logrotate

Updated on 24 Jul 2021

Error on Start up

When I start up Ubuntu, I am presented with an error on the start-up screen: "Failed to start Rotate log files".

The reason for this is a hardening of the security aspects of the service. Let's have a look at the file /lib/systemd/system/logrotate.service:

[Unit]
Description=Rotate log files
Documentation=man:logrotate(8) man:logrotate.conf(5)
ConditionACPower=true

[Service]
Type=oneshot
ExecStart=/usr/sbin/logrotate /etc/logrotate.conf

# performance options
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7

# hardening options
#  details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
#  no ProtectHome for userdir logs
#  no PrivateNetwork for mail deliviery
#  no ProtectKernelTunables for working SELinux with systemd older than 235
#  no MemoryDenyWriteExecute for gzip on i686
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=full
RestrictRealtime=true

Note this line, second from the end:

ProtectSystem=full

What this means is that the logrotate service will only have access to the /var/log directory or its subdirectories. Outside of this, logrotate won’t work; hence a possible reason my logrotate failed to start.

systemctl status

Before making any assumptions, let’s see the status of logrotate:

systemctl status logrotate

In this case there is an error in writing to the mysql log files. This is within the /var/log directory, so it must be something else.

Permissions

If I get a directory listing, I can see that the mysql folder and files are owned by mysql and have a group of adm. logrotate runs under the adm user, and we can see here that the group doesn’t have write permissions to the file. This explains the error message we were seeing before.
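The same check as a script, useful when the directory listing is long: it reports every file in a log directory whose group is not the expected one or lacks the group write bit. This is an added example, not part of the original notes; the function names and /var/log/mysql as the location of the mysql folder are assumptions.

```shell
#!/bin/sh
# Added example: find log files that a given group cannot write to.
# Uses GNU stat, as shipped on Ubuntu.

# group_can_write FILE GROUP
# Succeeds only if FILE's owning group is GROUP and the group write bit is set.
group_can_write() {
    # %G = owning group name, %a = octal mode such as 640
    info=$(stat -c '%G %a' -- "$1") || return 2
    fgroup=${info% *}
    fmode=${info##* }
    [ "$fgroup" = "$2" ] || return 1
    # 020 (octal) is the group write bit; the leading 0 makes the mode octal
    [ $(( 0$fmode & 020 )) -ne 0 ]
}

# audit_log_dir DIR GROUP
# Prints owner, group and mode of each regular file in DIR that GROUP cannot
# write to. Returns 1 if any such file exists, 0 otherwise.
audit_log_dir() {
    dir=$1 grp=$2 bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! group_can_write "$f" "$grp"; then
            printf '%s  %s\n' "$(stat -c '%U:%G %A' -- "$f")" "$f"
            bad=1
        fi
    done
    return "$bad"
}

# The case from the text: the mysql folder under /var/log (path assumed)
# and the adm group.
if [ -d /var/log/mysql ]; then
    audit_log_dir /var/log/mysql adm ||
        echo "adm cannot write to the files listed above"
fi
```

Running it again after a reboot shows whether the ownership or mode of the log files has been reset.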

We can change the permissions and restart the service.

And we can see that everything works as expected now.

Unfortunately the next time the machine restarts, MySQL will alter the ownership of the log file again and we are back at square one. When I get the opportunity, I will update my notes when I find a solution.