Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

debugd: run logcollector containers unprivileged

Browse Source 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2022-12-01 18:31:27 +01:00
parent 67ce1ac3b2
commit c52dfb09b9
1 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
debugd/internal/debugd/logcollector/logcollector.go
View File

@ -116,7 +116,7 @@ func getTemplate(ctx context.Context, logger *logger.Logger) (*template.Template
return nil, fmt.Errorf("creating logstash template container: %w\n%s", err, out) return nil, fmt.Errorf("creating logstash template container: %w\n%s", err, out)
} }
if err := os.MkdirAll("/run/logstash", 0o511); err != nil { if err := os.MkdirAll("/run/logstash", 0o777); err != nil {
return nil, fmt.Errorf("creating logstash template dir: %w", err) return nil, fmt.Errorf("creating logstash template dir: %w", err)
} }
@ -169,10 +169,8 @@ func startPod(ctx context.Context, logger *logger.Logger) error {
"--rm", "--rm",
"--name=logstash", "--name=logstash",
"--pod=logcollection", "--pod=logcollection",
"--user=root",
"--privileged",
"--log-driver=none", "--log-driver=none",
"--volume=/run/logstash/pipeline:/usr/share/logstash/pipeline:ro", "--volume=/run/logstash/pipeline:/usr/share/logstash/pipeline/:ro",
versions.LogstashImage, versions.LogstashImage,
} }
runLogstashCmd := exec.CommandContext(ctx, "podman", runLogstashArgs...) runLogstashCmd := exec.CommandContext(ctx, "podman", runLogstashArgs...)
@ -190,7 +188,6 @@ func startPod(ctx context.Context, logger *logger.Logger) error {
"--rm", "--rm",
"--name=filebeat", "--name=filebeat",
"--pod=logcollection", "--pod=logcollection",
"--user=root",
"--privileged", "--privileged",
"--log-driver=none", "--log-driver=none",
"--volume=/run/log/journal:/run/log/journal:ro", "--volume=/run/log/journal:/run/log/journal:ro",
@ -217,11 +214,11 @@ type logstashConfInput struct {
} }
func writeLogstashPipelineConf(templ *template.Template, in logstashConfInput) error { func writeLogstashPipelineConf(templ *template.Template, in logstashConfInput) error {
if err := os.MkdirAll("/run/logstash/pipeline", 0o511); err != nil { if err := os.MkdirAll("/run/logstash/pipeline", 0o777); err != nil {
return fmt.Errorf("creating logstash config dir: %w", err) return fmt.Errorf("creating logstash config dir: %w", err)
} }
file, err := os.OpenFile("/run/logstash/pipeline/pipeline.conf", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600) file, err := os.OpenFile("/run/logstash/pipeline/pipeline.conf", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o777)
if err != nil { if err != nil {
return fmt.Errorf("opening logstash config file: %w", err) return fmt.Errorf("opening logstash config file: %w", err)
} }