logcorrelator/packaging/rpm/post
toto 24f2d8a3c4 fix(rpm): preserve config on upgrade, set correct ownership/permissions
RPM packaging improvements:
- Fix %config(noreplace) directive in spec file (logcorrelator.yml)
- Fix post script: use correct path for .yml.example (/etc/logcorrelator/)
- Set /var/run/logcorrelator ownership to logcorrelator:logcorrelator
- Set correct permissions: /var/run (755), /var/log (750), /var/lib (750)
- Add %config(noreplace) for logrotate.d/logcorrelator
- Add comprehensive RPM test script (packaging/test/test-rpm.sh)

Documentation updates:
- Update architecture.yml with filesystem permissions section
- Document socket ownership (logcorrelator:logcorrelator, 0666)
- Document config file policy (%config(noreplace) behavior)
- Add systemd hardening directives (NoNewPrivileges, ProtectSystem)
- Update ClickHouse schema: mark non-implemented fields
- Remove materialized view SQL (managed externally)
- Add stdout sink module documentation

Build pipeline:
- Update Dockerfile.package with comments for config policy
- Add /var/lib/logcorrelator directory creation
- Document fpm %config(noreplace) limitations

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-03-03 21:30:27 +00:00


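#!/bin/bash
# post install script for logcorrelator RPM package
# Compatible with CentOS 7, Rocky Linux 8, 9, 10
#
# rpm invokes this scriptlet as `post <count>` where count is 1 on a fresh
# install and >= 2 on an upgrade; it is empty when the script is run by hand.
#
# Configuration file policy:
# - logcorrelator.yml: %config(noreplace) - NEVER overwritten on upgrade
# - logcorrelator.yml.example: ALWAYS updated with new configuration options
# - On first install: logcorrelator.yml is created from logcorrelator.yml.example
# - On upgrade: existing logcorrelator.yml is preserved
set -eu

# Default to "initial install" when $1 is absent so set -u cannot abort us.
install_count=${1:-1}

readonly svc_user=logcorrelator
readonly svc_group=logcorrelator
readonly conf_dir=/etc/logcorrelator
readonly lib_dir=/var/lib/logcorrelator
readonly log_dir=/var/log/logcorrelator
readonly run_dir=/var/run/logcorrelator

# Create logcorrelator group and system user (idempotent across upgrades).
if ! getent group "$svc_group" >/dev/null 2>&1; then
  groupadd --system "$svc_group"
fi
if ! getent passwd "$svc_user" >/dev/null 2>&1; then
  useradd --system \
    --gid "$svc_group" \
    --home-dir "$lib_dir" \
    --no-create-home \
    --shell /usr/sbin/nologin \
    "$svc_user"
fi

# Create directories.
# NOTE(review): /var/run is volatile on systemd hosts, so $run_dir disappears
# at reboot; a tmpfiles.d entry or RuntimeDirectory= in the unit is needed to
# recreate it unless the unit already provides one -- confirm against the spec.
mkdir -p "$lib_dir" "$log_dir" "$run_dir"

# Set ownership
# $run_dir: must be owned by logcorrelator for socket creation
# $log_dir: must be owned by logcorrelator for log file writing
# $lib_dir: home directory for the service
# -R keeps files left by earlier installs usable by the service account.
chown -R "$svc_user:$svc_group" "$lib_dir"
chown -R "$svc_user:$svc_group" "$log_dir"
chown -R "$svc_user:$svc_group" "$run_dir"
# NOTE(review): this makes the service account the owner of its own
# configuration, so a compromised daemon could rewrite it. root:logcorrelator
# with group-readable files (see the 640 below) would be tighter -- confirm
# the daemon never needs write access to $conf_dir before changing it.
chown -R "$svc_user:$svc_group" "$conf_dir"

# Set permissions
# $run_dir: 755 so other users/apps can traverse the directory and connect to
#           the socket; it does NOT let them create entries (no write bit).
# $log_dir: 750 to restrict log access
# $lib_dir: 750 for service data
# $conf_dir: 750 to restrict config access
chmod 755 "$run_dir"
chmod 750 "$lib_dir"
chmod 750 "$log_dir"
chmod 750 "$conf_dir"

# Example config is always updated by the package; keep it readable only by
# root and the service group (it may contain credential placeholders).
if [[ -f "$conf_dir/logcorrelator.yml.example" ]]; then
  chown "$svc_user:$svc_group" "$conf_dir/logcorrelator.yml.example"
  chmod 640 "$conf_dir/logcorrelator.yml.example"
fi

# Create the main config only if it does not exist (first install).
# When the spec ships logcorrelator.yml as %config(noreplace), rpm has already
# laid it down before %post runs and this branch is not taken; it only matters
# if the file is absent from the payload.
if [[ ! -f "$conf_dir/logcorrelator.yml" ]]; then
  if [[ -f "$conf_dir/logcorrelator.yml.example" ]]; then
    cp "$conf_dir/logcorrelator.yml.example" "$conf_dir/logcorrelator.yml"
    chown "$svc_user:$svc_group" "$conf_dir/logcorrelator.yml"
    chmod 640 "$conf_dir/logcorrelator.yml"
  else
    # Without the guard an unconditional cp would trip set -e and leave the
    # whole %post (including the systemd steps below) unfinished.
    printf 'warning: %s missing; no default configuration created\n' \
      "$conf_dir/logcorrelator.yml.example" >&2
  fi
fi

# logrotate config must be world-readable for logrotate to pick it up.
if [[ -f /etc/logrotate.d/logcorrelator ]]; then
  chmod 644 /etc/logrotate.d/logcorrelator
fi

# Only talk to systemd when it is actually running as init: /run/systemd/system
# is the documented sd_booted() check.  In a container or chroot build the
# binary is present but daemon-reload fails, which would abort this scriptlet.
if command -v systemctl >/dev/null 2>&1 && [[ -d /run/systemd/system ]]; then
  systemctl daemon-reload
  if [[ "$install_count" -eq 1 ]]; then
    # First install: enable and start the service.
    systemctl enable logcorrelator.service
    systemctl start logcorrelator.service
  else
    # Upgrade: do not re-enable (an admin may have disabled the unit on
    # purpose) and restart only if it is running so the new binary takes
    # effect; `start` alone would leave the old process in place.
    # If the spec's %postun also restarts the unit, keep only one of the two.
    systemctl try-restart logcorrelator.service
  fi
fi
exit 0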