sensu / sensu-omnibus

Build full-stack platform-specific Sensu packages

Omnibus-generated RPM specs are too greedy #224

Closed cwjohnston closed 7 years ago

cwjohnston commented 7 years ago

Per sensu/sensu#1705, our RPM packages are behaving in a way that inappropriately prevents other packages from writing to some number of directories, e.g. /etc/sensu/conf.d and /etc/systemd/system.

Thanks to @blee1170 for reporting this issue.

I've used rpmrebuild to regenerate the RPM specs for sensu-0.26.5-2.el7.x86_64.rpm and sensu-1.0.0-1.el7.x86_64.rpm, the latter being the last released package built with the deprecated sensu-build toolchain. The regenerated specs are in this gist.

Off hand I see the following in the 1.0.0-1 spec, which seem problematic:

%dir %attr(0755, root, root) "/etc"
%dir %attr(0755, root, root) "/etc/default"
%config(noreplace) %attr(0644, root, root) "/etc/default/sensu"
%dir %attr(0755, root, root) "/etc/logrotate.d"
%config(noreplace) %attr(0644, root, root) "/etc/logrotate.d/sensu"
%dir %attr(0755, root, root) "/etc/sensu"
%dir %attr(0755, root, root) "/etc/sensu/conf.d"
%dir %attr(0755, root, root) "/etc/sensu/extensions"
%dir %attr(0755, root, root) "/etc/sensu/plugins"
%dir %attr(0755, root, root) "/etc/systemd"
%dir %attr(0755, root, root) "/etc/systemd/system"

Compare to the 0.26.5 spec, for example with regard to /etc/sensu/conf.d:

%config(noreplace) %attr(0644, root, root) "/etc/sensu/conf.d/README.md"

Also I note that there's a big difference in the overall number of %dir directives between the two:

$ grep "%dir" sensu-1.0.0-1.spec | wc -l
     688
$ grep "%dir" sensu-0.26.5-2.spec  | wc -l
      21

amdprophet commented 7 years ago

@blee1170 - can you try adding "Requires: sensu" to your RPM spec? It should allow you to write files to paths owned by the Sensu RPM.

I am working on a fix to remove ownership of the systemd directories.

LordBrain commented 7 years ago

@amdprophet Unfortunately, the way our pipeline works, we have a base image that installs everything we need on it to run (sensu is one of those). Then applications get installed onto that image later. So we cannot include sensu in those RPMs because it would mess up the testing.

amdprophet commented 7 years ago

@blee1170 Do your deployments include any other mainstream packages (e.g. apache, haproxy)? I've taken a look at the spec files for apache and haproxy, and they both have %dir entries for their respective etc directories. It seems that it's standard practice for applications to own their configuration directories, so I'm curious how your pipeline deals (or would deal) with them.

LordBrain commented 7 years ago

@amdprophet We do have apps that use apache, tomcat, haproxy. Just a ton really. And as far as I know they are not having a problem like this.

amdprophet commented 7 years ago

@blee1170 are you able to provide us with a way to replicate the issue you're seeing - perhaps by providing an RPM specfile?

portertech commented 7 years ago

We now exclude certain file system directories from the Sensu RPM package spec - https://sensuapp.org/docs/1.0/overview/changelog.html#core-v1-0-1-changes

@blee1170 please try Sensu 1.0.1 (or greater) and let us know if this fixes the issue for you. Please feel free to create a new issue if it does not 👍
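
As an added example (not part of the thread and not sensu-omnibus code), a shell check for the condition this issue describes: it lists the %dir entries in a regenerated spec that lie outside the directories the package is expected to own. The function names and the choice of /etc/sensu as the only owned prefix are assumptions; the sample lines are the 1.0.0-1 excerpt quoted in the first comment.

```shell
# Added example: flag %dir entries outside the package's own directories.
# Assumes one entry per line and no whitespace inside paths.
# usage: greedy_dirs SPEC_FILE OWNED_PREFIX [OWNED_PREFIX ...]
greedy_dirs() {
    spec=$1; shift
    owned=$(IFS=:; printf '%s' "$*")   # join the owned prefixes with ':'
    awk -v owned="$owned" '
        BEGIN { n = split(owned, pfx, ":") }
        $1 == "%dir" {
            path = $NF                  # path is the last field, quoted
            gsub(/"/, "", path)
            ok = 0
            # owned only if equal to a prefix or strictly beneath it
            for (i = 1; i <= n; i++)
                if (path == pfx[i] || index(path, pfx[i] "/") == 1) ok = 1
            if (!ok) print path
        }
    ' "$spec"
}

# Sample input: the 1.0.0-1 spec lines quoted in the issue.
write_sample_spec() {
    cat > "$1" <<'EOF'
%dir %attr(0755, root, root) "/etc"
%dir %attr(0755, root, root) "/etc/default"
%config(noreplace) %attr(0644, root, root) "/etc/default/sensu"
%dir %attr(0755, root, root) "/etc/logrotate.d"
%config(noreplace) %attr(0644, root, root) "/etc/logrotate.d/sensu"
%dir %attr(0755, root, root) "/etc/sensu"
%dir %attr(0755, root, root) "/etc/sensu/conf.d"
%dir %attr(0755, root, root) "/etc/sensu/extensions"
%dir %attr(0755, root, root) "/etc/sensu/plugins"
%dir %attr(0755, root, root) "/etc/systemd"
%dir %attr(0755, root, root) "/etc/systemd/system"
EOF
}

# Demo: everything printed is a directory the spec claims but /etc/sensu
# does not cover (here /etc, /etc/default, /etc/logrotate.d, /etc/systemd*).
demo_spec=$(mktemp)
write_sample_spec "$demo_spec"
greedy_dirs "$demo_spec" /etc/sensu
rm -f "$demo_spec"
```

Run in a package build pipeline, a non-empty result can be treated as a failure so that a spec claiming shared directories is caught before release.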