Incus log file and directory permissions

ganto · December 22, 2023, 2:02pm

I’m maintaining the Incus RPM package for Fedora on COPR. Yesterday I got this request to add startup directory creation for /var/log/incus to the Incus systemd services. This made me dig into the /var/log/incus directory more:

Do we even need /var/log/incus/incusd.log at all? My current Incus systemd unit is mainly based on incus.service which defines the log via --logfile. Is there any additional benefit compared to only using journald? I tested --logfile=/dev/null and the systemd journal still contains the incusd log messages. Or is there even a better way to disable logging into a file?
As there are other logs (dnsmasq, container logs) in /var/log/incus what would be the appropriate permissions for this directory?

The Gentoo lxd.services systemd unit included a mkdir since years and changed the group to lxd (admin group) but with permissions of 0700 this doesn’t really have any effect.

I was thinking of /var/log/incus ownership root:incus-admin and permissions of 0750 but then saw that the incus-user instance logs are there too and not accessible by a regular user if I do so. Any suggestions?

stgraber · December 22, 2023, 3:01pm

Not passing --logfile should do what you want. There’s no real downside to using the journal alone.

stgraber · December 22, 2023, 3:03pm

700 as there may be sensitive data in there, not just IP/MAC addresses but also full LXC and QEMU configs and the like.

stgraber · December 22, 2023, 3:04pm

Because a lot of that stuff is security sensitive, Incus actually has logic to slam the correct permissions on every startup.

It will apply amongst other things:

/var/lib/incus => 0711
/var/log/incus => 0700
/var/cache/incus => 0700

ganto · December 22, 2023, 3:28pm

Ok, thanks. In this case I’ll just remove --logfile and don’t think any further about the directory permissions as they are enforced by Incus anyway.