From c92378d7881927d46ff5d485edcf25989c0c4170 Mon Sep 17 00:00:00 2001
From: Doug Szumski
Date: Tue, 17 Mar 2020 11:16:38 +0000
Subject: [PATCH] Make Fluentd config folders readable

Currently, config folders lack the execute bit so Fluentd cannot read the config and just does nothing when it starts up. This change explicitly sets the execute bit on folders which need it, rather than doing it in a more generic way which is more risky from a security perspective.

Change-Id: Ia840f4b67043df4eaa654f47673dcdc973f13d9c
Closes-Bug: #1867754
---
 ansible/roles/common/templates/fluentd.json.j2 | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/common/templates/fluentd.json.j2 b/ansible/roles/common/templates/fluentd.json.j2
index a827dc32b2..0dc78be3db 100644
--- a/ansible/roles/common/templates/fluentd.json.j2
+++ b/ansible/roles/common/templates/fluentd.json.j2
@@ -22,6 +22,14 @@
 {% set fluentd_cmd = '/usr/sbin/td-agent' %}
 {% endif %}

+{%- macro config_directory_permissions(dir) -%}
+ {
+ "path": "{{ fluentd_dir }}/{{ dir }}",
+ "owner": "{{ fluentd_user }}:{{ fluentd_user }}",
+ "perm": "0700"
+ }
+{%- endmacro -%}
+
 {
 "command": "{{ fluentd_cmd }}",
 "config_files": [
@@ -52,7 +60,12 @@
 "path": "/var/lib/fluentd/data",
 "owner": "{{ fluentd_user }}:{{ fluentd_user }}",
 "recurse": true
- }
+ },
 {# Allow Fluentd to read configuration from folders #}
+ {{ config_directory_permissions("input") }},
+ {{ config_directory_permissions("filter") }},
+ {{ config_directory_permissions("format") }},
+ {{ config_directory_permissions("output") }}
 ]
 }
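Review bot: The new `config_directory_permissions` macro in the first hunk gives no reason for `"perm": "0700"`; the rationale (the execute bit is what lets Fluentd traverse the folder, and owner-only keeps the config private) exists only in the commit message, so the next edit to this template can easily widen the mode without understanding the trade-off. A Jinja comment directly above the macro, `{# Config directories need the execute bit so Fluentd can traverse them; 0700 keeps them private to fluentd_user #}`, carries that into the file. In the second hunk the four directory entries carry no `"recurse": true`, unlike the `/var/lib/fluentd/data` entry just above them, which suggests they are meant to touch only the directory itself and leave the file modes set by the `config_files` entries alone; if that is the intent, extending the existing comment to `{# Allow Fluentd to read configuration from folders (directory mode only, not recursive) #}` makes it explicit rather than accidental. The `fluentd_dir` and `fluentd_user` variables the macro expands are set outside both hunks, so the note assumes they are always defined on this template's render paths.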