AFAIU containerd doesn't use conmon, is this reported in the right repo?
#541 - Thanks, I borrowed your wording for the commit message.
See the code for conmon:
conmon/src/ctr_logging.c
Line 116 in aee638f
Opening the log files with permission 0600 (user=read+write) only allows uid 0 to read the file.
Others like containerd open log files with permissions 0640 (user=read+write,group=read) according to containerd/cri#613 (they also argue that docker does it).
Changing to 0640 would allow the administrator to set sticky group on the log directory, and for selected log users (in a specific group) without root permissions to read the log files.
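
An added example, not part of the original post and not conmon's code: it creates a log file with a requested mode inside a setgid directory and reports the permission bits the kernel actually applied, which shows that 0640 only yields group read if the creating process's umask does not mask it out. The function names, the `/tmp/logperm-XXXXXX` template and the `ctr.log` file name are assumptions made for the demonstration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for mkdtemp() under strict -std modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create ctr.log in a fresh temporary directory with the requested mode
 * under the given umask. Returns the resulting permission bits, or -1 on
 * error. Directory and file names are constructed for this demo. */
int created_log_mode(mode_t requested, mode_t mask)
{
    char dir[] = "/tmp/logperm-XXXXXX";
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    /* setgid bit on the directory: files created here take its group */
    chmod(dir, 02750);
    snprintf(path, sizeof(path), "%s/ctr.log", dir);

    mode_t old = umask(mask);              /* emulate the runtime's umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, requested);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* True when a member of the file's group may read it. */
int group_can_read(int mode) { return mode >= 0 && (mode & S_IRGRP) != 0; }

int main(void)
{
    printf("0600, umask 022 -> %04o\n", (unsigned)created_log_mode(0600, 022));
    printf("0640, umask 022 -> %04o\n", (unsigned)created_log_mode(0640, 022));
    printf("0640, umask 077 -> %04o\n", (unsigned)created_log_mode(0640, 077));
    return 0;
}
```

A process running with umask 077 still produces 0600 files even when 0640 is requested, so the umask of the process creating the logs has to be checked alongside the mode argument.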