[fix] Ensure log files are owned by www-data #627#631
Conversation
Log files in {{ openwisp2_path }}/log/ could be created as root, which
prevented the application processes (uWSGI, celery, daphne, Django)
running as www-data from writing to them.
- Set the log directory owner to www_user (was root:www_group).
- Pre-create the supervisor and Django log files with www_user:www_group
ownership so supervisord (root) and Django do not create them as root.
- Run load_initial_data as www_user so openwisp2.log is not created as
root during deployment.
- Install the cron jobs in the www-data crontab (and remove the obsolete
root-owned entries) so log rollovers triggered by cron do not create
root-owned files.
Fixes openwisp#627
📝 WalkthroughWalkthroughCron jobs in Estimated code review effort: 2 (Simple) | ~15 minutes Related issues: Suggested labels: bug, ansible Suggested reviewers: none identified Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Closing because this PR doesn't follow our PR template. Please reopen following our guidelines, rules and PR templates. |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@CHANGES.md`:
- Around line 9-14: The CHANGES.md entry uses RST formatting instead of
Markdown, so the issue reference will not render as a clickable link. Update the
changelog text to use Markdown link syntax and plain inline code styling where
needed, keeping the same content but replacing the RST-style issue reference
near the OpenWISP log directory note. Use the surrounding changelog entry as the
target for the fix.
In `@tasks/django.yml`:
- Around line 27-56: The log-file precreation task is touching feature-specific
logs unconditionally, which creates empty files even when the related workers
are disabled. Update the Ansible task using the existing loop in the Django log
setup so that celery-network.log, celery-monitoring.log, and
celery-firmware-upgrader.log are only included when openwisp2_network_topology,
openwisp2_monitoring, or openwisp2_firmware_upgrader are enabled, while keeping
the always-needed logs (such as openwisp2.log, uwsgi.log, celery.log,
celerybeat.log, and daphne.log) unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 03b1d23a-9a7d-41b1-a981-62176649a436
📒 Files selected for processing (3)
CHANGES.mdtasks/cron.ymltasks/django.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{yml,yaml,j2}
📄 CodeRabbit inference engine (AGENTS.md)
Avoid unnecessary blank lines inside Jinja, YAML, and shell blocks.
Files:
tasks/cron.ymltasks/django.yml
**/*.{yml,yaml,j2,sh}
📄 CodeRabbit inference engine (AGENTS.md)
Write comments only when they explain why code is shaped a certain way. Put comments before the relevant block instead of scattering them inside it.
Files:
tasks/cron.ymltasks/django.yml
**/*.{md,rst,txt}
📄 CodeRabbit inference engine (Custom checks)
**/*.{md,rst,txt}: Changes: If the change affects behavior that is already documented, the documentation must be updated to reflect the new behavior
Features: Documentation must mention the new feature; for heavily UI-related features, a new section or page is appropriate
Files:
CHANGES.md
🔇 Additional comments (3)
tasks/cron.yml (1)
2-51: LGTM!tasks/django.yml (2)
16-26: LGTM!
257-266: 🗄️ Data Integrity & Integration
load_initial_data.pydoes not require root — The script only performs Django/database updates and readsPRIVATE_KEY/PUBLIC_KEYfrom the environment, so running this task as{{ www_user }}is appropriate.> Likely an incorrect or invalid review comment.
- Rewrote the CHANGES.md entry using Markdown link syntax so the issue reference renders as a clickable link. - Pre-create only the log files for the services that are actually enabled, matching the conditions used to install the supervisor programs, instead of creating empty files for disabled features. - Added regression tests to molecule verify that assert the log directory and supervisor/Django log files are owned by www-data and that the cron jobs run as www-data and not as root.
|
I see the you updated the PR description, reopening, thanks. |
Checklist
Reference to Existing Issue
Closes #627.
Description of Changes
Log files in the OpenWISP log directory (e.g.
/opt/openwisp2/log/) could be created asroot, preventing the application processes (uWSGI, celery, daphne, Django) that run aswww-datafrom writing to them.Root causes addressed:
owner, so underbecome: trueit was created asroot:www_group.load_initial_dataran as root, so Django'sRotatingFileHandlercreatedopenwisp2.logasrootduring deployment.manage.pylog rollovers created root-owned files.Changes:
tasks/django.ymlowner: "{{ www_user }}"to the log directory task.{{ www_user }}:{{ www_group }}. The list is gated per feature flag, matching the conditions used to install the supervisor programs, so no empty log files are created for disabled features.Load initial dataaswww_user(matching the existingmigrate/collectstatic/compilemessagestasks) soopenwisp2.logisn't created as root.tasks/cron.ymlwww-datacrontab (user: "{{ www_user }}") somanage.pyruns — and any log rollover — happen as the application user.molecule/resources/verify.ymlwww-data, and that the cron jobs are installed in thewww-datacrontab and not root's.CHANGES.md— added a bugfix entry.Scope note: nginx logs (
nginx.access.log/nginx.error.log) are intentionally left untouched, as they are created by the nginx master process running as root, and the existinglogrotate.d/openwisp-nginxconfig already recreates them aswww-data.Testing: validated locally with
yamllint,ansible-lint, andansible-playbook --syntax-check(all pass); the fullmoleculerun (converge + the new verify assertions) runs in CI across all four distros. I have not ticked "manually tested" because the end-to-end molecule run was executed by CI rather than locally.Screenshot
N/A