Bug 1385287 - /var/log/lastlog appears to be huge on ipa client
Summary: /var/log/lastlog appears to be huge on ipa client
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-15 22:16 UTC by Mohammed Arafa
Modified: 2016-10-24 13:36 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-24 13:36:19 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 771286 0 medium CLOSED Lastlog file size increases when UIDs are large. 2021-02-22 00:41:40 UTC

Internal Links: 771286

Description Mohammed Arafa 2016-10-15 22:16:38 UTC 
Description of problem:
i got a physical machine and the rest are VMs. Most of my VMs have  /var/log/lastlog at the 11g

i could not find a logrotate config for lastlog in /etc

i found references online to placing a logrotate config for last log into logrotate.conf . however, those same references state this config has been in rhel for ages. this might be a regression

kvm : -rw-r--r--. 1 root root 285K Oct 15 23:56 /var/log/lastlog
ipa : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:52 /var/log/lastlog
zenoss : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:45 /var/log/lastlog
docker : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 285K Oct 12 04:57 /var/log/lastlog
gitlab : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:37 /var/log/lastlog
jenkins : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 03:26 /var/log/lastlog
spacewalk : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:58 /var/log/lastlog
cachet : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:49 /var/log/lastlog


i also viewed the log on a couple of VMs and they had entries from nov 2015 and aug 2015 respectively

-------

NOTE:
while wrtiing this up, and to collect data, i logged into the docker vm which only has 285K size.
i normally log in by root. this time, i did an su to my user and then checked the size.
this is what i found:

[marafa.EGIT] ➤ ./multissh.sh ls -lh /var/log/lastlog
ipa : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:52 /var/log/lastlog
zenoss : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:45 /var/log/lastlog
docker : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 16 00:08 /var/log/lastlog
gitlab : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 15 23:37 /var/log/lastlog
jenkins : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 03:26 /var/log/lastlog
spacewalk : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:58 /var/log/lastlog
cachet : X11 forwarding request failed on channel 0
-rw-r--r--. 1 root root 11G Oct 12 04:49 /var/log/lastlog

i am using free IPA 4.2
Version-Release number of selected component (if applicable):
[root@ipa ~]# rpm -qa |grep -i ipa
ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64

How reproducible:
everytime

Steps to Reproduce:
1. register client to freeipa
2. login to client as a user
3. check size

Actual results:
last log is 11g

Expected results:
last log should not be over half a gig. and it should be rotated monthly

Additional info:
Comment 2 Kamil Dudka 2016-10-18 18:13:14 UTC 
If you do not have any entry for /var/log/lastlog in logrotate's configuration, it will not be rotated.  Are you saying that the entry used to be included on a default RHEL-7 installation?  If yes, which package provided it?

In any case, logrotate works as designed.
Comment 3 Mohammed Arafa 2016-10-19 01:45:03 UTC 
i am saying that on an ipa client before logging in as a user lastlog is only 285k in size
after logging in as an ipa user lastlog size becomes 11g
Comment 4 Kamil Dudka 2016-10-19 06:55:25 UTC 
I am switching the component to ipa then.

Did you try to check the size by du(1) instead of ls(1)?

If ls shows big size just because the file is sparse, this is likely NOTABUG.
Comment 5 Mohammed Arafa 2016-10-19 22:57:32 UTC 
it is indeed 40K from du

so why does ipa change this? it shouldnt
Comment 6 David Kupka 2016-10-24 13:36:19 UTC 
From man 8 lastlog:
NOTE
       The lastlog file is a database which contains info on the last login of each user. You should not rotate it. It is a sparse file, so its size on the disk is usually much smaller than the one shown by "ls -l" (which can indicate a really big file if you have in passwd users with a high UID). You can display its real size with "ls -s".

IPA server creates ID range starting from random number by default during installation. You can use --idstart  (and --idmax) to override this. This means that there's quite high chance that IPA users will have high UIDs and lastlog will appear to take huge amount of disk space.
Note You need to log in before you can comment on or make changes to this bug.