When triggered by file size limit, native.log does not rotate correctly and logs are missing

Description

If the size of native.log >1MB, (almost all) logs are never written any more.

For example, the following evidence is with debug level logging,
Before:

After first authentication:

After second authentication:

After third authentication:

Next:

Next:

and so on.

The second attempt was logged by only one line and the third and later attempts were never logged in native.log.

This issue occurs with both prefork and worker mode.
Other environments:

Environment

CentOS 5

Activity

Former user 
March 9, 2015 at 12:09 PM

I gave it a try on RHEL 7 - and can confirm that it looks good (I triggered native.log rotation by setting log4j.appender.native_log.maxFileSize=1000 in native.logger). Also, the new native.logger was installed as expected, as I hadn't modified the version from 2.5.3.

Note that this snippet in /etc/init.d/shibd (which is improperly indented for the -amazon and -redhat cases, BTW - should be a TAB):

can just be dropped: the RPM install will create the directory with the proper user and permissions, there is no migration for pre-2.5 setups, and native.log rollover triggered by mod_shib will work fine as long as the apache user owns the directory (it will also override native.log files owned by root, if necessary).
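The ownership condition in the comment above can be checked before relying on mod_shib rollover. This is an added example, not part of the thread or the Shibboleth packages. The helper name `can_rollover` and the directory passed to it are hypothetical, and the check looks only at the owner and mode bits.

```shell
#!/bin/sh
# can_rollover DIR USER_OR_UID  (hypothetical helper, not from the Shibboleth packages)
# Succeeds when DIR is owned by the given account and the owner has write and
# search permission, i.e. the account can rename native.log and create a new one.
can_rollover() {
    dir=$1
    who=$2
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    # Accept a numeric uid as-is, otherwise resolve the account name.
    case $who in
        ''|*[!0-9]*)
            uid=$(id -u "$who" 2>/dev/null) || { echo "unknown user: $who"; return 2; } ;;
        *)  uid=$who ;;
    esac

    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    mode=$(ls -ldn "$dir" | awk '{print $1}')
    owner=$(ls -ldn "$dir" | awk '{print $3}')

    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $dir owned by uid $owner, expected $uid"
        return 1
    fi
    case $mode in
        d?w[xs]*) ;;
        *) echo "FAIL: owner lacks write/search on $dir ($mode)"; return 1 ;;
    esac
    echo "OK: uid $uid can rename and create files in $dir"
}

# Constructed demonstration on a throwaway directory owned by the current user.
demo=$(mktemp -d)
can_rollover "$demo" "$(id -u)"
rmdir "$demo"
```

On a real host, pass the directory that holds native.log and the account Apache runs as (apache on Red Hat, wwwrun on SUSE, per the comments in this thread).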

Scott Cantor 
March 9, 2015 at 12:00 AM

Tested on opensuse 13, behaved as expected. Initial file is owned by root. After roll-over, the old file is renamed, still root-owned, and the new file is owned by wwwrun/www.

Scott Cantor 
February 26, 2015 at 4:29 PM

http://svn.shibboleth.net/view/cpp-sp?rev=3905&view=rev

Lots of testing needed, but this is something approximately correct. Will be producing new test packages for 2.5.4 shortly.

Scott Cantor 
February 26, 2015 at 2:01 PM

logrotate probably won't work unless it fully re-inits the Apache modules.

This has been a sore spot for a while, so I would rather just fix it. These logs are almost never used, so having them separate doesn't hurt anything.

It's a relatively small change apart from having to determine what to use in the chown command, but SUSE seems to always use wwwrun/www and Red Hat is apache/apache, so that should be good enough for now.

Former user 
February 26, 2015 at 8:43 AM

Hmm no, 0751 doesn't actually have the intended effect, as I just realized, so forget about this idea.

Fixed

Created February 24, 2015 at 10:55 AM
Updated March 20, 2015 at 1:12 AM
Resolved March 9, 2015 at 12:00 AM