server
>-  OBSOLETE CONFFILE /etc/lava-server/debug.wsgi REGISTERED BY lava-server
>-  OBSOLETE CONFFILE /etc/lava-server/uwsgi.ini REGISTERED BY lava-server
>-  OBSOLETE CONFFILE /etc/lava-server/uwsgi.reload REGISTERED BY lava-server
>   OBSOLETE CONFFILE /etc/logrotate.d/lava-scheduler-log REGISTERED BY 
> lava-server (MISSING)
>   OBSOLETE CONFFILE /etc/lava-server/lava-server-gunicorn.service REGISTERED 
> BY lava-server
>   OBSOLETE CONFFILE 
> /etc/lava-server/dispatcher-config/device-types/nxp-k64f.jinja2 REGISTERED BY 
> lava-server
>
>So you have a lot of conffile cruft stemming from both jessie and stretch ...
>debian/lava-server.maintscript will be your friend :-)

ACK!

>We have the data already:
>https://piuparts.debian.org/stretch2buster/obsolete_conffiles_issue.html
>Someone needs to start filing bugs ... obsolete conffiles will bite you in the 
>future :-)

Nod, time to start cleaning up some of the old conffiles.

Thanks for the help with tracking this down - it's really appreciated!

-- 
Steve McIntyresteve.mcint...@linaro.org
 Linaro.org | Open source software for ARM SoCs

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

2019-03-28 Thread Andreas Beckmann

On 2019-03-28 17:31, Steve McIntyre wrote:
> I'm a little bit at a loss to see what's causing it... :-/

I tried to normalize the logs (remove timestamps, tmpdir and everything
before the dist-upgrade to buster) and then diff them to find this:

@@ -6631,10 +6227,9 @@
  INFO: Package lava-server contains logrotate file: 
/etc/logrotate.d/lava-master-log
  INFO: Package lava-server contains logrotate file: 
/etc/logrotate.d/lava-publisher-log
  INFO: Package lava-server contains logrotate file: 
/etc/logrotate.d/lava-server-gunicorn-log
- INFO: Package lava-server contains logrotate file: 
/etc/logrotate.d/lava-server-uwsgi-log
  DEBUG: Starting command: ['chroot', '<>', 'dpkg-query', '-W', '-f', 
'${Status}\\t${binary:Package}\\t${Package}\\t${Version}\\n']

and further up:

@@ -5953,11 +5600,6 @@
  DEBUG: Command ok: ['adequate', '--root', '<>', 'lava-server']
  ERROR: WARN: Inadequate results from running adequate!
   lava-server: broken-symlink /usr/share/lava-server/static/docs -> 
../../doc/lava-server-doc/html
-  lava-server: obsolete-conffile /etc/logrotate.d/lava-server-uwsgi-log
-  lava-server: obsolete-conffile /etc/lava-server/lava-server.wsgi
-  lava-server: obsolete-conffile /etc/lava-server/debug.wsgi
-  lava-server: obsolete-conffile /etc/lava-server/uwsgi.ini
-  lava-server: obsolete-conffile /etc/lava-server/uwsgi.reload
   lava-server: obsolete-conffile /etc/logrotate.d/lava-scheduler-log
   lava-server: obsolete-conffile /etc/lava-server/lava-server-gunicorn.service
   lava-server: obsolete-conffile 
/etc/lava-server/dispatcher-config/device-types/nxp-k64f.jinja2
@@ -5975,11 +5617,6 @@
  DEBUG: Command ok: ['chroot', '<>', 
'tmp/scripts/pre_remove_40_find_missing_md5sums']
  DEBUG: Starting command: ['chroot', '<>', 
'tmp/scripts/pre_remove_40_find_obsolete_conffiles']
  DUMP:
-  OBSOLETE CONFFILE /etc/logrotate.d/lava-server-uwsgi-log REGISTERED BY 
lava-server
-  OBSOLETE CONFFILE /etc/lava-server/lava-server.wsgi REGISTERED BY lava-server
-  OBSOLETE CONFFILE /etc/lava-server/debug.wsgi REGISTERED BY lava-server
-  OBSOLETE CONFFILE /etc/lava-server/uwsgi.ini REGISTERED BY lava-server
-  OBSOLETE CONFFILE /etc/lava-server/uwsgi.reload REGISTERED BY lava-server
   OBSOLETE CONFFILE /etc/logrotate.d/lava-scheduler-log REGISTERED BY 
lava-server (MISSING)
   OBSOLETE CONFFILE /etc/lava-server/lava-server-gunicorn.service REGISTERED 
BY lava-server
   OBSOLETE CONFFILE 
/etc/lava-server/dispatcher-config/device-types/nxp-k64f.jinja2 REGISTERED BY 
lava-server

So you have a lot of conffile cruft stemming from both jessie and stretch ...
debian/lava-server.maintscript will be your friend :-)

We have the data already:
https://piuparts.debian.org/stretch2buster/obsolete_conffiles_issue.html
Someone needs to start filing bugs ... obsolete conffiles will bite you in the 
future :-)

Andreas

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

2019-03-28 Thread Steve McIntyre

On Wed, Mar 27, 2019 at 01:30:22AM +0100, Andreas Beckmann wrote:
>On 2019-03-26 16:56, Steve McIntyre wrote:
>> That sounds like a weird way to fix what's claimed to be a permissions
>> problem in the log. Or is this just a bad error message from logrotate?
>> 
>> And checking - the logrotate file in question already has 'missingok'
>> spceified.
>
>That is the first time I encountered this strange error. The missing 
>'missingok' was just the most popular (i.e. only) cause for logrotate 
>failures so far.

ACK...

>>> 6m50.2s ERROR: Command failed (status=1): ['chroot', 
>>> '/srv/piuparts/tmp/tmpML5ulV', '/usr/sbin/logrotate', 
>>> '/etc/logrotate.d/lava-server-uwsgi-log']
>>>  error: skipping "/var/log/lava-server/lava-uwsgi.log" because parent 
>>> directory has insecure permissions (It's world writable or writable by 
>>> group which is not "root") Set "su" directive in config file to tell 
>>> logrotate which user/group should be used for rotation.
>> 
>> I appreciate that you won't have this session around now to be able to
>> look directly, but for future reports it would be very helpful if
>> piuparts could show the logfiles and directories look like at this point.
>
>I can quite easily rerun failing tests and get a shell in the chroot to 
>collect additional information ...
>
>This is after the failure in a jessie -> stretch -> buster upgrade:
>
># ls -la /var/log/lava-server/
>total 0
>drwxrwsr-x 2 lavaserver adm   80 Mar 26 17:41 .
>drwxr-xr-x 8 root   root 320 Mar 26 17:47 ..
>-rw-rw-r-- 1 lavaserver adm0 Mar 26 17:46 django.log
>-rw-r--r-- 1 root   adm0 Mar 26 17:43 lava-scheduler.log
>
>OK, that looks like bad permission, lets look where they come from:
>I added some scripts that do 'ls -la /var/log/lava-server/' before
>and after each distupgrade, full log attached.
>The problem happens during the upgrade to buster:
>
>27m28.9s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'tmp/scripts/pre_distupgrade_zzz_debug-lava-server']
>27m28.9s DUMP: 
>  + ls -la /var/log/lava-server
>  total 0
>  drwsr-sr-x 2 root   root  80 Mar 26 23:02 .
>  drwxr-xr-x 9 root   root 340 Mar 26 23:07 ..
>  -rw-r--r-- 1 lavaserver adm0 Mar 26 23:09 django.log
>  -rw-r--r-- 1 root   adm0 Mar 26 23:07 lava-scheduler.log
>27m28.9s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'tmp/scripts/pre_distupgrade_zzz_debug-lava-server']
>27m28.9s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'apt-get', 'update']
>27m37.0s DUMP: 
>  Hit:1 http://ftp.de.debian.org/debian buster InRelease
>  Reading package lists...
>27m37.0s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'apt-get', 'update']
>27m37.0s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'apt-get', '-yf', 'dist-upgrade']
>[...]
>44m48.3s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'tmp/scripts/post_distupgrade_000_debug-lava-server']
>44m48.3s DUMP: 
>  + ls -la /var/log/lava-server
>  total 0
>  drwxrwsr-x 2 lavaserver adm   80 Mar 26 23:02 .
>  drwxr-xr-x 9 root   root 340 Mar 26 23:07 ..
>  -rw-rw-r-- 1 lavaserver adm0 Mar 26 23:26 django.log
>  -rw-r--r-- 1 root   adm0 Mar 26 23:07 lava-scheduler.log
>44m48.3s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpgfr9HI', 
>'tmp/scripts/post_distupgrade_000_debug-lava-server']
>
>
>and now doing the same with starting in stretch (not jessie) and upgrading to 
>buster
>
>24m14.0s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'tmp/scripts/pre_distupgrade_zzz_debug-lava-server']
>24m14.1s DUMP:
>  + ls -la /var/log/lava-server
>  total 0
>  drwsr-sr-x 2 root   root  80 Mar 26 23:49 .
>  drwxr-xr-x 8 root   root 300 Mar 26 23:46 ..
>  -rw-r--r-- 1 lavaserver adm0 Mar 26 23:59 django.log
>  -rw-r--r-- 1 root   adm0 Mar 26 23:49 lava-scheduler.log
>24m14.1s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'tmp/scripts/pre_distupgrade_zzz_debug-lava-server']
>24m14.1s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'apt-get', 'update']
>24m35.1s DUMP:
>  Hit:1 http://ftp.de.debian.org/debian buster InRelease
>  Reading package lists...
>24m35.1s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'apt-get', 'update']
>24m35.1s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'apt-get', '-yf', 'dist-upgrade']
>[...]
>33m44.0s DEBUG: Starting command: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2', 
>'tmp/scripts/post_distupgrade_000_debug-lava-server']
>33m44.0s DUMP: 
>  + ls -la /var/log/lava-server
>  total 0
>  drwxrwsr-x 2 lavaserver adm   80 Mar 26 23:49 .
>  drwxr-xr-x 8 root   root 300 Mar 26 23:46 ..
>  -rw-rw-r-- 1 lavaserver adm0 Mar 27 00:15 django.log
>  -rw-r--r-- 1 root   adm0 Mar 26 23:49 lava-scheduler.log
>33m44.0s DEBUG: Command ok: ['chroot', '/srv/piuparts/tmp/tmpS7TOc2',

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

2019-03-26 Thread Steve McIntyre

Hi Andreas,

On Sat, Mar 23, 2019 at 05:04:56PM +0100, Andreas Beckmann wrote:
>Package: lava-server
>Version: 2019.01-4
>Severity: serious
>User: debian...@lists.debian.org
>Usertags: piuparts
>Control: found -1 2014.09.1-1+deb8u1
>
>Hi,
>
>during a test with piuparts I noticed your package's logrotate
>configuration causes logrotate to exit with an error after the package
>has been removed (*) or when logrote is run but no logfile exists.
>
>Usually the solution is to specify 'missingok' in the logrotate
>configuration.

That sounds like a weird way to fix what's claimed to be a permissions
problem in the log. Or is this just a bad error message from logrotate?

And checking - the logrotate file in question already has 'missingok'
spceified.

>*) logrotate configuration files remain installed and executed after a
>package has been removed, they only get removed when the package is
>purged.
>
>From the attached log (scroll to the bottom...):
>
>6m50.2s ERROR: Command failed (status=1): ['chroot', 
>'/srv/piuparts/tmp/tmpML5ulV', '/usr/sbin/logrotate', 
>'/etc/logrotate.d/lava-server-uwsgi-log']
>  error: skipping "/var/log/lava-server/lava-uwsgi.log" because parent 
> directory has insecure permissions (It's world writable or writable by group 
> which is not "root") Set "su" directive in config file to tell logrotate 
> which user/group should be used for rotation.

I appreciate that you won't have this session around now to be able to
look directly, but for future reports it would be very helpful if
piuparts could show the logfiles and directories look like at this point.

Steve McIntyresteve.mcint...@linaro.org
 Linaro.org | Open source software for ARM SoCs

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

Bug#925353: [Pkg-linaro-lava-devel] Bug#925353: lava-server: logrotate complains about "parent directory has insecure permissions"

4 matches

Site Navigation

Mail list logo

Footer information