How to rotate the IPA PKI's Dogtag or Red Hat Certificate System logs using RHEL's logrotate feature
Environment
Red Hat Enterprise Linux Server release 7.6 (Maipo)
redhat-release-server-7.6-4.el7.x86_64
pki-ca-10.5.9-10.el7_6.noarch
Issue
The IPA PKI's Dogtag or Red Hat Certificate System logs keep growing over time.
Resolution
Add a logrotate configuration that will be picked up by the daily /etc/cron.daily/logrotate run:
cat << EOF > /etc/logrotate.d/pkidebuglog
/var/log/pki/*/*/debug {
missingok
notifempty
sharedscripts
size 100k
compress
delaycompress
su pkiuser pkiuser
postrotate
/bin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true
endscript
}
EOF
chcon system_u:object_r:etc_t:s0 /etc/logrotate.d/pkidebuglog
/usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
Root Cause
No default log rotation of the IPA PKI's Dogtag or Red Hat Certificate System logs.
Diagnostic Steps
ls -lZ /var/log/pki/*/*/debug*
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/testinstance/ocsp/debug
ls -lh /var/log/pki/*/*/debug*
-rw-r-----. 1 pkiuser pkiuser 80M Apr 9 23:20 /var/log/pki/rootca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 81M Apr 9 23:21 /var/log/pki/subca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 36K Mar 2 22:47 /var/log/pki/testinstance/ocsp/debug
cat << EOF > /etc/logrotate.d/pkidebuglog
/var/log/pki/*/*/debug {
missingok
notifempty
sharedscripts
size 100k
delaycompress
su pkiuser pkiuser
postrotate
/bin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true
endscript
}
EOF
chcon system_u:object_r:etc_t:s0 /etc/logrotate.d/pkidebuglog
ls -lZ /etc/logrotate.d/pkidebuglog
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/logrotate.d/pkidebuglog
/usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
ls -lZ /var/log/pki/*/*/debug*
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug-20190409
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug-20190409
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/testinstance/ocsp/debug
ls -lh /var/log/pki/*/*/debug*
-rw-r-----. 1 pkiuser pkiuser 0 Apr 9 23:23 /var/log/pki/rootca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 80M Apr 9 23:20 /var/log/pki/rootca1/ca/debug-20190409
-rw-r-----. 1 pkiuser pkiuser 0 Apr 9 23:23 /var/log/pki/subca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 81M Apr 9 23:21 /var/log/pki/subca1/ca/debug-20190409
-rw-r-----. 1 pkiuser pkiuser 36K Mar 2 22:47 /var/log/pki/testinstance/ocsp/debug
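Added example, not part of this solution: the same pkidebuglog policy from the Resolution and Diagnostic Steps above, applied to a scratch copy of the /var/log/pki layout so the effect of size, sharedscripts and delaycompress can be checked before it is dropped into /etc/logrotate.d. It assumes logrotate is installed; "su pkiuser pkiuser" is replaced by the current user/group and the pki-tomcatd restart by an append to a marker file, so it needs neither root nor Tomcat, and rotate/dateext/create (which RHEL's /etc/logrotate.conf supplies globally) are spelled out.

```shell
#!/bin/sh
# Added example, not from the article: apply the pkidebuglog policy to a
# scratch copy of the /var/log/pki layout so the effect of size, sharedscripts
# and delaycompress can be observed without touching a real CA.
# Assumptions: logrotate is installed; "su pkiuser pkiuser" becomes the current
# user/group and the pki-tomcatd restart becomes an append to a marker file
# (no root, no Tomcat); rotate/dateext/create, which RHEL's /etc/logrotate.conf
# supplies globally, are spelled out. Returns 0 ok, 1 failure, 77 no logrotate.
pki_rotate_demo() {
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not installed"; return 77; }
    box="$1"
    umask 022   # logrotate skips logs in group/world-writable directories
    mkdir -p "$box/pki/rootca1/ca" "$box/pki/subca1/ca" "$box/pki/testinstance/ocsp"
    # Constructed inputs mirroring the article's listing: two CA debug logs
    # above the 100k threshold, one OCSP log below it.
    head -c 150000 /dev/zero | tr '\0' x > "$box/pki/rootca1/ca/debug"
    head -c 150000 /dev/zero | tr '\0' x > "$box/pki/subca1/ca/debug"
    head -c 36000 /dev/zero | tr '\0' x > "$box/pki/testinstance/ocsp/debug"
    cat > "$box/pkidebuglog" << EOF
$box/pki/*/*/debug {
    missingok
    notifempty
    sharedscripts
    size 100k
    compress
    delaycompress
    rotate 4
    dateext
    create
    su $(id -un) $(id -gn)
    postrotate
        echo restart >> $box/postrotate.log
    endscript
}
EOF
    chmod 0644 "$box/pkidebuglog"   # logrotate ignores configs with looser modes
    logrotate -s "$box/state" "$box/pkidebuglog" || return 1
    today=$(date +%Y%m%d)
    # Both CA logs rotated to debug-YYYYMMDD, uncompressed this cycle
    # (delaycompress), with fresh empty debug files in their place (create).
    [ -f "$box/pki/rootca1/ca/debug-$today" ] || return 1
    [ -f "$box/pki/subca1/ca/debug-$today" ] || return 1
    [ -f "$box/pki/rootca1/ca/debug" ] && [ ! -s "$box/pki/rootca1/ca/debug" ] || return 1
    # The 36K OCSP log is untouched (size 100k) and postrotate ran exactly
    # once for the whole block (sharedscripts).
    [ ! -f "$box/pki/testinstance/ocsp/debug-$today" ] || return 1
    [ "$(wc -l < "$box/postrotate.log")" -eq 1 ] || return 1
}
```

Run it as `pki_rotate_demo "$(mktemp -d)"`; a second run in the same directory is what triggers the deferred gzip of the previous cycle's debug-YYYYMMDD.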
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
3 Comments
The RHEL component should be pki-ca.
On IdM servers, I had to change the postrotate command to:
/sbin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true
With just the reload, no space was freed and the new log was not being written.
A few more changes to make this work:
1) Set the paths for logrotate on pkidebuglog to:
2) Omit delaycompress to compress logs within the day.
3) Then test with the following to force update the config and return verbose output: