From 837a35f52f49c8be4f64c950b95f5509ea3d07b1 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 17 Aug 2025 15:23:09 -0400 Subject: [PATCH] Fix logrotate duplicate entries error in privacy role MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The privacy role was creating logrotate configs that duplicated the default Ubuntu rsyslog logrotate rules, causing deployment failures with errors like 'duplicate log entry for /var/log/syslog'. Changes: - Disable default rsyslog logrotate config before applying privacy configs - Consolidate system log rotation into single config file - Add missingok flag to handle logs that may not exist on all systems - Remove forced immediate rotation that was triggering the error This ensures privacy-enhanced log rotation works without conflicts. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- README.md | 2 +- roles/privacy/tasks/log_rotation.yml | 15 ++++++++++++--- roles/privacy/templates/privacy-logrotate.j2 | 12 +++++++++--- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index aab1f93b..1199c5b5 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo ## Features -* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) +* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, MacOS, and Linux * Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 11 * Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients * Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required diff --git a/roles/privacy/tasks/log_rotation.yml b/roles/privacy/tasks/log_rotation.yml index bf39de03..a6c2d5f0 100644 --- a/roles/privacy/tasks/log_rotation.yml +++ b/roles/privacy/tasks/log_rotation.yml @@ -2,6 +2,16 @@ # Aggressive log rotation configuration for privacy # Reduces log retention time and implements more frequent rotation +- name: Check if default rsyslog logrotate config exists + stat: + path: /etc/logrotate.d/rsyslog + register: rsyslog_logrotate + +- name: Disable default rsyslog logrotate to prevent conflicts + command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled + when: rsyslog_logrotate.stat.exists + changed_when: rsyslog_logrotate.stat.exists + - name: Configure aggressive logrotate for system logs template: src: privacy-logrotate.j2 @@ -46,6 +56,5 @@ owner: root group: root -- name: Force immediate log rotation to apply new settings - command: /usr/sbin/logrotate -f /etc/logrotate.conf - changed_when: false +# Note: We don't force immediate rotation as it can cause conflicts +# The new settings will apply on the next scheduled rotation diff --git a/roles/privacy/templates/privacy-logrotate.j2 b/roles/privacy/templates/privacy-logrotate.j2 index 7c8a1a7c..d7469873 100644 --- a/roles/privacy/templates/privacy-logrotate.j2 +++ b/roles/privacy/templates/privacy-logrotate.j2 @@ -1,12 +1,17 @@ # Privacy-enhanced logrotate configuration # This configuration enforces aggressive log rotation for privacy # Generated by Algo VPN privacy role +# Replaces the default rsyslog logrotate configuration +# Main system logs (may not all exist on every system) /var/log/syslog /var/log/messages /var/log/daemon.log /var/log/debug /var/log/user.log +/var/log/mail.log +/var/log/mail.err +/var/log/mail.warn { # Rotate {{ privacy_log_rotation.rotate_count }} times before deletion rotate {{ privacy_log_rotation.rotate_count }} @@ -28,6 +33,9 @@ delaycompress {% endif %} + # Missing files are ok (not all systems have all logs) + missingok + # Don't rotate if empty notifempty @@ -40,8 +48,6 @@ # Execute after rotation postrotate # Send SIGHUP to rsyslog - if [ -f /var/run/rsyslogd.pid ]; then - kill -HUP `cat /var/run/rsyslogd.pid` - fi + /usr/bin/killall -HUP rsyslogd 2>/dev/null || true endscript } \ No newline at end of file