Changing Caddy Log Permissions for Promtail

MarlonJMejia · August 1, 2024, 8:54am

Issue

Hi, while attempting to use promtail to gather logs for caddy I have experience a permission issue with promtail not being able to gather the logs.

1998 chmod +X /var/log/caddy/
1999 chmod 644 /var/log/caddy/*

The above was done and I was able to give access to promtail to view the logs.
However after I restarted the instance, caddy once again re-assigned the same permission values to the logs.

Is there no declarative way in the caddyfile to deny this from happening?

Installation

Installation was done via apt.
Service is configured to run at boot via systemd.
I have in fact, use xcaddy to customize the original binary and replaced it due to needing other things.

cp caddy $(which caddy)

I’ve tried looking at the docs but I might have missed any settings that related to permissions on logs, I’ve also tried searching here but no results.

Attempted permanent fix

I’ve attempted to use setfacl but no dice, it either denies caddy or other users.

setfacl -R -m u::rw,g::rw,o:rx /var/log/caddy/
setfacl -R -d -m u::rw,g::rw,o:rx /var/log/caddy/

Forza · August 1, 2024, 9:31am

Are you sure it is caddy and not your service manager (systemd et al) that resets the permissions? I have mine at 644 and they do not change on restart. I use OpenRC as service manager and logrotate to manage my logs.

MarlonJMejia · August 11, 2024, 11:58pm

Not really sure what systemd would be doing here.
All the logs are custom and thus made by the caddy executable.

Whitestrake · August 12, 2024, 1:44am

I think you should be able to just set your user/group/umask in the service configuration.

See: systemd.exec

MarlonJMejia · August 12, 2024, 12:28pm

Default permissions when files are created don’t match systemd defaults.

468 -rw------- 1 caddy caddy 477632 Aug 12 12:16 access.log

I’ve tried adding a umask as well, and sadly… caddy just re-adds the permissions (once again).

francislavoie · August 14, 2024, 12:23am

We recently merged a change that would allow changing the log file permissions, but it’s not in any released version yet. See logging: Allow setting log file permissions by ririsoft · Pull Request #6314 · caddyserver/caddy · GitHub You could build from the master branch for now if you need this right away.

MarlonJMejia · August 14, 2024, 2:56am

Thanks @francislavoie

I am willing to test the branch, but not so sure how I would about building it with the require plugin/modules I have.

Sucks to not be able how to code (in go) but I’ll review the code to see how it was done and look into building caddy from master as well.

francislavoie · August 14, 2024, 3:10am

If you’re using xcaddy, just do xcaddy build master and add your --with after that. That’s all.

MarlonJMejia · August 14, 2024, 4:09am

Yeah, ended up being how I was able to compile with the master branch, pretty effortless!

Caddyfile log section as an example:

    log {
            output file /var/log/caddy/access.log {
                    roll_size 100MiB
                    roll_keep 5
                    mode 0664
                    #level INFO
            }
    }

system · September 13, 2024, 4:10am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.