<div dir="ltr"><div dir="ltr">On Fri, 18 Oct 2019 at 12:11, Lennart Sorensen <<a href="mailto:lsorense@csclub.uwaterloo.ca" target="_blank">lsorense@csclub.uwaterloo.ca</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Oct 17, 2019 at 01:59:18PM -0400, Giles Orr via talk wrote:<br>
> We have a bunch of new(ish) Debian 10 VMs, and logrotate is failing to<br>
> rotate our non-standard logs. Unfortunately we deleted all the old Debian<br>
> 9 VMs before I noticed this problem, so they're not readily available for<br>
> comparison. The logrotate config files worked fine on Debian 9<br>
> (provisioning is with Ansible, so it's consistent). The failures aren't<br>
> detailed enough to help. Here's the config:<br>
> <br>
> # /etc/logrotate.d/ruby<br>
> /opt/rubyapp/log/*.log {<br>
> daily<br>
> missingok<br>
> rotate 28<br>
> compress<br>
> delaycompress<br>
> copytruncate<br>
> }<br>
> <br>
> The parent configuration is standard Debian 10:<br>
> <br>
> # /etc/logrotate.conf<br>
> # (system-supplied comments removed)<br>
> weekly<br>
> rotate 4<br>
> create<br>
> include /etc/logrotate.d<br>
> <br>
> Unfortunately my paranoia is such that I'm redacting or modifying machine<br>
> names and folder names ... I apologize for that. But I don't think the<br>
> path involved is the problem.<br>
> <br>
> Here's one of the errors:<br>
> <br>
> # systemctl status logrotate.service<br>
> ● logrotate.service - Rotate log files<br>
> Loaded: loaded (/lib/systemd/system/logrotate.service; static;<br>
> vendor preset: enabled)<br>
> Active: failed (Result: exit-code) since Thu 2019-10-17 00:00:17<br>
> EDT; 12h ago<br>
> Docs: man:logrotate(8)<br>
> man:logrotate.conf(5)<br>
> Process: 29004 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf<br>
> (code=exited, status=1/FAILURE)<br>
> Main PID: 29004 (code=exited, status=1/FAILURE)<br>
> <br>
> Oct 17 00:00:01 acctserver systemd[1]: Starting Rotate log files...<br>
> Oct 17 00:00:14 acctserver logrotate[8621]: error: unable to open<br>
> /opt/rubyapp/log/newrelic_agent.log.1 for compression<br>
> Oct 17 00:00:14 acctserver logrotate[8621]: error: unable to open<br>
> /opt/rubyapp/log/puma.stderr.log.1 for compression<br>
> Oct 17 00:00:14 acctserver logrotate[8621]: error: unable to open<br>
> /opt/rubyapp/log/puma.stdout.log.1 for compression<br>
> Oct 17 00:00:14 acctserver logrotate[8621]: error: unable to open<br>
> /opt/rubyapp/log/traffic.log.1 for compression<br>
> Oct 17 00:00:17 acctserver systemd[1]: logrotate.service: Main process<br>
> exited, code=exited, status=1/FAILURE<br>
> Oct 17 00:00:17 acctserver systemd[1]: logrotate.service: Failed with<br>
> result 'exit-code'.<br>
> Oct 17 00:00:17 acctserver systemd[1]: Failed to start Rotate log files.<br>
> <br>
> Here's the folder contents:<br>
> <br>
> # cd /opt/rubyapp/log<br>
> # ls -l<br>
> -rw-rw-r--+ 1 root root 1982 Oct 16 15:08 newrelic_agent.log<br>
> -rw-rw-r--+ 1 root root 7194 Oct 16 13:37 newrelic_agent.log.1<br>
> -rw-rw-r--+ 1 root root 2549 Oct 10 17:45 newrelic_agent.log.2.gz<br>
> -rw-rw-r--+ 1 root root 154290 Oct 17 12:34 puma.stderr.log<br>
> -rw-rw-r--+ 1 root root 573253 Oct 16 13:37 puma.stderr.log.1<br>
> -rw-rw-r--+ 1 root root 512648 Oct 10 17:45 puma.stderr.log.2.gz<br>
> -rw-rw-r--+ 1 root root 238 Oct 16 15:08 puma.stdout.log<br>
> -rw-rw-r--+ 1 root root 722 Oct 16 13:37 puma.stdout.log.1<br>
> -rw-rw-r--+ 1 root root 701 Oct 10 17:45 puma.stdout.log.2.gz<br>
> -rw-rw-r--+ 1 root root 4747006453 Oct 17 12:37 traffic.log<br>
> -rw-rw-r--+ 1 root root 15668065757 Oct 10 17:55 traffic.log.1<br>
> -rw-rw-r--+ 1 root root 850646513 Sep 20 18:12 traffic.log.2.gz<br>
> <br>
> I note that in /var/log/ - where logrotate continues to work fine - that<br>
> files are owned mostly root:adm (what is 'adm', and does it matter in this<br>
> context?) and the permissions are 640 rather than 664. There are ACLs<br>
> attached to the files/folder shown above ... does _that_ matter? Where<br>
> this gets weirder is that if I run 'logrotate --force<br>
> /etc/logrotate.d/ruby' it gets rotated fine. It runs fine if run by hand,<br>
> it fails if run on a SystemD timer. Which suggests a difference in<br>
> permissions, but don't timers run as root:root?<br>
> <br>
> Any thoughts appreciated. As you can see, these are damn big logs, and we<br>
> have this problem across multiple machines so I'd really like to fix it ...<br>
> <br>
> Errors on other servers aren't always consistent with this: a fix for this<br>
> may or may not help with them, so I may be coming back for more.<br>
> <br>
> Thanks all.<br>
<br>
Maybe systemd runs the logrotate with some priviledges dropped and<br>
perhaps your ACLs are affecting things. What are the permissions on<br>
the log directory itself?<br></blockquote><div><br></div><div>Good point ...:<br></div><div><br></div><div># getfacl log/ <br># file: log/<br># owner: builder<br># group: builder<br>user::rwx<br>group::rwx #effective:r-x<br>group:deployers:rwx #effective:r-x<br>mask::r-x<br>other::r-x<br>default:user::rwx<br>default:group::rwx<br>default:group:deployers:rwx<br>default:mask::rwx<br>default:other::r-x<br></div><div><br></div><div>The ownership of /opt/rubyapp/ (and all its children) is modified to allow a specific non-privileged users to be able to do deployments.</div><div><br></div><div>How do I determine the exact permissions that SystemD runs its timers with? I haven't dug deeply for that - I've mostly been looking at logrotate itself. I notice there's a 'su <user> <group>' option for logrotate: I haven't tried yet, but I thought 'su root root' would be good but probably wouldn't work because if it doesn't already have those perms it probably can't get them. But this suggests that 'su builder deployers' might work? Except, except ... everything in the folder still claims to be owned root.root (but is group writable ...).</div><div><br></div><div>(Michael G - still parsing yours out, I'll get back to you. This was more immediately answerable.)<br></div></div><br>-- <br><div dir="ltr">Giles<br><a href="https://www.gilesorr.com/" target="_blank">https://www.gilesorr.com/</a><br><a href="mailto:gilesorr@gmail.com" target="_blank">gilesorr@gmail.com</a></div></div>