From 23eda626f2e04856721888b668e38019be0c3127 Mon Sep 17 00:00:00 2001
From: Xu Liu
Date: Sat, 9 Mar 2024 02:25:30 +0800
Subject: [PATCH] Fix log rotation in UBI images (#6052)
logrotate needs to run as the same user as OVS to get the proper permissions for log files. As Antrea runs OVS as root, we disable libcapng to make logrotate also run as root.
Fixes: #6046
Signed-off-by: Xu Liu
---
 build/images/ovs/Dockerfile.ubi | 5 ++++-
 test/e2e/basic_test.go | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/build/images/ovs/Dockerfile.ubi b/build/images/ovs/Dockerfile.ubi
index cf3a424b012..3690e7e73be 100644
--- a/build/images/ovs/Dockerfile.ubi
+++ b/build/images/ovs/Dockerfile.ubi
@@ -32,7 +32,10 @@ RUN cd /tmp/openvswitch* && \
 sed -e "s/@VERSION@/$OVS_VERSION/" rhel/openvswitch-fedora.spec.in > /tmp/ovs.spec && \
 yum-builddep -y /tmp/ovs.spec && ./boot.sh && \
 ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc && \
- make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
+ # logrotate needs to run as the same user as OVS to get the proper permissions of log files.
+ # As Antrea runs OVS as root, we disable libcapng to make logrotate also run as root.
+ # See https://github.com/openvswitch/ovs/blob/v2.17.7/rhel/openvswitch-fedora.spec.in#L26-L27.
+ RPMBUILD_OPT="--without libcapng" make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
 mv /tmp/openvswitch-$OVS_VERSION/rpm/rpmbuild/RPMS/*/*.rpm /tmp/ovs-rpms && \
 rm -rf /tmp/openvswitch*
diff --git a/test/e2e/basic_test.go b/test/e2e/basic_test.go
index 058d4c54567..10f1ed3b6ff 100644
--- a/test/e2e/basic_test.go
+++ b/test/e2e/basic_test.go
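Review bot: The comment added above `RPMBUILD_OPT="--without libcapng"` gives the logrotate motivation but not the least-privilege cost of the option. Judging by the linked spec lines, it is intended for builds where OVS never has to run as a regular user, so the resulting RPMs presumably cannot drop to a non-root user later. I would add a line such as `# Note: RPMs built without libcapng only support running OVS as root.` once that is confirmed against the spec. The link also pins `v2.17.7` while the build uses `$OVS_VERSION`, so the `#L26-L27` reference may go stale on a version bump; naming the spec's `libcapng` build option in the comment would keep it findable. The RUN instruction starts before this hunk.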
@@ -56,6 +56,7 @@ func TestBasic(t *testing.T) {
 t.Run("testDeletePreviousRoundFlowsOnStartup", func(t *testing.T) { testDeletePreviousRoundFlowsOnStartup(t, data) })
 t.Run("testGratuitousARP", func(t *testing.T) { testGratuitousARP(t, data, data.testNamespace) })
 t.Run("testClusterIdentity", func(t *testing.T) { testClusterIdentity(t, data) })
+ t.Run("testLogRotate", func(t *testing.T) { testLogRotate(t, data) })
 }
 // testPodAssignIP verifies that Antrea allocates IP addresses properly to new Pods. It does this by
@@ -892,3 +893,14 @@ func testClusterIdentity(t *testing.T, data *TestData) {
 assert.NoError(t, err, "Failed to retrieve cluster identity information within %v", timeout)
 assert.NotEqual(t, uuid.Nil, clusterUUID)
 }
+
+func testLogRotate(t *testing.T, data *TestData) {
+ nodeName := nodeName(0)
+ podName := getAntreaPodName(t, data, nodeName)
+ cmd := []string{"logrotate", "-vf", "/etc/logrotate.d/openvswitch-switch"}
+ stdout, stderr, err := data.RunCommandFromPod(antreaNamespace, podName, ovsContainerName, cmd)
+ if err != nil {
+ t.Fatalf("Error when running logrotate command in Pod '%s': %v, stdout: %s, stderr: %s", podName, err, stdout, stderr)
+ }
+ t.Logf("Successfully ran logrotate command in Pod '%s': stdout: %s, stderr: %s", podName, stdout, stderr)
+}
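Review bot: In the second hunk, `nodeName := nodeName(0)` in testLogRotate shadows the `nodeName` function for the rest of the body; a distinct local such as `node := nodeName(0)` followed by `getAntreaPodName(t, data, node)` avoids that. The test also passes on the exit status of `logrotate -vf` alone, and it is not visible here whether logrotate reports a permission problem on the log files through its exit status, so a check on stderr or on the rotated file would pin the fix more directly. The new function has no doc comment, unlike testPodAssignIP in the first hunk; `// testLogRotate verifies that logrotate runs successfully against the OVS logrotate config in the OVS container.` would match the file's style.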