
Config.hcl doesn't react to SIGHUP

Open Breisi opened this issue 2 years ago • 2 comments

Hi there,

We have configured audit logging to a file (boundary.ndjson) in the config.hcl. We also want to use log rotation to rotate the logs written to the log file. Logrotate renames the old file (e.g. boundary.ndjson-20230705) and creates a new file with the name boundary.ndjson. After rotating the file, logrotate sends a SIGHUP signal to boundary config.hcl, so that the config.hcl is read again and writes the logs to the newly created file. The problem is that boundary continues to write to the old file (boundary.ndjson-20230705). Our first thought was that if there are no changes in the config.hcl, boundary has no reason to read it again after receiving the HUP signal and that's why it continues writing to the old file.

To test this assumption, we changed the file name from boundary.ndjson to boundary.ndjson-1 in the config.hcl to figure out if SIGHUP works when there are changes in the config file. In fact, we were able to see the read process of the config.hcl file with strace after sending the SIGHUP. It also reads the config file correctly. However, changes in the config file are not applied and it also continues writing to the old file (boundary.ndjson).

Steps to Reproduce

boundary version 0.13.0

Config for logging in config.hcl:

events {
  observations_enabled = true
  sysevents_enabled = true
  audit_enabled = true
  sink {
    name = "audit-sink"
    description = "Audits sent to a file"
    event_types = ["*"]
    format = "cloudevents-json"
    audit_config {
      audit_filter_overrides {
        sensitive = ""
        secret    = ""
      }
    }
    file {
      path = "/var/log/boundary"
      file_name = "boundary.ndjson"
    }
  }
}

Logrotate config:

/root/container_logs/boundary.ndjson {
        weekly
        rotate 52
        compress
        delaycompress
        dateext
        postrotate
                pidboundary=$(pidof boundary server)
                docker exec boundary kill -HUP $pidboundary
        endscript
}

Expected behavior

The config.hcl should, after receiving a SIGHUP signal from logrotate, reread the config file and change the writing to the new logfile.

Breisi, Jul 05 '23 13:07

Hi, thanks for the report. Currently only a few fields from the config are re-read on SIGHUP. They are documented here and here. As a work-around you could use the copytruncate option for logrotate. However, the logrotate docs do note:

that there is a very small time slice between copying the file and truncating it, so some logging data might be lost.

Another alternative that avoids this limitation is to configure boundary to perform the rotation by setting the rotate options in the file stanza.

Given how common the use of logrotate is, and the noted limitation of copytruncate, I will leave this open as a potential enhancement though.

tmessi, Jul 05 '23 14:07
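Why rename-based rotation leaves new audit events in the old file while copytruncate does not, as an added shell example (not code from the issue or from the Boundary project). The temp directory, file names and sample event lines are constructed, and a shell file descriptor held open in append mode stands in for a server that does not reopen its sink on SIGHUP.

```shell
#!/bin/sh
# rotate_demo MODE -> prints which file received the line written after rotation:
#   rotated = the renamed/copied old file, live = the current log, lost = neither
rotate_demo() {
    mode=$1
    dir=$(mktemp -d) || return 1
    log="$dir/boundary.ndjson"            # constructed name, mirrors the issue
    rotated="$dir/boundary.ndjson-rotated"

    # Stand-in for the server: keep the log open in append mode on fd 3.
    exec 3>>"$log"
    echo '{"event":"before-rotation"}' >&3

    case $mode in
        rename)        # logrotate default: rename, then create a fresh file
            mv "$log" "$rotated"
            : > "$log"
            ;;
        copytruncate)  # copy the contents, then truncate the original in place
            cp "$log" "$rotated"
            : > "$log"
            ;;
        *) exec 3>&-; rm -rf "$dir"; return 2 ;;
    esac

    # The writer never reopened the path, so fd 3 still points at the same inode.
    echo '{"event":"after-rotation"}' >&3
    exec 3>&-

    if grep -q after-rotation "$rotated"; then
        echo rotated
    elif grep -q after-rotation "$log"; then
        echo live
    else
        echo lost
    fi
    rm -rf "$dir"
}

printf 'rename:       %s\n' "$(rotate_demo rename)"
printf 'copytruncate: %s\n' "$(rotate_demo copytruncate)"
```

The demo does not exercise the copy-then-truncate window quoted from the logrotate docs; events written inside that window are the ones at risk with copytruncate.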

Hey, thank you for your quick response and recommended workarounds. We would really appreciate the implementation of handling the SIGHUP signal for logging in the future.

Breisi, Jul 06 '23 13:07