Bug 1266105
| Summary: | Logrotate for nginx broken due to new "su" directive in logrotate. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Andrew Holway <andrew.holway> |
| Component: | nginx | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel7 | CC: | affix, andrew.holway, athmanem, bperkins, jeremy, jkaluza, pavel.lisy, wtogami |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-09-24 17:10:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andrew Holway
2015-09-24 13:32:52 UTC
Please post the output of this command: # ls -la /var/log/nginx/ I'm only able to reproduce this problem after explicitly running `chmod 777 /var/log/nginx`, so my guess is that the permissions for your /var/log/nginx directory are not the default. [root@ip-10-141-12-10 log]# ls -la /var/log/nginx/ total 264 drwx------. 2 nginx nginx 39 Sep 24 13:05 . drwxr-xr-x. 9 root root 4096 Sep 24 13:00 .. -rw-r--r--. 1 root root 92114 Sep 24 14:31 access.log -rw-r--r--. 1 root root 171747 Sep 24 13:13 error.log Actually, I am seeing this problem on one of our boxes. I managed to reproduce it on a clean instance but now, of course, on the newest instance I've created things are working ok. Sorry about that. pebkac.
I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have changed it to 700 to match the test box and now I see the below error.
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwx------. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 21862030 Sep 24 15:33 access.log
-rw-r--r--. 1 nginx nginx 11369804 Sep 24 15:33 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 12:12 tracking
[root@tracktor-prod-a-041 log]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx
Handling 1 logs
rotating pattern: /var/log/nginx/*log after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
log needs rotating
considering log /var/log/nginx/error.log
log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log.10.gz to /var/log/nginx/access.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/access.log.9.gz to /var/log/nginx/access.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/access.log.8.gz to /var/log/nginx/access.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/access.log.7.gz to /var/log/nginx/access.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/access.log.6.gz to /var/log/nginx/access.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/access.log.5.gz to /var/log/nginx/access.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/access.log.4.gz to /var/log/nginx/access.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/access.log.3.gz to /var/log/nginx/access.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/access.log.2.gz to /var/log/nginx/access.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/access.log.1.gz to /var/log/nginx/access.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/access.log.0.gz to /var/log/nginx/access.log.1.gz (rotatecount 10, logstart 1, i 0),
rotating log /var/log/nginx/error.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/error.log.10.gz to /var/log/nginx/error.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/error.log.9.gz to /var/log/nginx/error.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/error.log.8.gz to /var/log/nginx/error.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/error.log.7.gz to /var/log/nginx/error.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/error.log.6.gz to /var/log/nginx/error.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/error.log.5.gz to /var/log/nginx/error.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/error.log.4.gz to /var/log/nginx/error.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/error.log.3.gz to /var/log/nginx/error.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/error.log.2.gz to /var/log/nginx/error.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/error.log.1.gz to /var/log/nginx/error.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/error.log.0.gz to /var/log/nginx/error.log.1.gz (rotatecount 10, logstart 1, i 0),
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/access.log to /var/log/nginx/access.log.1
creating new /var/log/nginx/access.log mode = 0644 uid = 997 gid = 995
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/error.log to /var/log/nginx/error.log.1
creating new /var/log/nginx/error.log mode = 0644 uid = 997 gid = 995
running postrotate script
running script with arg /var/log/nginx/*log : "
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
"
compressing log with: /bin/gzip
removing old log /var/log/nginx/access.log.11.gz
error: error opening /var/log/nginx/access.log.11.gz: No such file or directory
Those errors can be ignored and are a consequence of not using the full logrotate configuration file (which includes the dateext option). Try a dry-run with the full logrotate configuration instead and you shouldn't see any errors: # logrotate -d -f /etc/logrotate.conf Then try rotating for real and the nginx logs should be rotated: # logrotate -f /etc/logrotate.conf Also, it should still work with `logrotate -f /etc/logrotate.d/nginx` despite the error message. [root@tracktor-prod-a-041 nginx]# ls -la total 44500 drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 . drwxr-xr-x. 10 root root 4096 Sep 20 03:45 .. -rw-r--r--. 1 nginx nginx 25183610 Sep 24 15:51 access.log -rw-r--r--. 1 nginx nginx 13179052 Sep 24 15:51 error.log drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking [root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.d/nginx error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. [root@tracktor-prod-a-041 nginx]# ls -la total 44500 drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 . drwxr-xr-x. 10 root root 4096 Sep 20 03:45 .. -rw-r--r--. 1 nginx nginx 25202598 Sep 24 15:51 access.log -rw-r--r--. 1 nginx nginx 13187444 Sep 24 15:51 error.log drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking [root@tracktor-prod-a-041 nginx]# ls -la total 44500 drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 . drwxr-xr-x. 10 root root 4096 Sep 20 03:45 .. -rw-r--r--. 1 nginx nginx 25330817 Sep 24 15:52 access.log -rw-r--r--. 1 nginx nginx 13267932 Sep 24 15:52 error.log drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking You have new mail in /var/spool/mail/centos [root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.conf error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. [root@tracktor-prod-a-041 nginx]# ls -la total 44500 drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 . drwxr-xr-x. 10 root root 4096 Sep 24 15:52 .. -rw-r--r--. 1 nginx nginx 25373079 Sep 24 15:52 access.log -rw-r--r--. 1 nginx nginx 13292871 Sep 24 15:52 error.log drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking Deja vu! ;-) (Andrew Holway from comment #3) > I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have > changed it to 700 to match the test box |