release(package): force chmod permissions without write permissions in the groups #15627

Merged
merged 9 commits into from
Feb 11, 2025

@v1v v1v commented Feb 9, 2025

Motivation/summary

Linux package apm-server.yml has incorrect file mode 664, causing an error on startup.

I decided to use install instead of changing the umask in the VM itself so the specific requirements are set correctly in the scripts. That's how it's done in nfpm, see

- src: apm-server.yml
  dst: /etc/apm-server/apm-server.yml
  type: config|noreplace
  file_info:
    mode: 0600
    owner: apm-server
    group: apm-server

Checklist

For functional changes, consider:

  • Is it observable through the addition of either logging or metrics?
  • Is its use being published in telemetry to enable product improvement?
  • Have system tests been added to avoid regression?

How to test these changes

Download tar.gz files from https://buildkite.com/elastic/apm-server-package/builds/4008

Then

$ ls -l apm-server-9.1.0-linux-arm64
total 129632
-rw-r-----@ 1 vmartinez  staff      3859 Feb  9 14:13 LICENSE.txt
-rw-r-----@ 1 vmartinez  staff    943755 Feb  9 14:13 NOTICE.txt
-rwxrwxr-x@ 1 vmartinez  staff  56754328 Feb  9 14:13 apm-server
-rw-r-----@ 1 vmartinez  staff     39268 Feb  9 14:13 apm-server.yml
-rw-r-----@ 1 vmartinez  staff   8621110 Feb  9 14:13 java-attacher.jar

Compare that with the current settings on my local machine with umask 0022 and umask 0002:

$ wget https://artifacts-staging.elastic.co/apm-server/9.1.0-alpha1-3ac48d47/downloads/apm-server/apm-server-9.1.0-alpha1-linux-arm64.tar.gz
$ tar xvzf apm-server-9.1.0-alpha1-linux-arm64.tar.gz 
$ ls -l apm-server-9.1.0-alpha1-linux-arm64
total 129632
-rw-r--r--  1 vmartinez  wheel      3859 Feb  8 01:14 LICENSE.txt
-rw-r--r--  1 vmartinez  wheel    943755 Feb  8 01:14 NOTICE.txt
-rwxr-xr-x  1 vmartinez  wheel  56754328 Feb  8 01:14 apm-server
-rw-r--r--  1 vmartinez  wheel     39268 Feb  8 01:14 apm-server.yml
-rw-r--r--  1 vmartinez  wheel   8621110 Feb  8 01:14 java-attacher.jar
$ rm -rf apm-server-9.1.0-alpha1-linux-arm64* 
$ umask 0002
$ wget https://artifacts-staging.elastic.co/apm-server/9.1.0-alpha1-3ac48d47/downloads/apm-server/apm-server-9.1.0-alpha1-linux-arm64.tar.gz
$ tar xvzf apm-server-9.1.0-alpha1-linux-arm64.tar.gz 
$ ls -l apm-server-9.1.0-alpha1-linux-arm64  
total 129632
-rw-rw-r--  1 vmartinez  wheel      3859 Feb  8 01:14 LICENSE.txt
-rw-rw-r--  1 vmartinez  wheel    943755 Feb  8 01:14 NOTICE.txt
-rwxrwxr-x  1 vmartinez  wheel  56754328 Feb  8 01:14 apm-server
-rw-rw-r--  1 vmartinez  wheel     39268 Feb  8 01:14 apm-server.yml
-rw-rw-r--  1 vmartinez  wheel   8621110 Feb  8 01:14 java-attacher.jar

You can see the file permissions are 640 instead of 644 or 664.

Related issues

Closes #15592
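The description above contrasts umask-dependent modes with modes pinned by `install`. The following is an added example, not code from this PR or from packaging.mk: it stages files under umask 0002, pins modes with `install -m`, and audits the modes stored in the resulting tarball. The function names (`build_demo`, `writable_members`, `mode_string`) and the file `copied.yml` are hypothetical, and the file contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or from packaging.mk.
set -eu

# Stage a package tree under a permissive umask (0002), the setting that
# yields group-writable 664 files when nothing pins the mode.
# File names and contents here are constructed for the demonstration.
build_demo() {
    work=$1
    mkdir -p "$work/pkg"
    (
        umask 0002
        printf 'constructed sample config\n' > "$work/apm-server.yml"   # created as 664
        cp "$work/apm-server.yml" "$work/pkg/copied.yml"                # stays 664
        install -m 0600 "$work/apm-server.yml" "$work/pkg/apm-server.yml"
        install -m 0644 "$work/apm-server.yml" "$work/pkg/LICENSE.txt"
    )
    tar -czf "$work/pkg.tar.gz" -C "$work" pkg
}

# Print non-directory archive members whose stored mode is writable by
# group or others (position 6 or 9 of the mode string from `tar -tv`).
writable_members() {
    tar -tvzf "$1" | awk '
        substr($1, 1, 1) != "d" &&
        (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") { print $NF }'
}

# Mode string of a file on disk, e.g. "-rw-------".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
echo "group/other-writable members in archive:"
writable_members "$demo_dir/pkg.tar.gz"
echo "apm-server.yml on disk: $(mode_string "$demo_dir/pkg/apm-server.yml")"
rm -rf "$demo_dir"
```

Auditing the archive listing rather than an extracted copy avoids the extracting user's umask masking a bad stored mode, which is what the umask 0022 and 0002 listings above show.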

@v1v v1v requested a review from a team as a code owner February 9, 2025 13:26
@v1v v1v self-assigned this Feb 9, 2025
@v1v v1v added backport-8.x Automated backport to the 8.x branch with mergify backport-8.17 Automated backport with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch labels Feb 9, 2025

v1v commented Feb 10, 2025

Failures are not related to these changes but a bug when testing feature branches for the DRA. I'll fix it in a follow-up

@carsonip carsonip left a comment


Thanks, this fix should work.

  • we'll need a changelog for this (in this PR or in a separate one)
  • related to the above, i wonder if we should fix this in 8.17 patch, or just from 8.18 and 9.0. In any case, we shouldn't merge this too soon to avoid it coming out untested in 8.17.2.

@v1v v1v removed the backport-8.17 Automated backport with mergify label Feb 10, 2025

v1v commented Feb 10, 2025

I'll add an entry in the changelog after validating if things work after using 600


v1v commented Feb 10, 2025

Test

I downloaded
build/distributions/apm-server-9.1.0-SNAPSHOT-linux-x86_64.tar.gz
from this build

$ tar -xvzf apm-server-9.1.0-SNAPSHOT-linux-x86_64.tar.gz 
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/apm-server.yml
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/.build_hash.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/java-attacher.jar
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/LICENSE.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/NOTICE.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/apm-server
$ ls -l apm-server-9.1.0-SNAPSHOT-linux-x86_64
total 134456
-rw-------@ 1 vmartinez  staff      3859 Feb 10 11:30 LICENSE.txt
-rw-------@ 1 vmartinez  staff    943755 Feb 10 11:30 NOTICE.txt
-rwxr-xr-x@ 1 vmartinez  staff  59224216 Feb 10 11:30 apm-server
-rw-------@ 1 vmartinez  staff     39268 Feb 10 11:30 apm-server.yml
-rw-------@ 1 vmartinez  staff   8621110 Feb 10 11:30 java-attacher.jar


v1v commented Feb 10, 2025

> we'll need a changelog for this (in this PR or in a separate one)

See 1c9a161 (#15627)

> related to the above, i wonder if we should fix this in 8.17 patch, or just from 8.18 and 9.0. In any case, we shouldn't merge this too soon to avoid it coming out untested in 8.17.2.

I removed the backport label for 8.17

@v1v v1v requested a review from carsonip February 11, 2025 12:54

@carsonip carsonip left a comment


thanks! nit, as discussed, to make a clearer description

carsonip previously approved these changes Feb 11, 2025

v1v commented Feb 11, 2025

Tests

I downloaded this

$ tar -xvzf apm-server-9.1.0-SNAPSHOT-linux-x86_64.tar.gz
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/apm-server.yml
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/.build_hash.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/java-attacher.jar
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/LICENSE.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/NOTICE.txt
x apm-server-9.1.0-SNAPSHOT-linux-x86_64/apm-server
$ ls -l apm-server-9.1.0-SNAPSHOT-linux-x86_64
total 134456
-rw-r--r--@ 1 vmartinez  staff      3859 Feb 11 15:35 LICENSE.txt
-rw-r--r--@ 1 vmartinez  staff    943755 Feb 11 15:35 NOTICE.txt
-rwxr-xr-x@ 1 vmartinez  staff  59224216 Feb 11 15:35 apm-server
-rw-------@ 1 vmartinez  staff     39268 Feb 11 15:35 apm-server.yml
-rw-r--r--@ 1 vmartinez  staff   8621110 Feb 11 15:35 java-attacher.jar

I downloaded this

$ tar -xvzf apm-server-9.1.0-SNAPSHOT-linux-arm64.tar.gz 
x apm-server-9.1.0-SNAPSHOT-linux-arm64/
x apm-server-9.1.0-SNAPSHOT-linux-arm64/apm-server.yml
x apm-server-9.1.0-SNAPSHOT-linux-arm64/.build_hash.txt
x apm-server-9.1.0-SNAPSHOT-linux-arm64/java-attacher.jar
x apm-server-9.1.0-SNAPSHOT-linux-arm64/LICENSE.txt
x apm-server-9.1.0-SNAPSHOT-linux-arm64/NOTICE.txt
x apm-server-9.1.0-SNAPSHOT-linux-arm64/apm-server
$ ls -l apm-server-9.1.0-SNAPSHOT-linux-arm64           
total 129632
-rw-r--r--@ 1 vmartinez  staff      3859 Feb 11 15:36 LICENSE.txt
-rw-r--r--@ 1 vmartinez  staff    943755 Feb 11 15:36 NOTICE.txt
-rwxr-xr-x@ 1 vmartinez  staff  56754328 Feb 11 15:36 apm-server
-rw-------@ 1 vmartinez  staff     39268 Feb 11 15:36 apm-server.yml
-rw-r--r--@ 1 vmartinez  staff   8621110 Feb 11 15:36 java-attacher.jar

@v1v v1v merged commit 9f75aa4 into main Feb 11, 2025
17 checks passed
@v1v v1v deleted the feature/set-permissions-dra-packaging branch February 11, 2025 15:53
mergify bot pushed a commit that referenced this pull request Feb 11, 2025
…n the groups (#15627)

(cherry picked from commit 9f75aa4)

# Conflicts:
#	changelogs/9.0.asciidoc
mergify bot pushed a commit that referenced this pull request Feb 11, 2025
…n the groups (#15627)

(cherry picked from commit 9f75aa4)

# Conflicts:
#	changelogs/8.18.asciidoc
#	changelogs/9.0.asciidoc
mergify bot added a commit that referenced this pull request Feb 11, 2025
…ions in the groups (backport #15627) (#15677)

* release(package): force chmod permissions without write permissions in the groups (#15627)

(cherry picked from commit 9f75aa4)

# Conflicts:
#	changelogs/8.18.asciidoc
#	changelogs/9.0.asciidoc

* remove

---------

Co-authored-by: Victor Martinez <[email protected]>
mergify bot added a commit that referenced this pull request Feb 11, 2025
…ions in the groups (backport #15627) (#15675)

* release(package): force chmod permissions without write permissions in the groups (#15627)

(cherry picked from commit 9f75aa4)

# Conflicts:
#	changelogs/9.0.asciidoc

* remove

---------

Co-authored-by: Victor Martinez <[email protected]>
mergify bot added a commit that referenced this pull request Feb 11, 2025
…sions in the groups (backport #15627) (#15676)

* release(package): force chmod permissions without write permissions in the groups (#15627)

(cherry picked from commit 9f75aa4)

# Conflicts:
#	changelogs/9.0.asciidoc

* remove

---------

Co-authored-by: Victor Martinez <[email protected]>