From 2ffe74a8f696b78c902cabfc8d176c5419f9aeed Mon Sep 17 00:00:00 2001
From: Cyril de Bourgues
Date: Fri, 15 Oct 2021 11:58:46 +0200
Subject: [PATCH 1/5] ensure fileowner for Swift logs
---
puppet/files/rsyslog/20-swift.conf | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 puppet/files/rsyslog/20-swift.conf
diff --git a/puppet/files/rsyslog/20-swift.conf b/puppet/files/rsyslog/20-swift.conf
new file mode 100644
index 00000000..c48688e8
--- /dev/null
+++ b/puppet/files/rsyslog/20-swift.conf
@@ -0,0 +1,18 @@
+$fileOwner swift
+
+if $programname contains 'account' then /var/log/swift/account.log
+if $programname contains 'account' then stop
+
+if $programname contains 'container' then /var/log/swift/container.log
+if $programname contains 'container' then stop
+
+if $programname contains 'object' then /var/log/swift/object.log
+if $programname contains 'object' then stop
+
+if $programname contains 'proxy' then /var/log/swift/proxy.log
+if $programname contains 'proxy' then stop
+
+if $programname contains 'swift' then /var/log/swift/swift.log
+if $programname contains 'swift' then stop
+
+$fileOwner root
-- GitLab
From 7ae69764b327fa08f0247919de905e6c243d8348 Mon Sep 17 00:00:00 2001
From: Cyril de Bourgues
Date: Fri, 15 Oct 2021 11:59:38 +0200
Subject: [PATCH 2/5] move kern-legacy to the Swift common manifest & fix rsyslog rules order
---
puppet/manifests/swiftproxy.pp | 39 +++++++++++----------------------
1 file changed, 12 insertions(+), 27 deletions(-)
diff --git a/puppet/manifests/swiftproxy.pp b/puppet/manifests/swiftproxy.pp
index 3f8fd9af..a58cc1cb 100644
--- a/puppet/manifests/swiftproxy.pp
+++ b/puppet/manifests/swiftproxy.pp
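Review bot: The new 20-swift.conf sets only `$fileOwner swift`, so the mode and group of the files rsyslog creates under /var/log/swift depend on whatever the global rsyslog.conf provides; adding `$FileCreateMode 0640` and `$FileGroup adm` after the owner line would pin them in this file rather than leaving them to distribution defaults. Making `swift` the owner also gives the service account write access to its own logs, which weakens them as an audit record if that account is ever compromised; if the daemons only need to read them, group access would be enough. The `contains 'account'`, `'object'` and `'proxy'` tests are substring matches followed by `stop`, so any other program whose name includes one of those words is diverted into these files and never reaches later rules such as a remote forwarder; a narrower test like `startswith 'swift'` would avoid that, assuming the Swift daemons all log under such names. The closing `$fileOwner root` assumes the global default owner is root, which is not visible in this patch.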
@@ -817,36 +817,21 @@ EnvironmentFile=/etc/swift/swift-proxy.enviroment", } } - package { 'swift-drive-audit': - ensure => present, - } - - file { '/etc/rsyslog.d/10-kern-legacy.conf': - ensure => present, - source => 'puppet:///modules/oci/rsyslog/10-kern-legacy.conf', - path => '/etc/rsyslog.d/10-kern-legacy.conf', - group => 'root', - owner => 'root', - mode => '0644', - require => [Package['rsyslog']], + # update Rsyslog HAProxy priority to avoid log mess between HAProxy & Swift proxy + exec { 'move-haproxy-rsyslog-priority': + command => 'cp /etc/rsyslog.d/49-haproxy.conf /etc/rsyslog.d/15-haproxy.conf', + onlyif => 'test -e /etc/rsyslog.d/49-haproxy.conf', + creates => '/etc/rsyslog.d/15-haproxy.conf', + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + } + + exec { 'remove-default-configuration': + command => 'rm /etc/rsyslog.d/49-haproxy.conf', + onlyif => 'test -e /etc/rsyslog.d/49-haproxy.conf', + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], notify => Service['rsyslog'], } - logrotate::rule { 'kern-legacy': - path => '/var/log/kern-legacy.log', - rotate => '4', - rotate_every => 'week', - missingok => true, - ifempty => false, - compress => true, - delaycompress => true, - postrotate => '/usr/lib/rsyslog/rsyslog-rotate', - } - - swift_drive_audit_config { - 'drive-audit/log_file_pattern': value => '/var/log/kern-legacy.*[!.][!g][!z]'; - } - if $swift_store_account { $rings1 = [ 'account' ] }else{ -- GitLab From 0a816da117c527b58862759bfdbc7b64d022abd4 Mon Sep 17 00:00:00 2001 From: Cyril de Bourgues Date: Fri, 15 Oct 2021 12:01:12 +0200 Subject: [PATCH 3/5] bring swift-drive-audit stuff in the common part, use our new rsyslog rules & set group inheritance via setgid --- puppet/manifests/swiftcommon.pp | 158 ++++++++++---------------------- 1 file changed, 47 insertions(+), 111 deletions(-) diff --git a/puppet/manifests/swiftcommon.pp b/puppet/manifests/swiftcommon.pp index 867db57e..3602f474 100644 --- a/puppet/manifests/swiftcommon.pp 
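Review bot: The execs `move-haproxy-rsyslog-priority` and `remove-default-configuration` have no explicit relationship, so the `rm` relies on manifest ordering alone to run after the `cp`. A failed resource only blocks its dependents, so if the copy fails the removal still runs, and 49-haproxy.conf is deleted without a replacement and HAProxy logging stops without any error. A single exec closes that window, `command => 'mv /etc/rsyslog.d/49-haproxy.conf /etc/rsyslog.d/15-haproxy.conf',` with the existing `onlyif` and `notify => Service['rsyslog']`; failing that, add `require => Exec['move-haproxy-rsyslog-priority'],` to the removal. The title `remove-default-configuration` does not say which configuration it removes; naming haproxy in it would also lower the chance of a duplicate-title clash elsewhere in the catalog.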
+++ b/puppet/manifests/swiftcommon.pp 
@@ -1,119 +1,55 @@ class oci::swiftcommon( ){ + package { 'swift-drive-audit': + ensure => present, + } + + swift_drive_audit_config { + 'drive-audit/log_file_pattern': value => '/var/log/kern-legacy.*[!.][!g][!z]'; + } + + file { '/etc/rsyslog.d/10-kern-legacy.conf': + ensure => present, + source => 'puppet:///modules/oci/rsyslog/10-kern-legacy.conf', + path => '/etc/rsyslog.d/10-kern-legacy.conf', + group => 'root', + owner => 'root', + mode => '0644', + require => [Package['rsyslog']], + notify => Service['rsyslog'], + } + + logrotate::rule { 'kern-legacy': + path => '/var/log/kern-legacy.log', + rotate => '4', + rotate_every => 'week', + missingok => true, + ifempty => false, + compress => true, + delaycompress => true, + postrotate => '/usr/lib/rsyslog/rsyslog-rotate', + } + + exec { 'remove-default-swift-rules': + command => 'rm /etc/rsyslog.d/swift.conf', + onlyif => 'test -e /etc/rsyslog.d/swift.conf', + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + notify => Service['rsyslog'], + } + + file { '/etc/rsyslog.d/20-swift.conf': + ensure => present, + source => "puppet:///modules/oci/rsyslog/20-swift.conf", + require => [Package['rsyslog'], File['/var/log/swift']], + notify => Service['rsyslog'], + } + + # setgid so created files inherit the group file { '/var/log/swift': ensure => directory, - mode => '0750', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-account-auditor.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-account.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-account-reaper.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-account-replicator.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container-auditor.log': - ensure => file, - mode => 
'0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container-reconciler.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container-replicator.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container-sync.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-container-updater.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-proxy.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-object.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-object-auditor.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-object-replicator.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-object-updater.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/object.log': - ensure => file, - mode => '0640', - owner => 'swift', - group => 'adm', - }-> - file { '/var/log/swift/swift-drive-audit.log': - ensure => file, - mode => '0640', + mode => '2750', owner => 'swift', group => 'adm', } - -} \ No newline at end of file +} -- GitLab From 2bbccd12a5cbbd0ba101ae2389c4a63b8afc07cc Mon Sep 17 00:00:00 2001 
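Review bot: The new `file { '/etc/rsyslog.d/20-swift.conf': }` resource sets no `owner`, `group` or `mode`, unlike the `10-kern-legacy.conf` resource directly above it, so the permissions of a rule file read by the syslog daemon are left to Puppet defaults; adding `owner => 'root',`, `group => 'root',` and `mode => '0644',` makes them explicit and consistent. With the per-file resources removed, the manifest no longer asserts `0640` on any log under /var/log/swift: the `2750` setgid bit on the directory propagates only the group, and files created earlier under the old names are left unmanaged. The existing comment above the directory resource could be extended to say that the file mode is now expected to come from rsyslog, which would record that dependency. The `source` string can also use single quotes like the rest of the class.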
From: Cyril de Bourgues Date: Fri, 15 Oct 2021 13:40:11 +0200 Subject: [PATCH 4/5] move swift-drive-audit to Swift common part --- puppet/manifests/swiftstore.pp | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/puppet/manifests/swiftstore.pp b/puppet/manifests/swiftstore.pp index 26bc3285..4f614096 100644 --- a/puppet/manifests/swiftstore.pp +++ b/puppet/manifests/swiftstore.pp @@ -277,36 +277,6 @@ class oci::swiftstore( } } - package { 'swift-drive-audit': - ensure => present, - } - - file { '/etc/rsyslog.d/10-kern-legacy.conf': - ensure => present, - source => 'puppet:///modules/oci/rsyslog/10-kern-legacy.conf', - path => '/etc/rsyslog.d/10-kern-legacy.conf', - group => 'root', - owner => 'root', - mode => '0644', - require => [Package['rsyslog']], - notify => Service['rsyslog'], - } - - logrotate::rule { 'kern-legacy': - path => '/var/log/kern-legacy.log', - rotate => '4', - rotate_every => 'week', - missingok => true, - ifempty => false, - compress => true, - delaycompress => true, - postrotate => '/usr/lib/rsyslog/rsyslog-rotate', - } - - swift_drive_audit_config { - 'drive-audit/log_file_pattern': value => '/var/log/kern-legacy.*[!.][!g][!z]'; - } - if $swift_store_account { $rings1 = [ 'account' ] }else{ -- GitLab From 52f05f87df1f4cea0eb347a1229b31c3153b7b41 Mon Sep 17 00:00:00 2001 From: Cyril de Bourgues Date: Fri, 15 Oct 2021 14:29:02 +0200 Subject: [PATCH 5/5] use File module for file removal --- puppet/manifests/swiftcommon.pp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/swiftcommon.pp b/puppet/manifests/swiftcommon.pp index 3602f474..ff1b2515 100644 --- a/puppet/manifests/swiftcommon.pp +++ b/puppet/manifests/swiftcommon.pp 
@@ -31,11 +31,8 @@ class oci::swiftcommon( postrotate => '/usr/lib/rsyslog/rsyslog-rotate', } - exec { 'remove-default-swift-rules': - command => 'rm /etc/rsyslog.d/swift.conf', - onlyif => 'test -e /etc/rsyslog.d/swift.conf', - path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], - notify => Service['rsyslog'], + file { '/etc/rsyslog.d/swift.conf': + ensure => absent, } file { '/etc/rsyslog.d/20-swift.conf': -- GitLab
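Review bot: The replacement `file { '/etc/rsyslog.d/swift.conf': ensure => absent }` drops the `notify => Service['rsyslog']` that the removed exec carried, so when the packaged rule file is deleted on a host where rsyslog is already running, the old rules stay loaded until something else restarts the daemon. Adding `notify => Service['rsyslog'],` to the new resource keeps the running configuration in step with what is on disk. The enclosing class `oci::swiftcommon` begins and ends outside this hunk.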