Bug 1385287

Summary: /var/log/lastlog appears to be huge on ipa client
Product: Red Hat Enterprise Linux 7
Reporter: Mohammed Arafa <bugzilla>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: bugzilla, dkupka, kdudka, pvoborni, rcritten
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-10-24 13:36:19 UTC
Type: Bug

Description Mohammed Arafa 2016-10-15 22:16:38 UTC
Description of problem:
I got a physical machine and the rest are VMs. Most of my VMs have /var/log/lastlog at 11G.

I could not find a logrotate config for lastlog in /etc.

I found references online to placing a logrotate config for lastlog into logrotate.conf. However, those same references state this config has been in RHEL for ages. This might be a regression.

kvm : -rw-r--r--. 1 root root 285K Oct 15 23:56 /var/log/lastlog
ipa : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:52 /var/log/lastlog
zenoss : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:45 /var/log/lastlog
docker : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 285K Oct 12 04:57 /var/log/lastlog
gitlab : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:37 /var/log/lastlog
jenkins : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 03:26 /var/log/lastlog
spacewalk : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:58 /var/log/lastlog
cachet : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:49 /var/log/lastlog


I also viewed the log on a couple of VMs and they had entries from Nov 2015 and Aug 2015 respectively.

-------

NOTE:
While writing this up, and to collect data, I logged into the docker VM, which only has 285K size.
I normally log in as root. This time, I did an su to my user and then checked the size.
This is what I found:

[marafa.EGIT] ➤ ./multissh.sh ls -lh /var/log/lastlog
ipa : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:52 /var/log/lastlog
zenoss : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:45 /var/log/lastlog
docker : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 16 00:08 /var/log/lastlog
gitlab : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:37 /var/log/lastlog
jenkins : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 03:26 /var/log/lastlog
spacewalk : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:58 /var/log/lastlog
cachet : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:49 /var/log/lastlog

I am using FreeIPA 4.2
Version-Release number of selected component (if applicable):
[root@ipa ~]# rpm -qa |grep -i ipa
ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. register client to freeipa
2. login to client as a user
3. check size

Actual results:
lastlog is 11G

Expected results:
lastlog should not be over half a gig, and it should be rotated monthly.

Additional info:

Comment 2 Kamil Dudka 2016-10-18 18:13:14 UTC
If you do not have any entry for /var/log/lastlog in logrotate's configuration, it will not be rotated.  Are you saying that the entry used to be included on a default RHEL-7 installation?  If yes, which package provided it?

In any case, logrotate works as designed.

Comment 3 Mohammed Arafa 2016-10-19 01:45:03 UTC
I am saying that on an IPA client, before logging in as a user, lastlog is only 285K in size.
After logging in as an IPA user, lastlog size becomes 11G.

Comment 4 Kamil Dudka 2016-10-19 06:55:25 UTC
I am switching the component to ipa then.

Did you try to check the size by du(1) instead of ls(1)?

If ls shows big size just because the file is sparse, this is likely NOTABUG.

Comment 5 Mohammed Arafa 2016-10-19 22:57:32 UTC
It is indeed 40K from du.

So why does IPA change this? It shouldn't.

Comment 6 David Kupka 2016-10-24 13:36:19 UTC
From man 8 lastlog:
NOTE
       The lastlog file is a database which contains info on the last login of each user. You should not rotate it. It is a sparse file, so its size on the disk is usually much smaller than the one shown by "ls -l" (which can indicate a really big file if you have in passwd users with a high UID). You can display its real size with "ls -s".

The IPA server creates an ID range starting from a random number by default during installation. You can use --idstart (and --idmax) to override this. This means that there's quite a high chance that IPA users will have high UIDs and lastlog will appear to take a huge amount of disk space.
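
Added example, not part of the bug thread: a sketch of why a single login by a high-UID user makes lastlog look huge in "ls -l" while du stays small. It works on a constructed temporary file only and assumes 292-byte records (glibc struct lastlog on x86_64 Linux) and GNU stat; the function names and sample UIDs are hypothetical.

```shell
#!/bin/sh
# Added example: constructed data only, never touches the real /var/log/lastlog.
# Assumption: 292-byte records (glibc struct lastlog on x86_64) and GNU stat.
REC=292

# Apparent size a lastlog file reaches once the given UID has logged in.
lastlog_size_for_uid() { echo $(( ($1 + 1) * $REC )); }

# Highest UID slot that a file of the given apparent size can hold.
max_uid_for_size() { echo $(( $1 / $REC - 1 )); }

# Apparent size in bytes: the figure "ls -l" prints.
apparent_bytes() { stat -c %s "$1"; }

# Bytes actually allocated on disk: what du and "ls -s" report.
allocated_bytes() {
    set -- $(stat -c '%b %B' "$1")   # block count, bytes per block
    echo $(( $1 * $2 ))
}

# Write one record at offset UID * REC, the way a login for that UID would.
# dd seeks past the end of the file, so everything before the record is a hole.
write_record() {
    dd if=/dev/zero of="$1" bs="$REC" seek="$2" count=1 conv=notrunc 2>/dev/null
}

# Succeeds when the file occupies less disk space than its apparent size.
is_sparse() { [ "$(allocated_bytes "$1")" -lt "$(apparent_bytes "$1")" ]; }

demo() {
    f=$(mktemp)
    write_record "$f" 1000      # constructed local user
    write_record "$f" 200000    # constructed directory user with a high UID
    echo "apparent:  $(apparent_bytes "$f") bytes"
    echo "allocated: $(allocated_bytes "$f") bytes"
    echo "highest UID slot: $(max_uid_for_size "$(apparent_bytes "$f")")"
    if is_sparse "$f"; then echo "sparse: ls -l overstates disk usage"; fi
    rm -f "$f"
}
demo
```

Monitoring or cleanup jobs that alert on or rotate files by apparent size will misfire on lastlog; compare allocated size instead, since rotating the file discards the last-login records it exists to keep.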