From 76f71d28f77327b5e74a3bda46aa60b35c2f1aea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Tue, 22 Mar 2022 12:02:32 +0100
Subject: [PATCH] feat: deploy service to move old SubApp logfiles from previous to log archive
---
files/etc/systemd/user/move_old_logs.timer | 6 ++++
files/move_old_logs.sh | 25 ++++++++++++++
handlers/main.yml | 3 ++
tasks/install_move_logs.yml | 29 ++++++++++++++++
tasks/main.yml | 4 +++
.../etc/systemd/user/move_old_logs.service.j2 | 33 +++++++++++++++++++
6 files changed, 100 insertions(+)
create mode 100644 files/etc/systemd/user/move_old_logs.timer
create mode 100644 files/move_old_logs.sh
create mode 100644 tasks/install_move_logs.yml
create mode 100644 templates/etc/systemd/user/move_old_logs.service.j2
diff --git a/files/etc/systemd/user/move_old_logs.timer b/files/etc/systemd/user/move_old_logs.timer
new file mode 100644
index 0000000..f0b9b83
--- /dev/null
+++ b/files/etc/systemd/user/move_old_logs.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=timer for move_old_logs.service
+[Timer]
+# run once a year, on the 1st of January at 05:00:00am.
+OnCalendar=*-1-1 05:00:00
+Unit=move_old_logs.service
diff --git a/files/move_old_logs.sh b/files/move_old_logs.sh
new file mode 100644
index 0000000..141043f
--- /dev/null
+++ b/files/move_old_logs.sh
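Review bot: The timer unit has no `[Install]` section, so the `enabled: true` that tasks/install_move_logs.yml applies to `move_old_logs.timer` has nothing to act on and systemd refuses to enable the unit; append `[Install]` / `WantedBy=timers.target`. `OnCalendar=` on its own also drops a run entirely when the host happens to be down at 05:00 on 1 January, and the next chance is a year later; `Persistent=true` under `[Timer]` makes systemd catch up the missed run at the next boot, which is harmless here because the script is written to re-scan every year from 2015 on each invocation.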
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# This script is intended to be run regularly and move logfiles from previous
+# years to an archive directory. Logfiles from the current year are NOT moved,
+# so they can be easily found.
+
+START_YEAR="2015"
+CURRENT_YEAR="$( date +%Y )"
+PREVIOUS_YEAR="$(( CURRENT_YEAR - 1 ))"
+
+cd "/var/log/subapp/${HOSTNAME}/" || exit 1
+
+# create directories for old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+ mkdir -p "old/${YEAR}"
+done
+
+# move all old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+ mv "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}*.log" "old/${YEAR}/"
+ mv "Protokoll_SLUBArchiv_FEHLER-${YEAR}*.log" "old/${YEAR}/"
+ mv "sips.log.${YEAR}-*.lz" "old/${YEAR}/"
+ mv "subapp.log.${YEAR}-*.lz" "old/${YEAR}/"
+ mv "webservice.log.${YEAR}-*.lz" "old/${YEAR}/"
+done
diff --git a/handlers/main.yml b/handlers/main.yml
index 18dca89..d6cd015 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -42,3 +42,6 @@ - name: create PIDfiles command: systemd-tmpfiles --create +- name: daemon-reload + systemd: + daemon_reload: true
diff --git a/tasks/install_move_logs.yml b/tasks/install_move_logs.yml
new file mode 100644
index 0000000..2998513
--- /dev/null
+++ b/tasks/install_move_logs.yml
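Review bot: Both `for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}` loops iterate exactly once over the single literal word `2015..<year>`, because brace expansion runs before parameter expansion and only applies to a literal `{a..b}`; no per-year directory is ever created. In the second loop the `*` sits inside the double quotes, so `mv` looks for a file literally named `…-${YEAR}*.log` and fails for every pattern, and with no `set -e` the unit still exits 0, so the timer reports success while nothing is moved. Generate the year range with `seq` (or a C-style `for`), keep the glob outside the quotes, and enable `nullglob` so a year with no matching files is skipped instead of passing the unexpanded pattern to `mv`; the two loops can then be folded into one.
```shell
set -euo pipefail
shopt -s nullglob  # a pattern with no match expands to nothing instead of itself
# … unchanged: START_YEAR / CURRENT_YEAR / PREVIOUS_YEAR and the cd …

# create the per-year archive directory and move that year's logs into it
for YEAR in $(seq "${START_YEAR}" "${PREVIOUS_YEAR}"); do
  mkdir -p "old/${YEAR}"
  for file in "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}"*.log \
              "Protokoll_SLUBArchiv_FEHLER-${YEAR}"*.log \
              "sips.log.${YEAR}-"*.lz \
              "subapp.log.${YEAR}-"*.lz \
              "webservice.log.${YEAR}-"*.lz; do
    mv -- "${file}" "old/${YEAR}/"
  done
done
```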
@@ -0,0 +1,29 @@
+---
+- name: install timer and script for moving old logs to archive
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "/{{ item.path }}"
+ mode: "{{ item.mode }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default('root') }}"
+ loop:
+ - path: "etc/systemd/user/move_old_logs.timer"
+ mode: "0644"
+ - path: "usr/local/bin/move_old_logs.sh"
+ mode: "0755"
+ notify: daemon-reload
+
+- name: install service for moving old logs to archive
+ ansible.builtin.template:
+ src: "etc/systemd/user/move_old_logs.service.j2"
+ dest: "/etc/systemd/user/move_old_logs.service"
+ mode: 0755
+ owner: "root"
+ group: "root"
+ notify: daemon-reload
+
+- name: enable timer for moving old logs to archive
+ ansible.builtin.systemd:
+ name: "move_old_logs.timer"
+ state: started
+ enabled: true
diff --git a/tasks/main.yml b/tasks/main.yml
index fd82728..192bd59 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,6 +65,10 @@ import_tasks: "install_ta_tools.yml" tags: [ta, apt] +- name: install scripts and services for moving old logs to archive + import_tasks: "install_move_logs.yml" + tags: [log, cleanup] + - name: cleanup remainders of METS-based SubApp import_tasks: cleanup_legacy.yml tags: [cleanup]
diff --git a/templates/etc/systemd/user/move_old_logs.service.j2 b/templates/etc/systemd/user/move_old_logs.service.j2
new file mode 100644
index 0000000..86f890d
--- /dev/null
+++ b/templates/etc/systemd/user/move_old_logs.service.j2
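Review bot: The timer and service are installed under `/etc/systemd/user/`, the directory for per-user manager units, while the `daemon-reload` handler and the `ansible.builtin.systemd` task here address the system manager (no `scope: user`), so `state: started` / `enabled: true` will not find `move_old_logs.timer`, and `User=`/`Group=` in the service template are meaningless to a user manager anyway; the destination for the copy loop item, the template `dest`, and the source trees in the timer and service hunks should be `/etc/systemd/system/`. The loop's `src: "usr/local/bin/move_old_logs.sh"` resolves to `files/usr/local/bin/move_old_logs.sh`, but the commit adds the script as `files/move_old_logs.sh`, so the copy task fails; give the loop items separate `src` and `dest` keys (e.g. `src: "move_old_logs.sh"`, `dest: "/usr/local/bin/move_old_logs.sh"`) and use those in the task. `mode: 0755` on the template task is an unquoted octal, unlike the quoted `"0644"` a few lines up, and a unit file need not be executable: `mode: "0644"`.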
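Review bot: The new import is tagged `tags: [log, cleanup]`, so a run limited to `--tags cleanup` (the tag the `cleanup_legacy.yml` import below already uses for removing the old SubApp) now also installs and starts the log-archiving timer. If that coupling is not intended, reduce it to `tags: [log]`; if it is, a one-line comment above the task stating why it belongs to `cleanup` would make the choice explicit.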
@@ -0,0 +1,33 @@
+[Unit]
+Description=move_old_logs.sh
+After=remote-fs.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/move_old_logs.sh
+User={{ vault_subapp_user }}
+Group={{ vault_subapp_group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target
-- GitLab
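Review bot: `ProtectSystem=strict` mounts the entire file system read-only for this service except the `/dev`, `/proc` and `/sys` API trees, and no `ReadWritePaths=` is set, so the `mkdir -p` and `mv` under `/var/log/subapp/…` that `ExecStart=` performs fail on every run; add `ReadWritePaths=/var/log/subapp` directly below `ProtectSystem=strict` so the hardening stays in place and only the log tree is writable. `Type=simple` for a script that runs to completion means activation is reported successful as soon as the process is forked, so a failing move is invisible in `systemctl status`; `Type=oneshot` makes the unit's result reflect the script's exit status. The `[Install]` section with `WantedBy=multi-user.target` is not needed for a timer-triggered service, and enabling the service itself would additionally run it at every boot.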