dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

/var/log/pki/pki-tomcat/ca/debug.*.log files are not cleaned up #3731

Open opoplawski opened 3 years ago

opoplawski commented 3 years ago

This is from an IPA install. See also https://pagure.io/freeipa/issue/8971.

I have lots of debug.DATE.log files in /var/log/pki/pki-tomcat. These should get cleaned up automatically.

Version/Release/Distribution

ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
389-ds-base-1.4.3.16-19.module_el8.4.0+884+e9b25896.x86_64
pki-ca-10.10.5-3.module_el8.4.0+816+beb6e9a3.noarch
krb5-server-1.18.2-8.el8.x86_64

yrro commented 2 years ago

Looks like none of the log files in /var/log/pki are being rotated by anything. I have catalina, localhost_access_log etc dating back 8 months (on RHEL 8.5 with pki-base-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch).

[edit - rotation of these files can be configured by adding a maxDays attribute to the Valve element for org.apache.catalina.valves.AccessLogValve within /etc/pki/pki-tomcat/server.xml; that's a separate set of log files than the one this issue was opened for]

maltewhiite commented 2 years ago

My FreeIPA server is almost dying because of -rw-r-----. 1 pkiuser pkiuser 70G Feb 11 11:59 debug, which is located in /var/log/pki/pki-tomcat/ca. What do I do? Can I safely delete the file? How do I remove this file without my FreeIPA server dying? My server is almost filled up. It will also die soon if I don't stop this file from growing.

I inherited this FreeIPA from someone who is no longer at the company, and suddenly I have the responsibility for all user administration and maintenance of the FreeIPA server, and I only know Linux commands like cd and nano.

If I run ipa --version I get: VERSION: 4.6.8, API_VERSION: 2.237

What do I do?

yrro commented 2 years ago

My FreeIPA server is almost dying because of -rw-r-----. 1 pkiuser pkiuser 70G Feb 11 11:59 debug, which is located in /var/log/pki/pki-tomcat/ca. What do I do? Can I safely delete the file?

I'm pretty sure you can truncate the file with the truncate command. Maybe you'll also need to restart pki-tomcat@pki-tomcat to free the space up.

Can you post to freeipa-users about this - hopefully someone will know the proper way to check the PKI debug level & figure out why the file's not being rotated.

yrro commented 1 year ago

My FreeIPA server is almost dying because of -rw-r-----. 1 pkiuser pkiuser 70G Feb 11 11:59 debug which is located in /var/log/pki/pki-tomcat/ca

According to https://github.com/dogtagpki/pki/wiki/Configuring-Subsystem-Debug-Log these log files are rotated daily and purged after 7 days. But that doesn't happen for me either.

Here's a script I run daily to clean up these files as well as the other subsystem-specific log files which are not otherwise rotated.

#!/bin/bash

set -eu -o pipefail

DRY_RUN=${DRY_RUN:-1}
DEBUG_RETAIN_DAYS=${DEBUG_RETAIN_DAYS:-60}
RLF_RETAIN_DAYS=${RLF_RETAIN_DAYS:-14}

if [[ $DRY_RUN -ne 0 ]]; then
    echo 'This is a dry-run; no files will be removed'
fi

for subsystem in acme ca kra pki; do
    dir="/var/log/pki/pki-tomcat/$subsystem"

    # debug logs are rotated daily, so we can simply delete everything except
    # the last N logfiles. According to
    # <https://github.com/dogtagpki/pki/wiki/Configuring-Subsystem-Debug-Log>,
    # these files are purged after 7 days, but even though the files at
    # </usr/share/pki/*/webapps/*/WEB-INF/classes/logging.properties> set
    # "org.apache.juli.FileHandler.maxDays = 7", log rotation is not observed
    # with <idm-pki-*-11.2.1-1.el9.noarch>.
    (find "$dir" -name 'debug.????-??-??.log' -print0 || true) | LC_COLLATE=C sort -z | head -z -n "-$DEBUG_RETAIN_DAYS"

    # com.netscape.cms.logging.RollingLogFile logs are rotated after 30 days or
    # 2000 KiB; so we have to examine modification times to decide which files
    # to delete. There is an 'expirationTime' property for each instance of
    # com.netscape.cms.logging.RollingLogFile in </etc/pki/pki-tomcat/*/CS.cfg>
    # but a comment in RollingLogFile.java says that it is not supported, and
    # there's no CS.cfg file for acme/pki subsystems so this property can't be
    # set for them anyway.
    for logfile in selftests.log system transactions signedAudit/{ca_audit,kra_cert-kra_audit}; do
        path="$dir/$logfile"
        if [[ -f $path ]]; then
            datum=$(stat -c %Y "$path")
            find "$dir" -path "$path.*" -not -newermt "@$((datum - "$RLF_RETAIN_DAYS" * 86400))" -print0
        fi
    done
done \
    | \
while IFS= read -r -d $'\0' file _rest; do
    echo "Removing $file"
    if [[ $DRY_RUN -eq 0 ]]; then
        rm "$file"
    fi
done

# vim: ts=8 sts=4 sw=4 et
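As an added check (not part of the original issue or of Dogtag's own code): a short script that reads the maxDays value from a logging.properties file and lists the debug.YYYY-MM-DD.log files whose file-name date is already past that retention, i.e. the files the built-in rotation should have purged. It assumes GNU date and the debug.YYYY-MM-DD.log naming shown above; the demo directory, property file and dates are constructed.

```shell
#!/bin/bash
# Report subsystem debug logs that outlived the retention configured in
# logging.properties (org.apache.juli.FileHandler.maxDays). Assumption: rotated
# files follow the debug.YYYY-MM-DD.log naming used by Dogtag; GNU date is used.

# Print the maxDays value from a logging.properties file (7 when the key is absent).
read_max_days() {
    local props=$1 value
    value=$(sed -n 's/^[[:space:]]*org\.apache\.juli\.FileHandler\.maxDays[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$props" | tail -n 1)
    echo "${value:-7}"
}

# List debug.YYYY-MM-DD.log files in $1 whose file-name date is more than $2 days
# before $3 (an epoch timestamp; defaults to now). One path per line.
stale_debug_logs() {
    local dir=$1 max_days=$2 now=${3:-$(date +%s)} f day age
    for f in "$dir"/debug.[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].log; do
        [ -e "$f" ] || continue           # glob did not match anything
        day=${f##*/debug.}; day=${day%.log}
        age=$(( (now - $(date -u -d "$day" +%s)) / 86400 ))
        if [ "$age" -gt "$max_days" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo: a temp directory standing in for /var/log/pki/pki-tomcat/ca,
# evaluated as of 2024-03-20 so the result does not depend on today's date.
demo() {
    local tmp now count d
    tmp=$(mktemp -d)
    printf 'org.apache.juli.FileHandler.maxDays = 7\n' > "$tmp/logging.properties"
    now=$(date -u -d 2024-03-20 +%s)
    for d in 2024-03-01 2024-03-12 2024-03-19; do : > "$tmp/debug.$d.log"; done
    : > "$tmp/debug.log"                  # the active file is never a candidate
    count=$(stale_debug_logs "$tmp" "$(read_max_days "$tmp/logging.properties")" "$now" | wc -l)
    rm -rf "$tmp"
    echo $((count))                       # 2024-03-01 and 2024-03-12 are stale
}

demo
```

Point stale_debug_logs at the real ca/kra/acme directories (and read_max_days at the subsystem's WEB-INF/classes/logging.properties) to see how far behind the built-in purge is before deciding on a cron-based cleanup.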

nmaludy commented 1 year ago

Same issue here. Would be great if they were cleaned up, or had a standard logrotate config.

milaflq commented 5 months ago

We are experiencing the same behavior and it causes problems.

This issue has been opened in 2021 and still no development on it.

Running "idm-pki-ca-10.14.3-1.module_el8.8.0+3499+bdda178f.noarch" and we don't see the log file rotation but it's configured in "logging.properties"

Is there any way to bump this issue so it's taken care of?

Thanks

tomdus123 commented 3 months ago

We are experiencing the same behavior. ipa --version VERSION: 4.11.0, API_VERSION: 2.253

Any update on this issue? Thanks, Tomas