New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[dev.icinga.com #11855] logrotate uses incorrect group on CentOS 7 #4240
Comments
Updated by dgoetz on 2016-06-01 14:17:51 +00:00 So the create directive is wrong when Icinga 2 expects ownership icinga:icingacmd, but this is only for creation of the new file after rotation and before the postscript. Can you try "su icinga icingacmd" in the logrotation and if it works fine? Also I am quite not sure if the su directive is required at all. Typically it is used to avoid insecure privileges Icinga 2 does not assign to the log directory. |
Updated by wols on 2016-06-06 10:58:45 +00:00 Is patched on Gentoo icinga-2.4.10-r1 and works. A pull request is here https://github.com/wols/icinga2/pull/1 |
Updated by mfriedrich on 2016-06-06 12:46:57 +00:00
|
Updated by mfriedrich on 2016-06-06 12:47:07 +00:00
|
Updated by mfriedrich on 2016-06-06 15:58:02 +00:00
That's the config of a fresh centos Docker container with icinga2 v2.4.10 installed.
I would rather suspect the package setting the wrong directory ownership (icinga:icingacmd) for /var/log/icinga2 which somehow influences the file creation/rotation here in combination with SELinux. |
Updated by rbu on 2016-06-07 20:01:32 +00:00 dnsmichi wrote:
I can confirm that is the same configuration I had a problem with. Can you reproduce the issue in your container? I can also confirm now that setting this config fixes the bug:
The system in question has SELinux disabled. The problem is that icinga changes the file ownership (group) when it is restarted. I understand that running as user "icinga", logrotate should have the permission to write to the directory in question. So no idea why this happens. |
Updated by gbeutner on 2016-06-13 06:55:06 +00:00
|
I can confirm this on SLES 12 SP1. The configuration should use icinga:icingacmd instead of icinga:icinga for rotating the logs. |
Sorry for that double post. This logrotate config works for me on SLES 12 SP1:
It's a slightly modified version of the config which ships with the official package. |
Hi, I get a similar issue on Ubuntu 16.04 :
Replacing |
I guess there isn't a specific generic solution for this, packages might need to provide different configuration adjustments here. Modify at your own will in the meantime, we won't fix this here. |
I agree, but could this bug be sent / assigned to packaging team ? |
This issue has been migrated from Redmine: https://dev.icinga.com/issues/11855
Created by rbu on 2016-05-29 09:31:40 +00:00
Assignee: mfriedrich
Status: Assigned
Target Version: (none)
Last Update: 2016-06-13 06:55:06 +00:00 (in Redmine)
logrotate errors on the first day:
Then, on subsequent days, it errors with:
The directory after the logrotate run looks like this:
The user ids are as follows:
The logorate script contains:
The root of the problem seems to be the following: Icinga, when started for the first time and at every service restart (with systemctl), will ensure that its log file is owned by icinga:icingacmd (994:991). logrotate changes to icinga:icinga (994:992) and performs the following actions:
That is where it fails.
My first guess for a resolution would be that if icinga2 wants the group to be icingacmd, then the logrotate recipe must use that group too.
Versions:
This issue is a reoccurrence of #8868, but due to another cause it seems to me.
Relations:
The text was updated successfully, but these errors were encountered: