On Linux I used the -log-file flag to redirect all the Consul agent log messages to a local file. For some reason the log file was created with permissions that are write-only by owner, for example:
--w------- 1 fispguat fispguat 91300 Mar 6 12:54 consul_20190306-114637-1551890797918163665.log
Is this write-only permission by design in Consul? I have not found anything in the documentation or existing issues, so I would appreciate any insights from the Consul team.
@achenand This was definitely not intended. #5346 was for the same thing and was fixed in version 1.4.3. If you upgrade, log files will now be created with rw permissions for the owner and read-only permissions for the group.
Hi Matt,
This "rw permissions for the owner and read only permissions for the group." is still too restrictive for our use case. We would like to have read access for users in different groups.
Could you make it possible to allow an umask to be supplied along with the -log-file flag?
Thanks again.
@achenand I reopened the issue and edited the title to more closely align with what I think the request is.
Could you elaborate on your usage a bit? Particularly, what sorts of permissions are you desiring, or how would you desire those log files to be created?
Thanks for updating the title.
I am looking to have "644" as the log file permission on Linux servers: "rw" for owner, "r" for group and others. In our use case, developers are only allowed to access production Linux boxes as low-privileged users, while the consul process is run as a higher-privileged service id.
On another note, when I specified the complete path along with the name of the log file in the -log-file flag, the {timestamp} was still appended. For example, I specified the name of the log file as consul_20190311-141420.log
But the actual log file name still has {timestamp} added. Is it possible to remove this additional {timestamp} to match the behavior described by the documentation?
consul_20190311-141420-1552328060963016440.log
-log-file - to redirect all the Consul agent log messages to a file. This can be specified with the complete path along with the name of the log. In case the path doesn't have the filename, the filename defaults to consul-{timestamp}.log. Can be combined with -log-rotate-bytes and -log-rotate-duration for a fine-grained log rotation experience.
Hi, 644 would be very good for me as well as I'd like to ingest these logs into Splunk. However, Splunk runs under a pretty non-privileged user in our case. With the logs having an unpredictable name (as it uses a timestamp) it is tough to get around this. Any help on this would be appreciated.
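As an added illustration (not part of the thread and not Consul's code), this Go program shows how the mode passed to `os.OpenFile` combines with the process umask to produce the permissions discussed above. The helpers `createLog` and `readableBy` are hypothetical names, the 0200 case only reproduces the `--w-------` listing from the question, and `syscall.Umask` limits it to Unix-like systems.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// createLog creates path with the requested mode under the given umask and returns the resulting bits.
func createLog(path string, requested os.FileMode, umask int) (os.FileMode, error) {
	old := syscall.Umask(umask) // process-wide setting; restored on return
	defer syscall.Umask(old)
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, requested)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// readableBy reports which permission classes may read a file with these bits.
func readableBy(perm os.FileMode) (owner, group, other bool) {
	return perm&0400 != 0, perm&0040 != 0, perm&0004 != 0
}

func main() {
	dir, err := os.MkdirTemp("", "log-mode-demo") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cases := []struct{ name string; requested os.FileMode; umask int }{
		{"write-only.log", 0200, 0022},  // matches the --w------- listing in the question
		{"owner-group.log", 0640, 0022}, // rw for owner, r for group
		{"world-read.log", 0644, 0022},  // the 644 requested in the thread
		{"masked.log", 0644, 0027},      // same request under a stricter service umask
	}
	for _, c := range cases {
		perm, err := createLog(dir+"/"+c.name, c.requested, c.umask)
		if err != nil {
			panic(err)
		}
		o, g, w := readableBy(perm)
		fmt.Printf("%-16s req=%04o umask=%04o -> %04o owner=%t group=%t other=%t\n", c.name, c.requested, c.umask, perm, o, g, w)
	}
}
```

A mode of 644 makes the log readable by every local account on the host, so where only a log shipper needs access, 640 with the shipper's user added to the file's group keeps the exposure narrower.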