Set correct permissions for /usr/share/logstash on pkg installs #12782
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
roaksoax
force-pushed
the
fix_pkg_permissions_gh12771
branch
from
d69b676 to
4327dc1
Compare
andsel
reviewed
Mar 30, 2021
Contributor
andsel
left a comment
andsel
left a comment
There was a problem hiding this comment.
From a logstash clone of this branch, I've tried with:
> rake artifact:deb
> multipass mount build/ ubuntu-lts
> multipass shell ubuntu-lts
> sudo dpkg -i logstash-7.12.0-amd64.deb
listing the contents of /usr/share/logstash:
ubuntu@ubuntu-lts:~$ ll /usr/share/logstash/
total 512
drwxr-xr-x 12 logstash logstash 4096 Mar 30 10:26 ./
drwxr-xr-x 114 root root 4096 Mar 25 15:41 ../
-rw-r--r-- 1 logstash logstash 2276 Mar 18 06:08 CONTRIBUTORS
so the directory doesn't seems to have the expects owner
andsel
approved these changes
Mar 30, 2021
Contributor
andsel
left a comment
andsel
left a comment
There was a problem hiding this comment.
I've retried, the PR LGTM and works.
I've used an old deb package.
Contributor
|
Jenkins test this please |
2 similar comments
Contributor
Author
|
Jenkins test this please |
Contributor
Author
|
Jenkins test this please |
Merged
2 tasks
roaksoax
added a commit
to roaksoax/logstash
that referenced
this pull request
Mar 31, 2021
…tic#12782) This PR sets correct ownership of /usr/share/logstash on DEB & RPM installs, following FHS guidelines. Closes: elastic#12771 (cherry picked from commit c4cb8f4)
Merged
2 tasks
roaksoax
added a commit
to roaksoax/logstash
that referenced
this pull request
Mar 31, 2021
…tic#12782) This PR sets correct ownership of /usr/share/logstash on DEB & RPM installs, following FHS guidelines. Closes: elastic#12771 (cherry picked from commit c4cb8f4)
roaksoax
added a commit
that referenced
this pull request
Mar 31, 2021
roaksoax
added a commit
that referenced
this pull request
Mar 31, 2021
robbavey
added a commit
to robbavey/logstash
that referenced
this pull request
May 13, 2021
Recent versions of bundler (> 2.2.3) have changed the resolution to resolve for the specific running platform, using the specific platform triple, such as `universal-java-1.8`, rather than `java`, as was previously the case, meaning that the 'PLATFORMS` section of the `Gemfile.lock` will change from: ``` PLATFORMS java ``` after: ``` PLATFORMS universal-java-1.8 ``` At runtime, unless bundler is run in frozen mode, this value is resolved again at runtime, and depending on whether the platform being run in matches that being built on, `Gemfile.lock` is resolved to match the running platform - which now causes a runtime error when running Logstash as a service, as the running application no longer has write permission on `Gemfile.lock` after elastic#12782. While this should fix elastic#12818, we should look into a permanent solution to enable us to keep up with bundler updates.
5 tasks
robbavey
added a commit
that referenced
this pull request
Aug 17, 2021
…hanges (#13015) This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in #12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. ## Release notes * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment
robbavey
added a commit
that referenced
this pull request
Aug 17, 2021
…malize" platform on plugin changes Backport PR #13015 to 7.15 branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in #12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb)
robbavey
added a commit
to robbavey/logstash
that referenced
this pull request
Aug 17, 2021
…d "normalize" platform on plugin changes Backport PR elastic#13015 to 7.x branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in elastic#12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb)
This was referenced Aug 17, 2021
robbavey
added a commit
to robbavey/logstash
that referenced
this pull request
Aug 17, 2021
…d "normalize" platform on plugin changes Backport PR elastic#13015 to 7.x branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in elastic#12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb)
robbavey
added a commit
to robbavey/logstash
that referenced
this pull request
Aug 17, 2021
…nd "normalize" platform on plugin changes Backport PR elastic#13015 to 7.15 branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in elastic#12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb)
robbavey
added a commit
that referenced
this pull request
Aug 18, 2021
#13141) * Backport PR #13015 to 7.15: Bundler: freeze lockfile on run, and "normalize" platform on plugin changes Backport PR #13015 to 7.15 branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in #12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb) * Remove code pinning bundler to `~> 1.17` Also updates lockfile to update `BUNDLED WITH` to latest
robbavey
added a commit
that referenced
this pull request
Aug 18, 2021
#13140) * Backport PR #13015 to 7.x: Bundler: freeze lockfile on run, and "normalize" platform on plugin changes Backport PR #13015 to 7.x branch. Original Message: This PR enables the upgrade of bundler to the latest version. Prior to this PR, the ability to do so was blocked by bundler.setup in versions of bundler > `2.23` making runtime changes to `Gemfile.lock` (unless the lock file was `frozen`) based on the specific platform the application was being run on, overriding any platforms (including generic `java` platform) set during build time. This was in conflict with changes made in #12782, which prevented the logstash user writing to files in `/usr/share/logstash`. This PR will freeze the lockfile when logstash is run, and unfreeze it when manipulating plugins (install, update, remove, install from offline pack) to allow new plugins to be added. While unfrozen, changes are also made to ensure that the platform list remains as the generic `java` platform, and not changed to the specific platform for the runtime JVM. This PR also introduces a new runtime flag, `--enable-local-plugin-development`. This flag is intended for use by Logstash developers only, and enables a mode of operation where a Gemfile can be manipulated, eg ``` gem "logstash-integration-kafka", :path => '/users/developer/code/plugins/logstash-integration-kafka' ``` to facilitate quick and simple plugin testing. This PR also sets the `silence_root_warning` flag to avoid bundler printing out alarming looking warning messages when `sudo` is used. This warning message was concerning for users - it would be printed out during normal operation of `bin/logstash-plugin install/update/remove` when run under `sudo`, which is the expected mode of operation when logstash is installed to run as a service via rpm/deb packages. This PR also updates the vagrant based integration tests to ensure that Logstash still runs after plugin update/install/remove operations, fixes up some regular expressions that would cause test failures, and removes some dead code from tests. * Updated Bundler to latest version * Ensured that `Gemfile.lock` are appropriately frozen * Added new developer-only flag to facilitate local plugin development to allow unfrozen lockfile in a development environment (cherry picked from commit 4707cb) * Remove code pinning bundler to ~> 1.17
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release notes
Fix package install permissions of /usr/share/logstash
What does this PR do?
This PR fixes the the permissions of (RPM, DEB) for /usr/share/logstash.
Why is it important/What is the impact to the user?
Ensures /usr/share/logstash has the appropriate ownership as per the FHS. Also ensures the daemon cannot modify files it needs to run.
Checklist
[ ] I have commented my code, particularly in hard-to-understand areas[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files (and/or docker env variables)How to test this PR locally
Related issues