Feature/x requirements log permission (#5238) (#5258)

* change log file default mode 0640

Signed-off-by: clyi <clyi@alauda.io>

Author: changluyi

cmd/controller/controller.go

@@ -8,6 +8,7 @@ import (
 	"net/http/pprof"
 	"os"
 	"slices"
+	"strconv"
 	"time"
 
 	v1 "k8s.io/api/authorization/v1"
@@ -46,6 +47,12 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-controller", os.FileMode(perm))
+
 	if err := checkPermission(config); err != nil {
 		util.LogFatalAndExit(err, "failed to check permission")
 	}

cmd/daemon/cniserver.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"slices"
+	"strconv"
 	"strings"
 	"time"
 
@@ -28,7 +29,6 @@ import (
 
 func main() {
 	defer klog.Flush()
-
 	config := daemon.ParseFlags()
 	klog.Info(versions.String())
 
@@ -38,7 +38,11 @@ func main() {
 		}
 		return
 	}
-
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-cni", os.FileMode(perm))
 	printCaps()
 
 	ovs.UpdateOVSVsctlLimiter(config.OVSVsctlConcurrency)

cmd/ovn_ic_controller/ovn_ic_controller.go

@@ -1,6 +1,9 @@
 package ovn_ic_controller
 
 import (
+	"os"
+	"strconv"
+
 	"k8s.io/klog/v2"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
@@ -23,6 +26,12 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-ic-controller", os.FileMode(perm))
+
 	stopCh := signals.SetupSignalHandler().Done()
 	ctl := ovn_ic_controller.NewController(config)
 	ctl.Run(stopCh)

cmd/ovn_monitor/ovn_monitor.go

@@ -3,6 +3,8 @@ package ovn_monitor
 import (
 	"net"
 	"net/http"
+	"os"
+	"strconv"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -19,7 +21,6 @@ import (
 
 func CmdMain() {
 	defer klog.Flush()
-
 	klog.Info(versions.String())
 
 	currentCaps := cap.GetProc()
@@ -30,6 +31,12 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-monitor", os.FileMode(perm))
+
 	ctrl.SetLogger(klog.NewKlogr())
 	ctx := signals.SetupSignalHandler()
 

cmd/pinger/pinger.go

@@ -2,6 +2,8 @@ package pinger
 
 import (
 	_ "net/http/pprof" // #nosec
+	"os"
+	"strconv"
 
 	"k8s.io/klog/v2"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
@@ -16,7 +18,6 @@ import (
 
 func CmdMain() {
 	defer klog.Flush()
-
 	klog.Info(versions.String())
 
 	currentCaps := cap.GetProc()
@@ -27,6 +28,12 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-pinger", os.FileMode(perm))
+
 	ctrl.SetLogger(klog.NewKlogr())
 	ctx := signals.SetupSignalHandler()
 	if config.Mode == "server" {

cmd/speaker/speaker.go

@@ -1,6 +1,9 @@
 package speaker
 
 import (
+	"os"
+	"strconv"
+
 	"k8s.io/klog/v2"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -14,7 +17,6 @@ import (
 
 func CmdMain() {
 	defer klog.Flush()
-
 	klog.Info(versions.String())
 
 	currentCaps := cap.GetProc()
@@ -25,6 +27,12 @@ func CmdMain() {
 		util.LogFatalAndExit(err, "failed to parse config")
 	}
 
+	perm, err := strconv.ParseUint(config.LogPerm, 8, 32)
+	if err != nil {
+		util.LogFatalAndExit(err, "failed to parse log-perm")
+	}
+	util.InitLogFilePerm("kube-ovn-speaker", os.FileMode(perm))
+
 	ctrl.SetLogger(klog.NewKlogr())
 	ctx := signals.SetupSignalHandler()
 	go func() {

pkg/controller/config.go

@@ -115,6 +115,9 @@ type Configuration struct {
 
 	// used to set vpc-egress-gateway image
 	Image string
+
+	// used to set log file permission
+	LogPerm string
 }
 
 // ParseFlags parses cmd args then init kubeclient and conf
@@ -196,6 +199,8 @@ func ParseFlags() (*Configuration, error) {
 		argBfdDetectMult = pflag.Int("detect-mult", 3, "The negotiated transmit interval, multiplied by this value, provides the Detection Time for the receiving system in Asynchronous mode.")
 
 		argImage = pflag.String("image", "", "The image for vpc-egress-gateway")
+
+		argLogPerm = pflag.String("log-perm", "640", "The permission for the log file")
 	)
 
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
@@ -282,6 +287,7 @@ func ParseFlags() (*Configuration, error) {
 		BfdDetectMult:                  *argBfdDetectMult,
 		EnableANP:                      *argEnableANP,
 		Image:                          *argImage,
+		LogPerm:                        *argLogPerm,
 	}
 
 	if config.NetworkType == util.NetworkTypeVlan && config.DefaultHostInterface == "" {

pkg/daemon/config.go

@@ -75,6 +75,7 @@ type Configuration struct {
 	EnableTProxy              bool
 	OVSVsctlConcurrency       int32
 	SetVxlanTxOff             bool
+	LogPerm                   string
 }
 
 // ParseFlags will parse cmd args then init kubeClient and configuration
@@ -120,6 +121,7 @@ func ParseFlags() *Configuration {
 		argOVSVsctlConcurrency       = pflag.Int32("ovs-vsctl-concurrency", 100, "concurrency limit of ovs-vsctl")
 		argEnableOVNIPSec            = pflag.Bool("enable-ovn-ipsec", false, "Whether to enable ovn ipsec")
 		argSetVxlanTxOff             = pflag.Bool("set-vxlan-tx-off", false, "Whether to set vxlan_sys_4789 tx off")
+		argLogPerm                   = pflag.String("log-perm", "640", "The permission for the log file")
 	)
 
 	// mute info log for ipset lib
@@ -181,6 +183,7 @@ func ParseFlags() *Configuration {
 		EnableTProxy:              *argEnableTProxy,
 		OVSVsctlConcurrency:       *argOVSVsctlConcurrency,
 		SetVxlanTxOff:             *argSetVxlanTxOff,
+		LogPerm:                   *argLogPerm,
 	}
 	return config
 }

pkg/ovn_ic_controller/config.go

@@ -32,6 +32,7 @@ type Configuration struct {
 	NodeSwitch     string
 	ClusterRouter  string
 	NodeSwitchCIDR string
+	LogPerm        string
 }
 
 func ParseFlags() (*Configuration, error) {
@@ -48,6 +49,7 @@ func ParseFlags() (*Configuration, error) {
 		argClusterRouter  = pflag.String("cluster-router", util.DefaultVpc, "The router name for cluster router")
 		argNodeSwitch     = pflag.String("node-switch", "join", "The name of node gateway switch which help node to access pod network")
 		argNodeSwitchCIDR = pflag.String("node-switch-cidr", "100.64.0.0/16", "The cidr for node switch")
+		argLogPerm        = pflag.String("log-perm", "640", "The permission for the log file")
 	)
 
 	klogFlags := flag.NewFlagSet("klog", flag.ContinueOnError)
@@ -88,6 +90,7 @@ func ParseFlags() (*Configuration, error) {
 		ClusterRouter:  *argClusterRouter,
 		NodeSwitch:     *argNodeSwitch,
 		NodeSwitchCIDR: *argNodeSwitchCIDR,
+		LogPerm:        *argLogPerm,
 	}
 
 	if err := config.initKubeClient(); err != nil {

pkg/ovnmonitor/config.go

@@ -45,6 +45,7 @@ type Configuration struct {
 	EnableMetrics                   bool
 	SecureServing                   bool
 	MetricsPort                     int32
+	LogPerm                         string
 }
 
 // ParseFlags get parameters information.
@@ -88,6 +89,8 @@ func ParseFlags() (*Configuration, error) {
 		argServiceVswitchdFilePidPath = pflag.String("service.vswitchd.file.pid.path", "/var/run/openvswitch/ovs-vswitchd.pid", "OVS vswitchd daemon process id file.")
 		argServiceNorthdFileLogPath   = pflag.String("service.ovn.northd.file.log.path", "/var/log/ovn/ovn-northd.log", "OVN northd daemon log file.")
 		argServiceNorthdFilePidPath   = pflag.String("service.ovn.northd.file.pid.path", "/var/run/ovn/ovn-northd.pid", "OVN northd daemon process id file.")
+
+		argLogPerm = pflag.String("log-perm", "640", "The permission for the log file")
 	)
 
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
@@ -144,6 +147,7 @@ func ParseFlags() (*Configuration, error) {
 		EnableMetrics:                   *argEnableMetrics,
 		SecureServing:                   *argSecureServing,
 		MetricsPort:                     *argMetricsPort,
+		LogPerm:                         *argLogPerm,
 	}
 
 	klog.Infof("ovn monitor config is %+v", config)