Struggling with logrotate and unicorn
normalperson at yhbt.net
Tue Apr 12 14:59:02 EDT 2011
Emmanuel Gomez <emmanuel.gomez at gmail.com> wrote:
> On Apr 12, 2011, at 10:58 AM, Eric Wong wrote:
> > Emmanuel Gomez <emmanuel.gomez at gmail.com> wrote:
> >> I have confirmed that logrotate creates the logs with a 0600 umask
> >> and the uid/gid of my unprivileged user (per my logrotate config,
> >> loosely based on the example logrotate.conf from 3.4 or 3.5).
> > Did the permissions of the old (rotated) log files change?
> No, they remained owned by root.
Remained owned by root? Yes that sounds like the problem.
> >> The problem occurs when I send a USR1 signal to the master process
> >> (as root, because the master is running as root) after the logs
> >> have been rotated. As near as I can tell, after that the Unicorn
> >> master chowns the logs to root ownership. Then, the workers attempt
> >> to chown the logs back to ownership by the unprivileged user, which
> >> repeatedly fails, spewing megabytes of errors that look like:
> > The rotation error handling should probably just exit! the worker
> > and rely on the master to restart it...
> That would probably be better behavior, although in this specific case
> the worker would immediately die on respawn because the log is still
> owned by root and unwriteable by my unprivileged user.
> I did find a resolution: in the after_fork block, I had copied the
> code to switch users from the GitHub blog post on unicorn
> (https://github.com/blog/517-unicorn). I didn't see
> Unicorn::Worker#user, which implements the same code with the addition
> of a call to Unicorn::Util.chown_logs. When I replace the inline
> GitHub-blog-derived code with a call to Unicorn::Worker#user, it
Yes, the old versions of Unicorn didn't change users at all.
I always knew user-switching is a pain in the ass to deal with due to
issues like this. Due to work on Rainbows! (designed to run on port
80) and users starting as root anyways (due to init scripts), I needed
add this feature.
> My understanding is that this (after_fork/Unicorn::Util.chown_logs)
> shouldn't be executed on USR1; I don't see how the
> Unicorn::Util.chown_logs call on after_fork (startup) would make a
> difference w/r/t rotation (much later), but my understanding is
> obviously incomplete, because it works.
It's the rotation that attempts to chown since it thinks (incorrectly)
that it's in the master process. I'll make that more robust and release
3.6.0 sometime this week with (hopefully) a few other minor
> Thanks for your reply, I'm off to comment on the GitHub blog post to
> try to warn others to use Unicorn::Worker#user instead of the example
> code in after_fork.
Thanks, that seems to be a general problem with people relying on
blog/mailing list posts instead of consistently updated documentation.
More information about the mongrel-unicorn