Offer better choices for log file and directory permissions

Description

We would like to collect GitLab logs using our corporate log management infrastructure, Sumo Logic. Per our current standards, the Sumo Logic collector runs as the sumologic user on Linux platforms. To give Sumo Logic access to application logs, we typically set ownership of files and directories so that a particular application-related group can read the log files, and then we add the sumologic user to that UNIX group.

This strategy does not work well for GitLab, because the default permissions for log directories are locked down pretty tight. Typically, only the user (git, or gitlab-www, etc.) can read the log files, and members of the associated group cannot. We've attempted to change the ownership and permissions to something that works better for us. However, that's not a viable strategy, because the various Chef recipes reset the directory permissions (and sometimes also ownership) every time gitlab-ctl reconfigure is run.

Proposal

We would like to see some better choices for log file and directory permissions in GitLab. Two options come to mind:

  1. A new default permissions/ownership strategy that makes it easier to grant other Linux users rights to view log files via group membership
  2. A new configuration option manage_logs, similar to the existing manage_etc option, that would let us manage ownership/permissions of log directories outside of GitLab, without GitLab resetting changes during the reconfigure step

The table below shows a set of ownership and permissions that might work.

| Directory | Ownership | Permissions |
|---|---|---|
| /var/log/gitlab | git:git | 2770 |
| /var/log/gitlab/gitlab-rails | git:git | 2770 |
| /var/log/gitlab/gitlab-shell | git:git | 2770 |
| /var/log/gitlab/gitlab-workhorse | git:git | 2770 |
| /var/log/gitlab/nginx | gitlab-www:gitlab-www | 2770 |
| /var/log/gitlab/postgresql | gitlab-psql:gitlab-psql | 2770 |
| /var/log/gitlab/redis | gitlab-redis:gitlab-redis | 2770 |
| /var/log/gitlab/sidekiq | git:git | 2770 |
| /var/log/gitlab/unicorn | git:git | 2770 |

Given the 2770 permissions, files created in these directories will be owned by the correct group, which gets us most of the way there. However, in a few cases tweaks would also need to be made to permissions on log files. For instance, /var/log/gitlab/gitlab-rails/application.log has permissions 600, so the group ownership change isn't enough to give sumologic access to the log, even if it's in the git group.
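The interaction described above, where a 2770 directory lets group members in but a 600 log file still refuses them the read, can be checked mechanically before touching a production host. The script below is an added example, not code from GitLab or from this issue: it implements the POSIX owner/group/other check, walks the directory chain the way the kernel does (search bit on every directory from a chosen root down, read bit on the file), and runs it against a constructed stand-in for /var/log/gitlab/gitlab-rails/application.log. The collector uid (the owner's uid plus one) and the temporary tree are constructed for the demo; directories above the chosen root are assumed traversable, as /var and /var/log normally are.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, Tuple

BITS = {"r": 4, "w": 2, "x": 1}


def allowed(mode: int, file_uid: int, file_gid: int,
            uid: int, gids: Iterable[int], want: str) -> bool:
    """Classic POSIX DAC: exactly one permission class applies, chosen in the
    order owner -> group -> other. uid 0 bypasses the check, as root does."""
    if uid == 0:
        return True
    if file_uid == uid:
        shift = 6
    elif file_gid in set(gids):
        shift = 3
    else:
        shift = 0
    return bool((stat.S_IMODE(mode) >> shift) & BITS[want])


def can_read(path: str, uid: int, gids: Iterable[int], root: str) -> Tuple[bool, str]:
    """Can `uid` (holding supplementary `gids`) open `path` for reading?
    Every directory from `root` down to the file needs the search (x) bit and
    the file itself needs the read (r) bit. Returns (ok, reason)."""
    gids = set(gids)
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    rel_parts = os.path.relpath(path, root).split(os.sep)
    dirs = [root]
    for part in rel_parts[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        st = os.stat(d)
        if not allowed(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            return False, f"no search (x) bit for this user on directory {d}"
    st = os.stat(path)
    if not allowed(st.st_mode, st.st_uid, st.st_gid, uid, gids, "r"):
        return False, f"no read bit for this user on {path} (mode {oct(stat.S_IMODE(st.st_mode))})"
    return True, "readable"


def build_demo_tree(base: str) -> str:
    """Constructed stand-in for the layout in the issue: `base` plays
    /var/log/gitlab (2770), base/gitlab-rails is 2770, and the
    application.log inside it is 600."""
    os.chmod(base, 0o2770)
    logdir = os.path.join(base, "gitlab-rails")
    os.mkdir(logdir)
    os.chmod(logdir, 0o2770)  # mkdir applies the umask; set the mode explicitly
    logfile = os.path.join(logdir, "application.log")
    with open(logfile, "w") as fh:
        fh.write("constructed sample log line\n")
    os.chmod(logfile, 0o600)
    return logfile


def run_demo() -> Dict[str, bool]:
    """Evaluate the cases the issue cares about. The collector uid is
    constructed as the owner's uid + 1: a different user sharing the git group."""
    owner, gid = os.getuid(), os.getgid()
    collector = owner + 1
    with tempfile.TemporaryDirectory() as base:
        logfile = build_demo_tree(base)
        results = {
            # the git user itself: owner bits apply, so 600 is enough
            "owner_600": can_read(logfile, owner, {gid}, base)[0],
            # the collector in the git group: 2770 directories let it in, the 600 file does not
            "group_member_600": can_read(logfile, collector, {gid}, base)[0],
        }
        os.chmod(logfile, 0o640)  # the per-file tweak the issue describes
        results["group_member_640"] = can_read(logfile, collector, {gid}, base)[0]
        # a user outside the group never gets past the 2770 directories
        results["outsider_640"] = can_read(logfile, collector, {gid + 1}, base)[0]
        return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:18} {'readable' if ok else 'denied'}")
```

Pointing `can_read` at a real tree (for example `can_read("/var/log/gitlab/gitlab-rails/application.log", uid, gids, "/var/log/gitlab")` with the collector's uid and groups from `id`) turns this into a quick audit of which files the collector will actually be able to open after a reconfigure, without having to log in as that user.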

Workarounds
