NGINX Container Log Rotation Strategy

rudijs · April 7, 2015, 10:29am

Hi,

I may upgrade this post to my blog but before I do it would be great to hear any feedback on this subject.

I’m using an NGINX container which exposes /var/log/nginx as a volume and a Logstash container which uses this volume processes the logs into Elasticsearch.

So that’s all well and good.

What’s happening then is the logging is being done inside the container, not by a volume mounted from the host system.

Not wanting the container size to bloat due to the logs, I need them to rotate and be pruned.

NGINX installs with a logrotate conf file and for it to work all that it needs is cron.

So the container is running two processes:

NGINX
Cron

So in the Dockerfile instead of:

CMD ["nginx"]

I use a start script:

CMD ["/etc/init.d/docker-start.sh"]

Which simply starts cron, which in turn enables NGINX log rotation, and starts NGINX.

#!/bin/sh

#includes lsb functions
. /lib/lsb/init-functions

# Start cron for needed regular logrotate
CRON=`which cron`
log_daemon_msg "Starting ${CRON}"
$CRON

# Start NGINX
log_daemon_msg "Starting NGINX"
nginx
```

I don't actually have this in production only development.

I know best practice is to have a single running process inside a docker container, however, in this case, two processes seems to be a good fit.

Using the two containers this way is very portable and just drops onto the host without any "external" configuration (ie. host mounted volumes).

How does this approach grab you?

Makes good sense?

Total craziness?

Any and all feedback very much appreciated.

Cheers.

saching · April 30, 2015, 12:20pm

In my case, I am using host volume to store Nginx logs and only Nginx image to start container.
Trying to figure out how to rotate Nginx logs.

rufus · May 5, 2015, 1:59am

Have you seen the new --log-driver options in Docker Enginer 1.6?
http://docs.docker.com/reference/run/#logging-drivers-log-driver

samsaffron · May 5, 2015, 6:23am

one concern with your strategy is that you are using cron vs anacron, if you deploy daily it can leave you in a bit of a bind as your daily/weekly and so on may never hit.

in discourse docker we use anacron/cron

github.com

discourse/discourse_docker/blob/master/templates/web.template.yml#L192-L207


      (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
     fi


- file:
   path: /usr/local/bin/rake
   chmod: +x
   contents: |
     #!/bin/bash
     (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")


- file:
   path: /etc/update-motd.d/10-web
   chmod: +x
   contents: |
     #!/bin/bash
     echo

if you are launching nginx by simply running nginx I am uncertain you will reopen files after a rotation you need to review the logrotate file, I think it counts on nginx being launched via init.d.

@rufus I am curious to see if the log driver can do the trick here, one concern with nginx is that it it piping to 2 log files (errors and access) so somehow we would need to capture that on the other end.

rudijs · May 5, 2015, 7:17am

@sam nice tip on cron vs. anacron, I’ll be following up on that.

With the current setup I’ve described, the logs are inside the container so with each deploy the logs are blown away with the container.

Log rotation is there really just to prevent the container size blowing out.

I’m also running a logstash shipper inside the container (which I did not mention) so the log entries are sent off in real time to a logstash server.

samsaffron · May 5, 2015, 7:35am

Definately check that it is properly sending the signal to NGINX on rotation, we has so many issues with 0 sized access.log files cause the USR1 did not get through to NGINX.