Logrotate fails when persistence is not enabled in the Helm chart deployment #249

@badnetmask

I don't have persistence enabled in my Helm chart deployment because I don't need it, but because of that, the pod mounts an emptyDir which is created with 777 permissions, which logrotate does not like, so I get an error message every single day:

/etc/cron.daily/logrotate:
error: skipping "/var/log/alternatives.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
(...)
run-parts: /etc/cron.daily/logrotate exited with return code 1

The fix for this, in my case, was to set a postStart command in the Helm values:

  lifecycle:
    postStart:
      exec:
        command:
          - /bin/sh
          - -c
          - chmod 755 /var/log

I have two possible suggestions for improvement, which I think you would be in a better position to decide, depending on your project objectives. I believe either one should be fine.

a) Simply document the fix as a comment in values.yaml:

lifecycle:
  # postStart hook to run after container starts
  # When persistence is disabled (persistence.enabled: false), the chart
  # automatically fixes /var/log permissions (chmod 755) to prevent
  # logrotate errors with emptyDir volumes. You can add additional commands
  # here which will run AFTER the automatic permission fix.
  postStart: {}
  # Example:
  #   postStart:
  #     exec:
  #       command:
  #         - /bin/sh
  #         - -c
  #         - chmod 755 /var/log

OR

b) Patch the file statefulset.yaml to add the fix and merge whatever the user passes as postStart:

    lifecycle:
      # If a container has a preStop hook configured, that runs before the
      # container enters the Terminated state.
      preStop:
        exec:
          command:
            - bash
            - -c
            - touch /tmp/container_is_terminating && while ! [[ "`mailq`" == *empty* ]]; do echo "Flushing queue..." && postfix flush; sleep 1; done; killall5 -15 supervisord
      {{- if or .Values.lifecycle.postStart (not .Values.persistence.enabled) }}
      postStart:
        exec:
          command:
            - /bin/sh
            - -c
            - |
              {{- if not .Values.persistence.enabled }}
              # Fix /var/log permissions when using emptyDir (persistence disabled)
              chmod 755 /var/log
              {{- end }}
              {{- if .Values.lifecycle.postStart.exec }}
              # User-provided postStart commands
              {{ join "\n" .Values.lifecycle.postStart.exec.command | nindent 20 }}
              {{- end }}
      {{- end }}

I probably have my nindent incorrect, but I hope you get the idea.

Thank you.
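
The condition logrotate reports in the error above (parent directory world-writable, or writable by a group other than root) can be tested before the `chmod` is applied, so the hook only changes the directory when it needs to. This is an added example, not part of the original issue or the chart's own code; it assumes GNU `stat -c`, and the function names `check_logdir` and `fix_logdir` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the chart).
# Assumption: GNU coreutils stat ("stat -c") is available in the container.

# check_logdir DIR
# Prints a verdict and returns 0 when DIR passes the condition quoted in the
# logrotate error, 1 when it is insecure, 2 when it cannot be inspected.
check_logdir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    # %a = octal permission bits, %g = numeric group id of the owner group
    perms=$(stat -c '%a %g' "$dir") || return 2
    mode=${perms% *}
    gid=${perms#* }
    other=$(( $mode % 10 ))        # last octal digit: permissions for "other"
    group=$(( $mode / 10 % 10 ))   # middle octal digit: permissions for group
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "insecure: world-writable (mode $mode)"
        return 1
    fi
    if [ $(( group & 2 )) -ne 0 ] && [ "$gid" -ne 0 ]; then
        echo "insecure: writable by non-root group $gid (mode $mode)"
        return 1
    fi
    echo "ok (mode $mode)"
}

# fix_logdir DIR
# Tightens DIR to 755 only when the check fails, so the step is safe to rerun
# (for example from a postStart hook), then verifies the result.
fix_logdir() {
    if check_logdir "$1" >/dev/null; then
        return 0
    fi
    chmod 755 "$1" && check_logdir "$1" >/dev/null
}

# Usage inside the container: fix_logdir /var/log
```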
