supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Joan Picanyol i Puig <lists-supervision@biaix.org>
To: "supervision@list.skarnet.org" <supervision@list.skarnet.org>
Subject: Re: A better method than daisy-chaining logging files?
Date: Tue, 18 Jun 2019 09:26:20 +0200
Message-ID: <20190618072620.GA12330@grummit.biaix.org>
In-Reply-To: <a95105f3-8267-ec76-b494-26d46768fab1@heuristicsystems.com.au> <emdfede14a-17c4-47d6-98e1-609b50cf7666@elzian>

* Laurent Bercot <ska-supervision@skarnet.org> [20190618 08:22]:
> >FYI: The fifo queue permissions, which the jail sees
> >pr---w----  1 mylogger  www     0B May 31 13:27 apache24-error|
> 
> Ah, so the www group is the one that writes to the fifo. Got it.
> 
> Then you don't need mylogger to belong to the www group (and
> it's probably better for privilege separation that it doesn't),
> but you apparently need the logdir to belong to the primary group
> of the mylogger user. There is no reason for the logdir to belong
> to the www group.
> 
> The error you got still strikes me as weird, and shouldn't happen
> unless you have strange permissions for the logdir itself, or
> FreeBSD is doing something wonky with gid checking.

He is nullfs mounting some of these directories; wonkiness might happen.

> For my peace of mind, I'd still like to see the permissions on your
> logdir, and a ktrace of the error.

* Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> [20190618 09:16]:
> On the logger, the files, as requested are:
> 
> # ls -lrth /var/log/httpd | grep error ; ls -lrth  /var/log/httpd/error
> drwx------  2 mylogger  www   512B Jun 18 15:06 error/
> total 44
> -rw-r--r--  1 mylogger  www     0B Jun 18 15:06 state
> -rw-r--r--  1 mylogger  www     0B Jun 18 15:06 lock
> -rw-r--r--  1 mylogger  www    41K Jun 18 16:04 current
[...]
> -rw-r--r--  1 mylogger  www     0B Jun 18 15:06 lock
> -rwxr--r--  1 mylogger  www   2.7K Jun 18 16:59 @400000005d088c11012cc9f4.s*
> -rw-r--r--  1 mylogger  www     0B Jun 18 17:03 state
> -rw-r--r--  1 mylogger  www     0B Jun 18 17:03 current
> -rwxr--r--  1 mylogger  www    64B Jun 18 17:03 @400000005d088cd6113d5a5c.s*
> 
[...]
> # s6-svc -a /run/scan/apache24-error-log
> # lh /var/log/httpd | grep error ; lh /var/log/httpd/error
> drwx------  2 mylogger  www   512B Jun 18 17:05 error/
> total 4
> -rw-r--r--  1 mylogger  www     0B Jun 18 17:04 lock
> -rw-r--r--  1 mylogger  www     0B Jun 18 17:05 state
> -rwxr--r--  1 mylogger  www   304B Jun 18 17:05 processed*
> -rw-r--r--  1 mylogger  www     0B Jun 18 17:05 current

Add -a to your ls flags, to show the directory's permissions for
completeness.

> with the resulting
> s6-log: warning: unable to finish processed .s to logdir
> /var/log/httpd/error: Operation not permitted
> 
> This is on a box that lacks development tools, so tracing will take some
> time to sort out; sorry. :/

Just add 

ktrace -id -f /var/tmp/s6-log.trace

before your s6-log invocation and send the output of

kdump -f /var/tmp/s6-log.trace

afterwards.

qvb
--
pica
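
Added example, not part of the original message or of s6: a shell check that reads `ls -la` output (the -a requested above supplies the "." entry) and compares it with the layout Laurent describes, where the logdir belongs to the logger user and to that user's primary group. The primary group name mylogger, the "." and ".." lines of the sample listing, and applying the same rule to the files inside the logdir are assumptions.

```shell
#!/bin/sh
# Added example: audit an s6-log logdir listing for ownership problems.
# usage: ls -la LOGDIR | audit_logdir LOGGER_USER LOGGER_PRIMARY_GROUP
# Prints one finding per line; exit status 0 means no findings.
audit_logdir() {
    awk -v user="$1" -v pgrp="$2" '
        function bad(msg) { print msg; n++ }
        NF < 9 { next }                               # "total N" and blank lines
        { name = $NF; sub("[*/|@=]$", "", name) }     # drop the ls -F type suffix
        name == ".." { next }
        name == "." {                                 # the logdir itself
            seen = 1
            if ($3 != user) bad("logdir: owner is " $3 ", expected " user)
            if ($4 != pgrp) bad("logdir: group is " $4 ", expected " pgrp)
            if (substr($1, 2, 3) != "rwx")
                bad("logdir: owner bits are " substr($1, 2, 3) ", expected rwx")
            next
        }
        $3 != user { bad(name ": owner is " $3 ", expected " user) }
        $4 != pgrp { bad(name ": group is " $4 ", expected " pgrp) }
        END {
            if (!seen) bad("no \".\" entry: run ls with -a to include the logdir")
            exit (n > 0)
        }'
}

# Constructed sample in the format shown in the thread; the "." and ".."
# lines are invented for illustration.
sample_listing() {
    cat <<'EOF'
total 4
drwx------  2 mylogger  www   512B Jun 18 17:05 ./
drwxr-xr-x  4 root      wheel 512B Jun 18 15:06 ../
-rw-r--r--  1 mylogger  www     0B Jun 18 17:04 lock
-rw-r--r--  1 mylogger  www     0B Jun 18 17:05 state
-rwxr--r--  1 mylogger  www   304B Jun 18 17:05 processed*
-rw-r--r--  1 mylogger  www     0B Jun 18 17:05 current
EOF
}

# Assumption: the primary group of mylogger is also named mylogger.
sample_listing | audit_logdir mylogger mylogger || true
```

On a live system the second argument would come from `id -gn mylogger`.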

