fix(rpm): preserve config on upgrade, set correct ownership/permissions
RPM packaging improvements: - Fix %config(noreplace) directive in spec file (logcorrelator.yml) - Fix post script: use correct path for .yml.example (/etc/logcorrelator/) - Set /var/run/logcorrelator ownership to logcorrelator:logcorrelator - Set correct permissions: /var/run (755), /var/log (750), /var/lib (750) - Add %config(noreplace) for logrotate.d/logcorrelator - Add comprehensive RPM test script (packaging/test/test-rpm.sh) Documentation updates: - Update architecture.yml with filesystem permissions section - Document socket ownership (logcorrelator:logcorrelator, 0666) - Document config file policy (%config(noreplace) behavior) - Add systemd hardening directives (NoNewPrivileges, ProtectSystem) - Update ClickHouse schema: mark non-implemented fields - Remove materialized view SQL (managed externally) - Add stdout sink module documentation Build pipeline: - Update Dockerfile.package with comments for config policy - Add /var/lib/logcorrelator directory creation - Document fpm %config(noreplace) limitations Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
@ -45,6 +45,8 @@ RUN dnf install -y epel-release && \
|
||||
|
||||
# Copy binary from builder
|
||||
COPY --from=builder /build/dist/logcorrelator /tmp/pkgroot/usr/bin/logcorrelator
|
||||
# Config files: .yml is marked %config(noreplace) in RPM spec (preserved on upgrade)
|
||||
# .yml.example is always updated to reflect latest configuration options
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml.example
|
||||
COPY --from=builder /build/logcorrelator.service /tmp/pkgroot/etc/systemd/system/logcorrelator.service
|
||||
@ -54,6 +56,9 @@ COPY packaging/rpm/postun /tmp/scripts/postun
|
||||
COPY packaging/rpm/logrotate /tmp/pkgroot/etc/logrotate.d/logcorrelator
|
||||
|
||||
# Create directories and set permissions
|
||||
# /var/run/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/log/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/lib/logcorrelator: created for service home directory
|
||||
RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/run/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/lib/logcorrelator && \
|
||||
@ -63,9 +68,12 @@ RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 644 /tmp/pkgroot/etc/systemd/system/logcorrelator.service && \
|
||||
chmod 755 /tmp/scripts/* && \
|
||||
chmod 755 /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/lib/logcorrelator
|
||||
|
||||
# Build RPM for Enterprise Linux 8 (el8)
|
||||
# Note: fpm does not support %config(noreplace) directly; this is handled in the spec file
|
||||
# The post install script ensures existing config is preserved
|
||||
ARG VERSION=$(grep -m1 "^Version:" packaging/rpm/logcorrelator.spec | awk '{print $2}')
|
||||
RUN mkdir -p /packages/rpm/el8 && \
|
||||
fpm -s dir -t rpm \
|
||||
@ -107,6 +115,8 @@ RUN dnf install -y epel-release && \
|
||||
|
||||
# Copy binary from builder
|
||||
COPY --from=builder /build/dist/logcorrelator /tmp/pkgroot/usr/bin/logcorrelator
|
||||
# Config files: .yml is marked %config(noreplace) in RPM spec (preserved on upgrade)
|
||||
# .yml.example is always updated to reflect latest configuration options
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml.example
|
||||
COPY --from=builder /build/logcorrelator.service /tmp/pkgroot/etc/systemd/system/logcorrelator.service
|
||||
@ -116,6 +126,9 @@ COPY packaging/rpm/postun /tmp/scripts/postun
|
||||
COPY packaging/rpm/logrotate /tmp/pkgroot/etc/logrotate.d/logcorrelator
|
||||
|
||||
# Create directories and set permissions
|
||||
# /var/run/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/log/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/lib/logcorrelator: created for service home directory
|
||||
RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/run/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/lib/logcorrelator && \
|
||||
@ -125,7 +138,8 @@ RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 644 /tmp/pkgroot/etc/systemd/system/logcorrelator.service && \
|
||||
chmod 755 /tmp/scripts/* && \
|
||||
chmod 755 /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/lib/logcorrelator
|
||||
|
||||
# Build RPM for Enterprise Linux 9 (el9)
|
||||
ARG VERSION=$(grep -m1 "^Version:" packaging/rpm/logcorrelator.spec | awk '{print $2}')
|
||||
@ -169,6 +183,8 @@ RUN dnf install -y epel-release && \
|
||||
|
||||
# Copy binary from builder
|
||||
COPY --from=builder /build/dist/logcorrelator /tmp/pkgroot/usr/bin/logcorrelator
|
||||
# Config files: .yml is marked %config(noreplace) in RPM spec (preserved on upgrade)
|
||||
# .yml.example is always updated to reflect latest configuration options
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml
|
||||
COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml.example
|
||||
COPY --from=builder /build/logcorrelator.service /tmp/pkgroot/etc/systemd/system/logcorrelator.service
|
||||
@ -178,6 +194,9 @@ COPY packaging/rpm/postun /tmp/scripts/postun
|
||||
COPY packaging/rpm/logrotate /tmp/pkgroot/etc/logrotate.d/logcorrelator
|
||||
|
||||
# Create directories and set permissions
|
||||
# /var/run/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/log/logcorrelator: 755 - will be owned by logcorrelator:logcorrelator by post install script
|
||||
# /var/lib/logcorrelator: created for service home directory
|
||||
RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/run/logcorrelator && \
|
||||
mkdir -p /tmp/pkgroot/var/lib/logcorrelator && \
|
||||
@ -187,7 +206,8 @@ RUN mkdir -p /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 644 /tmp/pkgroot/etc/systemd/system/logcorrelator.service && \
|
||||
chmod 755 /tmp/scripts/* && \
|
||||
chmod 755 /tmp/pkgroot/var/log/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator
|
||||
chmod 755 /tmp/pkgroot/var/run/logcorrelator && \
|
||||
chmod 755 /tmp/pkgroot/var/lib/logcorrelator
|
||||
|
||||
# Build RPM for Enterprise Linux 10 (el10)
|
||||
ARG VERSION=$(grep -m1 "^Version:" packaging/rpm/logcorrelator.spec | awk '{print $2}')
|
||||
|
||||
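Review bot: The staged log and state directories are set to 755 in the `-63,9 +68,12` hunk (`chmod 755 /tmp/pkgroot/var/log/logcorrelator`, `chmod 755 /tmp/pkgroot/var/lib/logcorrelator`), and the new comment also says `/var/log/logcorrelator: 755`, while the commit description states 750 for /var/log and /var/lib. Unless the post-install script tightens the mode (it is not visible on this page), the installed directories stay listable and traversable by every local account, which is broader than a log-correlation service needs. I would stage them as `chmod 750 /tmp/pkgroot/var/log/logcorrelator` and `chmod 750 /tmp/pkgroot/var/lib/logcorrelator`, and change the comment to read `750` so the Dockerfile, the description and the documented permissions agree. The same lines appear in the el9 and el10 stages (`-125,7 +138,8` and `-187,7 +206,8`). The RUN instruction begins and continues outside the lines shown, so the chmod lines between the hunks should be checked against the same policy.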