RPM packaging improvements: - Fix %config(noreplace) directive in spec file (logcorrelator.yml) - Fix post script: use correct path for .yml.example (/etc/logcorrelator/) - Set /var/run/logcorrelator ownership to logcorrelator:logcorrelator - Set correct permissions: /var/run (755), /var/log (750), /var/lib (750) - Add %config(noreplace) for logrotate.d/logcorrelator - Add comprehensive RPM test script (packaging/test/test-rpm.sh) Documentation updates: - Update architecture.yml with filesystem permissions section - Document socket ownership (logcorrelator:logcorrelator, 0666) - Document config file policy (%config(noreplace) behavior) - Add systemd hardening directives (NoNewPrivileges, ProtectSystem) - Update ClickHouse schema: mark non-implemented fields - Remove materialized view SQL (managed externally) - Add stdout sink module documentation Build pipeline: - Update Dockerfile.package with comments for config policy - Add /var/lib/logcorrelator directory creation - Document fpm %config(noreplace) limitations Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
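#!/bin/bash
# post install script for logcorrelator RPM package
# Compatible with CentOS 7, Rocky Linux 8, 9, 10
#
# RPM invokes this scriptlet with the package instance count in $1:
#   1  = first install
#   >1 = upgrade (the previous version's files are still on disk)
# The same count is passed when the package is built with fpm.
#
# Configuration file policy:
# - logcorrelator.yml: %config(noreplace) - NEVER overwritten on upgrade
# - logcorrelator.yml.example: ALWAYS updated with new configuration options
# - On first install: logcorrelator.yml is created from logcorrelator.yml.example
# - On upgrade: existing logcorrelator.yml is preserved
#
# Ownership policy (least privilege):
# - /etc/logcorrelator is root-owned and only group-readable by the service,
#   so a compromised daemon cannot rewrite its own configuration.
# - /var/lib, /var/log and /var/run directories are owned by the service user
#   because the daemon creates data files, log files and its socket there.

set -eu

readonly SVC_USER=logcorrelator
readonly SVC_GROUP=logcorrelator
readonly CONF_DIR=/etc/logcorrelator
readonly CONF_FILE="${CONF_DIR}/logcorrelator.yml"
readonly CONF_EXAMPLE="${CONF_DIR}/logcorrelator.yml.example"

# Create logcorrelator group and user (idempotent: both exist on upgrade)
if ! getent group "$SVC_GROUP" >/dev/null 2>&1; then
  groupadd --system "$SVC_GROUP"
fi

if ! getent passwd "$SVC_USER" >/dev/null 2>&1; then
  useradd --system \
    --gid "$SVC_GROUP" \
    --home-dir /var/lib/logcorrelator \
    --no-create-home \
    --shell /usr/sbin/nologin \
    "$SVC_USER"
fi

# Create directories
# NOTE: /var/run is tmpfs on systemd hosts, so /var/run/logcorrelator does
# not survive a reboot; the unit file should also declare
# RuntimeDirectory=logcorrelator (or the package should ship a tmpfiles.d
# snippet) so the socket directory is recreated at boot.
mkdir -p /var/lib/logcorrelator
mkdir -p /var/log/logcorrelator
mkdir -p /var/run/logcorrelator
mkdir -p "$CONF_DIR"

# Set ownership
# /var/lib/logcorrelator: home directory / service data written by the daemon
# /var/log/logcorrelator: log files written by the daemon
#   (recursive so files left from an earlier version are fixed up on upgrade)
# /var/run/logcorrelator: socket directory; only the daemon creates the socket,
#   so there is nothing to recurse into
# /etc/logcorrelator: root-owned, service group can read but not write.
#   NOTE(review): this changes the config directory from service-owned to
#   root-owned; confirm the daemon never writes back into /etc/logcorrelator.
chown -R "${SVC_USER}:${SVC_GROUP}" /var/lib/logcorrelator
chown -R "${SVC_USER}:${SVC_GROUP}" /var/log/logcorrelator
chown "${SVC_USER}:${SVC_GROUP}" /var/run/logcorrelator
chown -R "root:${SVC_GROUP}" "$CONF_DIR"

# Set permissions
# /var/run/logcorrelator: 755 so clients running as other users can traverse
#   the directory and connect to the socket (755 does NOT let them create
#   files or sockets here; only the owner can write)
# /var/log/logcorrelator: 750 to restrict log access
# /var/lib/logcorrelator: 750 for service data
# /etc/logcorrelator: 750 to restrict config access
chmod 0755 /var/run/logcorrelator
chmod 0750 /var/lib/logcorrelator
chmod 0750 /var/log/logcorrelator
chmod 0750 "$CONF_DIR"

# Default config example (always updated by the package)
# The main config file is preserved across upgrades via %config(noreplace)
if [ -f "$CONF_EXAMPLE" ]; then
  chown "root:${SVC_GROUP}" "$CONF_EXAMPLE"
  chmod 0640 "$CONF_EXAMPLE"
fi

# Create main config file only if it doesn't exist (first install).
# It may later hold local credentials, so it must never be world-readable,
# even briefly: install(1) creates the copy with the requested mode instead
# of the umask default that a plain cp followed by chmod would leave on disk.
if [ ! -f "$CONF_FILE" ]; then
  if [ ! -f "$CONF_EXAMPLE" ]; then
    printf 'logcorrelator: %s is missing, cannot create %s\n' \
      "$CONF_EXAMPLE" "$CONF_FILE" >&2
    exit 1
  fi
  install -o root -g "$SVC_GROUP" -m 0640 "$CONF_EXAMPLE" "$CONF_FILE"
fi

# Set permissions for logrotate config
if [ -f /etc/logrotate.d/logcorrelator ]; then
  chmod 0644 /etc/logrotate.d/logcorrelator
fi

# systemd integration.
# Enabling and starting the unit on every upgrade would override an
# administrator who deliberately disabled or stopped the service, so only a
# first install ($1 == 1) enables/starts it; an upgrade reloads unit files and
# restarts the daemon only if it is currently running, so the new binary is
# picked up. systemctl failures (no running systemd in a chroot/container,
# or a configuration error on start) are reported but must not fail the RPM
# transaction, which is why they are not left to `set -e`.
if command -v systemctl >/dev/null 2>&1; then
  systemctl daemon-reload \
    || printf 'logcorrelator: systemctl daemon-reload failed\n' >&2
  case "${1:-1}" in
    1)
      systemctl enable logcorrelator.service \
        || printf 'logcorrelator: could not enable logcorrelator.service\n' >&2
      systemctl start logcorrelator.service \
        || printf 'logcorrelator: could not start logcorrelator.service; check "journalctl -u logcorrelator"\n' >&2
      ;;
    *)
      systemctl try-restart logcorrelator.service \
        || printf 'logcorrelator: could not restart logcorrelator.service; check "journalctl -u logcorrelator"\n' >&2
      ;;
  esac
fi

exit 0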