install: set umask to 022 before writing the GPG key to avoid permission issues
On hosts with a "non-standard" umask (for security), the key file can be created with unexpected permissions which on some distributions (Ubuntu 24.04 confirmed) causes errors suggesting that NO_PUBKEY is available. Refer to https://github.com/fluent/fluent-bit/issues/10161
Fixes https://github.com/fluent/fluent-bit/issues/10161
Enter [N/A] in the box, if an item is not applicable to your change.
Testing
Before we can approve your change, please submit the following in a comment:
- [N/A] Example configuration file for the change
- [x] Debug log output from testing the change
- [N/A] Attached Valgrind output that shows no leaks or memory corruption was found
Set umask to 077 and create a test file to demonstrate resulting permissions (rw-------):
```
$ umask 077
$ touch test
$ ll test
-rw------- 1 phs phs 0 Jun 3 14:09 test
$ rm test
```
Run the old command, demonstrate same permissions are set:
```
$ curl $RELEASE_KEY | gpg --dearmor > key-with-umask077.gpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3175 100 3175 0 0 4161 0 --:--:-- --:--:-- --:--:-- 4161
$ ll
total 4.0K
drwxr-xr-x 2 phs phs 80 Jun 3 14:09 .
drwxrwxrwt 14 root root 320 Jun 3 14:08 ..
-rw------- 1 phs phs 2.3K Jun 3 14:09 key-with-umask077.gpg
```
Wrapped in the subshell + umask gives expected permissions which avoid the apt error on 24.04:
```
$ (umask 022 ; curl $RELEASE_KEY | gpg --dearmor > key-with-umask022.gpg)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3175 100 3175 0 0 10748 0 --:--:-- --:--:-- --:--:-- 10762
$ ll
total 8.0K
drwxr-xr-x 2 phs phs 80 Jun 3 14:09 .
drwxrwxrwt 14 root root 320 Jun 3 14:08 ..
-rw-r--r-- 1 phs phs 2.3K Jun 3 14:09 key-with-umask022.gpg
-rw------- 1 phs phs 2.3K Jun 3 14:09 key-with-umask077.gpg
```
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
- [N/A] Run local packaging test showing all targets (including any new ones) build.
- [N/A] Set `ok-package-test` label to test for all targets (requires maintainer to do).
Documentation
- [N/A] Documentation required for this feature
Backporting
- [N/A] Backport to latest stable release.
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
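The permission effect shown in the testing section above, and the reviewer's question about hosts that already run with a 022 umask, as an added runnable example that is not part of this PR or of the Fluent Bit install script. It stands in for `curl $RELEASE_KEY | gpg --dearmor > file` with `cat` over a constructed placeholder string, so it needs no network access and no real key; the function names are mine, and the fix it demonstrates is the same subshell-scoped `umask 022` the PR uses, which leaves the caller's umask untouched.

```shell
#!/bin/sh
# Added example, not the project's own code: compare the mode of a file written
# by a redirect under the caller's umask with one written inside a subshell
# that sets umask 022 first (the PR's fix for the apt keyring file).

# Write stdin to $1 exactly as the old install command did: the file takes
# whatever mode the caller's umask allows, so umask 077 yields rw------- (600),
# which apt on Ubuntu 24.04 reports as a missing public key (NO_PUBKEY).
write_plain() {
    cat > "$1"
}

# Write stdin to $1 inside a subshell with umask 022, so the keyring ends up
# world-readable (644) regardless of the host's umask, and the umask change
# is discarded when the subshell exits.
write_with_umask022() {
    (umask 022; cat > "$1")
}

# Print the octal permission bits of $1 (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run writer function $2 while the umask is $1 and print the resulting mode.
# The whole experiment runs in a subshell so the test umask does not leak out,
# and the data written is a constructed placeholder, not key material.
perms_under_umask() {
    (
        umask "$1"
        dir=$(mktemp -d)
        printf '%s\n' 'constructed placeholder, not a real GPG key' | "$2" "$dir/key.gpg"
        perm_of "$dir/key.gpg"
        rm -rf "$dir"
    )
}

# Hardened host (umask 077): only the subshell variant produces a readable keyring.
echo "umask 077, plain redirect:     $(perms_under_umask 077 write_plain)"
echo "umask 077, subshell umask 022: $(perms_under_umask 077 write_with_umask022)"
# Default host (umask 022): both variants give 644, so the fix changes nothing there.
echo "umask 022, plain redirect:     $(perms_under_umask 022 write_plain)"
echo "umask 022, subshell umask 022: $(perms_under_umask 022 write_with_umask022)"
```

Run it once with the shell's current umask; the four lines show 600, 644, 644, 644, which is the "no impact on systems that do not require the umask" check the reviewer asked for, since the default-umask case is identical with and without the subshell.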
Changes look ok to me but you'll have to satisfy the DCO check and also ensure the commit follows the contribution guidelines.
I don't think this will impact existing systems that do not require the umask but can we just do a quick test and document it here?
@fukawi2 can you also provide a docs PR for those folks who will be doing this manually rather than via the install script?
- https://docs.fluentbit.io/manual/installation/linux/debian#server-gpg-key
- https://docs.fluentbit.io/manual/installation/linux/ubuntu#server-gpg-key
Acknowledging your comments - will action ASAP 👍
Yeah, I obviously don't have the capacity to follow up here sorry.