Docker container logrotate does not take effect

Time:2021-10-15

Process

A log analysis script was added to the syslog Docker image. The script uses the minimum edit distance algorithm to collect error logs and send them to the test environment alarm group. The script relies on logrotate. The expected error collection alarm was not seen the next morning, and it was found that logrotate was not working.

[email protected]:/srv/log/p10057_syslog/rsyslog$ cat analyze_error_log.log 
('log_path_not_exist', '/srv/log/rsyslog/ejoy_errors/error.log.xxxxxxx')

Adding the log analysis script involved two changes:

  • The analysis script is called from crontab
  • A new syslog Docker image was built, with several Python libraries that the script depends on added

Guess:
Logrotate depends on crontab, and the new crontab configuration overrides the scheduled execution of logrotate.
Rolled back the Docker image version. There was no crontab task before.
In fact, this had already been checked during development. Crontab was suspected because there were no suspicious changes.

ubuntu# crontab -l
no crontab for root

Finally, it turned out that the problem was the permissions of the logrotate.conf file:

[email protected]:/etc# /usr/sbin/logrotate -d -v /etc/logrotate.conf 
Ignoring /etc/logrotate.conf because of bad file mode.
Handling 0 logs
[email protected]:/etc# ls -l /etc/logrotate.conf 
-rw-rw-r-- 1 root root 351 Sep 29 03:47 /etc/logrotate.conf
[email protected]:/etc# chmod 644 /etc/logrotate.conf 
[email protected]:/etc# /usr/sbin/logrotate -d -v /etc/logrotate.conf 
reading config file /etc/logrotate.conf
Handling 1 logs
rotating pattern: /srv/log/rsyslog/*/*.log  4096 bytes (14 rotations)
empty log files are rotated, old logs are removed
considering log /srv/log/rsyslog/admin/access.log
  log does not need rotating
considering log /srv/log/rsyslog/admin/admin.log
....

That's weird. Why did the permission of logrotate.conf change? Before this, I didn't even know there was a logrotate.conf file, let alone modify it.
There is a line in syslog/Dockerfile, so the permission of the logrotate.conf file in the image is determined by the permission of syslog/logrotate.conf on the machine that builds the Docker image:
COPY logrotate.conf /etc/logrotate.conf
The file mode of logrotate.conf on the publishing machine is 644, while mine is 664. Did I accidentally modify the file mode of logrotate.conf? And with core.filemode set to false, was the file mode change simply ignored?

git config core.filemode false

After setting core.filemode to true, there was still no diff. After some attempts, I found a little-known fact about Git:

Git only records the executable bit of the file

https://medium.com/@tahteche/…
That is, for Git the file mode is only ever 755 (user executable) or 644 (not user executable).

Well, did I accidentally change the file mode of logrotate.conf? My logrotate.conf really is 664, and it really is 644 on the packer.
Rechecking with a fresh checkout: the logrotate.conf of the new checkout is 664. This leads to a new question.

umask and USERGROUPS_ENAB

https://superuser.com/questio…

After some experimenting, I found:
The difference is that my umask is 002 and the packer's is 0022.
My user name is the same as my group name, while the packer's user name and group name are different.

~ » touch aa
~ » ls -l aa
-rw-rw-r-- 1 enjolras enjolras 0 Sep 29 19:09 aa
~ » umask
002
[email protected]:~$ touch a
[email protected]:~$ ls -l a
-rw-r--r-- 1 platformdeploy platform 0 Sep 29 19:56 a
[email protected]:~$ umask
0022
less /etc/login.defs
Enable setting of the umask group bits to be the same as owner bits
(examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
the same as gid, and username is the same as the primary group name.
If set to yes, userdel will remove the user´s group if it contains no
more members, and useradd will create by default a group with the name
of the user.
USERGROUPS_ENAB yes

Conclusion

The same checkout gets different file permissions in different environments. It is best to set the permissions of the file explicitly in the Dockerfile.
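The umask effect and a pre-build check for it, as an added example that is not part of the original post: it shows the mode a new file gets under each umask seen above and refuses a build context whose logrotate.conf is group or world writable. The function names and temporary paths are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Paths below are constructed.

# Print the ls-style mode string of a file created under the given umask.
# git checkout creates non-executable files the same way, which is why the
# same commit yields 664 on one machine and 644 on another.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" )
    ls -l "$dir/f" | cut -c1-10
    rm -rf "$dir"
}

# Succeed only if FILE is writable by neither group nor others. The group
# write bit is what separates the rejected 664 from the accepted 644 above.
not_group_or_world_writable() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \))" ]
}

# Pre-build guard for the Docker build context: COPY carries the mode into
# the image, so fail before the image is built rather than at rotation time.
check_build_context() {
    if not_group_or_world_writable "$1"; then
        echo "ok: $1"
    else
        echo "refusing to build: $1 is missing or group/world writable;" \
             "chmod 644 it or add RUN chmod 644 after the COPY" >&2
        return 1
    fi
}

# Demonstration on a constructed file in a temporary directory.
demo() {
    echo "umask 002  -> $(mode_under_umask 002)"
    echo "umask 0022 -> $(mode_under_umask 0022)"
    ctx=$(mktemp -d) || return 1
    ( umask 002 && : > "$ctx/logrotate.conf" )
    check_build_context "$ctx/logrotate.conf" || true
    chmod 644 "$ctx/logrotate.conf"
    check_build_context "$ctx/logrotate.conf"
    rm -rf "$ctx"
}
demo
```

Running the check in the build script before docker build catches the problem on any developer machine, whatever its umask.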
