On 08/27/2014 02:55 AM, Lennart Poettering wrote:
> On Tue, 26.08.14 15:43, WaLyong Cho (walyong....@samsung.com) wrote:
>
>> There is no Before= or After= dependency between
>> systemd-journald.service and systemd-tmpfiles-setup.service. So if both
>> "/run/log/journal" and "/var/log/journal" do not exist then those can
>> be made as root:root and also its ids directory and journal files. To
>> make sure, do chown systemd-journal group to journal directories and
>> files.
>
> Hmm? /run/log/journal will be recursively updated, and /var/log/journal
> is not created by journald ever, but only by tmpfiles, which uses g+s to
> ensure all files that will be created have the right owner from the
> beginning.
>

I hope you test like me. Set *Storage=persistent* in journald.conf and
remove (back it up to somewhere else) "/var/log/journal" and restart. Then
maybe you can see like me:

[walyong@laptop ~]$ ls -alh /var/log/journal/9017c5267dfb4ec1869084165173ecb6/
total 16M
drwxr-sr-x  1 root systemd-journal   62 Aug 29 21:48 .
drwxr-sr-x  1 root systemd-journal   64 Aug 29 21:47 ..
-rw-r-----  1 root root            8.0M Aug 29 21:53 system.journal
-rw-r-----+ 1 root root            8.0M Aug 29 21:53 user-1000.journal
[walyong@laptop system]$ systemctl status systemd-tmpfiles-setup.service
● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
   Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-setup.service; static)
   Active: active (exited) since Fri 2014-08-29 21:48:43 KST; 6min ago
     Docs: man:tmpfiles.d(5)
           man:systemd-tmpfiles(8)
  Process: 482 ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=0/SUCCESS)
 Main PID: 482 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/systemd-tmpfiles-setup.service

After this, we can NOT read system.journal until the journal file is
rotated (a newly generated system.journal will have root:systemd-journal
permission) even if we HAVE systemd-journal group permission. Am I wrong?

>> +static int chown_group_systemd_journal(const char *path) {
>> +int r;
>> +gid_t gid;
>> +_cleanup_free_ char *journal_group = NULL;
>> +
>> +r = in_group("systemd-journal");
>> +if (r < 0)
>> +return r;
>> +
>> +r = access(path, F_OK);
>> +if (r < 0)
>> +return -errno;
>> +
>> +r = asprintf(&journal_group, "systemd-journal");
>> +if (r < 0)
>> +return -ENOMEM;
>> +
>> +r = get_group_creds((const char **)&journal_group, &gid);
>> +if (r < 0)
>> +return r;
>
> We cannot do this. This internally invokes getpwent() which is an NSS
> call. NSS calls might end up being IPC calls to some external daemon,
> which might want to log, back into journald. This hence means we'd have
> a cyclic dependency.
>
> journald is not allowed to *ever* do NSS calls (and neither is PID 1
> actually). We must apply the ownership from the outside via tmpfiles or
> so hence.
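Review bot: in the quoted hunk the result of in_group("systemd-journal") is only tested for r < 0; the r == 0 case (the calling process is not in the group) falls through and the function carries on as if membership were confirmed, so either return early on r == 0 or drop the call, which also removes one group-name lookup from the path. The asprintf() of the constant "systemd-journal" into a heap buffer exists only to satisfy the const char ** parameter of get_group_creds(); a `const char *journal_group = "systemd-journal";` passed as `&journal_group` avoids the allocation, the cast and the -ENOMEM branch. The access(path, F_OK) probe also deserves a comment on why it is needed before the ownership change, since whatever follows it will fail with its own errno if the path is gone.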
>
> Lennart
>

WaLyong
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
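The thread turns on what tmpfiles is expected to leave behind: a journal directory with the setgid bit so that every file created inside inherits the systemd-journal group, versus a tree that journald created itself as root:root, which is unreadable to group members until the files rotate. The following bash audit is an added example, not code from the thread or from systemd; it walks a journal directory and reports any entry whose group differs from the expected one and any directory missing the setgid bit, so the condition WaLyong's ls output shows can be detected before anyone notices missing logs. It assumes GNU stat and find (the -c and -print0 options), and the demo function constructs its own temporary tree instead of touching /var/log/journal.

```shell
#!/usr/bin/env bash
# Added example (not from the systemd-devel thread or from systemd):
# audit a journal directory for the ownership layout tmpfiles is supposed
# to produce. Assumes GNU coreutils stat(1) and GNU find(1).
set -u

# audit_journal_dir DIR GROUP
# Prints one finding per line. Returns 0 when every entry below DIR is owned
# by GROUP and every directory carries the setgid bit, 1 otherwise.
audit_journal_dir() {
    local dir="$1" group="$2"
    # The pipe runs the loop in a subshell, so the final test inside the
    # braces is what decides the function's exit status.
    find "$dir" -print0 | {
        local findings=0 path grp mode
        while IFS= read -r -d '' path; do
            grp=$(stat -c '%G' "$path")   # group name, e.g. systemd-journal
            mode=$(stat -c '%A' "$path")  # symbolic mode, e.g. drwxr-sr-x
            if [ "$grp" != "$group" ]; then
                printf 'wrong group %s (want %s): %s\n' "$grp" "$group" "$path"
                findings=1
            fi
            # In the symbolic mode the group-execute slot (index 6) shows
            # 's' or 'S' when the setgid bit is set on a directory.
            if [ -d "$path" ]; then
                case "${mode:6:1}" in
                    s|S) ;;
                    *) printf 'missing setgid: %s\n' "$path"; findings=1 ;;
                esac
            fi
        done
        [ "$findings" -eq 0 ]
    }
}

# demo_journald_created_tree
# Constructs a throwaway tree the way a daemon's plain mkdir()/open() would
# leave it (no setgid bit, default group) and audits it against a group name
# that is deliberately not the tree's own, mirroring the root:root case in
# the thread. Returns the audit status (1 = findings, as expected here).
demo_journald_created_tree() {
    local tmp status
    tmp=$(mktemp -d)
    mkdir "$tmp/journal"                      # constructed sample, no g+s
    : > "$tmp/journal/system.journal"         # constructed sample file
    audit_journal_dir "$tmp/journal" "expected-journal-group" >/dev/null
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage: ./journal-audit.sh /var/log/journal [systemd-journal]
if [ -n "${1:-}" ]; then
    audit_journal_dir "$1" "${2:-systemd-journal}"
fi
```

On a host where the thread's symptom is present, the audit lists system.journal and user-*.journal as "wrong group root (want systemd-journal)" while the directory itself passes, which is exactly the mixed state in the ls listing above; the remedy Lennart points to is applying ownership from outside journald, through tmpfiles and the setgid directory, not a chown from inside the daemon.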