puppet-tripleo/releasenotes/notes/logrotate-containers-purge-56143a979ba80b51.yaml
Bogdan Dobrelya 5a58ca5d32 Rework GDPR compliant logrotate config
Set the logrotate maxage parameter to purge_after_days
as well.

Rework additional retention rules of files in
/var/log/containers in the containerized logrotate
postrotate script. The rules are based on any of the
listed criteria met:

* time of last access of contents (atime) exceeds
purge_after_days,
* time of last modification of contents (mtime) exceeds
purge_after_days,
* time of last modification of the inode (metadata, ctime)
exceeds purge_after_days.

Forcibly purge expired files with each containerized
logrotate run triggered via cron. Note that the files' creation
time (the Birth attribute) is not taken into account as it
cannot be accessed normally by system operators (depends on FS
type). Retention policies based on the creation time must
be managed elsewhere.

Related-Bug: #1771543

Change-Id: I9afa22f7dd344a29747206b286520a76d70d704b
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-05-24 17:31:15 +00:00

---
upgrade:
  - |
    Rotated logs of containerized services in /var/log/containers
    will be purged with the next containerized logrotate run
    triggered via cron, if the rotated logs have been kept longer
    than `purge_after_days` (defaults to 14 days).
    The logrotate maxage parameter is set to `purge_after_days`
    as well.
    The size parameter does not honor time-based
    constraints and is disabled as not GDPR compliant. From now on,
    it configures maxsize instead. Minsize is set to 1 byte to
    put all /var/log/containers logs under the containerized
    logrotate control.
    The new `rotation` parameter additionally allows altering the
    logrotate rotation interval, e.g. 'hourly' or 'weekly'.
security:
  - |
    Retention rules for files in /var/log/containers are additionally
    defined in the containerized logrotate postrotate script; a file
    is purged when any of the listed criteria is met:

    * time of last access of contents (atime) exceeds
      `purge_after_days`,
    * time of last modification of contents (mtime) exceeds
      `purge_after_days`,
    * time of last modification of the inode (metadata, ctime)
      exceeds `purge_after_days`.

    Expired files will be purged forcibly with each containerized
    logrotate run triggered via cron. Note that the files' creation
    time (the Birth attribute) is not taken into account as it
    cannot be accessed normally by system operators (depends on FS
    type). Retention policies based on the creation time must
    be managed elsewhere.
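The three-criteria purge described in the security note, as an added shell example that is not puppet-tripleo's own postrotate script; the function names, the stanza values in the comment, and the demo directory are assumptions:

```shell
#!/bin/sh
# Added example, not puppet-tripleo's own script. A logrotate stanza that
# matches the note (assumed values) would be:
#   /var/log/containers/*.log {
#       daily          # the `rotation` param: hourly/daily/weekly
#       maxage 14      # purge_after_days
#       maxsize 10M    # `size` now configures maxsize
#       minsize 1      # every file under logrotate control
#       postrotate
#           /usr/local/sbin/purge_expired_logs /var/log/containers 14
#       endscript
#   }

# purge_expired_logs DIR DAYS [dry]
#   Deletes regular files under DIR whose atime, mtime OR ctime exceeds
#   DAYS days, printing each path. find's "+N" matches files older than
#   N full 24-hour periods, so a file exactly DAYS days old survives until
#   the next cron run. Pass "dry" as the third argument to only list.
purge_expired_logs() {
    dir=$1 days=$2 mode=${3:-delete}
    [ -d "$dir" ] || { echo "purge_expired_logs: no such directory: $dir" >&2; return 1; }
    if [ "$mode" = dry ]; then
        find "$dir" -type f \( -atime +"$days" -o -mtime +"$days" -o -ctime +"$days" \) -print
    else
        find "$dir" -type f \( -atime +"$days" -o -mtime +"$days" -o -ctime +"$days" \) -print -delete
    fi
}

# count_files DIR: number of regular files left, for checking a run.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Constructed demo (GNU touch): one stale and one fresh file in a temp dir.
# ctime cannot be backdated with touch, so only atime/mtime trigger here.
demo=$(mktemp -d)
touch -d '30 days ago' "$demo/old.log.1"   # atime and mtime 30 days back
touch "$demo/fresh.log"
purge_expired_logs "$demo" 14              # prints .../old.log.1
echo "remaining: $(count_files "$demo")"   # remaining: 1
rm -rf "$demo"
```

A dry run (`purge_expired_logs /var/log/containers 14 dry`) lists what the next cron-triggered run would remove, which is the check to do before lowering `purge_after_days` on a live host.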