When triggered by file size limit, native.log does not rotate correctly and logs are missing
Description
Environment
CentOS 5
Activity

Former user March 9, 2015 at 12:09 PM
I gave it a try on RHEL 7 - and can confirm that it looks good (I triggered native.log rotation by setting log4j.appender.native_log.maxFileSize=1000
in native.logger). Also, the new native.logger was installed as expected, as I hadn't modified the version from 2.5.3.
Note that this snippet in /etc/init.d/shibd (which is improperly indented for the -amazon and -redhat cases, BTW - should be a TAB):
can just be dropped: the RPM install will create the directory with the proper user and permissions, there is no migration for pre-2.5 setups, and native.log rollover triggered by mod_shib will work fine as long as the apache user owns the directory (it will also override native.log files owned by root, if necessary).
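A pre-flight check for the condition described above (the web-server user must own the log directory for a size-triggered rollover inside mod_shib to succeed), added here as an example that is not part of the Shibboleth project or of this comment; the default path /var/log/shibboleth and the user name apache are assumptions:

```shell
#!/bin/sh
# Added example, not Shibboleth project code. Verifies that the directory
# holding native.log is owned by the web-server user. Rollover renames the
# old file and creates a new one in that directory, so directory ownership
# is what decides whether a rollover performed by an Apache worker works;
# a root-owned native.log (or native.log.N) inside it is fine.

# owner_of PATH -> prints the owning user name (parses ls -ld for portability)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_native_log_dir DIR USER
# Returns 0 when DIR exists and is owned by USER; otherwise prints the
# problem and returns 1. The owner of any existing native.log is reported
# for information only and does not affect the result.
check_native_log_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "missing log directory: $dir"
        return 1
    fi
    dir_owner=$(owner_of "$dir")
    if [ "$dir_owner" != "$user" ]; then
        echo "$dir is owned by $dir_owner, expected $user: rollover by mod_shib will fail"
        return 1
    fi
    if [ -e "$dir/native.log" ]; then
        echo "info: $dir/native.log is currently owned by $(owner_of "$dir/native.log")"
    fi
    echo "ok: $dir is owned by $user"
    return 0
}

# Usage: check_native_log_dir.sh [LOGDIR] [WEBUSER]
# Assumed defaults follow the Red Hat naming (apache); SUSE uses wwwrun.
if [ $# -gt 0 ]; then
    check_native_log_dir "${1:-/var/log/shibboleth}" "${2:-apache}"
fi
```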
Scott Cantor March 9, 2015 at 12:00 AM
Tested on opensuse 13, behaved as expected. Initial file is owned by root. After roll-over, the old file is renamed, still root-owned, and the new file is owned by wwwrun/www.
Scott Cantor February 26, 2015 at 4:29 PM
http://svn.shibboleth.net/view/cpp-sp?rev=3905&view=rev
Lots of testing needed, but this is something approximately correct. Will be producing new test packages for 2.5.4 shortly.
Scott Cantor February 26, 2015 at 2:01 PM
logrotate probably won't work unless it fully re-inits the Apache modules.
This has been a sore spot for a while, so I would rather just fix it. These logs are almost never used, so having them separate doesn't hurt anything.
It's a relatively small change apart from having to determine what to use in the chown command, but SUSE seems to always use wwwrun/www and Red Hat is apache/apache, so that should be good enough for now.

Former user February 26, 2015 at 8:43 AM
Hmm no, 0751 doesn't actually have the intended effect, as I just realized, so forget about this idea.
If the size of native.log >1MB, (almost all) logs are never written any more.
For example, the following evidence is with debug level logging,
Before:
After first authentication:
After second authentication:
After third authentication:
Next:
Next:
and so on.
The second attempt was logged with only one line, and the third and later attempts were never logged in native.log.
This issue occurs with both prefork and worker modes.
Other environments: