Skip to content

fix: Ensure /var/log/mail permissions + ownership are correct#4374

Merged
polarathene merged 2 commits intomasterfrom
fix/container-restarts-fix-log-permissions
Feb 17, 2025
Merged

fix: Ensure /var/log/mail permissions + ownership are correct#4374
polarathene merged 2 commits intomasterfrom
fix/container-restarts-fix-log-permissions

Conversation

@polarathene
Copy link
Copy Markdown
Member

@polarathene polarathene commented Feb 17, 2025
edited
Loading

Description

This is an interim fix for DMS v15 until a proper fix can more confidently be implemented.

Changes:

  • Migrates what was originally contributed in Oct 2019 to setup-stack.sh for container restart support.
  • Ensures permissions of /var/log/mail/ and it's contents are corrected if a volume mount differs.

History for these changes is messy (as documented in the "proper fix" link), but looks like it shouldn't really be necessary going forward (new permissions fix may be relevant to avoid the logrotate failure scenario).

Workaround for volume mounts that are too relaxed

In the kubernetes helm project, a user reports their /var/log/mail mount with 777 permissions which appears to impact logrotate service as a result:

/etc/cron.daily/logrotate:
error: skipping "/var/log/mail/mail.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail/rspamd.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
run-parts: /etc/cron.daily/logrotate exited with return code 1

According to that linked discussion, correcting that mount permissions for a specific mount in the Helm chart is problematic? 🤷‍♂️

Chance of regression low

In addition these are runtime corrections intended for volume mounts, thus is intended as part of the DMS v15 improved restart support.

Prior to this PR these changes would have occurred much earlier during startup:

docker-mailserver/target/scripts/start-mailserver.sh

Line 46 in 0294294

_register_setup_function '_setup_logs_general'

There is a slight chance that shifting the changes to apply at the end of _setup() introduces a regression, but it should be unlikely:

docker-mailserver/target/scripts/start-mailserver.sh

Lines 122 to 124 in 0294294

# ! The following functions must be executed after all other setup functions
_register_setup_function '_setup_directory_and_file_permissions'
_register_setup_function '_setup_run_user_patches'

Restart support calls same two methods + (rsyslog daemon starts with /var/log/mail/mail.log):

docker-mailserver/target/scripts/start-mailserver.sh

Lines 167 to 196 in 0294294

# ? >> Executing all stacks / actual start of DMS
# ------------------------------------------------------------
_early_supervisor_setup
_early_variables_setup
_log 'info' "Welcome to docker-mailserver ${DMS_RELEASE}"
_register_functions
_check
# Ensure DMS only adjusts config files for a new container.
# Container restarts should skip as they retain the modified config.
if [[ -f /CONTAINER_START ]]; then
_log 'info' 'Container was restarted. Skipping most setup routines.'
# We cannot skip all setup routines because some need to run _after_
# the initial setup (and hence, they cannot be moved to the check stack).
_setup_directory_and_file_permissions
_setup_adjust_state_permissions
else
_setup
fi
# marker to check if container was restarted
date >/CONTAINER_START
# Container logs will receive updates from this log file:
MAIN_LOGFILE=/var/log/mail/mail.log
# NOTE: rsyslogd would usually create this later during `_start_daemons`, however it would already exist if the container was restarted.
touch "${MAIN_LOGFILE}"

DMS v15 is to release with the two separate call sites shown above as no maintainer presently has the time to investigate test failures introduced when moving methods those into a unified location.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • [?] Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • New and existing unit tests pass locally with my changes
  • I have added information about changes made in this PR to CHANGELOG.md

@polarathene polarathene added area/scripts kind/improvement Improve an existing feature, configuration file or the documentation kind/bug/fix A fix (PR) for a confirmed bug labels Feb 17, 2025
@polarathene polarathene added this to the v15.0.0 milestone Feb 17, 2025
@polarathene polarathene self-assigned this Feb 17, 2025
@polarathene polarathene marked this pull request as ready for review February 17, 2025 02:55
@polarathene polarathene mentioned this pull request Feb 17, 2025
Closed
12 tasks
@polarathene polarathene merged commit d2d74a2 into master Feb 17, 2025
7 checks passed
@polarathene polarathene deleted the fix/container-restarts-fix-log-permissions branch February 17, 2025 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@georglauterbach georglauterbach georglauterbach approved these changes

@casperklein casperklein Awaiting requested review from casperklein

Assignees

@polarathene polarathene

Labels

area/scripts kind/bug/fix A fix (PR) for a confirmed bug kind/improvement Improve an existing feature, configuration file or the documentation

Projects

None yet

Milestone

v15.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@polarathene @georglauterbach