[kubic-bugs] [Bug 1111012] New: cri-o writes log files to /tmp
http://bugzilla.suse.com/show_bug.cgi?id=1111012

Bug ID: 1111012
Summary: cri-o writes log files to /tmp
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kubic
Assignee: vrothberg@suse.com
Reporter: kukuk@suse.com
QA Contact: qa-bugs@suse.de
CC: kubic-bugs@opensuse.org
Found By: ---
Blocker: ---

cri-o seems to write log files to /tmp. This should never be done, as the name seems to be guessable, it could be a security problem, too. As cri-o is creating several files, I think best would be an own directory /var/log/cri-o

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c1

--- Comment #1 from Valentin Rothberg <vrothberg@suse.com> ---
I guess we can achieve this by changing the crio.conf in our package.

See `man crio`:
--log="": Set the log file path where internal debug information is written

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c2

Richard Brown <rbrown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rbrown@suse.com

--- Comment #2 from Richard Brown <rbrown@suse.com> ---
(In reply to Valentin Rothberg from comment #1)
> I guess we can achieve this by changing the crio.conf in our package.
> See `man crio`: --log="": Set the log file path where internal debug information is written

Does that mean the docs need updating - there's no mention of a log param in the crio.conf man page AFAICS
https://github.com/kubernetes-sigs/cri-o/blob/9246d35b40666132a27b89bfd2c5b9...

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c3

--- Comment #3 from Valentin Rothberg <vrothberg@suse.com> ---
(In reply to Richard Brown from comment #2)
> (In reply to Valentin Rothberg from comment #1)
> > I guess we can achieve this by changing the crio.conf in our package.
> > See `man crio`: --log="": Set the log file path where internal debug information is written
>
> Does that mean the docs need updating - there's no mention of a log param in the crio.conf man page AFAICS
> https://github.com/kubernetes-sigs/cri-o/blob/9246d35b40666132a27b89bfd2c5b9e3eef55a8b/docs/crio.conf.5.md

Looks like, yes. The conf manpage was quite outdated, so it seems likely that this option was forgotten. Let's check if it works with --log (and setting it in crio.conf) and open a PR upstream.

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c4

--- Comment #4 from Richard Brown <rbrown@suse.com> ---
(In reply to Valentin Rothberg from comment #3)
> Looks like, yes. The conf manpage was quite outdated, so it seems likely that this option was forgotten. Let's check if it works with --log (and setting it in crio.conf) and open a PR upstream.

--log works when set to a full filepath. It produces a fatal error if set to a directory.

However, the contents of that log seem to have no relation to the contents of the logs produced by crio in /tmp.

--log seems to record notices you'd typically expect in a journal, e.g. "error updating cni config: Missing CNI default network" with journal style timestamps.

The logs in /tmp have a very different format, with a header that includes "Log file created at:... Running on machine: ... Binary: Built with gc go1.10.3 for linux/amd64 Log line format: ...." and THEN log errors, which seem to be go specific error messages, e.g. "hostport_manager.go:64] The binary conntrack is not installed, this can cause failures in network connection cleanup"

Therefore I'm convinced that --log has no impact on the logs this bug is related to.

We need to find a way of getting those logs from /tmp into somewhere more sensible.

log= in crio.conf seems to have zero effect if set to a full filepath or to a directory

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c5

Valentin Rothberg <vrothberg@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

--- Comment #5 from Valentin Rothberg <vrothberg@suse.com> ---
I had a deeper look at the bug and found that there is no valuable information on those files as it seems to be caused by some libraries of crio that are using glog. I opened an upstream issue: https://github.com/kubernetes-sigs/cri-o/issues/1879

I don't think that it's a security issue but an undesired side-effect. `critest` from the `cri-tools` package shows similar issues. Probably, `crictl` as well.

http://bugzilla.suse.com/show_bug.cgi?id=1111012#c6

Valentin Rothberg <vrothberg@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #6 from Valentin Rothberg <vrothberg@suse.com> ---
The issue is currently being worked on in Kubernetes. The glog library has been forked to address the mentioned issue and others. I guess it'll be fixed with CRI-O/Kubernetes v1.14. I don't think we need to backport any patches (likely large ones) given there's no real content in the log files. I am therefore closing it as wontfix and suggest to wait.
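
Added example, not part of the original thread and not code from cri-o, Kubernetes or glog: one way a Go daemon can open its log file so that a guessable name in a shared directory such as /tmp is not a concern, as raised in the report. `OpenLog`, `ErrUnsafeDir` and the file name `crio.log` are hypothetical, and a fresh private temp directory stands in for the /var/log/cri-o directory suggested above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrUnsafeDir: the directory is a symlink, not a directory, or writable by group/others.
var ErrUnsafeDir = errors.New("log directory is not a private directory")

// OpenLog creates a new log file called name inside dir (hypothetical helper).
// It refuses shared directories such as /tmp and never reuses or follows an existing path.
func OpenLog(dir, name string) (*os.File, error) {
	info, err := os.Lstat(dir) // Lstat so a symlinked directory is not followed
	if err != nil {
		return nil, err
	}
	if !info.IsDir() || info.Mode().Perm()&0o022 != 0 {
		return nil, ErrUnsafeDir
	}
	path := filepath.Join(dir, filepath.Base(name)) // strip any directory part of name
	// O_EXCL fails if a file or symlink already exists at path;
	// O_NOFOLLOW also refuses a symlink as the final path component.
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL | os.O_APPEND | syscall.O_NOFOLLOW
	return os.OpenFile(path, flags, 0o600)
}

func main() {
	// Assumption: a fresh 0700 directory stands in for /var/log/cri-o so this runs without root.
	dir, err := os.MkdirTemp("", "crio-log-example-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	f, err := OpenLog(dir, "crio.log")
	if err != nil {
		panic(err)
	}
	defer f.Close()
	fmt.Fprintln(f, "constructed sample log line")
	fmt.Println("logging to", f.Name())
}
```
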