[#MCOL-5024] Log files must be own by mysql:mysql user rather than partially own by root:root OS user.

[MCOL-5024] Log files must be own by mysql:mysql user rather than partially own by root:root OS user. Created: 2022-03-23 Updated: 2023-10-27 Resolved: 2023-10-27
Status:	Closed
Project:	MariaDB ColumnStore
Component/s:	installation
Affects Version/s:	5.6.3, 5.6.4, 5.6.5, 6.1.1, 6.2.1, 6.2.2, 6.2.3
Fix Version/s:	Icebox

Type:

Bug

Priority:

Minor

Reporter:

Pramod Mahto

Assignee:

Leonid Fedorov

Resolution:

Fixed

Votes:

Labels:

None

Description

As root owned files involve sysadmin to do fewer task but generally these file should be managed by DBA or CS team. Also If we change the ownership to mysql:mysql , as soon as the file is archived and cycled, it is again owned by root.

[root@mcs_node_01 columnstore]# pwd

/var/log/mariadb/columnstore

[root@mcs_node_01 columnstore]# ls -ltrh |grep -v drw

total 0

-rw-r--r--. 1 root  root    0 Mar 22 16:14 cmapi_server.log

-rw-------. 1 root  root    0 Mar 22 16:14 crit.log

-rw-------. 1 mysql mysql   0 Mar 22 16:14 debug.log

-rw-------. 1 root  root    0 Mar 22 16:14 err.log

-rw-------. 1 mysql mysql   0 Mar 22 16:14 info.log

-rw-------. 1 root  root    0 Mar 22 16:14 warning.log

Comments

Comment by alexey vorovich (Inactive) [ 2022-03-23 ]

??{{rw-rw-rw- 1 root mysql 10765 Mar 23 14:01 writeengineserver.log
~~rw-r~~r- 1 root mysql 471972 Mar 23 14:01 info.log
~~rw-r~~r- 1 root mysql 3780129 Mar 23 14:02 warning.log
~~rw-rw-rw~~ 1 root mysql 1836792 Mar 23 14:02 exemgr.log
~~rw-rw~~--- 1 root mysql 1264906 Mar 23 15:01 mariadb-error.log
~~rw-r~~r- 1 root mysql 1048483 Mar 23 15:35 cmapi_server.log.1
~~rw-rw-rw~~ 1 root mysql 2200059 Mar 23 15:41 cmapi_server.log.2
~~rw-r~~r- 1 root mysql 158884 Mar 23 15:41 cmapi_server.log}}??

toddstoffel petko.vasilev
above is what I see on the cluster that i created with the latest sky version. Note that not only CS but ES logs are the same root owner.

I presume that owner(=root) and group owner(=mysql) are derived from account that starts the top process in the process tree.

Is that determined at docker build time ? via
USER root
WORKDIR /opt

Is that affected somehow by k8s ?

Priority of this is already minor , but I am going to ask pramod.mahto@mariadb.com what practical problems does this present

Comment by Pramod Mahto [ 2022-03-23 ]

alexey.vorovich In general DBA want to cycled and archive these log files on regular interval of time, doing that using non-root user not possible. They need to involve sysadmin team , generally they don't want to do that.

Comment by alexey vorovich (Inactive) [ 2022-03-23 ]

pramod.mahto@mariadb.com Yes, I absolutely understand the need to access files . I am just trying to understand various types of access control. I login via VSCODE terminal option (I believe it is the same as kubectl) and i am root .

[root@cs-node-0 /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@cs-node-0 /]#

Your example is also in Sky , correct ?

Comment by Leonid Fedorov [ 2023-10-27 ]

Fixed in version 23.02

Generated at Thu Feb 08 02:54:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MCOL-5024] Log files must be own by mysql:mysql user rather than partially own by root:root OS user. Created: 2022-03-23 Updated: 2023-10-27 Resolved: 2023-10-27