YunoHost-Apps / synapse_ynh

Matrix server (synapse) package for YunoHost
https://matrix.org/
GNU General Public License v3.0

Logrotate fails because missing su #459

Closed utzer closed 3 days ago

utzer commented 1 month ago

The logs /var/log/matrix-synapse/homeserver.log and /var/log/matrix-synapse/turnserver.log are not rotated, so after some time the homeserver.log grows to a really big size.

As a mitigation I tried to run logrotate for matrix-synapse, by executing logrotate /etc/logrotate.d/synapse, which returned this:

error: skipping "/var/log/matrix-synapse/homeserver.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/matrix-synapse/turnserver.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

The permissions of the folder /var/log/matrix-synapse are set strangely, but I assume this is some kind of upstream problem. The permissions are: drwxrwxrwx+ 1 synapse root 88 May 7 17:55 matrix-synapse/

The logrotate config /etc/logrotate.d/synapse looks like this:

/var/log/matrix-synapse/*.log {
    # Rotate if the logfile exceeds 100Mo
    size 100M
    # Keep 12 old log maximum
    rotate 12
    # Compress the logs with gzip
    compress
    # Compress the log at the next cycle. So keep always 2 non compressed logs
    delaycompress
    # Copy and truncate the log to allow to continue write on it. Instead of move the log.
    copytruncate
    # Do not do an error if the log is missing
    missingok
    # Not rotate if the log is empty
    notifempty
    # Keep old logs in the same dir
    noolddir
}

I added these lines:

# use user synapse root
su synapse root

The new file looks like this:

/var/log/matrix-synapse/*.log {
    # Rotate if the logfile exceeds 100Mo
    size 100M
    # Keep 12 old log maximum
    rotate 12
    # Compress the logs with gzip
    compress
    # Compress the log at the next cycle. So keep always 2 non compressed logs
    delaycompress
    # Copy and truncate the log to allow to continue write on it. Instead of move the log.
    copytruncate
    # Do not do an error if the log is missing
    missingok
    # Not rotate if the log is empty
    notifempty
    # Keep old logs in the same dir
    noolddir
    # use user synapse root
    su synapse root
}

Please add this fix, if it was not already fixed.

Josue-T commented 1 month ago

Hello,

Well, the fix might probably be to add something like this here:

chmod u=rwX,g=rX,o= -R /var/log/matrix-"$app" 

https://github.com/YunoHost-Apps/synapse_ynh/blob/1b5764f4083f94ad6821cce8bebcaa70068e3481/scripts/_common.sh#L264

Can you check whether the issue is solved with this permission?

utzer commented 3 weeks ago

Hello, sorry I did not respond for so long. I don't think setting the logs permission is the issue, but running logrotate with that permission is what would solve the problem.

Changing the permission of the log file to something other than synapse:root did in the past cause a crash for synapse; the log file permission was set incorrectly during an update some months back.

utzer commented 3 weeks ago

I guess this applies ynh_use_logrotate [--logfile=/log/file] [--specific_user=user/group], especially the last part [--specific_user=user/group]. This is from here.

Maybe it is enough to remove the logrotate config once during an update and then add it again with the correct user/group.
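
The rule quoted in the logrotate error message (parent directory world-writable, or writable by a group other than root) can be checked directly against `ls -ld` output, which shows why `drwxrwxrwx+` is refused and what the `chmod u=rwX,g=rX,o=` suggestion would change. This is an added example, not part of the thread or the package's scripts; the function names are hypothetical, gid 0 is assumed to be root, and only the condition worded in the error message is modelled.

```shell
#!/bin/sh
# Added example (not from the thread): the parent-directory rule that
# logrotate's error message states, applied to `ls -ld` output.

# parent_dir_verdict MODE GID   (hypothetical helper name)
#   MODE  permission string as printed by ls -ld, e.g. drwxrwxrwx+
#   GID   numeric group of the directory; 0 is assumed to be "root"
# Prints a verdict and returns 1 when the rule in the message matches.
parent_dir_verdict() {
    case "$1" in
        ????????w*)                      # 9th character: "other" write bit
            echo "insecure: world-writable"
            return 1 ;;
    esac
    case "$1" in
        ?????w*)                         # 6th character: group write bit
            if [ "$2" != "0" ]; then
                echo "insecure: writable by non-root group (gid $2)"
                return 1
            fi ;;
    esac
    echo "ok"
}

# check_dir DIR: read the mode and numeric gid of a real directory and
# apply the rule. ACL entries (the trailing "+") are not evaluated.
check_dir() {
    ls -ldn -- "$1" | {
        read -r mode links uid gid rest
        parent_dir_verdict "$mode" "$gid"
    }
}

# Audit every directory given on the command line, e.g.
#   sh check_parent.sh /var/log/matrix-synapse
for dir in "$@"; do
    printf '%s: %s\n' "$dir" "$(check_dir "$dir")"
done
```

A directory that fails this check is skipped by logrotate unless the config carries a `su` directive, as the error message says.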