logrotate殺プロセス事件 YAPC::Okinawa 2018 前夜祭 LT/Mystery of logrotate's death

logrotateࡴɹࣄ݅ @kazeburo ϓϩ ηε

Someday 3:30 AM [CRITICAL] Fluentd’s position ﬁle has not been
updated for several minutes. Alert!! AppXXX

Jan 24 03:24:18 appXXX logrotate: ALERT exited abnormally with [1]
We found these error msg in /var/log/message.

• The files appear to be rotated. • But `postrotate`
was not executed. • The daemon kept writing logs to the old file. • Fluentd read a new file, but no logs are written. /var/log/httpd/*log { compress daily delaycompress missingok ifempty rotate 7 dateext sharedscripts su root root postrotate /sbin/service httpd graceful > \ /dev/null 2>/dev/null || true endscript

How works logrotate • Find log files to rotate. •
Rename old log files. • Create new logfiles with òpen(name, O_CREAT |O_EXCL)`. • exec `postrotate`. DIED HERE NOT EXCUTED

O_CREAT|O_EXCL • O_CREAT • ϑΝΠϧ͕ଘࡏ͠ͳ͔ͬͨ৔߹͸࡞੒ (create) ͢Δɻ • O_EXCL •
͜ͷݺͼग़͠ͰϑΝΠϧ͕࡞੒͞ΕΔ͜ͱΛอূ͢Δɻ͜ͷϑϥά ͕ O_CREAT ͱ Ұॹʹࢦఆ͞Εɺ pathname ͷϑΝΠϧ͕طʹଘࡏͨ͠৔ ߹ɺ open() ͸ࣦഊ ͢Δɻ

ɾɾɾͭ·Γ

Someone created a ﬁle during the moment between rename and
create at 3:30 AM!!!

ͳɾɾɾͳΜ (ུ

• PHP͸ϦΫΤετॲཧ͕ऴΘΔͱجຊશͯͷϝϞϦΛղ์͢Δ • File descriptorΛϦΫΤετΛ௒͑ͯอ࣋͢Δ͜ͱ͕Ͱ͖ͳ͍ • Monologͱ͍͏loggerϥΠϒϥϦͰ͸౎౓O_CREATΛ͚ͭͯϑΝΠϧ։͘ • ͭ·Γrename௚ޙʹloggerΛ࢖͏ͱɺlogrotate͕࡞੒͢ΔΑΓ΋ૣ͘ϑΝΠϧ Λ࡞ͬͯ͠·͏ɻ3࣌൒ʹ

• logrotate͕ऴΘΔ·ͰϦΫΤετΛࢭΊΔ • logrotate supports `prerotate` & `lastaction`. • logrotateʹpatchΛ͋ͯͯO_EXCLΛ࡟আ
• logroateͷڍಈΛ֎͔Βมߋͯ͠O_EXCLΛ࡟আ ࠾༻

LD_PRELOAD ؀ڥม਺ LD_PRELOAD Λ࢖͏ͱϓϩάϥϜͷ࣮ߦલʹ ೚ҙͷڞ༗ΦϒδΣΫτ(ϥΠϒϥϦ)ΛಡΈࠐΈɺ ϓϩάϥϜͷڍಈʹมߋΛՃ͑Δ͜ͱ͕Ͱ͖Δ

https://github.com/kazeburo/no_excl_open int open(const char *pathname, int flags, ...) { static
int (*func_open)(const char *, int, mode_t); va_list ap; mode_t mode; int fd; if (!func_open) func_open = dlsym (RTLD_NEXT, "open"); va_start(ap, flags); mode = va_arg(ap, int); va_end(ap); // O_RDWR and ! O_TRUNC if ( (flags & O_CREAT) != 0 && (flags & O_RDWR) != 0 && (flags & O_TRUNC) == 0 ) { flags = flags & ~O_EXCL; // ͜͜ͰO_EXCLΛআڈ } fd = func_open(pathname, flags, mode); return fd; }

/etc/cron.daily/logrotate #!/bin/sh LD_PRELOAD=/path/to/open_no_excl.so /usr/sbin/logrotate \ -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf EXITVALUE=$? if
[ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi exit 0

✌ ഊ๺Λ஌Γ͍ͨ

logrotate殺プロセス事件 YAPC::Okinawa 2018 前夜祭 LT/Myst...

logrotate殺プロセス事件 YAPC::Okinawa 2018 前夜祭 LT/Mystery of logrotate's death

kazeburo

More Decks by kazeburo

Other Decks in Technology

Featured

Transcript

logrotateࡴɹࣄ݅ @kazeburo ϓϩ ηε

Someday 3:30 AM [CRITICAL] Fluentd’s position ﬁle has not been

Jan 24 03:24:18 appXXX logrotate: ALERT exited abnormally with [1]

• The ﬁles appear to be rotated. • But `postrotate`

How works logrotate • Find log ﬁles to rotate. •

O_CREAT|O_EXCL • O_CREAT • ϑΝΠϧ͕ଘࡏ͠ͳ͔ͬͨ৔߹͸࡞੒ (create) ͢Δɻ • O_EXCL •

ɾɾɾͭ·Γ

Someone created a ﬁle during the moment between rename and

ͳɾɾɾͳΜ (ུ

• logrotate͕ऴΘΔ·ͰϦΫΤετΛࢭΊΔ • logrotate supports `prerotate` & `lastaction`. • logrotateʹpatchΛ͋ͯͯO_EXCLΛ࡟আ

LD_PRELOAD ؀ڥม਺ LD_PRELOAD Λ࢖͏ͱϓϩάϥϜͷ࣮ߦલʹ ೚ҙͷڞ༗ΦϒδΣΫτ(ϥΠϒϥϦ)ΛಡΈࠐΈɺ ϓϩάϥϜͷڍಈʹมߋΛՃ͑Δ͜ͱ͕Ͱ͖Δ

https://github.com/kazeburo/no_excl_open int open(const char *pathname, int flags, ...) { static

/etc/cron.daily/logrotate #!/bin/sh LD_PRELOAD=/path/to/open_no_excl.so /usr/sbin/logrotate \ -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf EXITVALUE=$? if

✌ ഊ๺Λ஌Γ͍ͨ