canonical / opensearch-snap

OpenSearch Snap
Apache License 2.0

Missing permissions on log4j to set log attributes #65

Open phvalguima opened 1 month ago

phvalguima commented 1 month ago

Hi, I am seeing the following log occasionally showing up:

ERROR StatusConsoleListener Could not define attribute view on path "/var/snap/opensearch/common/var/log/opensearch/opensearch-mayv.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
    at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
    at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
    at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
    at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
    at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
    at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
    at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:686)
    at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:644)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:620)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:556)
    at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:81)
    at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
    at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2165)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2119)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2102)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1977)
    at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1943)
    at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1280)
    at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
    at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:246)
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:913)
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)

The file does exist and has the right permissions though:

$ sudo ls -la /var/snap/opensearch/common/var/log/opensearch/opensearch-mayv_server.json
-rw-r--r-- 1 snap_daemon snap_daemon 24756 Jun 13 05:50 /var/snap/opensearch/common/var/log/opensearch/opensearch-mayv_server.json

Looking at this trace and the log4j source, I believe the issue happens because log4j tries to set attributes on this file and the snap security does not allow for that.

From the log4j source, it seems this behavior of setting attributes is mandatory on Linux.

Looking at the kernel logs, I can only see the following DENIED on apparmor, for java: https://pastebin.ubuntu.com/p/h63tRsnMcF/

And one extra entry for the OpenSearch snap configure: Jun 12 19:07:32 ip-192-168-235-235 kernel: [ 116.909942] audit: type=1400 audit(1718219252.736:74): apparmor="DENIED" operation="capable" class="cap" profile="snap.opensearch.hook.configure" pid=4696 comm="bash" capability=1 capname="dac_override"

They seem unrelated to the problem above.
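An added example (not from the issue, the snap, or log4j itself) that isolates the check behind the trace: the same java.nio attribute-view call log4j's FileManager.defineAttributeView makes, run under a SecurityManager once without and once with the RuntimePermission named in the AccessControlException. The class name, the /tmp probe path and the two policy files are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/*
 * The Posix attribute view (UnixFileAttributeViews$Posix.checkWriteExtended in the
 * trace) asks the SecurityManager for write access to the file AND for
 * RuntimePermission("accessUserInformation") before it will chmod the file;
 * the file's own mode bits play no part in that decision.
 *
 * Build and run (assumed file names; both policies are constructed samples):
 *   javac PosixAttrCheck.java
 *   java -Djava.security.manager -Djava.security.policy=denied.policy PosixAttrCheck
 *   java -Djava.security.manager -Djava.security.policy=granted.policy PosixAttrCheck
 *
 * denied.policy (writing the file is allowed, changing its attributes is not):
 *   grant {
 *     permission java.io.FilePermission "/tmp/-", "read,write,delete";
 *   };
 *
 * granted.policy (adds the permission named in the AccessControlException):
 *   grant {
 *     permission java.io.FilePermission "/tmp/-", "read,write,delete";
 *     permission java.lang.RuntimePermission "accessUserInformation";
 *   };
 */
public class PosixAttrCheck {
    public static void main(String[] args) throws IOException {
        // Assumption: a throwaway probe file under /tmp stands in for the snap's log file
        Path file = Path.of(args.length > 0 ? args[0] : "/tmp/attr-check.log");
        Files.writeString(file, "probe\n");   // plain write: passes with FilePermission alone

        // Same attribute-view operation log4j performs after a rollover
        Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-r--r--");
        try {
            Files.setPosixFilePermissions(file, perms);
            System.out.println("setPermissions OK: "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(file)));
        } catch (SecurityException e) {
            // This is the branch the OpenSearch trace ends in
            System.out.println("setPermissions denied by SecurityManager: " + e.getMessage());
        } finally {
            Files.deleteIfExists(file);
        }
    }
}
```

On JDK 17 and later the launcher prints a deprecation warning for -Djava.security.manager but still enforces the policy, so the first run reports the denial and the second succeeds.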

github-actions[bot] commented 1 month ago

https://warthogs.atlassian.net/browse/DPE-4626