logrotate: /var/log/mail #137

Open
MichaelSp opened this issue Sep 29, 2024 · 2 comments

Comments

@MichaelSp
Contributor

MichaelSp commented Sep 29, 2024

logrotate wants to know which user/group should be used for rotation because by default it's world writable or writable by group which is not "root".

/etc/cron.daily/logrotate:
error: skipping "/var/log/mail/mail.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail/rspamd.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
run-parts: /etc/cron.daily/logrotate exited with return code 1

Raising this issue here because the mount is at https://github.com/docker-mailserver/docker-mailserver-helm/blob/master/charts/docker-mailserver/templates/deployment.yaml#L263-L267

Logrotate config is at https://github.com/docker-mailserver/docker-mailserver/blob/1a938dfb15e94f43f1af5ddaf7b8276aba92a825/target/scripts/startup/setup.d/log.sh#L13-L38

Current mount definition

root@mail-docker-mailserver-5ff8b6b7c-7brm4:/var/log# ls -la
total 216
drwxr-xr-x 1 root    root      4096 Sep 29 06:48 .
drwxr-xr-x 1 root    root      4096 Sep 28 21:29 ..
-rw-r--r-- 1 root    root      4297 May 29 00:30 alternatives.log
drwxr-xr-x 1 root    root      4096 May 29 00:30 apt
-rw-r----- 1 root    adm       1027 Sep 29 09:17 auth.log
-rw-r----- 1 root    adm       3985 Sep 29 06:48 auth.log.1
-rw-rw---- 1 root    utmp         0 May 13 00:00 btmp
-rw-r----- 1 root    adm        429 Sep 29 09:17 cron.log
-rw-r----- 1 root    adm       2123 Sep 29 06:48 cron.log.1
drwxr-xr-x 2 root    root      4096 May 29 00:29 dbconfig-common
-rw-r--r-- 1 root    root    141271 Jun  5 15:16 dpkg.log
lrwxrwxrwx 1 root    root        26 Jun  5 15:16 fail2ban.log -> /var/log/mail/fail2ban.log
-rw-r--r-- 1 root    root         0 May 13 00:00 faillog
-rw-rw-r-- 1 root    utmp         0 May 13 00:00 lastlog
drwxrwxrwx 2 syslog  root      4096 Sep 27 19:41 mail                 # <<<--------- mounted as syslog root
lrwxrwxrwx 1 root    root        22 Jun  5 15:16 mail.log -> /var/log/mail/mail.log
drwxr-s--- 2 redis   adm       4096 May 29 00:30 redis
drwxr-x--- 2 _rspamd _rspamd   4096 Feb 26  2024 rspamd
drwxr-xr-x 1 root    root      4096 Sep 28 21:29 supervisor
-rw-r----- 1 root    adm        741 Sep 29 09:17 syslog
-rw-r----- 1 root    adm       2306 Sep 29 06:48 syslog.1
-rw-r----- 1 root    adm        116 Sep 29 06:48 user.log
-rw-rw-r-- 1 root    utmp         0 May 13 00:00 wtmp

Two potential solutions:

  1. adjust permissions of the mountpoint
  2. provide suggested config to logrotate

@jinnerbichler

Having the same problem.

@cfis
Collaborator

cfis commented Oct 28, 2024

Sorry I missed this issue.

For potential solution #1 - the chart lets you set the securityContext for the pod. But as far as I know, that applies to all of a pod's volumeMounts. So I don't think there is anything the chart can do to change permissions per volume mount. Let me know if there is a way this can be done.

For potential solution #2, you'll need to submit a bug to the docker-mailserver project.
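
An added example, not part of the thread or of either project: a Python audit that applies the condition quoted in the logrotate error (parent directory world writable, or writable by a group other than root) to the parent directory of each log file. The function names and the scratch directory standing in for `/var/log/mail` are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, Optional, Tuple


def insecure_reason(mode: int, gid: int) -> Optional[str]:
    """Return why the directory matches the condition in the error text, else None."""
    if mode & stat.S_IWOTH:
        return "world writable"
    if mode & stat.S_IWGRP and gid != 0:
        return "writable by non-root group"
    return None


def audit_log_dirs(log_files: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each log file to the finding for its parent directory (None = acceptable)."""
    findings = {}
    for log_file in log_files:
        parent = os.path.dirname(os.path.abspath(log_file))
        st = os.stat(parent)
        findings[log_file] = insecure_reason(st.st_mode, st.st_gid)
    return findings


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: finding before and after tightening the directory mode."""
    with tempfile.TemporaryDirectory() as scratch:
        mail_dir = os.path.join(scratch, "mail")  # stand-in for /var/log/mail
        os.mkdir(mail_dir)
        log_file = os.path.join(mail_dir, "mail.log")
        open(log_file, "w").close()

        os.chmod(mail_dir, 0o777)  # drwxrwxrwx, as in the listing above
        before = audit_log_dirs([log_file])[log_file]

        os.chmod(mail_dir, 0o755)  # solution 1: adjust the mountpoint permissions
        after = audit_log_dirs([log_file])[log_file]
        return before, after


if __name__ == "__main__":
    # Solution 2 leaves the mode alone and sets the "su" directive instead,
    # which is what the error message itself recommends.
    print(demo())
```

Run inside the container, `audit_log_dirs(["/var/log/mail/mail.log", "/var/log/mail/rspamd.log"])` reports the two files named in the cron output.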
