
Nginx Problem with logrotate (and solution)

Discussion in 'Beta release code' started by wmtech, Jun 6, 2025.

  1. wmtech

    wmtech Active Member

    On version 9 (and probably 10 also) OSs (Alma, Rocky, etc.), the logrotate systemd unit file is hardened with
    Code (Text):
    ProtectSystem=full
    



    This creates a problem with the default centminmod setup, where logs in /usr/local/nginx/logs need to be rotated.

    "ProtectSystem=full" mounts /usr, /boot, /efi and /etc read-only for all processes invoked by this unit (logrotate).

    When logrotate runs and needs to handle a file in "/usr/local/nginx/logs" it fails, stops and creates the error
    Code (Text):
    logrotate: error: unable to handle /usr/local/nginx/logs/error.log: Read-only file system
    


    It has to be started manually after that and will fail again when the next run gets to that log file.

    The solution is to either comment out
    Code (Text):
    #ProtectSystem=full
    

    in "/lib/systemd/system/logrotate.service" OR to add that entry into the file:
    Code (Text):
    ReadWritePaths=/usr/local/nginx/logs
    

    to allow processing logs in that directory.

    After that change you need to reload the daemon and restart logrotate:
    Code (Text):
    systemctl daemon-reload
    systemctl restart logrotate
    


    Hope this helps other people seeing the same problem.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Thanks for the bug report. Fixed in the latest 140.00beta01, 132.00stable and 131.00stable updates, which you can pull down via the command cmupdate, then run and exit the centmin.sh menu once.

    Manually you would need to remove your systemd service file edit first for your case.

    Folks only on EL9, like AlmaLinux/Rocky Linux 9, can also manually apply the fix via these steps:

    Code (Text):
    # Create drop-in directory
    mkdir -p /etc/systemd/system/logrotate.service.d/

    # Create override file
    cat > /etc/systemd/system/logrotate.service.d/centminmod.conf << 'EOF'
    [Service]
    ReadWritePaths=/usr/local/nginx/logs
    EOF

    # Reload and restart
    systemctl daemon-reload
    systemctl restart logrotate


    This should create an override file at /etc/systemd/system/logrotate.service.d/centminmod.conf with contents of
    Code (Text):
    [Service]
    ReadWritePaths=/usr/local/nginx/logs
    

    After the logrotate service restart, you should see the override file listed under Drop-In in the status command output
    Code (Text):
    systemctl status logrotate --no-pager -l

    It's normal to see status = Active: inactive (dead), since logrotate on EL9 runs on a timer, so it runs and exits after completion with code=exited, status=0/SUCCESS
    Code (Text):
    systemctl status logrotate --no-pager -l
    ○ logrotate.service - Rotate log files
         Loaded: loaded (/usr/lib/systemd/system/logrotate.service; static)
        Drop-In: /etc/systemd/system/logrotate.service.d
                 └─centminmod.conf
         Active: inactive (dead) since Sat 2025-06-07 16:55:35 UTC; 6s ago
    TriggeredBy: ● logrotate.timer
           Docs: man:logrotate(8)
                 man:logrotate.conf(5)
        Process: 3844376 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=0/SUCCESS)
       Main PID: 3844376 (code=exited, status=0/SUCCESS)
            CPU: 49ms

    This only applies to EL9+; EL8 (like AlmaLinux/Rocky Linux 8) and CentOS 7 don't have this.
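
Added example, not part of either post: a shell check that predicts whether a log directory is writable under a unit's ProtectSystem= and ReadWritePaths= settings, so other log locations can be audited before logrotate fails on them. The function names (under_prefix, sandbox_verdict, check_unit_dir) are hypothetical, and the example goes beyond the thread by also covering the ProtectSystem=yes and ProtectSystem=strict levels.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether logrotate can write to a
# log directory under a unit's ProtectSystem= / ReadWritePaths= settings.

# under_prefix PATH PREFIX: succeeds if PATH is PREFIX or lies beneath it.
under_prefix() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
    esac
    return 1
}

# sandbox_verdict PROTECT_SYSTEM RW_PATHS LOG_DIR
# RW_PATHS is space separated, as systemctl show prints it.
# Prints "writable" or "read-only".
sandbox_verdict() {
    sv_protect=$1 sv_rw=$2 sv_dir=$3
    # Trees that each ProtectSystem= level mounts read-only for the unit.
    case "$sv_protect" in
        yes|true) sv_ro="/usr /boot /efi" ;;
        full)     sv_ro="/usr /boot /efi /etc" ;;
        strict)   sv_ro="/" ;;   # simplification: /dev, /proc, /sys exemptions ignored
        *)        sv_ro="" ;;
    esac
    # A ReadWritePaths= entry covering the directory re-opens it for writing.
    for sv_p in $sv_rw; do
        sv_p=${sv_p#-}   # a leading "-" only means "ignore if missing"
        if under_prefix "$sv_dir" "$sv_p"; then echo writable; return 0; fi
    done
    for sv_p in $sv_ro; do
        if under_prefix "$sv_dir" "$sv_p"; then echo read-only; return 0; fi
    done
    echo writable
}

# check_unit_dir UNIT LOG_DIR: same verdict using the live unit's effective settings.
check_unit_dir() {
    sandbox_verdict \
        "$(systemctl show "$1" -p ProtectSystem --value)" \
        "$(systemctl show "$1" -p ReadWritePaths --value)" \
        "$2"
}

# Constructed sample values matching the thread: EL9 default, then with the drop-in.
sandbox_verdict full "" /usr/local/nginx/logs                       # read-only
sandbox_verdict full /usr/local/nginx/logs /usr/local/nginx/logs    # writable
```

On a live host, `check_unit_dir logrotate.service /usr/local/nginx/logs` reads the effective values, including any drop-in.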