CEPH logs are writable by group which is not "root"

Raymond Burns

Member
Apr 2, 2013
333
3
18
Houston, Texas, United States
After my upgrade following the wiki, all of the ownership permissions were changed to "ceph" user.
Now I have tons of emails daily with the following errors

Code:
/etc/cron.daily/logrotate:
error: ceph.logrotate:1 duplicate log entry for /var/log/ceph/ceph.audit.log
error: skipping "/var/log/ceph/ceph.audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-mon.6.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.0.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.110.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.113.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.114.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.115.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.116.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.117.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.118.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ceph/ceph-osd.admin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
run-parts: /etc/cron.daily/logrotate exited with return code 1

Any ideas on what I need to do to stop the emails?
Possible issues this may cause?
 
you probably have an old, buggy, leftover logrotate snippet lying around:
Code:
error: ceph.logrotate:1 duplicate log entry for /var/log/ceph/ceph.audit.log
 
In my case, some old nodes have the files /etc/logrotate.d/ceph and /etc/logrotate.d/ceph.logrotate
I just remove the file /etc/logrotate.d/ceph from this old nodes and the problem was fixed.
 
Yesterday i did an apt-get update && apt-get dist-upgrade on my nodes pve-4.4-13 now pve-4.4-18 and got the same error.
Code:
error: ceph.logrotate:1 duplicate log entry for /var/log/ceph/ceph.audit.log
i have tow ceph logrotate files
-rw-r--r-- 1 root root 228 Oct 4 17:18 ceph-common.logrotate
-rw-r--r-- 1 root root 228 Mar 7 2017 ceph.logrotate
can i remove the older one?
 
yes. seems like that cleanup fix was still not backported to Jewel :-/