ops(init): ship logrotate config so /var/log/decnet can't fill the disk

Without rotation, the syslog listener and per-host collector grow /var/log/decnet/ without bound — a noisy attacker (or an active probe storm) fills the disk in hours on a small VPS. New deploy/logrotate.d/decnet caps at 7 daily rotations or 100 MiB, whichever comes first, and uses copytruncate because the ingester and forwarder hold the files open via Python and won't reopen on a rename rotation. Wire install / remove into `decnet init` and `decnet init --deinit` alongside the existing tmpfiles.d / polkit handling.
2026-04-27 21:26:13 -04:00
parent 5415e98458
commit 673bc5b819
3 changed files with 90 additions and 0 deletions
--- a/deploy/logrotate.d/decnet
+++ b/deploy/logrotate.d/decnet
@@ -0,0 +1,28 @@
+# /etc/logrotate.d/decnet — installed by `decnet init`.
+#
+# Without this, /var/log/decnet/ grows unbounded — the syslog listener writes
+# every forwarded worker line, the collector tails every container's stdout,
+# and a noisy attacker (or an active probe storm) can fill the disk in hours.
+# Bound to 7 daily rotations + size cap so a single bad day doesn't run away.
+#
+# Files we rotate:
+#   - decnet.log:  master ingest sink (DECNET_INGEST_LOG_FILE).
+#   - agent.log:   per-worker collector sink (DECNET_AGENT_LOG_FILE).
+#   - *.log:       any other component sink under /var/log/decnet/.
+#
+# `copytruncate` is required: the ingester / forwarder hold the file open via
+# Python and would otherwise keep writing to the deleted inode after rotation.
+# `notifempty` avoids spurious .1 files on quiet hosts.
+
+/var/log/decnet/*.log {
+    daily
+    rotate 7
+    maxsize 100M
+    copytruncate
+    missingok
+    notifempty
+    compress
+    delaycompress
+    su decnet decnet
+    create 0640 decnet decnet
+}