Bug#925929: LogsDirectory vs. group adm

2019-04-01 Thread Thorsten Glaser
On Mon, 1 Apr 2019, Felipe Sateler wrote:

> Thanks for linking to the full file. I had not noticed that the unit used a
> specific User. This means a root-owned /var/log/tomcat9 is not going to be
> writable by tomcat. You should probably set it to tomcat9:adm, or add an

Oops, yes, tomcat:adm is correct (the user got renamed
from tomcat8 to tomcat).

> Additionally, you might want to add `RequiresMountsFor=/var/log/tomcat9
> /var/lib/tomcat9`, in case the admin has moved those dirs to a separate
> mount.

Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

**

With the tarent Academy we also offer training and courses in the areas of
software development, agile working and future technologies.

Visit us at www.tarent.de/academy. We look forward to hearing from you.

**



Bug#925929: LogsDirectory vs. group adm

2019-04-01 Thread Felipe Sateler
Hi,

On Mon, Apr 1, 2019 at 8:36 AM Thorsten Glaser wrote:

> Hi again Felipe,
>
> > If you ship this, there is no need for a LogsDirectory= entry.
>
> But I probably do need to add it with ReadWritePaths if we use
> ProtectSystem=strict, correct?
>

Correct.

> https://salsa.debian.org/java-team/tomcat9/commit/5556481b345049f32720e20d22a072ebd9b865fa

Thanks for linking to the full file. I had not noticed that the unit used a
specific User. This means a root-owned /var/log/tomcat9 is not going to be
writable by tomcat. You should probably set it to tomcat9:adm, or add an
appropriate acl (tmpfiles can do it with a `a+` line).

Additionally, you might want to add `RequiresMountsFor=/var/log/tomcat9
/var/lib/tomcat9`, in case the admin has moved those dirs to a separate
mount.


-- 

Saludos,
Felipe Sateler


Bug#925929: LogsDirectory vs. group adm

2019-04-01 Thread Thorsten Glaser
Hi again Felipe,

> If you ship this, there is no need for a LogsDirectory= entry.

But I probably do need to add it with ReadWritePaths if we use
ProtectSystem=strict, correct?

https://salsa.debian.org/java-team/tomcat9/commit/5556481b345049f32720e20d22a072ebd9b865fa

Thanks,
//mirabilos



Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Thorsten Glaser
On Fri, 29 Mar 2019, Felipe Sateler wrote:

> It might be a good idea to store that script somewhere else (possibly
> /usr/lib/tomcat9 ?) and call it from the init script. As the script gets

Indeed… the systemd unit calls the scripts from /usr/libexec/tomcat9/
(which is the currently recommended location for such things, as they
are not libraries, nor normal commands) already, and I’m almost sure
I managed to figure out enough magic around start-stop-daemon to be
able to just call the same scripts the systemd unit does, so the init
script itself will be trivial enough (it does manual tmpdir setup,
which is automated by systemd, granted, but not much more than that).

Lintian teaches this, too, by the way (at least if you’re trying to
call an init script from a systemd service file *cough* which works,
if you set a special environment variable, but… let’s just say it has
a point and scripts under /usr/libexec/ are definitely better).

bye,
//mirabilos



Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Felipe Sateler
On Fri, Mar 29, 2019 at 6:12 PM Thorsten Glaser wrote:

> Hi Felipe,
>
> > > This won’t delete the logs on shutdown or something, because
> > > it’s called tmpfiles?
> >
> > No, because we don't provide the last argument (the age one):
>
> thanks!
>

Glad to help.
> > In fact, /var/log is already tmpfile'd with a similar entry:
>
> OK. I don’t run systemd, so I didn’t know and needed this info,
> as I had just fixed this for sysvinit-based systems in tomcat9,
> and found the LogsDirectory stuff in the systemd service file,
> which I’m currently transferring into an init script.
>

It might be a good idea to store that script somewhere else (possibly
/usr/lib/tomcat9 ?) and call it from the init script. As the script gets
more complex, the chance of a conffile conflict increases, as the
probability of needed modification either by the admin or the maintainer
increases.


-- 

Saludos,
Felipe Sateler


Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Thorsten Glaser
Hi Felipe,

> > This won’t delete the logs on shutdown or something, because
> > it’s called tmpfiles?
> 
> No, because we don't provide the last argument (the age one):

thanks!

> In fact, /var/log is already tmpfile'd with a similar entry:

OK. I don’t run systemd, so I didn’t know and needed this info,
as I had just fixed this for sysvinit-based systems in tomcat9,
and found the LogsDirectory stuff in the systemd service file,
which I’m currently transferring into an init script.

bye,
//mirabilos



Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Felipe Sateler
On Fri, Mar 29, 2019 at 5:17 PM Thorsten Glaser wrote:

> Hi Felipe,
>
> > You can ship a tmpfiles snippet like:
> >
> > d /var/log/tomcat9 2750 root adm -
>
> This won’t delete the logs on shutdown or something, because
> it’s called tmpfiles?
>

No, because we don't provide the last argument (the age one):

> Create a directory. The mode and ownership will be adjusted
> if specified. Contents of this directory are subject to time based
> cleanup if the age argument is specified.

https://manpages.debian.org/unstable/systemd/tmpfiles.d.5.en.html#Type

In fact, /var/log is already tmpfile'd with a similar entry:

d /var/log 0755 - - -

-- 

Saludos,
Felipe Sateler


Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Thorsten Glaser
Hi Felipe,

> You can ship a tmpfiles snippet like:
> 
> d /var/log/tomcat9 2750 root adm -

This won’t delete the logs on shutdown or something, because
it’s called tmpfiles?

> If you ship this, there is no need for a LogsDirectory= entry.

Thanks,
//mirabilos



Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Felipe Sateler
Hi Thorsten,

On Fri, Mar 29, 2019 at 1:17 PM Thorsten Glaser wrote:

> Hi,
>
> how can we make it so that a service that uses LogsDirectory
> has its logs readable by group adm?
>
> There is “LogsDirectoryMode=750” which we could change to 2750,
> but no way to set the group to adm, and from what I’ve read,
> pre-creating the /var/log/tomcat9 (in this case) as 2750 tomcat:adm
> will just make systemd chgrp it recursively?
>
> Having logs readable by group adm is customary on Debian, so how
> can this be implemented for non-sysvinit users?
You can ship a tmpfiles snippet like:

d /var/log/tomcat9 2750 root adm -

If you ship this, there is no need for a LogsDirectory= entry.

-- 

Saludos,
Felipe Sateler


Bug#925929: LogsDirectory vs. group adm

2019-03-29 Thread Thorsten Glaser
Hi,

how can we make it so that a service that uses LogsDirectory
has its logs readable by group adm?

There is “LogsDirectoryMode=750” which we could change to 2750,
but no way to set the group to adm, and from what I’ve read,
pre-creating the /var/log/tomcat9 (in this case) as 2750 tomcat:adm
will just make systemd chgrp it recursively?

Having logs readable by group adm is customary on Debian, so how
can this be implemented for non-sysvinit users?

Thanks,
//mirabilos
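The configuration this thread converges on, as an added Python checker that is not part of the bug report or of the tomcat9 package: it parses a tmpfiles.d `d` line and a unit's keys and flags the points raised above (an age field that turns on time-based cleanup, a directory owner that does not match the unit's `User=`, `ProtectSystem=strict` without the log dir in `ReadWritePaths=`, and the missing `RequiresMountsFor=`). The sample tmpfiles line and unit are constructed, `lint` and its rule wording are this checker's own, and it assumes `LogsDirectory=` values are relative to `/var/log` and that group adm plus the setgid bit is the intended ownership.

```python
import re
# Constructed sample input (not the Debian tomcat9 package's real files): the thread's
# tmpfiles.d line with the owner corrected to the service user, plus a matching unit.
TMPFILES_OK = "d /var/log/tomcat9 2750 tomcat adm -\n"
UNIT_OK = """[Unit]
RequiresMountsFor=/var/log/tomcat9 /var/lib/tomcat9
[Service]
User=tomcat
ProtectSystem=strict
ReadWritePaths=/var/log/tomcat9 /var/lib/tomcat9
"""

def parse_tmpfiles(text):
    """Map path -> (type, mode, user, group, age); omitted trailing fields count as '-'."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            f = line.split() + ["-"] * 6
            entries[f[1]] = (f[0], f[2], f[3], f[4], f[5])
    return entries

def parse_unit(text):
    """Map key -> list of space-separated values, merging repeated keys (sections ignored)."""
    keys = {}
    for m in re.finditer(r"^\s*([A-Za-z]+)=(.*)$", text, re.M):
        keys.setdefault(m.group(1), []).extend(m.group(2).split())
    return keys

def lint(tmpfiles_text, unit_text, logdir="/var/log/tomcat9"):
    """Return the problems found; an empty list means the unit and tmpfiles entry agree."""
    unit = parse_unit(unit_text)
    entry = parse_tmpfiles(tmpfiles_text).get(logdir)
    if entry is None or entry[0] != "d":
        return [f"no 'd' tmpfiles entry creates {logdir}"]
    _, mode, user, group, age = entry
    user = "root" if user == "-" else user           # '-' selects the default owner, root
    bits = int(mode, 8) if mode != "-" else 0o755    # tmpfiles' default mode for 'd'
    svc_user = unit.get("User", ["root"])[0]
    # LogsDirectory= is relative to /var/log; it and ReadWritePaths= stay writable under strict
    writable = unit.get("ReadWritePaths", []) + ["/var/log/" + d for d in unit.get("LogsDirectory", [])]
    checks = [
        (age != "-", f"age {age!r} turns on time-based cleanup of {logdir}"),
        (group != "adm" or not bits & 0o2000,
         "use group adm with the setgid bit (mode 2750) so new log files inherit the group"),
        (user != svc_user, f"{logdir} owned by {user} is not writable by User={svc_user}"),
        ("strict" in unit.get("ProtectSystem", []) and logdir not in writable,
         "ProtectSystem=strict makes the log dir read-only; list it in ReadWritePaths="),
        (logdir not in unit.get("RequiresMountsFor", []),
         "add RequiresMountsFor= in case the admin moved the log dir to its own mount"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `lint("d /var/log/tomcat9 2750 root adm -\n", UNIT_OK)` to reproduce the owner problem the thread corrected; the clean pair above returns an empty list.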