[Pacemaker] Cluster failure with mod_security using rotatelogs
Tim Serong
tserong at novell.com
Mon Oct 11 01:31:07 UTC 2010
On 10/11/2010 at 10:17 AM, Markus Schlup <markus at qbik.ch> wrote:
> Hi all
>
> I'm running a cluster-based Apache reverse proxy with the mod_security
> module. I would like to rotate the logfiles with rotatelogs as follows:
>
> CustomLog "|/usr/sbin/rotatelogs -l /var/log/httpd/access_log.%Y-%m-%d 86400" common
>
> And especially the mod_security log with
>
> SecAuditLog "|/usr/sbin/rotatelogs -l /var/log/httpd/modsec_audit_log.%Y-%m-%d 86400"
>
> As soon as I change the mod_security log to this (instead of just using
> "SecAuditLog /var/log/httpd/modsec_audit_log") the resource does not
> start anymore.
>
> When trying to debug and start the apache resource by hand with
>
> OCF_ROOT=/usr/lib/ocf OCF_RESKEY_configfile=/etc/httpd/conf/httpd.conf OCF_RESKEY_statusurl=http://localhost:80/server-status sh -x /usr/lib/ocf/resource.d/heartbeat/apache start
>
> it stops after
>
> ...
> + for p in '"$PORT"' '"$Port"' 80
> + CheckPort 80
> + ocf_is_decimal 80
> + case "$1" in
> + true
> + '[' 80 -gt 0 ']'
> + PORT=80
> + break
> + echo 127.0.0.1:80
> + grep :
> + '[' Xhttp://localhost:80/server-status = X ']'
> + test /etc/httpd/run/httpd.pid
> + : OK
> + case $COMMAND in
> + start_apache
> + silent_status
> + '[' -f /etc/httpd/run/httpd.pid ']'
> + : No pid file
> + false
> + ocf_run /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
> ++ /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
>
> The resource is in fact started but the command does not finish - so I
> guess that's the reason why the cluster fails in this setup ... strangely
> enough using the rotatelogs directives for the Apache error and access
> logs is not an issue and works as expected.
>
> Does someone know how to fix that problem?

I've not seen that before, but, just to rule out one possibility... What
happens if you just run:

  /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf

Does that ever return?  If no, I'd suggest apache is broken.  If yes,
I'd start pointing my finger towards ocf_run or the RA.

HTH,

Tim

--
Tim Serong <tserong at novell.com>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
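
Added example, not part of the original message or of the resource agent: a shell version of the comparison suggested above, timing a start command run directly and again with its output captured in a command substitution. The capture wrapper is an assumed, simplified stand-in for ocf_run, and FAKE_START is a constructed stand-in for httpd whose background child keeps the inherited stdout open.

```shell
#!/bin/sh
# Constructed stand-in for a daemon start command: it exits at once but
# leaves a background child that inherits its stdout/stderr (as a piped
# logger process might). For a real check, substitute the command from the
# thread, e.g. '/usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf'.
FAKE_START='sleep 4 & exit 0'

# check_direct LIMIT CMD: run CMD on its own, output discarded.
# Returns 0 if it came back within LIMIT seconds, 1 otherwise.
check_direct() {
    timeout "$1" sh -c "$2" >/dev/null 2>&1
    [ $? -ne 124 ]
}

# check_captured LIMIT CMD: run CMD inside a command substitution, the way
# an output-capturing wrapper is assumed to (simplified, not ocf_run itself).
# The substitution only ends when every holder of the pipe has closed it.
check_captured() {
    timeout "$1" sh -c 'out=$(sh -c "$1" 2>&1)' sh "$2" >/dev/null 2>&1
    [ $? -ne 124 ]
}

for mode in direct captured; do
    if "check_$mode" 2 "$FAKE_START"; then
        echo "$mode: returned"
    else
        echo "$mode: still waiting after 2s"
    fi
done
```

A command that returns in the direct check but not in the captured one matches the "if yes" branch of the reply: the start command itself finishes, and the wait happens in whatever is collecting its output.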