2b223de04b
This reimplements commit 67a7dc70f2885b7db2a42bc28c25ece0bbeba3e4.

Copytruncate becomes a default for containerized logrotate. The solution based on signals processing goes away. As long as key deployment framework components heat-engine and mistral-engine do not tolerate SIGHUP, copytruncate should be used. There are more OpenStack services, like neutron-server and nova-scheduler, that cannot handle SIGHUP nicely yet.

Nor can we fall back to what predates the containerization of services, because of the following reasons:

* We cannot and should not use the restart command in postrotate as it was before containerization of services. For that a container needs to be privileged and granted a docker socket bind-mount, which is a total security antipattern and defeats the very purpose of containerization. Things may change with future adoption of Podman and/or kubelet control plane though. If/when that happens, we might consider an option for postrotate to terminate a process with SIGTERM, to have the process instantly respawned via its systemd unit/kubelet restart policies.
* Individual services' logrotate configs are worth nothing when still being handled by a central logrotation container running crond. And it needs to remain centralized, as individual containers neither run crond nor contain logrotate, nor should lightweight containers following 12-factor apps recommendations do anything like that. Nor can the host logrotate/crond do rotation of logs for containers, as we do/should not install required packages on the host, but only in containers.

See also the spec [0] explaining the reasoning better.

All of that makes copytruncate a global choice for logs rotation of containerized services, as we just cannot be sure if a service foo *really* does correct processing of SIGHUP. We leave that option for future implementation in the hope things get fixed eventually. As well as the aforementioned systemd/kubelet option, or the option to provide stdout only logging [0] and let the logrotate thing go.

[0] https://review.openstack.org/#/c/462900

Closes-Bug: #1795411
Related-Bug: #1276694
Change-Id: Ibdad7859a389d0ff37bbf7bfd9f4c521a05a5ea1
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

30 lines
843 B
Plaintext

/var/log/containers/*/*log /var/log/containers/*/*/*log /var/log/containers/*/*err {
  <%= @rotation %>
  rotate <%= @rotate %>
  maxage <%= @purge_after_days %>
  # minsize 1 is required for GDPR compliance, all files in
  # /var/log/containers not managed with logrotate will be purged!
  minsize 1
  # Do not use size as it's not compatible with time-based rotation rules
  # required for GDPR compliance.
  maxsize <%= @maxsize %>
  missingok
  notifempty
<%- if @copytruncate %>
  copytruncate
<%- end %>
<%- if @delaycompress %>
  delaycompress
<%- end %>
<%- if @compress %>
  compress
<%- end %>
  sharedscripts
  postrotate
    /usr/bin/find /var/log/containers -type f \
    \( -mtime +<%= @purge_after_days %> -or \
    -atime +<%= @purge_after_days %> -or \
    -ctime +<%= @purge_after_days %> \) -exec rm -f {} \;;
  endscript
}
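
The trade-off behind the `copytruncate` default, as an added shell illustration (not part of the commit or of the project's code): a writer that never reopens its log, which is how a service that ignores SIGHUP behaves, under rename-based rotation and under copytruncate. The `rotate_demo` function, the log lines and the temporary paths are constructed for this example.

```shell
#!/bin/sh
# Added illustration. A simulated service keeps one append-mode descriptor
# open across a rotation and never reopens it (no SIGHUP handling).
# rotate_demo MODE prints "after=<live|rotated> during=<kept|lost>".
rotate_demo() {
    mode=$1
    dir=$(mktemp -d) || return 1
    log="$dir/service.log"          # constructed path

    exec 3>>"$log"                  # the service's long-lived log descriptor
    echo "before rotation" >&3

    case $mode in
        rename)                     # logrotate without copytruncate
            mv "$log" "$log.1"
            echo "during rotation" >&3
            : > "$log" ;;           # new empty file; fd 3 still points at .1
        copytruncate)
            cp "$log" "$log.1"
            echo "during rotation" >&3   # written after the copy was taken
            : > "$log" ;;           # truncate in place; fd 3 stays valid
        *)
            exec 3>&-; rm -rf "$dir"; return 2 ;;
    esac

    echo "after rotation" >&3
    exec 3>&-

    # Where did the line written after rotation end up?
    if grep -q "after rotation" "$log"; then after=live; else after=rotated; fi
    # Did the line written in the middle of the rotation survive anywhere?
    if grep -q "during rotation" "$log" "$log.1"; then during=kept; else during=lost; fi

    rm -rf "$dir"
    echo "after=$after during=$during"
}

rotate_demo rename          # after=rotated during=kept
rotate_demo copytruncate    # after=live during=lost
```

With rename-based rotation the unsignalled writer keeps filling the rotated file, so the live log stays empty and later compression or purging acts on a file still being written. With copytruncate the live log keeps receiving data, at the cost of losing whatever is written between the copy and the truncate.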