Replies: 2 comments 2 replies
-
|
AFAIU containerd doesn't use conmon, is this reported in the right repo? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, it is correct repo. This discussion is about the hard coded setting for conmon, which is 0600(u+rw,g+r) wheras containerd and docker is setting 0640 (u+rw,g+r) for log files. Allowing a group to read logs is a good idea, because you wouldn't need to run the process that is reading the log as the same user that owns the file, i.e. root. |
Beta Was this translation helpful? Give feedback.
-
|
I've updated the post to make it more clear :) |
Beta Was this translation helpful? Give feedback.
-
|
#541 - Thanks, I borrowed your wording for the commit message. |
Beta Was this translation helpful? Give feedback.
-
See the code for conmon:
conmon/src/ctr_logging.c
Line 116 in aee638f
Opening the log files with permission 0600 (user=read+write) only allows uid 0 to read the file.
Others like containerd opens log files with permissions 0640 (user=read+write,group=read) according to containerd/cri#613 (they also argue that docker does it).
Changing to 0640 would allow the administrator to set sticky group on the log directory, and for a selected log-users (in a spesific group) without root-permissions to read the log files.
Beta Was this translation helpful? Give feedback.
All reactions