Bug 146597
Summary: | httpd logs not rotating | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stephan Borg <wolff_borg> | ||||||||||
Component: | logrotate | Assignee: | Peter Vrabec <pvrabec> | ||||||||||
Status: | CLOSED NOTABUG | QA Contact: | |||||||||||
Severity: | medium | Docs Contact: | |||||||||||
Priority: | medium | ||||||||||||
Version: | 3 | CC: | dwalsh | ||||||||||
Target Milestone: | --- | ||||||||||||
Target Release: | --- | ||||||||||||
Hardware: | All | ||||||||||||
OS: | Linux | ||||||||||||
Whiteboard: | |||||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
Doc Text: | Story Points: | --- | |||||||||||
Clone Of: | Environment: | ||||||||||||
Last Closed: | 2005-02-11 10:18:52 UTC | Type: | --- | ||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||
Documentation: | --- | CRM: | |||||||||||
Verified Versions: | Category: | --- | |||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
Embargoed: | |||||||||||||
Attachments: |
|
Description
Stephan Borg
2005-01-30 09:10:29 UTC
Sorry, just realised that *.log is not going to find any logs in /var/log/httpd/ Changed to *_log and appears not to get an error now - not sure if its working - will find out next week. I can't reproduce it. Send me content of your /etc/logrotate.d/httpd, /etc/logrotate.conf and verbose output from logrotate Created attachment 110460 [details]
State prior to logrotation error
I tried to create the state prior to the error - and the last line of
logrotate.txt shows verbose out of the error occurring.
The only difference I found, is that logrotate would always show this error
when executed repeatedly.
Three points I should mention:
1 - I have SELinux enabled, not sure how this affects log rotation.
2 - I have custom httpd scripts, whose naming convention maybe causing the
error.
3 - When the logrotate error occurs, it appears that all logs are rotated, but
services such as httpd and syslogd are not restarted correctly. This was how I
noticed the error in the first place.
I still can't reproduce it even with your logrotate.conf, httpd and logs. Could u send me your debug output(logrotate -d). Which root shell do u use? What did u mean by "logrotate would always show this error when executed repeatedly". I use bash shell. I can't reproduce the error consistently now either. After I applied the first work around - the error disappeared and I've only got it to come back once since then. Whereas, prior to the work around - everytime I ran logrotate, it would give me 'error running shared postrotate script for /var/log/httpd/*log' and not restart any services. If you wish, we can close off this bug - and if it reoccurs, I won't touch it and log another bug. Created attachment 110789 [details]
Debug output from logrotate
Problem reoccured this week during cron log rotation. Have attached debug
logrotate output as requested. Will leave in broken state should you require
further testing.
Created attachment 110869 [details]
modified logrotate
Try reproduce the bug with this modified(added more verbose messages)
logrotate.
need output of this
# ./logrotate -v -f /etc/logrotate.conf
Created attachment 110894 [details]
Output of verbose logrotate
As requested.
Logrotate fail to execlp temporary file from /tmp. I think SELinux cause your problem, try to disable it, or allow logrotate to exec files from /tmp Please do not disable SELinux. You can turn SELinux into permissive mode by setenforce 0, or changing the /etc/selinux/config file. logrotate should be running with full privs in a targeted system. Are you seeing any AVC messages in the /var/log/messages file? Dan OK - discovered what it was. I have mounted my /tmp parition with the noexec attribute - apparently this was causing all the trouble. Not sure what the right way forward is from here - should executable scripts be allowed from within /tmp ? I think, it is not so secure to allow execute scripts from /tmp. I don't know SELinux enought but it may be right thing to limit this. To be honest, I don't believe this to be an SELinux problem, but rather a logrotate problem. I guess someone with intimiate knowledge of logrotate can confirm. Mounting /tmp with noexec is like locking up your bike with a string. It might slow down an attacker for a second or two at most. Don't bother; it's not worth the breakage it can cause for legitimate applications. |