fix: update permissions for logging directories in /var
Fixes #9630

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 7f3aaa2)
smira committed Nov 13, 2024
1 parent 5044a41 commit 8c193c8
Showing 1 changed file with 46 additions and 8 deletions.
@@ -887,20 +887,58 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string
return err
}

for _, p := range []string{"/var/log/audit", "/var/log/containers", "/var/log/pods", "/var/lib/kubelet", "/var/run/lock", constants.SeccompProfilesDirectory} {
if err := os.MkdirAll(p, 0o700); err != nil {
for _, dir := range []struct {
Path string
Mode os.FileMode
UID, GID int
}{
{
Path: "/var/log",
Mode: 0o755,
},
{
Path: "/var/log/audit",
Mode: 0o700,
},
{
Path: "/var/log/containers",
Mode: 0o755,
},
{
Path: "/var/log/pods",
Mode: 0o755,
},
{
Path: "/var/lib/kubelet",
Mode: 0o700,
},
{
Path: "/var/run/lock",
Mode: 0o755,
},
{
Path: constants.SeccompProfilesDirectory,
Mode: 0o700,
},
{
Path: constants.KubernetesAuditLogDir,
Mode: 0o700,
UID: constants.KubernetesAPIServerRunUser,
GID: constants.KubernetesAPIServerRunGroup,
},
} {
if err := os.MkdirAll(dir.Path, dir.Mode); err != nil {
return err
}
}

// Handle Kubernetes directories which need different ownership
for _, p := range []string{constants.KubernetesAuditLogDir} {
if err := os.MkdirAll(p, 0o700); err != nil {
if err := os.Chmod(dir.Path, dir.Mode); err != nil {
return err
}

if err := os.Chown(p, constants.KubernetesAPIServerRunUser, constants.KubernetesAPIServerRunGroup); err != nil {
return fmt.Errorf("failed to chown %s: %w", p, err)
if dir.UID != 0 || dir.GID != 0 {
if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil {
return err
}
}
}
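Review bot: The `if dir.UID != 0 || dir.GID != 0` guard at the end of the loop means ownership is only ever set for the one entry with a non-root owner, so a directory that already exists under /var with an unexpected owner keeps that owner while the new `os.Chmod` resets only its mode. For the 0o700 entries (`/var/log/audit`, `/var/lib/kubelet`, `constants.SeccompProfilesDirectory`) the mode restricts access only if the owner is the expected one, so I would drop the guard and call `if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil { return err }` for every entry, with the zero value meaning root. A short comment on the struct such as `// zero UID/GID means root-owned` would make that convention explicit. Separately, `os.Chmod` and `os.Chown` follow symlinks; whether anything other than root can create entries at these paths is not visible from this hunk, but if it can, checking with `os.Lstat` that the path is a real directory before changing it would be worth adding. The body of SetupVarDirectory starts and ends outside the hunk.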
