I have got a Traefik instance runnig in Docker, and I have defined the access logs to be written to a file on a mounted directory.
After some weeks of working, it turns out that Traefik does not do any logfile rotation out of the box. There are some configurations that could do so, but I did not really get the hang of them, particularly since I wanted the logfiles to be rotated daily, logrotate style. So I learned how to do exactly that.
Logrotate Configuration
I have defined my Logrotate configuration file as follows:
/path/to/traefik/access.log {
daily
rotate 30
missingok
notifempty
postrotate
docker kill --signal="USR1" traefik
endscript
So what happens:
- The logfile should be rotated daily.
- I want to keep 30 old logfiles, or a month of logfile data.
- A note in between: I don’t do compression of the old logfiles. There is not so much going on that this would be important.
missingok: This states that it is fine if the file does not exist. This is actually a non-required statement here, as I know that the file exists.notifempty: Again a null statement, as I know that some monitoring requests happen multiple times a day. But should there not be any request a full day, then don’t rotate the file.- postrotate: This is the important thing here, I will discuss that in the next section.
The postrotate script
So my main problem was: Just renaming the file is pointless, as Traefik just continues writing the old file; they don’t use the filename but the file handle.
Thankfully, Traefik has provided for this case by defining a user-defined signal. I am just sending the USR1 signal to the Traefik Container, and everything is fine.
Using docker kill here first was a bit confusing for me, as I definitely did not want to kill the container. But turns out, this command does not directly kill the container, it instead sends the defined signal (which is SIGKILL or something like that by default) into the application. So we can reuse this concept to send some other signal too!
Logrotate in an own container
This is probably not relevant to you. I did not want to have Logrotate run on the host machine, so I need to run Logrotate in an own container. Turns out, this is not very hard.
My Dockerfile essentially looks like that:
FROM debian:12
RUN apt update && \
apt install -y logrotate cron &&
apt clean
# Install Docker
RUN apt install -y apt-transport-https ca-certificates \
curl gnupg2 software-properties-common && \
curl -fsSL https://download.docker.com/linux/debian/gpg \
| gpg --dearmor \
| tee /usr/share/keyrings/docker-archive-keyring.gpg > /dev/null && \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian bookworm stable" \
> /etc/apt/sources.list.d/docker.list && \
apt update && \
apt install -y docker-ce && \
apt clean
COPY logrotate-traefik /etc/logrotate.d/traefik
CMD ["cron", "-f"]
What happens in the container:
- Install Logrotat and Cron
- Install Docker. This is required, as the postrotate script invokes a Docker command. Let’s not discuss the security of the Docker Socket here; I realize the problem and I am willing to take the risk on this system.
- Copy the Logrotate file as defined above to the correct position
Now build this container and run it. Don’t forget to mount two things:
- The docker socket
/var/run/docker.sock. Otherwise the postrotae script won’t be able to run. - The directory with the Traefik logfile, obviously.