Merge pull request kubernetes#129893 from simonfogliato/kubelet-log-permissions

k8s-ci-robot · web-flow · commit 26b1d3424ae9 · 2025-03-19T17:54:30.000-07:00
Use uncompressed kubelet log file permissions when compressed.
diff --git a/pkg/kubelet/logs/container_log_manager.go b/pkg/kubelet/logs/container_log_manager.go
@@ -79,7 +79,7 @@ func GetAllLogs(log string) ([]string, error) {
 	pattern := fmt.Sprintf("%s.*", log)
 	logs, err := filepath.Glob(pattern)
 	if err != nil {
-		return nil, fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)
+		return nil, fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)
 	}
 	inuse, _ := filterUnusedLogs(logs)
 	sort.Strings(inuse)
@@ -113,7 +113,7 @@ func UncompressLog(log string) (_ io.ReadCloser, retErr error) {
 	}
 	f, err := os.Open(log)
 	if err != nil {
-		return nil, fmt.Errorf("failed to open log: %v", err)
+		return nil, fmt.Errorf("failed to open log: %w", err)
 	}
 	defer func() {
 		if retErr != nil {
@@ -122,7 +122,7 @@ func UncompressLog(log string) (_ io.ReadCloser, retErr error) {
 	}()
 	r, err := gzip.NewReader(f)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create gzip reader: %v", err)
+		return nil, fmt.Errorf("failed to create gzip reader: %w", err)
 	}
 	return &compressReadCloser{f: f, Reader: r}, nil
 }
@@ -158,7 +158,7 @@ func NewContainerLogManager(runtimeService internalapi.RuntimeService, osInterfa
 	}
 	parsedMaxSize, err := parseMaxSize(maxSize)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse container log max size %q: %v", maxSize, err)
+		return nil, fmt.Errorf("failed to parse container log max size %q: %w", maxSize, err)
 	}
 	// Negative number means to disable container log rotation
 	if parsedMaxSize < 0 {
@@ -205,20 +205,20 @@ func (c *containerLogManager) Clean(ctx context.Context, containerID string) err
 	defer c.mutex.Unlock()
 	resp, err := c.runtimeService.ContainerStatus(ctx, containerID, false)
 	if err != nil {
-		return fmt.Errorf("failed to get container status %q: %v", containerID, err)
+		return fmt.Errorf("failed to get container status %q: %w", containerID, err)
 	}
 	if resp.GetStatus() == nil {
 		return fmt.Errorf("container status is nil for %q", containerID)
 	}
 	pattern := fmt.Sprintf("%s*", resp.GetStatus().GetLogPath())
 	logs, err := c.osInterface.Glob(pattern)
 	if err != nil {
-		return fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)
+		return fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)
 	}
 
 	for _, l := range logs {
 		if err := c.osInterface.Remove(l); err != nil && !os.IsNotExist(err) {
-			return fmt.Errorf("failed to remove container %q log %q: %v", containerID, l, err)
+			return fmt.Errorf("failed to remove container %q log %q: %w", containerID, l, err)
 		}
 	}
 
@@ -239,7 +239,7 @@ func (c *containerLogManager) rotateLogs(ctx context.Context) error {
 	// TODO(#59998): Use kubelet pod cache.
 	containers, err := c.runtimeService.ListContainers(ctx, &runtimeapi.ContainerFilter{})
 	if err != nil {
-		return fmt.Errorf("failed to list containers: %v", err)
+		return fmt.Errorf("failed to list containers: %w", err)
 	}
 	for _, container := range containers {
 		// Only rotate logs for running containers. Non-running containers won't
@@ -315,17 +315,17 @@ func (c *containerLogManager) rotateLog(ctx context.Context, id, log string) err
 	pattern := fmt.Sprintf("%s.*", log)
 	logs, err := filepath.Glob(pattern)
 	if err != nil {
-		return fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)
+		return fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)
 	}
 
 	logs, err = c.cleanupUnusedLogs(logs)
 	if err != nil {
-		return fmt.Errorf("failed to cleanup logs: %v", err)
+		return fmt.Errorf("failed to cleanup logs: %w", err)
 	}
 
 	logs, err = c.removeExcessLogs(logs)
 	if err != nil {
-		return fmt.Errorf("failed to remove excess logs: %v", err)
+		return fmt.Errorf("failed to remove excess logs: %w", err)
 	}
 
 	// Compress uncompressed log files.
@@ -334,12 +334,12 @@ func (c *containerLogManager) rotateLog(ctx context.Context, id, log string) err
 			continue
 		}
 		if err := c.compressLog(l); err != nil {
-			return fmt.Errorf("failed to compress log %q: %v", l, err)
+			return fmt.Errorf("failed to compress log %q: %w", l, err)
 		}
 	}
 
 	if err := c.rotateLatestLog(ctx, id, log); err != nil {
-		return fmt.Errorf("failed to rotate log %q: %v", log, err)
+		return fmt.Errorf("failed to rotate log %q: %w", log, err)
 	}
 
 	return nil
@@ -351,7 +351,7 @@ func (c *containerLogManager) cleanupUnusedLogs(logs []string) ([]string, error)
 	inuse, unused := filterUnusedLogs(logs)
 	for _, l := range unused {
 		if err := c.osInterface.Remove(l); err != nil {
-			return nil, fmt.Errorf("failed to remove unused log %q: %v", l, err)
+			return nil, fmt.Errorf("failed to remove unused log %q: %w", l, err)
 		}
 	}
 	return inuse, nil
@@ -404,7 +404,7 @@ func (c *containerLogManager) removeExcessLogs(logs []string) ([]string, error)
 	i := 0
 	for ; i < len(logs)-maxRotatedFiles; i++ {
 		if err := c.osInterface.Remove(logs[i]); err != nil {
-			return nil, fmt.Errorf("failed to remove old log %q: %v", logs[i], err)
+			return nil, fmt.Errorf("failed to remove old log %q: %w", logs[i], err)
 		}
 	}
 	logs = logs[i:]
@@ -413,15 +413,19 @@ func (c *containerLogManager) removeExcessLogs(logs []string) ([]string, error)
 
 // compressLog compresses a log to log.gz with gzip.
 func (c *containerLogManager) compressLog(log string) error {
+	logInfo, err := os.Stat(log)
+	if err != nil {
+		return fmt.Errorf("failed to stat log file: %w", err)
+	}
 	r, err := c.osInterface.Open(log)
 	if err != nil {
-		return fmt.Errorf("failed to open log %q: %v", log, err)
+		return fmt.Errorf("failed to open log %q: %w", log, err)
 	}
 	defer r.Close()
 	tmpLog := log + tmpSuffix
-	f, err := c.osInterface.OpenFile(tmpLog, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	f, err := c.osInterface.OpenFile(tmpLog, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, logInfo.Mode())
 	if err != nil {
-		return fmt.Errorf("failed to create temporary log %q: %v", tmpLog, err)
+		return fmt.Errorf("failed to create temporary log %q: %w", tmpLog, err)
 	}
 	defer func() {
 		// Best effort cleanup of tmpLog.
@@ -431,19 +435,19 @@ func (c *containerLogManager) compressLog(log string) error {
 	w := gzip.NewWriter(f)
 	defer w.Close()
 	if _, err := io.Copy(w, r); err != nil {
-		return fmt.Errorf("failed to compress %q to %q: %v", log, tmpLog, err)
+		return fmt.Errorf("failed to compress %q to %q: %w", log, tmpLog, err)
 	}
 	// The archive needs to be closed before renaming, otherwise an error will occur on Windows.
 	w.Close()
 	f.Close()
 	compressedLog := log + compressSuffix
 	if err := c.osInterface.Rename(tmpLog, compressedLog); err != nil {
-		return fmt.Errorf("failed to rename %q to %q: %v", tmpLog, compressedLog, err)
+		return fmt.Errorf("failed to rename %q to %q: %w", tmpLog, compressedLog, err)
 	}
 	// Remove old log file.
 	r.Close()
 	if err := c.osInterface.Remove(log); err != nil {
-		return fmt.Errorf("failed to remove log %q after compress: %v", log, err)
+		return fmt.Errorf("failed to remove log %q after compress: %w", log, err)
 	}
 	return nil
 }
@@ -454,7 +458,7 @@ func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log strin
 	timestamp := c.clock.Now().Format(timestampFormat)
 	rotated := fmt.Sprintf("%s.%s", log, timestamp)
 	if err := c.osInterface.Rename(log, rotated); err != nil {
-		return fmt.Errorf("failed to rotate log %q to %q: %v", log, rotated, err)
+		return fmt.Errorf("failed to rotate log %q to %q: %w", log, rotated, err)
 	}
 	if err := c.runtimeService.ReopenContainerLog(ctx, id); err != nil {
 		// Rename the rotated log back, so that we can try rotating it again
@@ -466,7 +470,7 @@ func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log strin
 			// log.
 			klog.ErrorS(renameErr, "Failed to rename rotated log", "rotatedLog", rotated, "newLog", log, "containerID", id)
 		}
-		return fmt.Errorf("failed to reopen container log %q: %v", id, err)
+		return fmt.Errorf("failed to reopen container log %q: %w", id, err)
 	}
 	return nil
 }
diff --git a/pkg/kubelet/logs/container_log_manager_test.go b/pkg/kubelet/logs/container_log_manager_test.go
@@ -370,10 +370,18 @@ func TestCompressLog(t *testing.T) {
 	testFile.Close()
 
 	testLog := testFile.Name()
+	testLogInfo, err := os.Stat(testLog)
+	assert.NoError(t, err)
 	c := &containerLogManager{osInterface: container.RealOS{}}
 	require.NoError(t, c.compressLog(testLog))
-	_, err = os.Stat(testLog + compressSuffix)
+	testLogCompressInfo, err := os.Stat(testLog + compressSuffix)
 	assert.NoError(t, err, "log should be compressed")
+	if testLogInfo.Mode() != testLogCompressInfo.Mode() {
+		t.Errorf("compressed and uncompressed test log file modes do not match")
+	}
+	if err := c.compressLog("test-unknown-log"); err == nil {
+		t.Errorf("compressing unknown log should return error")
+	}
 	_, err = os.Stat(testLog + tmpSuffix)
 	assert.Error(t, err, "temporary log should be renamed")
 	_, err = os.Stat(testLog)

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ func GetAllLogs(log string) ([]string, error) {`
`79`	`79`	`pattern := fmt.Sprintf("%s.*", log)`
`80`	`80`	`logs, err := filepath.Glob(pattern)`
`81`	`81`	`if err != nil {`
`82`		`- return nil, fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)`
	`82`	`+ return nil, fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)`
`83`	`83`	`}`
`84`	`84`	`inuse, _ := filterUnusedLogs(logs)`
`85`	`85`	`sort.Strings(inuse)`
`@@ -113,7 +113,7 @@ func UncompressLog(log string) (_ io.ReadCloser, retErr error) {`
`113`	`113`	`}`
`114`	`114`	`f, err := os.Open(log)`
`115`	`115`	`if err != nil {`
`116`		`- return nil, fmt.Errorf("failed to open log: %v", err)`
	`116`	`+ return nil, fmt.Errorf("failed to open log: %w", err)`
`117`	`117`	`}`
`118`	`118`	`defer func() {`
`119`	`119`	`if retErr != nil {`
`@@ -122,7 +122,7 @@ func UncompressLog(log string) (_ io.ReadCloser, retErr error) {`
`122`	`122`	`}()`
`123`	`123`	`r, err := gzip.NewReader(f)`
`124`	`124`	`if err != nil {`
`125`		`- return nil, fmt.Errorf("failed to create gzip reader: %v", err)`
	`125`	`+ return nil, fmt.Errorf("failed to create gzip reader: %w", err)`
`126`	`126`	`}`
`127`	`127`	`return &compressReadCloser{f: f, Reader: r}, nil`
`128`	`128`	`}`
`@@ -158,7 +158,7 @@ func NewContainerLogManager(runtimeService internalapi.RuntimeService, osInterfa`
`158`	`158`	`}`
`159`	`159`	`parsedMaxSize, err := parseMaxSize(maxSize)`
`160`	`160`	`if err != nil {`
`161`		`- return nil, fmt.Errorf("failed to parse container log max size %q: %v", maxSize, err)`
	`161`	`+ return nil, fmt.Errorf("failed to parse container log max size %q: %w", maxSize, err)`
`162`	`162`	`}`
`163`	`163`	`// Negative number means to disable container log rotation`
`164`	`164`	`if parsedMaxSize < 0 {`
`@@ -205,20 +205,20 @@ func (c *containerLogManager) Clean(ctx context.Context, containerID string) err`
`205`	`205`	`defer c.mutex.Unlock()`
`206`	`206`	`resp, err := c.runtimeService.ContainerStatus(ctx, containerID, false)`
`207`	`207`	`if err != nil {`
`208`		`- return fmt.Errorf("failed to get container status %q: %v", containerID, err)`
	`208`	`+ return fmt.Errorf("failed to get container status %q: %w", containerID, err)`
`209`	`209`	`}`
`210`	`210`	`if resp.GetStatus() == nil {`
`211`	`211`	`return fmt.Errorf("container status is nil for %q", containerID)`
`212`	`212`	`}`
`213`	`213`	`pattern := fmt.Sprintf("%s*", resp.GetStatus().GetLogPath())`
`214`	`214`	`logs, err := c.osInterface.Glob(pattern)`
`215`	`215`	`if err != nil {`
`216`		`- return fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)`
	`216`	`+ return fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)`
`217`	`217`	`}`
`218`	`218`
`219`	`219`	`for _, l := range logs {`
`220`	`220`	`if err := c.osInterface.Remove(l); err != nil && !os.IsNotExist(err) {`
`221`		`- return fmt.Errorf("failed to remove container %q log %q: %v", containerID, l, err)`
	`221`	`+ return fmt.Errorf("failed to remove container %q log %q: %w", containerID, l, err)`
`222`	`222`	`}`
`223`	`223`	`}`
`224`	`224`
`@@ -239,7 +239,7 @@ func (c *containerLogManager) rotateLogs(ctx context.Context) error {`
`239`	`239`	`// TODO(#59998): Use kubelet pod cache.`
`240`	`240`	`containers, err := c.runtimeService.ListContainers(ctx, &runtimeapi.ContainerFilter{})`
`241`	`241`	`if err != nil {`
`242`		`- return fmt.Errorf("failed to list containers: %v", err)`
	`242`	`+ return fmt.Errorf("failed to list containers: %w", err)`
`243`	`243`	`}`
`244`	`244`	`for _, container := range containers {`
`245`	`245`	`// Only rotate logs for running containers. Non-running containers won't`
`@@ -315,17 +315,17 @@ func (c *containerLogManager) rotateLog(ctx context.Context, id, log string) err`
`315`	`315`	`pattern := fmt.Sprintf("%s.*", log)`
`316`	`316`	`logs, err := filepath.Glob(pattern)`
`317`	`317`	`if err != nil {`
`318`		`- return fmt.Errorf("failed to list all log files with pattern %q: %v", pattern, err)`
	`318`	`+ return fmt.Errorf("failed to list all log files with pattern %q: %w", pattern, err)`
`319`	`319`	`}`
`320`	`320`
`321`	`321`	`logs, err = c.cleanupUnusedLogs(logs)`
`322`	`322`	`if err != nil {`
`323`		`- return fmt.Errorf("failed to cleanup logs: %v", err)`
	`323`	`+ return fmt.Errorf("failed to cleanup logs: %w", err)`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`logs, err = c.removeExcessLogs(logs)`
`327`	`327`	`if err != nil {`
`328`		`- return fmt.Errorf("failed to remove excess logs: %v", err)`
	`328`	`+ return fmt.Errorf("failed to remove excess logs: %w", err)`
`329`	`329`	`}`
`330`	`330`
`331`	`331`	`// Compress uncompressed log files.`
`@@ -334,12 +334,12 @@ func (c *containerLogManager) rotateLog(ctx context.Context, id, log string) err`
`334`	`334`	`continue`
`335`	`335`	`}`
`336`	`336`	`if err := c.compressLog(l); err != nil {`
`337`		`- return fmt.Errorf("failed to compress log %q: %v", l, err)`
	`337`	`+ return fmt.Errorf("failed to compress log %q: %w", l, err)`
`338`	`338`	`}`
`339`	`339`	`}`
`340`	`340`
`341`	`341`	`if err := c.rotateLatestLog(ctx, id, log); err != nil {`
`342`		`- return fmt.Errorf("failed to rotate log %q: %v", log, err)`
	`342`	`+ return fmt.Errorf("failed to rotate log %q: %w", log, err)`
`343`	`343`	`}`
`344`	`344`
`345`	`345`	`return nil`
`@@ -351,7 +351,7 @@ func (c *containerLogManager) cleanupUnusedLogs(logs []string) ([]string, error)`
`351`	`351`	`inuse, unused := filterUnusedLogs(logs)`
`352`	`352`	`for _, l := range unused {`
`353`	`353`	`if err := c.osInterface.Remove(l); err != nil {`
`354`		`- return nil, fmt.Errorf("failed to remove unused log %q: %v", l, err)`
	`354`	`+ return nil, fmt.Errorf("failed to remove unused log %q: %w", l, err)`
`355`	`355`	`}`
`356`	`356`	`}`
`357`	`357`	`return inuse, nil`
`@@ -404,7 +404,7 @@ func (c *containerLogManager) removeExcessLogs(logs []string) ([]string, error)`
`404`	`404`	`i := 0`
`405`	`405`	`for ; i < len(logs)-maxRotatedFiles; i++ {`
`406`	`406`	`if err := c.osInterface.Remove(logs[i]); err != nil {`
`407`		`- return nil, fmt.Errorf("failed to remove old log %q: %v", logs[i], err)`
	`407`	`+ return nil, fmt.Errorf("failed to remove old log %q: %w", logs[i], err)`
`408`	`408`	`}`
`409`	`409`	`}`
`410`	`410`	`logs = logs[i:]`
`@@ -413,15 +413,19 @@ func (c *containerLogManager) removeExcessLogs(logs []string) ([]string, error)`
`413`	`413`
`414`	`414`	`// compressLog compresses a log to log.gz with gzip.`
`415`	`415`	`func (c *containerLogManager) compressLog(log string) error {`
	`416`	`+ logInfo, err := os.Stat(log)`
	`417`	`+ if err != nil {`
	`418`	`+ return fmt.Errorf("failed to stat log file: %w", err)`
	`419`	`+ }`
`416`	`420`	`r, err := c.osInterface.Open(log)`
`417`	`421`	`if err != nil {`
`418`		`- return fmt.Errorf("failed to open log %q: %v", log, err)`
	`422`	`+ return fmt.Errorf("failed to open log %q: %w", log, err)`
`419`	`423`	`}`
`420`	`424`	`defer r.Close()`
`421`	`425`	`tmpLog := log + tmpSuffix`
`422`		`- f, err := c.osInterface.OpenFile(tmpLog, os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC, 0644)`
	`426`	`+ f, err := c.osInterface.OpenFile(tmpLog, os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC, logInfo.Mode())`
`423`	`427`	`if err != nil {`
`424`		`- return fmt.Errorf("failed to create temporary log %q: %v", tmpLog, err)`
	`428`	`+ return fmt.Errorf("failed to create temporary log %q: %w", tmpLog, err)`
`425`	`429`	`}`
`426`	`430`	`defer func() {`
`427`	`431`	`// Best effort cleanup of tmpLog.`
`@@ -431,19 +435,19 @@ func (c *containerLogManager) compressLog(log string) error {`
`431`	`435`	`w := gzip.NewWriter(f)`
`432`	`436`	`defer w.Close()`
`433`	`437`	`if _, err := io.Copy(w, r); err != nil {`
`434`		`- return fmt.Errorf("failed to compress %q to %q: %v", log, tmpLog, err)`
	`438`	`+ return fmt.Errorf("failed to compress %q to %q: %w", log, tmpLog, err)`
`435`	`439`	`}`
`436`	`440`	`// The archive needs to be closed before renaming, otherwise an error will occur on Windows.`
`437`	`441`	`w.Close()`
`438`	`442`	`f.Close()`
`439`	`443`	`compressedLog := log + compressSuffix`
`440`	`444`	`if err := c.osInterface.Rename(tmpLog, compressedLog); err != nil {`
`441`		`- return fmt.Errorf("failed to rename %q to %q: %v", tmpLog, compressedLog, err)`
	`445`	`+ return fmt.Errorf("failed to rename %q to %q: %w", tmpLog, compressedLog, err)`
`442`	`446`	`}`
`443`	`447`	`// Remove old log file.`
`444`	`448`	`r.Close()`
`445`	`449`	`if err := c.osInterface.Remove(log); err != nil {`
`446`		`- return fmt.Errorf("failed to remove log %q after compress: %v", log, err)`
	`450`	`+ return fmt.Errorf("failed to remove log %q after compress: %w", log, err)`
`447`	`451`	`}`
`448`	`452`	`return nil`
`449`	`453`	`}`
`@@ -454,7 +458,7 @@ func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log strin`
`454`	`458`	`timestamp := c.clock.Now().Format(timestampFormat)`
`455`	`459`	`rotated := fmt.Sprintf("%s.%s", log, timestamp)`
`456`	`460`	`if err := c.osInterface.Rename(log, rotated); err != nil {`
`457`		`- return fmt.Errorf("failed to rotate log %q to %q: %v", log, rotated, err)`
	`461`	`+ return fmt.Errorf("failed to rotate log %q to %q: %w", log, rotated, err)`
`458`	`462`	`}`
`459`	`463`	`if err := c.runtimeService.ReopenContainerLog(ctx, id); err != nil {`
`460`	`464`	`// Rename the rotated log back, so that we can try rotating it again`
`@@ -466,7 +470,7 @@ func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log strin`
`466`	`470`	`// log.`
`467`	`471`	`klog.ErrorS(renameErr, "Failed to rename rotated log", "rotatedLog", rotated, "newLog", log, "containerID", id)`
`468`	`472`	`}`
`469`		`- return fmt.Errorf("failed to reopen container log %q: %v", id, err)`
	`473`	`+ return fmt.Errorf("failed to reopen container log %q: %w", id, err)`
`470`	`474`	`}`
`471`	`475`	`return nil`
`472`	`476`	`}`