From 3c964e4a1fdd842251d0e83493c7bcc4b54d12d5 Mon Sep 17 00:00:00 2001
From: Xu Liu
Date: Sat, 9 Mar 2024 02:25:30 +0800
Subject: [PATCH] Fix log rotation in UBI images (#6052)
logrotate needs to run as the same user as OVS to get the proper permissions for log files. As Antrea runs OVS as root, we disable libcapng to make logrotate also run as root.
Fixes: #6046
Signed-off-by: Xu Liu
---
 build/images/ovs/Dockerfile.ubi | 5 ++++-
 test/e2e/basic_test.go | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/build/images/ovs/Dockerfile.ubi b/build/images/ovs/Dockerfile.ubi
index cf3a424b012..3690e7e73be 100644
--- a/build/images/ovs/Dockerfile.ubi
+++ b/build/images/ovs/Dockerfile.ubi
@@ -32,7 +32,10 @@ RUN cd /tmp/openvswitch* && \
 sed -e "s/@VERSION@/$OVS_VERSION/" rhel/openvswitch-fedora.spec.in > /tmp/ovs.spec && \
 yum-builddep -y /tmp/ovs.spec && ./boot.sh && \
 ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc && \
- make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
+ # logrotate needs to run as the same user as OVS to get the proper permissions of log files.
+ # As Antrea runs OVS as root, we disable libcapng to make logrotate also run as root.
+ # See https://github.com/openvswitch/ovs/blob/v2.17.7/rhel/openvswitch-fedora.spec.in#L26-L27.
+ RPMBUILD_OPT="--without libcapng" make rpm-fedora && mkdir -p /tmp/ovs-rpms && \
 mv /tmp/openvswitch-$OVS_VERSION/rpm/rpmbuild/RPMS/*/*.rpm /tmp/ovs-rpms && \
 rm -rf /tmp/openvswitch*
diff --git a/test/e2e/basic_test.go b/test/e2e/basic_test.go
index b9258a2ca7a..f6d27804c4d 100644
--- a/test/e2e/basic_test.go
+++ b/test/e2e/basic_test.go
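Review bot: The comment added above `RPMBUILD_OPT="--without libcapng"` in build/images/ovs/Dockerfile.ubi explains the logrotate effect but not the wider one. Going by the spec lines it links, this switch is the package-wide toggle for running OVS as a non-root user, so it probably also removes the daemons' ability to drop privileges in this image. That matches the commit message (Antrea runs OVS as root), but it is a least-privilege trade-off a later maintainer should be able to see, so I would add one more comment line: `# NOTE: this also builds OVS without non-root (--user) support; revisit if OVS stops running as root.` The RUN instruction starts above the hunk, and the link pins v2.17.7 while the build uses $OVS_VERSION, so the referenced line numbers may drift.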
@@ -56,6 +56,7 @@ func TestBasic(t *testing.T) {
 t.Run("testDeletePreviousRoundFlowsOnStartup", func(t *testing.T) { testDeletePreviousRoundFlowsOnStartup(t, data) })
 t.Run("testGratuitousARP", func(t *testing.T) { testGratuitousARP(t, data, data.testNamespace) })
 t.Run("testClusterIdentity", func(t *testing.T) { testClusterIdentity(t, data) })
+ t.Run("testLogRotate", func(t *testing.T) { testLogRotate(t, data) })
 }
 // testPodAssignIP verifies that Antrea allocates IP addresses properly to new Pods. It does this by
@@ -892,3 +893,14 @@ func testClusterIdentity(t *testing.T, data *TestData) {
 assert.NoError(t, err, "Failed to retrieve cluster identity information within %v", timeout)
 assert.NotEqual(t, uuid.Nil, clusterUUID)
 }
+
+func testLogRotate(t *testing.T, data *TestData) {
+ nodeName := nodeName(0)
+ podName := getAntreaPodName(t, data, nodeName)
+ cmd := []string{"logrotate", "-vf", "/etc/logrotate.d/openvswitch-switch"}
+ stdout, stderr, err := data.RunCommandFromPod(antreaNamespace, podName, ovsContainerName, cmd)
+ if err != nil {
+ t.Fatalf("Error when running logrotate command in Pod '%s': %v, stdout: %s, stderr: %s", podName, err, stdout, stderr)
+ }
+ t.Logf("Successfully ran logrotate command in Pod '%s': stdout: %s, stderr: %s", podName, stdout, stderr)
+}
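Review bot: `nodeName := nodeName(0)` in testLogRotate shadows the package's `nodeName` helper for the rest of the function. It compiles, but any later call to the helper inside this function would not, and a distinct local reads better: `node := nodeName(0)` followed by `podName := getAntreaPodName(t, data, node)`. The function also has no doc comment, unlike testPodAssignIP in the same file; something like `// testLogRotate forces an OVS log rotation in the OVS container and fails if logrotate exits with an error.` would do. The test asserts only on the command's exit status, so if logrotate can exit 0 without rotating in this setup, it may be worth also checking that a rotated file appears.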