[BUG] Logrotate is unable to rotate logs due to incorrect file permissions #149

Closed
1 task done
hubertbanas opened this issue Nov 5, 2023 · 6 comments · Fixed by #151 · May be fixed by linuxserver/docker-nginx#97
@hubertbanas

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Seeing the following permission denied during daily cron execution:

11/05/2023 02:00:00 AM error: failed to rename /config/log/nginx/access.log to /config/log/nginx/access.log.1: Permission denied
11/05/2023 02:00:00 AM error: failed to rename /config/log/php/error.log to /config/log/php/error.log.1: Permission denied

The default file ownership and permissions on these files are as follows:

$ tree -fugCip config/log/

[drwxr-xr-x 1000     1000    ]  config/log
[-rw-r----- root     root    ]  config/log/logrotate.status
[drwxr-xr-x root     root    ]  config/log/nginx
[-rw-r--r-- root     root    ]  config/log/nginx/access.log
[-rw-r--r-- root     root    ]  config/log/nginx/error.log
[drwxr-xr-x root     root    ]  config/log/php
[-rw------- root     root    ]  config/log/php/error.log

The permission denied error is observed due to logrotate being executed as the abc user.

Here are the logrotate configuration files (notice su abc abc)

docker-baseimage-alpine-nginx: /root/etc/logrotate.d/nginx

/config/log/nginx/*.log {
        weekly
        rotate 14
        compress
        delaycompress
        nodateext
        notifempty
        missingok
        sharedscripts
        postrotate
                s6-svc -1 /run/service/svc-nginx
        endscript
        su abc abc
}

docker-baseimage-alpine-nginx: /root/etc/logrotate.d/php-fpm

/config/log/php/*.log {
        rotate 7
        weekly
        missingok
        notifempty
        delaycompress
        compress
        nodateext
        sharedscripts
        postrotate
                s6-svc -t /run/service/svc-php-fpm
        endscript
        su abc abc
}

Two approaches to fixing it come to mind:

  • (1) running logrotate as root instead of abc
  • (2) changing log files ownership to abc user

Expected Behavior

Logrotate should be able to do its job during daily cronjob execution.

Steps To Reproduce

  1. Run default configuration
  2. Wait until 2 am for the cronjob execution
  3. Logs will show the following:
error: failed to rename /config/log/nginx/access.log to /config/log/nginx/access.log.1: Permission denied
error: failed to rename /config/log/php/error.log to /config/log/php/error.log.1: Permission denied

Environment

- OS: Debian 12
- How docker service was installed: via upstream provided at https://download.docker.com/linux/debian

Docker creation

---
version: "2.1"
services:
  nginx:
    image: lscr.io/linuxserver/nginx:latest
    container_name: nginx
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - /volume/nginx/config:/config
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped

Container logs

11/05/2023 02:00:00 AM error: failed to rename /config/log/nginx/access.log to /config/log/nginx/access.log.1: Permission denied
11/05/2023 02:00:00 AM error: failed to rename /config/log/php/error.log to /config/log/php/error.log.1: Permission denied

github-actions bot commented Nov 5, 2023

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@aptalca
Member

aptalca commented Nov 5, 2023

Post a full container log

This is a problem specific to you

@hubertbanas
Author

Here is the log from newly created image

[migrations] started
[migrations] 01-nginx-site-confs-default: executing...
[migrations] 01-nginx-site-confs-default: succeeded
[migrations] done
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗ 
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝ 

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

Setting resolver to  127.0.0.11
Setting worker_processes to 1
generating self-signed keys in /config/keys, you can replace these with your own keys if required
..+............+.+.................+...+.......+...+++++++++++++++++++++++++++++++++++++++*..+...+.+..+.............+.........+..+...+.+............+..+...+....+.....+...+...+...+....+.................+....+..+.........+...+.......+++++++++++++++++++++++++++++++++++++++*..............+.+..+..........+..+.+....................++++++
.+...+...+............+.+.....+.+...+...+.....+.......+......+.....+.+...........+++++++++++++++++++++++++++++++++++++++*.+.+...+...+..+.......+......+...+++++++++++++++++++++++++++++++++++++++*........+...+............+.....+......+.......+..+.+.....+...............+......+.+...+..+..........+..+.......+...+..+.............+.....+...+.........+......+...+.+...............+.....+.+........+.+.........+..+............+...+.......+..+.+........+....+...+..++++++
-----
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Here is newly created log directory with correct permissions as specified in UID/GID env variable

$ ls -nld /volume/web/web-app/config/log

drwxr-xr-x 4 1000 1000 4096 Nov  5 10:17 /volume/web/web-app/config/log

Here are newly created log files owned by root

$ tree -fugCip /volume/web/web-app/config/log/nginx/

[drwxr-xr-x root     root    ]  /volume/web/web-app/config/log/nginx
[-rw-r--r-- root     root    ]  /volume/web/web-app/config/log/nginx/access.log
[-rw-r--r-- root     root    ]  /volume/web/web-app/config/log/nginx/error.log

$ tree -fugCip /volume/web/web-app/config/log/php/

[drwxr-xr-x root     root    ]  /volume/web/web-app/config/log/php
[-rw------- root     root    ]  /volume/web/web-app/config/log/php/error.log

Host OS

$ cat /etc/os-release

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Docker version

$ docker version

Client: Docker Engine - Community
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.20.10
 Git commit:        afdd53b
 Built:             Thu Oct 26 09:08:02 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.10
  Git commit:       311b9ff
  Built:            Thu Oct 26 09:08:02 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.24
  GitCommit:        61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc:
  Version:          1.1.9
  GitCommit:        v1.1.9-0-gccaecfc
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Docker images

$ docker images

REPOSITORY                     TAG       IMAGE ID       CREATED       SIZE
lscr.io/linuxserver/nginx      latest    143517897833   3 days ago    151MB

Docker image inspect

$ docker image inspect lscr.io/linuxserver/nginx

[
    {
        "Id": "sha256:1435178978331874b78bdfebdd57aaa3fc8919b9c548b47efe42794d15193c05",
        "RepoTags": [
            "lscr.io/linuxserver/nginx:latest"
        ],
        "RepoDigests": [
            "lscr.io/linuxserver/nginx@sha256:b44e3ddf54cced97077b1b56acefbe9ef737d549baa4822bb6c924bcc62921b6"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2023-11-02T04:21:20.305298263Z",
        "Container": "",
        "ContainerConfig": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": null,
            "Cmd": null,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "443/tcp": {},
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "PS1=$(whoami)@$(hostname):$(pwd)\\$ ",
                "HOME=/root",
                "TERM=xterm",
                "S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0",
                "S6_VERBOSITY=1",
                "S6_STAGE2_HOOK=/docker-mods",
                "VIRTUAL_ENV=/lsiopy",
                "LSIO_FIRST_PARTY=true"
            ],
            "Cmd": null,
            "Image": "",
            "Volumes": {
                "/config": {}
            },
            "WorkingDir": "/",
            "Entrypoint": [
                "/init"
            ],
            "OnBuild": null,
            "Labels": {
                "build_version": "Linuxserver.io version:- 1.24.0-r7-ls246 Build-date:- 2023-11-02T04:20:22+00:00",
                "maintainer": "aptalca",
                "org.opencontainers.image.authors": "linuxserver.io",
                "org.opencontainers.image.created": "2023-11-02T04:20:22+00:00",
                "org.opencontainers.image.description": "[Nginx](https://nginx.org/) is a simple webserver with php support. The config files reside in  for easy user customization.",
                "org.opencontainers.image.documentation": "https://docs.linuxserver.io/images/docker-nginx",
                "org.opencontainers.image.licenses": "GPL-3.0-only",
                "org.opencontainers.image.ref.name": "d2e4598262abe3393aaeef067666e074c82b0994",
                "org.opencontainers.image.revision": "d2e4598262abe3393aaeef067666e074c82b0994",
                "org.opencontainers.image.source": "https://github.com/linuxserver/docker-nginx",
                "org.opencontainers.image.title": "Nginx",
                "org.opencontainers.image.url": "https://github.com/linuxserver/docker-nginx/packages",
                "org.opencontainers.image.vendor": "linuxserver.io",
                "org.opencontainers.image.version": "1.24.0-r7-ls246"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 151087021,
        "VirtualSize": 151087021,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/6ff49062acecf3c2c63dd6fe156263f4699f103bb3954d5c6cf52d4134f584ca/diff:/var/lib/docker/overlay2/73cbd1ca52c8d7eda125ce60280f503a2357b5d4928e5d398624f872ae93e168/diff:/var/lib/docker/overlay2/cdca3c19de42039ad6ae768f77513c523a0810a21d38c06b65f3f28bba3303f6/diff:/var/lib/docker/overlay2/1652a72915e8ecd3b8f8818b2c5ada38a528c56731dc473b107770565e2f48f8/diff:/var/lib/docker/overlay2/552c54092bc54429a8130e43ba3c8d80f2eb3f1665a6f2bc05872ff6b243592d/diff:/var/lib/docker/overlay2/444ac8a55cf4debece065d3900ede378199f699f1b66427583bd362d3e7c5d58/diff:/var/lib/docker/overlay2/5b8d3f23a6d185d18dda87e28a8bd2e0a082b8432cdde433ff59dc11b9b16414/diff",
                "MergedDir": "/var/lib/docker/overlay2/113f87c7da505677470320099c58697e434da2b550a70d6152bdc5a49d55f5a8/merged",
                "UpperDir": "/var/lib/docker/overlay2/113f87c7da505677470320099c58697e434da2b550a70d6152bdc5a49d55f5a8/diff",
                "WorkDir": "/var/lib/docker/overlay2/113f87c7da505677470320099c58697e434da2b550a70d6152bdc5a49d55f5a8/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:a06aa035b6a247f6220de5495e0f473d6393dc44bfb6de9ba6851a7f7e9ba2c5",
                "sha256:c185a7702ea002a28954b8f61b268f6b90a632412d3c85498e4283149c78c409",
                "sha256:237ca03f6f60fc58e5f77059bcced686c2c8ac9b71f4167f388c2edfcc43f2b8",
                "sha256:45c6071ac3764a367377f507fd5082e289235b8b579f557bc45511b0cb0745e8",
                "sha256:6bc677edad4cb335e040329731952da204d868006fd5018c8d75403d2de45b6f",
                "sha256:2233634dd1fe1b2039dc79abbe2c94bb0a88c9b8b5b3f1a2df92ead5b4efadcb",
                "sha256:f071d70abc26ecca92c5b33ecca1026f82d3405fa565a3cb8327ef566d38e2fb",
                "sha256:a9562ea0181f92fa936e45beed4eac08dcef0bf90741289e1af9e5bc1d9dd593"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

@aptalca
Member

aptalca commented Nov 5, 2023

I stand corrected. We pushed an update to the baseimage a few months back and are no longer chowning log files, but just the folder. We rely on the downstream images to do the recursive chown, but Nginx does not currently do that. Which means if you create the container with a PUID and then change that later, you can end up with log files being owned by a different user.

We'll fix it on our end.

@aptalca aptalca self-assigned this Nov 5, 2023
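
The ownership mismatch discussed in this thread can be checked ahead of the nightly cron run. The script below is an added example, not code from the issue or from LinuxServer.io; `audit_log_tree` is a hypothetical helper that takes a log directory plus the numeric PUID/PGID and flags directories the rotating user cannot write to and files it does not own.

```shell
#!/bin/sh
# Added example (not LinuxServer.io code): flag entries under a log directory
# that a logrotate stanza running as `su <user> <group>` cannot rotate.
# Renaming access.log to access.log.1 needs write+search permission on the
# parent directory, so root-owned 0755 directories fail for uid 1000.

# audit_log_tree DIR UID GID   (hypothetical helper; numeric ids, e.g. PUID/PGID)
# Prints one finding per line. Returns 0 if clean, 1 if anything is flagged,
# 2 on bad arguments.
audit_log_tree() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "uid and gid must be numeric" >&2; return 2 ;;
        esac
    done

    findings=$(
        # Directories must belong to the rotating user and carry u+wx (0300).
        find "$dir" -type d \( ! -user "$uid" -o ! -perm -300 \) -print |
            sed 's/^/dir-not-writable /'
        # Files must match owner and group, unlike the root:root logs above.
        find "$dir" -type f \( ! -user "$uid" -o ! -group "$gid" \) -print |
            sed 's/^/file-wrong-owner /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Example: audit_log_tree /config/log 1000 1000
```

A non-zero exit from a container health check or init script built on this makes the mismatch visible at start-up instead of at the first failed rotation.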
@hubertbanas
Author

Thank you for the explanation.

Just to clarify ... the data above are from a brand new container spin-up with a new, never-before-used volume. There was never a PID/GID change on my end.

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
