From: Joan Picanyol i Puig
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: A better method than daisy-chaining logging files?
Date: Tue, 18 Jun 2019 09:26:20 +0200
Message-ID: <20190618072620.GA12330@grummit.biaix.org>
To: "supervision@list.skarnet.org"

* Laurent Bercot [20190618 08:22]:
> >FYI: The fifo queue permissions, which the jail sees
> >pr---w---- 1 mylogger www 0B May 31 13:27 apache24-error|
>
> Ah, so the www group is the one that writes to the fifo. Got it.
>
> Then you don't need mylogger to belong to the www group (and
> it's probably better for privilege separation that it doesn't),
> but you apparently need the logdir to belong to the primary group
> of the mylogger user. There is no reason for the logdir to belong
> to the www group.
>
> The error you got still strikes me as weird, and shouldn't happen
> unless you have strange permissions for the logdir itself, or
> FreeBSD is doing something wonky with gid checking.

He is nullfs mounting some of these directories, wonkiness might happen.

> For my peace of mind, I'd still like to see the permissions on your
> logdir, and a ktrace of the error.

* Dewayne Geraghty [20190618 09:16]:
> On the logger, the files, as requested are:
>
> # ls -lrth /var/log/httpd | grep error ; ls -lrth /var/log/httpd/error
> drwx------ 2 mylogger www 512B Jun 18 15:06 error/
> total 44
> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 state
> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
> -rw-r--r-- 1 mylogger www 41K Jun 18 16:04 current

[...]

> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
> -rwxr--r-- 1 mylogger www 2.7K Jun 18 16:59 @400000005d088c11012cc9f4.s*
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:03 state
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:03 current
> -rwxr--r-- 1 mylogger www 64B Jun 18 17:03 @400000005d088cd6113d5a5c.s*
> [...]
> # s6-svc -a /run/scan/apache24-error-log
> # lh /var/log/httpd | grep error ; lh
> /var/log/httpd/error
> drwx------ 2 mylogger www 512B Jun 18 17:05 error/
> total 4
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:04 lock
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:05 state
> -rwxr--r-- 1 mylogger www 304B Jun 18 17:05 processed*
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:05 current

Add -a to your ls flags, to show the directory's permissions for
completeness.

> with the resulting
> s6-log: warning: unable to finish processed .s to logdir
> /var/log/httpd/error: Operation not permitted
>
> This is on a box that lacks development tools, so tracing will take some
> time to sort out; sorry. :/

Just add ktrace -id -f /var/tmp/s6-log.trace before your s6-log
invocation and send the output of kdump -f /var/tmp/s6-log.trace
afterwards.

qvb
--
pica
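
Added example (not part of the original message, and not s6 code): a POSIX sh helper for the permission check requested in the thread. It lists the logdir itself (the "." entry that ls -a would show) and every entry in it with numeric uid/gid, and flags anything that does not match the logger account's uid and primary gid. The function name audit_logdir, its MISMATCH output format and the script name in the comment are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Compares the numeric owner and
# group of a logdir and its entries with the values expected for the
# logger account (its uid and primary gid).
#
# audit_logdir DIR WANT_UID WANT_GID
#   prints one MISMATCH line per entry that differs
#   returns 0 if everything matches, 1 on any mismatch, 2 if DIR is no directory
audit_logdir() {
    dir=$1 want_uid=$2 want_gid=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=0
    # "$dir" itself first, then visible entries, then dotfiles
    for entry in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue            # glob that matched nothing
        # ls -ldn prints: mode links uid gid size date name (uid/gid numeric)
        info=$(ls -ldn "$entry" | awk '{print $1 " " $3 " " $4}')
        mode=${info%% *}
        rest=${info#* }
        uid=${rest% *}
        gid=${rest#* }
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "MISMATCH $mode uid=$uid gid=$gid $entry"
            bad=1
        fi
    done
    return $bad
}

# Command-line use (hypothetical script name):
#   sh audit_logdir.sh /var/log/httpd/error mylogger
# id -g prints the account's primary gid, which is the group the thread
# says the logdir should belong to.
if [ "$#" -eq 2 ]; then
    audit_logdir "$1" "$(id -u "$2")" "$(id -g "$2")"
fi
```

A MISMATCH line only says that ownership differs from the logger's uid and primary gid; the thread does not establish the cause of the "Operation not permitted" warning, so the ktrace output is still needed.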