On Debian Wheezy, when I set up a Tomcat instance like so:

    class { "::tomcat": version => '7' }

    tomcat::instance { 'foo':
      ensure      => 'present',
      server_port => $tomcat_server_port,
      http_port   => $tomcat_http_port,
      ajp_port    => $tomcat_ajp_port
    }

The module creates /etc/logrotate.d/catalina-foo containing:

    /srv/tomcat/foo/logs/catalina.out {
      copytruncate
      size 500M
      dateext
      rotate 53
      compress
      delaycompress
      missingok
      create 644 tomcat tomcat-admin
    }

This generates an error from logrotate:

    /etc/cron.daily/logrotate:
    error: catalina-foo:10 unknown group 'tomcat-admin'
    error: found error in /srv/tomcat/foo/logs/catalina.out , skipping
    error: skipping "/srv/tomcat/foo/logs/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

When I create the tomcat-admin group manually and add the following to the instance declaration in the manifest:

    group => 'tomcat-admin',

The group ownership of the instance directories updates, but when I run logrotate the same permissions error occurs:

    error: skipping "/srv/tomcat/foo/logs/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

I can resolve this by specifying the logs_mode in the instance declaration:

    logs_mode => '2750',

A quick fix would be to remove the group-write from the default mode of the file resource that creates the log/ directory.

More comprehensively, it would be good to update the 'create' line in the logrotate.catalina.erb template to include the group parameter:

    create 644 tomcat <%= @group %>

But I imagine you must have some reason for marking the logrotate file explicitly as 'unmanaged'?
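The directory rule quoted in the error message can be checked before cron runs logrotate. The following is an added example, not code from the module or from the report; the function names, the gid 1001 and the group-writable mode 2770 are constructed for illustration, and the treatment of `su` follows the wording of the error message.

```python
import os
import stat

# Stanza from the report, one directive per line.
STANZA = """\
/srv/tomcat/foo/logs/catalina.out {
    copytruncate
    size 500M
    dateext
    rotate 53
    compress
    delaycompress
    missingok
    create 644 tomcat tomcat-admin
}
"""

def has_su_directive(stanza: str) -> bool:
    """True if any line of the stanza starts with the 'su' directive."""
    return any(line.split()[:1] == ["su"] for line in stanza.splitlines())

def dir_is_insecure(mode: int, gid: int) -> bool:
    """Rule quoted in the error message: world-writable, or writable by a
    group that is not root (gid 0)."""
    world = bool(mode & stat.S_IWOTH)
    group = bool(mode & stat.S_IWGRP) and gid != 0
    return world or group

def would_skip(stanza: str, mode: int, gid: int) -> bool:
    """Approximate logrotate's decision: skip when the parent directory is
    insecure and no 'su' directive names the rotation user/group."""
    return dir_is_insecure(mode, gid) and not has_su_directive(stanza)

def audit(log_path: str, stanza: str) -> str:
    """Stat the real parent directory of log_path and report the verdict."""
    parent = os.path.dirname(os.path.abspath(log_path))
    st = os.stat(parent)
    verdict = "SKIPPED" if would_skip(stanza, st.st_mode, st.st_gid) else "ok"
    return f"{verdict}: {parent} mode={stat.S_IMODE(st.st_mode):04o} gid={st.st_gid}"

if __name__ == "__main__":
    TOMCAT_ADMIN_GID = 1001  # constructed gid for the tomcat-admin group
    for mode in (0o2770, 0o2750):  # 2770 is a constructed group-writable mode
        print(f"{mode:04o}: skip={would_skip(STANZA, mode, TOMCAT_ADMIN_GID)}")
```

With `logs_mode => '2750'` the group write bit is gone, so the directory passes regardless of which group owns it.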