Bug 1266105
Summary: | Logrotate for nginx broken due to new "su" directive in logrotate. | | |
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Andrew Holway <andrew.holway> |
Component: | nginx | Assignee: | Nobody's working on this, feel free to take it <nobody> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | epel7 | CC: | affix, andrew.holway, athmanem, bperkins, jeremy, jkaluza, pavel.lisy, wtogami |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-09-24 17:10:48 UTC | Type: | Bug |
Description
Andrew Holway
2015-09-24 13:32:52 UTC
Please post the output of this command:

```
# ls -la /var/log/nginx/
```

I'm only able to reproduce this problem after explicitly running `chmod 777 /var/log/nginx`, so my guess is that the permissions for your /var/log/nginx directory are not the default.

```
[root@ip-10-141-12-10 log]# ls -la /var/log/nginx/
total 264
drwx------. 2 nginx nginx 39 Sep 24 13:05 .
drwxr-xr-x. 9 root root 4096 Sep 24 13:00 ..
-rw-r--r--. 1 root root 92114 Sep 24 14:31 access.log
-rw-r--r--. 1 root root 171747 Sep 24 13:13 error.log
```

Actually, I am seeing this problem on one of our boxes. I managed to reproduce it on a clean instance but now, of course, on the newest instance I've created things are working ok. Sorry about that. pebkac.

I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have changed it to 700 to match the test box and now I see the below error.

```
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwx------. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 21862030 Sep 24 15:33 access.log
-rw-r--r--. 1 nginx nginx 11369804 Sep 24 15:33 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 12:12 tracking
[root@tracktor-prod-a-041 log]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx
Handling 1 logs
rotating pattern: /var/log/nginx/*log after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
log needs rotating
considering log /var/log/nginx/error.log
log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log.10.gz to /var/log/nginx/access.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/access.log.9.gz to /var/log/nginx/access.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/access.log.8.gz to /var/log/nginx/access.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/access.log.7.gz to /var/log/nginx/access.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/access.log.6.gz to /var/log/nginx/access.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/access.log.5.gz to /var/log/nginx/access.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/access.log.4.gz to /var/log/nginx/access.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/access.log.3.gz to /var/log/nginx/access.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/access.log.2.gz to /var/log/nginx/access.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/access.log.1.gz to /var/log/nginx/access.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/access.log.0.gz to /var/log/nginx/access.log.1.gz (rotatecount 10, logstart 1, i 0),
rotating log /var/log/nginx/error.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/error.log.10.gz to /var/log/nginx/error.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/error.log.9.gz to /var/log/nginx/error.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/error.log.8.gz to /var/log/nginx/error.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/error.log.7.gz to /var/log/nginx/error.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/error.log.6.gz to /var/log/nginx/error.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/error.log.5.gz to /var/log/nginx/error.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/error.log.4.gz to /var/log/nginx/error.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/error.log.3.gz to /var/log/nginx/error.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/error.log.2.gz to /var/log/nginx/error.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/error.log.1.gz to /var/log/nginx/error.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/error.log.0.gz to /var/log/nginx/error.log.1.gz (rotatecount 10, logstart 1, i 0),
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/access.log to /var/log/nginx/access.log.1
creating new /var/log/nginx/access.log mode = 0644 uid = 997 gid = 995
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/error.log to /var/log/nginx/error.log.1
creating new /var/log/nginx/error.log mode = 0644 uid = 997 gid = 995
running postrotate script
running script with arg /var/log/nginx/*log : "
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
"
compressing log with: /bin/gzip
removing old log /var/log/nginx/access.log.11.gz
error: error opening /var/log/nginx/access.log.11.gz: No such file or directory
```

Those errors can be ignored and are a consequence of not using the full logrotate configuration file (which includes the dateext option). Try a dry-run with the full logrotate configuration instead and you shouldn't see any errors:

```
# logrotate -d -f /etc/logrotate.conf
```

Then try rotating for real and the nginx logs should be rotated:

```
# logrotate -f /etc/logrotate.conf
```

Also, it should still work with `logrotate -f /etc/logrotate.d/nginx` despite the error message.

```
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25183610 Sep 24 15:51 access.log
-rw-r--r--. 1 nginx nginx 13179052 Sep 24 15:51 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking
[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.d/nginx
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25202598 Sep 24 15:51 access.log
-rw-r--r--. 1 nginx nginx 13187444 Sep 24 15:51 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25330817 Sep 24 15:52 access.log
-rw-r--r--. 1 nginx nginx 13267932 Sep 24 15:52 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking
You have new mail in /var/spool/mail/centos
[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.conf
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 24 15:52 ..
-rw-r--r--. 1 nginx nginx 25373079 Sep 24 15:52 access.log
-rw-r--r--. 1 nginx nginx 13292871 Sep 24 15:52 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking
```

Deja vu! ;-)

(Andrew Holway from comment #3)
> I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have
> changed it to 700 to match the test box
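The refusal quoted in this thread turns on two facts about the parent directory: its mode bits and its owning group. The following is an added example, not part of the bug report and not logrotate's own code; it models the condition exactly as the error message words it, the function names are hypothetical, and gid 995 for nginx is taken from the debug output above.

```shell
#!/bin/sh
# Added example: models the condition named in the logrotate error message
# ("world writable or writable by group which is not root").

# insecure_mode MODE GID: succeeds (exit 0) when a directory with this
# octal mode and owning gid matches the condition in the message.
insecure_mode() {
    bits=$((0$1))                       # leading 0 makes the shell parse octal
    if [ $((bits & 0002)) -ne 0 ]; then
        return 0                        # world writable
    fi
    if [ $((bits & 0020)) -ne 0 ] && [ "$2" -ne 0 ]; then
        return 0                        # group writable and the group is not root (gid 0)
    fi
    return 1
}

# verdict MODE GID: print "insecure" or "ok".
verdict() {
    if insecure_mode "$1" "$2"; then echo insecure; else echo ok; fi
}

# check_log_dir DIR: apply the test to a real directory (GNU stat, as on EPEL 7).
check_log_dir() {
    mg=$(stat -c '%a %g' "$1") || return 2
    echo "$1 mode=${mg% *} gid=${mg#* } -> $(verdict "${mg% *}" "${mg#* }")"
}

# Directories given on the command line are checked for real.
for d in "$@"; do
    check_log_dir "$d"
done

# Constructed cases mirroring the thread: 700 (package default seen on the
# test box), 770 (the failing box), 777 (the maintainer's reproduction),
# and 770 with group root for contrast.
for c in "700 995" "770 995" "777 995" "770 0"; do
    set -- $c
    echo "mode=$1 gid=$2 -> $(verdict "$1" "$2")"
done
```

Run it as `sh check.sh /var/log/nginx` to test a live directory. Where group write access is intended, the message's own remedy is a `su nginx nginx` line in the logrotate stanza so rotation runs as that user and group rather than as root.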