[systemd-devel] [PATCH] journal: grant systemd-journal group permission

Lennart Poettering lennart at poettering.net
Wed Oct 22 15:45:16 PDT 2014


On Wed, 22.10.14 23:53, Lennart Poettering (lennart at poettering.net) wrote:

> On Fri, 29.08.14 22:03, WaLyong Cho (walyong.cho at samsung.com) wrote:
> 
> > On 08/27/2014 02:55 AM, Lennart Poettering wrote:
> > > On Tue, 26.08.14 15:43, WaLyong Cho (walyong.cho at samsung.com) wrote:
> > > 
> > >> There is no Before= or After= dependency between
> > >> systemd-journald.service and systemd-tmpfiles-setup.service. So if both
> > >> "/run/log/journal" and "/var/log/journal" do not exist then those can
> > >> be made as root:root, and also its ids directory and journal files. To
> > >> make sure, do chown systemd-journal group to journal directories and
> > >> files.
> > > 
> > > Hmm? /run/log/journal will be recursively updated, and /var/log/journal
> > > is not created by journald ever, but only by tmpfiles, which uses g+s to
> > > ensure all files that will be created have the right owner from the
> > > beginning.
> > > 
> > I hope you test like me. Set *Storage=persistent* in journald.conf and
> > remove(back it up to other) "/var/log/journal" and restart.
> 
> Ah, umm. Yuck. Storage=persistent is indeed a different case...
> 
> Hmm, not sure what we can do here. We cannot do NSS lookups in
> journald though, we need to find another way. 
> 
> Hmm, one idea is to make systemd-journal-flush synchronous, and then
> order it before systemd-tmpfiles. That way, if Storage=persistent is
> set we would *know* that the dir is first created, and tmpfiles could
> then just adjust the ACLs for it...
> 
> However, making systemd-journal-flush isn't that easy I fear. It would
> be easy if we had dbus as IPC, but that's something we cannot use
> unless we have kdbus, since we cannot allow a cyclic loop between
> dbus-daemon logging to journald, and journald waiting for dbus....
> 
> I need to think about this more...

OK, I thought a bit about this more. And now changed
systemd-journal-flush.service to be asynchronous, so that it can be
ordered before systemd-tmpfiles-setup.service and the ownership of the
dirs can be correctly applied. Please give this a test run.

I implemented this via a new "journalctl --flush" command which will
first send SIGUSR1 to journald, and then wait for
/run/systemd/journal/flushed to appear in the FS which is what
journald uses internally to remember if it already flushed the journal
or not.

Lennart

-- 
Lennart Poettering, Red Hat
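The signal-then-wait handshake that the message describes for "journalctl --flush", as an added illustration that is not part of the patch or of systemd's own code: it sends SIGUSR1 to a journald PID and polls for the flag file, and the demo runs it against a forked stand-in for journald (the flag path used in the demo is a temporary file, not /run/systemd/journal/flushed), including the case where journald never answers and the caller must not assume the directory exists.

```python
import os
import signal
import tempfile
import time


def flush_journal(journald_pid, flushed_path, timeout=10.0, poll_interval=0.05):
    """Send SIGUSR1 to journald and wait for the 'flushed' flag file to
    appear. Returns True on success, False if it never shows up in time."""
    os.kill(journald_pid, signal.SIGUSR1)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(flushed_path):
            return True
        time.sleep(poll_interval)
    return False  # no answer: a unit ordered after this must not rely on the dir


def _fake_journald(flushed_path):
    # Stand-in for journald (constructed for the demo): the inherited SIGUSR1
    # handler creates the flag file; loop until it exists, then exit.
    while not os.path.exists(flushed_path):
        time.sleep(0.01)
    os._exit(0)


def demo(responds=True, timeout=2.0):
    """Run the handshake against the fake. responds=False makes the fake
    ignore SIGUSR1, which exercises the timeout path."""
    workdir = tempfile.mkdtemp()
    flag = os.path.join(workdir, "flushed")

    def on_usr1(signum, frame):
        open(flag, "w").close()

    # Install the handler before forking: SIGUSR1's default action terminates
    # a process, so a signal that raced the child's setup would kill it.
    signal.signal(signal.SIGUSR1, on_usr1 if responds else signal.SIG_IGN)
    pid = os.fork()
    if pid == 0:
        _fake_journald(flag)
    signal.signal(signal.SIGUSR1, signal.SIG_DFL)  # parent: restore default
    try:
        return flush_journal(pid, flag, timeout)
    finally:
        if not responds:
            os.kill(pid, signal.SIGKILL)  # the ignoring fake never exits on its own
        os.waitpid(pid, 0)
        if os.path.exists(flag):
            os.unlink(flag)
        os.rmdir(workdir)
```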


More information about the systemd-devel mailing list