Rsyslog fills up /var/log/maillog with GBs in seconds in a CentOS 7 container

[andymwood]

I'm trying to set up an IMAP mail server in a Docker container running CentOS 7 and I'm encountering the problem as described in the title.

To reproduce use this Dockerfile:

FROM rsyslog/rsyslog_base_centos7
RUN yum -y install postfix maildrop dovecot
EXPOSE 25 110 143
COPY run.sh /run.sh
RUN chmod 755 /*.sh
RUN echo "maildrop:x:59:postfix" >> /etc/group
CMD /run.sh

and run.sh:

#!/bin/bash
rsyslogd
cd /etc/postfix
newaliases
for file in canonical \
		  	helo_access \
		  	relay_ccerts \
		  	relay \
		  	relocated \
		  	sender_canonical \
		  	transport \
		  	virtual
do
	postmap $file
done
postfix start
exec dovecot -F

And run with:

docker build -t mail .
docker run -d --name mail mail && sleep 5 && docker exec mail ls -hl /var/log/maillog

-rw------- 1 root root 2.5G Sep 25 07:54 /var/log/maillog

docker exec mail cat /var/log/messages

Sep 25 07:55:34 aa8628bbfcc6 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.33.0 try http://www.rsyslog.com/e/2442 ]
Sep 25 07:55:34 aa8628bbfcc6 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.33.0 try http://www.rsyslog.com/e/2222 ]
Sep 25 07:55:34 aa8628bbfcc6 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="http://www.rsyslog.com"] start

/var/log/maillog just keeps filling up very quickly, and the container is unusable. The problem didn't occur when I was using a CentOS 6 container.

I assume something's misconfigured somewhere. Can anyone help?

[rgerhards]

what is in your mail.log?

[andymwood]

Here's a sample

Sep 25 14:57:57 7175acb621a7 postfix/sendmail[10]: fatal: parameter inet_interfaces: no local interface found for ::1
Sep 25 14:57:57 7175acb621a7 postfix/postmap[12]: fatal: parameter inet_interfaces: no local interface found for ::1
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb621a7 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.33.0 try http://www.rsyslog.com/e/2442 ]
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb621a7 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.33.0 try http://www.rsyslog.com/e/2222 ]
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848606+00:00 7175acb621a7 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="http://www.rsyslog.com"] start
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848650+00:00 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb621a7 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.33.0 try http://www.rsyslog.com/e/2442 ]
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848660+00:00 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb621a7 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.33.0 try http://www.rsy
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848662+00:00 7175acb621a7 09-25T14:57:57.848606+00:00 7175acb621a7 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="http://www.rsyslog.com"] start
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848708+00:00 7175acb621a7 09-25T14:57:57.848650+00:00 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb621a7 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.33.0 try http://www.rsyslo
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848714+00:00 7175acb621a7 09-25T14:57:57.848660+00:00 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb621a7 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848715+00:00 7175acb621a7 09-25T14:57:57.848662+00:00 7175acb621a7 09-25T14:57:57.848606+00:00 7175acb621a7 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="http://www.rsyslog.com"] start
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848727+00:00 7175acb621a7 09-25T14:57:57.848708+00:00 7175acb621a7 09-25T14:57:57.848650+00:00 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb621a7 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848732+00:00 7175acb621a7 09-25T14:57:57.848714+00:00 7175acb621a7 09-25T14:57:57.848660+00:00 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb621a7 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you a
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848734+00:00 7175acb621a7 09-25T14:57:57.848715+00:00 7175acb621a7 09-25T14:57:57.848662+00:00 7175acb621a7 09-25T14:57:57.848606+00:00 7175acb621a7 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="ht
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848739+00:00 7175acb621a7 09-25T14:57:57.848727+00:00 7175acb621a7 09-25T14:57:57.848708+00:00 7175acb621a7 09-25T14:57:57.848650+00:00 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb621a7 rsyslogd: environment variable TZ is
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848741+00:00 7175acb621a7 09-25T14:57:57.848732+00:00 7175acb621a7 09-25T14:57:57.848714+00:00 7175acb621a7 09-25T14:57:57.848660+00:00 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb621a7 rsyslogd: command 'SystemLogSocketNam
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848749+00:00 7175acb621a7 09-25T14:57:57.848734+00:00 7175acb621a7 09-25T14:57:57.848715+00:00 7175acb621a7 09-25T14:57:57.848662+00:00 7175acb621a7 09-25T14:57:57.848606+00:00 7175acb621a7 rsyslogd:  [origin software="rsyslogd
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848753+00:00 7175acb621a7 09-25T14:57:57.848739+00:00 7175acb621a7 09-25T14:57:57.848727+00:00 7175acb621a7 09-25T14:57:57.848708+00:00 7175acb621a7 09-25T14:57:57.848650+00:00 7175acb621a7 09-25T14:57:57.848591+00:00 7175acb62
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848756+00:00 7175acb621a7 09-25T14:57:57.848741+00:00 7175acb621a7 09-25T14:57:57.848732+00:00 7175acb621a7 09-25T14:57:57.848714+00:00 7175acb621a7 09-25T14:57:57.848660+00:00 7175acb621a7 09-25T14:57:57.848602+00:00 7175acb62
Sep 25 14:57:57 7175acb621a7 09-25T14:57:57.848773+00:00 7175acb621a7 09-25T14:57:57.848749+00:00 7175acb621a7 09-25T14:57:57.848734+00:00 7175acb621a7
...
Sep 25 14:58:01 7175acb621a7 09-25T14:58:01.344371+00:00 7175acb621a7 09-25T14:58:01.344294+00:00 7175acb621a7 09-25T14:58:01.344217+00:00 7175acb621a7 09-25T14:58:01.344141+00:00 7175acb621a7 09-25T14:58:01.344063+00:00 7175acb621a7 09-25T14:58:01.343985+00:00 7175acb62
Sep 25 14:58:01 7175acb621a7 09-25T14:58:01.344374+00:00 7175acb621a7 09-25T14:58:01.344297+00:00 7175acb621a7 09-25T14:58:01.344219+00:00 7175acb621a7 09-25T14:58:01.344144+00:00 7175acb621a7 09-25T14:58:01.344065+00:00 7175acb621a7 09-25T14:58:01.343988+00:00 7175acb62
Sep 25 14:58:01 7175acb621a7 09-25T14:58:01.344377+00:00 7175acb621a7 09-25T14:58:01.344300+00:00 7175acb621a7 09-25T14:58:01.344222+00:00 7175acb621a7 09-25T14:58:01.344146+00:00 7175acb621a7 09-25T14:58:01.344068+00:00 7175acb621a7 09-25T14:58:01.343991+00:00 7175acb62
Sep 25 14:58:01 7175acb621a7 09-25T14:58:01.344380+00:00 7175acb621a7 09-25T14:58:01.344303+00:00 7175acb621a7 09-25T14:58:01.344225+00:00 7175acb621a7 09-25T14:58:01.344149+00:00 7175acb621a7 09-25T14:58:01.344071+00:00 7175acb621a7 09-25T14:58:01.343994+00:00 ...

[rgerhards]

aha! interesting! We will have a look asap, but it could take a small while...

[andymwood]

Just wondering if this issue is likely to be fixed soon? Or if there is a simple workaround?

Thanks.

[rgerhards]

Just wondering if this issue is likely to be fixed soon? Or if there is a simple workaround?

let me check - actually, there was very little demand for the containers and also nobody opted to help with maintaining them ... which in turns means I need to do this as well. My todo list is already too long ;-) Any help would really be appreciated. That said, I'll try to have a look either today or tomorrow.

[rgerhards]

ah, wait, this is not for one of our contains but more a general rsyslog config question (for a home-grown container)?

[andymwood]

I think so, yes. I'm simply adding a mail server to the container rsyslog_base_centos7 and accepting the default configuration for rsyslog.

[andymwood]

I've just diffed rsyslong.conf with a copy that comes with a normal CentOS 7 installation.

I've found if I delete the following lines, the problem seems to go away:

module(load="omstdout")
*.* :omstdout:

[rgerhards]

I guess you just don't see it in this case. What this does is send the log messages to stdout, where Docker picks them up by default. Do you use another pickup mechanism?

[andymwood]

I don't know anything about pickup mechanisms. I'm setting up and running the container exactly as described in the first post, so I assume I'm not using one.

Executing logger test inside the container is still recorded in /var/log/messages.

[rcmelendez]

Hi, I'm having the same issue in a docker container running CentOS 8. I pulled the image centos:centos8 from the Docker Hub and installed rsyslog per instructions in this Dockerfile. I also tried with the official image rsyslog/rsyslog_base_centos7 but the same happened.

As recommended here, I removed these lines from my rsyslog.conf file:

module(load="omstdout")
*.* :omstdout:

And the maillog file stopped filling up and I'm still able to see send messages in /var/log/messages.