<div dir="ltr"><div>Igor,</div><div><br></div><div>I will investigate this, thanks!</div><div><br></div>Artem,<div><br></div><div>I guess that if we have an untrusted user on master node, he could just put something he wants to be in the snapshot in /var/log without having to time the attack carefully with tar execution.</div><div><br></div><div>I want to use links for directories, this saves me the trouble of creating hardlinks for every single file in the directory. Although with how exclusion is currently implemented it can cause deleting log files from original directories, need to check this out.</div><div><br></div><div>About your PS: whole /var/log on master node (not in container) is currently downloaded, I think we shouldn't change this as we plan to drop containers in 9.0.</div><div><br></div><div>Cheers,</div><div>Maciej</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 14, 2016 at 12:32 PM, Artem Panchenko <span dir="ltr"><<a href="mailto:apanchenko@mirantis.com" target="_blank">apanchenko@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
using symlinks is a bit dangerous, here is a quote from the man you
mentioned [0]:<br>
<br>
> The <samp>`--dereference'</samp> option is unsafe if an
untrusted user can modify directories while <code>tar</code> is running.<br>
<br>
Hard links usage is much safer, because you can't use them for
directories. But at the same time implementation in shotgun would be
more complicated than with symlinks.<br>
<br>
Anyway, in order to determine what linking to use we need to decide
where (/var/log or another partition) diagnostic snapshot will be
stored. <br>
<br>
p.s.<span class=""><br>
<pre>>This doesn't really give us much right now, because most of the logs are fetched from master node via ssh due to shotgun being run in mcollective container
</pre></span>
AFAIK '/var/log/docker-logs/' is available from mcollective
container and mounted to /var/log/:<br>
<br>
[root@fuel-lab-cz5557 ~]# dockerctl shell mcollective mount -l |
grep os-varlog<br>
/dev/mapper/os-varlog on /var/log type ext4
(rw,relatime,stripe=128,data=ordered)<br>
<br>
From my experience, the '/var/log/docker-logs/remote' folder is the most 'heavy'
thing in the snapshot.<br>
<br>
[0]
<a href="http://www.gnu.org/software/tar/manual/html_node/dereference.html" target="_blank">http://www.gnu.org/software/tar/manual/html_node/dereference.html</a><br>
<br>
Thanks!<div><div class="h5"><br>
<br>
<div>On 14.01.16 13:00, Igor Kalnitsky
wrote:<br>
</div>
<blockquote type="cite">
<blockquote type="cite">
<pre>I took a glance at Maciej's patch and it adds a switch to tar command
to make it follow symbolic links
</pre>
</blockquote>
<pre>Yeah, that should work. Except one thing - we previously had fqdn ->
ipaddr links in snapshots. So now they will be resolved into full
copy?
</pre>
<blockquote type="cite">
<pre>I meant that symlinks also give us the benefit of not using additional
space (just as hardlinks do) while being able to link to files from
different filesystems.
</pre>
</blockquote>
<pre>I'm sorry, I got you wrong. :)
- Igor
On Thu, Jan 14, 2016 at 12:34 PM, Maciej Kwiek <a href="mailto:mkwiek@mirantis.com" target="_blank"><mkwiek@mirantis.com></a> wrote:
</pre>
<blockquote type="cite">
<pre>Igor,
I meant that symlinks also give us the benefit of not using additional space
(just as hardlinks do) while being able to link to files from different
filesystems.
Also, as Bartłomiej pointed out the `h` switch for tar should do the trick
[1].
Cheers,
Maciej
[1] <a href="http://www.gnu.org/software/tar/manual/html_node/dereference.html" target="_blank">http://www.gnu.org/software/tar/manual/html_node/dereference.html</a>
On Thu, Jan 14, 2016 at 11:22 AM, Bartlomiej Piotrowski
<a href="mailto:bpiotrowski@mirantis.com" target="_blank"><bpiotrowski@mirantis.com></a> wrote:
</pre>
<blockquote type="cite">
<pre>Igor,
I took a glance at Maciej's patch and it adds a switch to tar command to
make it follow symbolic links, so it looks good to me.
Bartłomiej
On Thu, Jan 14, 2016 at 10:39 AM, Igor Kalnitsky <a href="mailto:ikalnitsky@mirantis.com" target="_blank"><ikalnitsky@mirantis.com></a>
wrote:
</pre>
<blockquote type="cite">
<pre>Hey Maciej -
</pre>
<blockquote type="cite">
<pre>About hardlinks - wouldn't it be better to use symlinks?
This way we don't occupy more space than necessary
</pre>
</blockquote>
<pre>AFAIK, hardlinks won't occupy much space. They are the links, after all.
:)
As for symlinks, I'm afraid shotgun (and fabric underneath) won't
resolve them and the links will get into the snapshot as is. That means if
there is no content in the snapshot that they are pointing to, they are
simply useless. Needs to be checked, though.
- Igor
On Thu, Jan 14, 2016 at 10:31 AM, Maciej Kwiek <a href="mailto:mkwiek@mirantis.com" target="_blank"><mkwiek@mirantis.com></a>
wrote:
</pre>
<blockquote type="cite">
<pre>Thanks for your insight guys!
I agree with Oleg, I will see what I can do to make this work this way.
About hardlinks - wouldn't it be better to use symlinks? This way we don't
occupy more space than necessary, and we can link to files and directories
that are in other block device than /var. Please see [1] review for a
proposed change that introduces symlinks.
This doesn't really give us much right now, because most of the logs are
fetched from master node via ssh due to shotgun being run in mcollective
container, but it's something! When we remove containers, this will prove
more useful.
Regards,
Maciej Kwiek
[1] <a href="https://review.openstack.org/#/c/266964/" target="_blank">https://review.openstack.org/#/c/266964/</a>
On Tue, Jan 12, 2016 at 1:51 PM, Oleg Gelbukh <a href="mailto:ogelbukh@mirantis.com" target="_blank"><ogelbukh@mirantis.com></a>
wrote:
</pre>
<blockquote type="cite">
<pre>I think we need to find a way to:
1) verify the size of snapshot without actually making it and compare to
the available disk space beforehand.
2) refuse to create snapshot if space is insufficient and notify user
(otherwise it breaks Admin node as we have seen)
3) provide a way to prioritize elements of the snapshot and exclude them
based on the priorities or user choice.
This will allow for better and safer UX with the snapshot.
--
Best regards,
Oleg Gelbukh
On Tue, Jan 12, 2016 at 1:47 PM, Maciej Kwiek <a href="mailto:mkwiek@mirantis.com" target="_blank"><mkwiek@mirantis.com></a>
wrote:
</pre>
<blockquote type="cite">
<pre>Hi!
I need some advice on how to tackle this issue. There is a bug [1]
describing the problem with creating a diagnostic snapshot. The issue is
that /var/log has 100GB available, while /var (where diagnostic snapshot is
being generated - /var/www/nailgun/dump/fuel-snapshot according to [2]) has
10GB available, so dumping the logs can be an issue when logs size exceeds
free space in /var.
There are several things we could do, but I am unsure on which course to
take. Should we
a) Allocate more disk space for /var/www (or for whole /var)?
b) Make the snapshot location share the diskspace of /var/log?
c) Something else? What?
Please share your thoughts on this.
Cheers,
Maciej Kwiek
[1] <a href="https://bugs.launchpad.net/fuel/+bug/1529182" target="_blank">https://bugs.launchpad.net/fuel/+bug/1529182</a>
[2]
<a href="https://github.com/openstack/fuel-web/blob/2855a9ba925c146b4802ab3cd2185f1dce2d8a6a/nailgun/nailgun/settings.yaml#L717" target="_blank">https://github.com/openstack/fuel-web/blob/2855a9ba925c146b4802ab3cd2185f1dce2d8a6a/nailgun/nailgun/settings.yaml#L717</a>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
<a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<br>
</div></div><span class=""><pre cols="72">--
Artem Panchenko
QA Engineer</pre>
</span></div>
<br></blockquote></div><br></div>
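<div>Added example, not part of the thread and not shotgun's code: a pre-flight check that lists symlinks in a log tree resolving outside it, next to what an archive stores for such a link with and without dereferencing. It uses the <code>dereference</code> flag of Python's <code>tarfile</code> as the counterpart of tar's <code>-h</code>; the function names and the temporary tree are assumptions made for the illustration.</div>

```python
import io
import os
import tarfile
import tempfile


def escaping_symlinks(root):
    """Return symlinks under root whose resolved target lies outside root."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            target = os.path.realpath(path)
            if os.path.islink(path) and os.path.commonpath([root_real, target]) != root_real:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def member_kinds(root, dereference):
    """Archive root in memory and report how each member was stored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", dereference=dereference) as tar:
        tar.add(root, arcname="snapshot")
    buf.seek(0)
    with tarfile.open(fileobj=buf) as tar:
        return {m.name: "link" if m.issym() else "dir" if m.isdir() else "file"
                for m in tar.getmembers()}


def demo():
    """Constructed tree: a log dir with one symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "log")
        os.mkdir(logs)
        with open(os.path.join(logs, "app.log"), "w") as f:
            f.write("constructed log line\n")
        outside = os.path.join(tmp, "outside.txt")  # stands in for a non-log file
        with open(outside, "w") as f:
            f.write("not a log\n")
        os.symlink(outside, os.path.join(logs, "planted.log"))
        key = "snapshot/planted.log"
        return (escaping_symlinks(logs),
                member_kinds(logs, False)[key],   # stored as a link, no content
                member_kinds(logs, True)[key])    # like tar -h: content copied in


if __name__ == "__main__":
    print(demo())
```

<div>The check is a snapshot in time: a link created after it runs and before the archive is written is not seen, which is the window the tar manual's warning is about.</div>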