review.fuel-infra Code Review - openstack-build/neutron-build.git/commit

author	Cedric Brandily <zzelle@gmail.com>
	Tue, 3 Mar 2015 22:26:52 +0000 (22:26 +0000)
committer	Cedric Brandily <zzelle@gmail.com>
	Wed, 1 Apr 2015 20:41:07 +0000 (22:41 +0200)
commit	fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
tree	47cb167a49315989e1a86652830875deef69a939	tree \| snapshot
parent	1a089e6059a381a9cb90a17cf17d44e144d30430	commit \| diff

Allow metadata proxy to log with nobody user/group

Currently metadata proxy cannot run with nobody user/group as
metadata proxy (as other services) uses WatchedFileHandler handler to
log to file which does not support permissions drop (the process must
be able to r/w after permissions drop to "watch" the file).

This change allows to enable/disable log watch in metadata proxies with
the new option metadata_proxy_log_watch. It should be disabled when
metadata_proxy_user/group is not allowed to read/write metadata proxy
log files. Option default value is deduced from metadata_proxy_user:

* True if metadata_proxy_user is agent effective user id/name,
* False otherwise.

When log watch is disabled and logrotate is enabled on metadata proxy
logging files, 'copytruncate' logrotate option must be used otherwise
metadata proxy logs will be lost after the first log rotation.

DocImpact
Change-Id: I40a7bd82a2c60d9198312fdb52e3010c60db3511
Partial-Bug: #1427228

etc/neutron.conf		diff \| blob \| history
neutron/agent/common/config.py		diff \| blob \| history
neutron/agent/linux/daemon.py		diff \| blob \| history
neutron/agent/linux/utils.py		diff \| blob \| history
neutron/agent/metadata/driver.py		diff \| blob \| history
neutron/agent/metadata/namespace_proxy.py		diff \| blob \| history
neutron/tests/unit/agent/linux/test_utils.py		diff \| blob \| history
neutron/tests/unit/agent/metadata/test_driver.py		diff \| blob \| history
neutron/tests/unit/test_metadata_namespace_proxy.py		diff \| blob \| history