Ian Wienand 1e2ea795c2
logrotate: don't use filename to generate config file
I noticed on our hosts some logrotate files named '*.1234.conf' --
these are coming from callers of logrotate role specifying
'/var/log/program/*.log', where the '*' is turning into a literal
filename.  I didn't really consider this case.

Having a file-name starting with '*' may technically be fine, but is a
bad idea for everyone's sanity and its potential to foot-gun some
sort of operation that suddenly wipes out a lot more than you wanted
to.

Let's just use the hash of the name to be unambiguous and still
idempotent.  Make it more git-ish by using the same 7 digits as a
default short-hash.

Change-Id: I13d376f85a25a7b8c3a0bc0dcbabd916e8a9774a
2023-02-14 07:03:17 +11:00

39 lines
1.4 KiB
YAML

- name: Check for filename
  fail:
    msg: Must set logrotate_file_name for logfile to rotate
  when: logrotate_file_name is not defined

- assert:
    that:
      - logrotate_frequency in ('hourly', 'daily', 'weekly', 'monthly', 'yearly', 'size')
    fail_msg: Invalid logrotate_frequency

- assert:
    that:
      - logrotate_size
    fail_msg: Must specify size for rotation
  when: logrotate_frequency == 'size'

# Hash the full path to avoid any conflicts but remain idempotent.
- name: Create a unique config name
  set_fact:
    # NOTE(ianw) 2023-02-13 : we missed that this makes files with
    # names like "*.1234.conf" when using wild-cards. Below we have
    # dropped using the file-name component. After we've removed them
    # we can drop this.
    _old_logrotate_generated_config_file_name: "{{ logrotate_file_name | basename }}.{{ (logrotate_file_name|hash('sha1'))[0:5] }}.conf"
    logrotate_generated_config_file_name: "{{ (logrotate_file_name | hash('sha1'))[0:6] }}.conf"

- name: Clear out potentially confusing config files
  file:
    state: absent
    # The old-style file was installed under /etc/logrotate.d/ (see the
    # template dest below), so it has to be removed from there.
    path: '/etc/logrotate.d/{{ _old_logrotate_generated_config_file_name }}'

- name: 'Install {{ logrotate_file_name }} rotation config file'
  template:
    src: logrotate.conf.j2
    dest: '/etc/logrotate.d/{{ logrotate_config_file_name|default(logrotate_generated_config_file_name) }}'
    owner: root
    group: root
    mode: 0644
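
The two naming schemes in the set_fact task above, reproduced as an added example (not part of the role or this commit) to audit a listing of /etc/logrotate.d for old-style leftovers and to check a set of log paths for truncated-hash collisions. It assumes the hash('sha1') filter is the SHA-1 hex digest of the UTF-8 path; the function names and sample paths are made up for illustration.

```python
import hashlib
import os
import re
from collections import defaultdict

def sha1_hex(path):
    # Assumption: equals Ansible's hash('sha1') output for a text string.
    return hashlib.sha1(path.encode("utf-8")).hexdigest()

def old_name(path):
    """Scheme before this change: basename plus 5 hex digits."""
    return f"{os.path.basename(path)}.{sha1_hex(path)[0:5]}.conf"

def new_name(path, width=6):
    """Scheme after this change: hash prefix only ([0:6] in the role)."""
    return f"{sha1_hex(path)[0:width]}.conf"

def collisions(paths, width=6):
    """Group distinct paths whose truncated hashes give the same file name.

    A collision means one rendered config silently overwrites another.
    """
    seen = defaultdict(set)
    for p in paths:
        seen[new_name(p, width)].add(p)
    return {n: sorted(ps) for n, ps in seen.items() if len(ps) > 1}

def legacy_leftovers(listing, paths):
    """Old-scheme names still present in a /etc/logrotate.d listing."""
    wanted = {old_name(p) for p in paths}
    return sorted(f for f in listing if f in wanted)

# New-style names contain nothing a shell could expand.
SAFE = re.compile(r"[0-9a-f]+\.conf")

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    paths = ["/var/log/program/*.log", "/var/log/other/*.log"]
    listing = ["apt", "rsyslog", old_name(paths[0]), new_name(paths[0])]
    for p in paths:
        print(f"{p!r}: old={old_name(p)!r} new={new_name(p)!r}")
    print("leftovers to remove:", legacy_leftovers(listing, paths))
    print("collisions:", collisions(paths) or "none")
```

Six hex digits give 24 bits of name space, so running collisions() over every logrotate_file_name in the inventory is a cheap check before relying on the generated names.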