How to rotate the IPA PKI's Dogtag or Red Hat Certificate System logs using RHEL's logrotate feature

Solution Verified

Environment

Red Hat Enterprise Linux Server release 7.6 (Maipo)
redhat-release-server-7.6-4.el7.x86_64
pki-ca-10.5.9-10.el7_6.noarch

Issue

The IPA PKI's Dogtag or Red Hat Certificate System logs keep growing over time.

Resolution

Add a logrotate configuration that /etc/cron.daily/logrotate will apply on its daily run:

cat << EOF > /etc/logrotate.d/pkidebuglog
/var/log/pki/*/*/debug {
    missingok
    notifempty
    sharedscripts
    size 100k
    compress
    delaycompress
    su pkiuser pkiuser
    postrotate
        /bin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true
    endscript
}
EOF

chcon system_u:object_r:etc_t:s0 /etc/logrotate.d/pkidebuglog
/usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
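Two points worth checking before relying on the stanza above. First, the glob /var/log/pki/*/*/debug matches the debug log of every Dogtag instance on the host, while the postrotate restarts only pki-tomcatd@pki-tomcat.service (the IPA default instance); on a host such as the one in Diagnostic Steps (rootca1, subca1, testinstance), any other instance keeps writing to the renamed file through its open descriptor until it is restarted. Second, the restart itself briefly interrupts that CA, so it pays to dry-run the config before the cron job picks it up. The following script is an added example, not part of this Red Hat solution: it renders one stanza per instance so the glob and the restarted unit agree, installs it with the SELinux label applied by restorecon rather than chcon, offers a logrotate -d dry run, and turns the diagnostic "ls -lh" size check into a find command. The function names and the per-instance file name pkidebuglog-<instance> are this example's own choices; the stanza body follows the page's configuration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: render one logrotate stanza
# per Dogtag/RHCS instance, install it, and check which debug logs are over
# size. The stanza body follows the page's configuration; function names and
# the per-instance file name pkidebuglog-<instance> are this example's choices.

# Print a stanza for one instance. Dogtag runs each instance as the systemd
# template unit pki-tomcatd@<instance>.service, so scoping the glob to the
# instance directory keeps the restart and the rotated logs in agreement.
render_pki_logrotate_conf() {
    instance="${1:-pki-tomcat}"
    cat <<EOF
/var/log/pki/${instance}/*/debug {
    missingok
    notifempty
    sharedscripts
    size 100k
    compress
    delaycompress
    su pkiuser pkiuser
    postrotate
        /bin/systemctl restart pki-tomcatd@${instance}.service > /dev/null 2>&1 || true
    endscript
}
EOF
}

# Write the stanza to DEST_DIR (default /etc/logrotate.d) as
# pkidebuglog-<instance>, with the mode root-owned config files carry, and
# let restorecon apply the policy's label (etc_t) instead of hand-typing it
# with chcon. Prints the path written.
install_pki_logrotate_conf() {
    instance="${1:-pki-tomcat}"
    dest_dir="${2:-/etc/logrotate.d}"
    conf="${dest_dir}/pkidebuglog-${instance}"
    render_pki_logrotate_conf "$instance" > "$conf"
    chmod 0644 "$conf"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon "$conf"
    fi
    printf '%s\n' "$conf"
}

# Parse and dry-run a stanza with logrotate -d (debug mode: reports what would
# be rotated without touching anything), so a typo surfaces now rather than
# on the next run of /etc/cron.daily/logrotate.
dryrun_pki_logrotate_conf() {
    logrotate -d "$1"
}

# List debug logs under LOG_ROOT larger than THRESHOLD (find -size syntax,
# default +100k, matching the stanza's "size 100k"). This is the check the
# diagnostic "ls -lh /var/log/pki/*/*/debug*" was used to do by eye.
find_large_pki_debug_logs() {
    log_root="${1:-/var/log/pki}"
    threshold="${2:-+100k}"
    find "$log_root" -mindepth 3 -maxdepth 3 -type f -name debug -size "$threshold" 2>/dev/null
}

# Usage on a host (run as root):
#   for i in rootca1 subca1; do dryrun_pki_logrotate_conf "$(install_pki_logrotate_conf "$i")"; done
#   find_large_pki_debug_logs /var/log/pki +100k
```

With one file per instance, logrotate still runs each stanza's postrotate separately, so only the instance whose debug log actually rotated is restarted; the IPA-only case is simply `install_pki_logrotate_conf pki-tomcat`.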

Root Cause

There is no default log rotation configuration for the IPA PKI's Dogtag or Red Hat Certificate System debug logs, so they grow without bound.

Diagnostic Steps

ls -lZ /var/log/pki/*/*/debug*
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/testinstance/ocsp/debug

ls -lh /var/log/pki/*/*/debug*
-rw-r-----. 1 pkiuser pkiuser 80M Apr  9 23:20 /var/log/pki/rootca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 81M Apr  9 23:21 /var/log/pki/subca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 36K Mar  2 22:47 /var/log/pki/testinstance/ocsp/debug

cat << EOF > /etc/logrotate.d/pkidebuglog
/var/log/pki/*/*/debug {
    missingok
    notifempty
    sharedscripts
    size 100k
    delaycompress
    su pkiuser pkiuser
    postrotate
        /bin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true
    endscript
}
EOF

chcon system_u:object_r:etc_t:s0 /etc/logrotate.d/pkidebuglog

ls -lZ /etc/logrotate.d/pkidebuglog
-rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/logrotate.d/pkidebuglog
/usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf

ls -lZ /var/log/pki/*/*/debug*
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/rootca1/ca/debug-20190409
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/subca1/ca/debug-20190409
-rw-r-----. pkiuser pkiuser system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki/testinstance/ocsp/debug

ls -lh /var/log/pki/*/*/debug*
-rw-r-----. 1 pkiuser pkiuser   0 Apr  9 23:23 /var/log/pki/rootca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 80M Apr  9 23:20 /var/log/pki/rootca1/ca/debug-20190409
-rw-r-----. 1 pkiuser pkiuser   0 Apr  9 23:23 /var/log/pki/subca1/ca/debug
-rw-r-----. 1 pkiuser pkiuser 81M Apr  9 23:21 /var/log/pki/subca1/ca/debug-20190409
-rw-r-----. 1 pkiuser pkiuser 36K Mar  2 22:47 /var/log/pki/testinstance/ocsp/debug
