fix(rpm): preserve config on upgrade, set correct ownership/permissions
RPM packaging improvements:
- Fix %config(noreplace) directive in spec file (logcorrelator.yml)
- Fix post script: use correct path for .yml.example (/etc/logcorrelator/)
- Set /var/run/logcorrelator ownership to logcorrelator:logcorrelator
- Set correct permissions: /var/run (755), /var/log (750), /var/lib (750)
- Add %config(noreplace) for logrotate.d/logcorrelator
- Add comprehensive RPM test script (packaging/test/test-rpm.sh)

Documentation updates:
- Update architecture.yml with filesystem permissions section
- Document socket ownership (logcorrelator:logcorrelator, 0666)
- Document config file policy (%config(noreplace) behavior)
- Add systemd hardening directives (NoNewPrivileges, ProtectSystem)
- Update ClickHouse schema: mark non-implemented fields
- Remove materialized view SQL (managed externally)
- Add stdout sink module documentation

Build pipeline:
- Update Dockerfile.package with comments for config policy
- Add /var/lib/logcorrelator directory creation
- Document fpm %config(noreplace) limitations

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
@ -1,6 +1,12 @@
#!/bin/bash
# post script for logcorrelator RPM package
# post install script for logcorrelator RPM package
# Compatible with CentOS 7, Rocky Linux 8, 9, 10
#
# Configuration file policy:
# - logcorrelator.yml: %config(noreplace) - NEVER overwritten on upgrade
# - logcorrelator.yml.example: ALWAYS updated with new configuration options
# - On first install: logcorrelator.yml is created from logcorrelator.yml.example
# - On upgrade: existing logcorrelator.yml is preserved
set -e
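Review bot: `set -e` at the top of a %post scriptlet means any non-zero exit below it (a `chown` on a directory whose owner account does not exist yet, a `cp` whose source file is absent) aborts the rest of the scriptlet after rpm has already laid down the files, so the host ends up with the package installed but ownership and the config copy only partially applied; either drop `set -e` and let each step fail on its own, or keep it and check the preconditions before the mutating commands. The policy header also states that logcorrelator.yml is "NEVER overwritten on upgrade", but that guarantee comes from the spec's %config(noreplace) directive, not from anything in this script; say so in the comment so a reader of the script alone knows where the mechanism lives.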
@ -24,19 +30,34 @@ mkdir -p /var/log/logcorrelator
mkdir -p /var/run/logcorrelator
# Set ownership
# /var/run/logcorrelator: must be owned by logcorrelator for socket creation
# /var/log/logcorrelator: must be owned by logcorrelator for log file writing
# /var/lib/logcorrelator: home directory for the service
chown -R logcorrelator:logcorrelator /var/lib/logcorrelator
chown -R logcorrelator:logcorrelator /var/log/logcorrelator
chown -R logcorrelator:logcorrelator /var/run/logcorrelator
chown -R logcorrelator:logcorrelator /etc/logcorrelator
# Set permissions
# /var/run/logcorrelator: 755 to allow other users/apps to create sockets if needed
# /var/log/logcorrelator: 750 to restrict log access
# /var/lib/logcorrelator: 750 for service data
# /etc/logcorrelator: 750 to restrict config access
chmod 755 /var/run/logcorrelator
chmod 750 /var/lib/logcorrelator
chmod 750 /var/log/logcorrelator
chmod 750 /etc/logcorrelator
# Copy default config if not exists
# Copy default config example (always updated)
# The main config file is preserved across upgrades via %config(noreplace)
if [ -f /etc/logcorrelator/logcorrelator.yml.example ]; then
chown logcorrelator:logcorrelator /etc/logcorrelator/logcorrelator.yml.example
chmod 640 /etc/logcorrelator/logcorrelator.yml.example
fi
# Create main config file only if it doesn't exist (first install)
if [ ! -f /etc/logcorrelator/logcorrelator.yml ]; then
cp /usr/share/logcorrelator/logcorrelator.yml.example /etc/logcorrelator/logcorrelator.yml
cp /etc/logcorrelator/logcorrelator.yml.example /etc/logcorrelator/logcorrelator.yml
chown logcorrelator:logcorrelator /etc/logcorrelator/logcorrelator.yml
chmod 640 /etc/logcorrelator/logcorrelator.yml
fi
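Review bot: the first-install branch runs `cp /etc/logcorrelator/logcorrelator.yml.example /etc/logcorrelator/logcorrelator.yml` without the `-f` guard that the block just above applies to the example file, so under `set -e` a package that ships no example file aborts the scriptlet before the chown/chmod of the new config ever runs; put the copy inside an `if [ -f /etc/logcorrelator/logcorrelator.yml.example ]` check or make the preceding block fail loudly instead of silently skipping. The comment "/var/run/logcorrelator: 755 to allow other users/apps to create sockets if needed" does not describe what the mode does: with the directory owned by logcorrelator, 755 grants other users traverse and list access only, which is what lets them reach the 0666 socket the commit message documents, so reword the rationale. On Rocky 8/9/10 /var/run is a tmpfs, so the directory created here with `mkdir -p /var/run/logcorrelator` does not survive a reboot; a RuntimeDirectory= line in the unit (next to the NoNewPrivileges/ProtectSystem hardening this commit adds) or a tmpfiles.d entry is the durable fix. Finally, `chown -R logcorrelator:logcorrelator /etc/logcorrelator` makes the service account the owner of its own configuration, so a compromised daemon can rewrite it; root:logcorrelator with 750 on the directory and 640 on the files keeps the config readable by the service but not writable.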