gravitational · vapopov · Jul 18, 2024 · Jun 21, 2024 · Jun 28, 2024 · Jun 29, 2024
diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx
@@ -705,7 +705,7 @@ It is recommended to set resource requests/limits for each container based on th
 |----------|--------------------------------------------------|
 | `string` | `cluster.local` |
 
-`global.clusterDomain` sets the the domain suffix used by the Kubernetes DNS service. 
+`global.clusterDomain` sets the the domain suffix used by the Kubernetes DNS service.
 This is used to resolve service names in the cluster.
 
 `values.yaml` example:
@@ -1527,6 +1527,23 @@ See the [Teleport config file reference](../../reference/config.mdx) for more de
     extraFields: ["timestamp", "level"]
   ```
 
+### `log.watch_log_file`
+
+| Type   | Default value | `teleport.yaml` equivalent    |
+|--------|---------------|-------------------------------|
+| `bool` | `false`       | `teleport.log.watch_log_file` |
+
+`log.watch_log_file` enables/disables the file shared logger's watching functionality to reopen the log file
+if it is renamed or removed. Must be used in conjunction with the output set as a file path.
+
+`values.yaml` example:
+
+  ```yaml
+  log:
+    output: /var/log/teleport.log
+    watch_log_file: true
+  ```
+
 ## `nodeSelector`
 
 | Type     | Default value |

diff --git a/examples/chart/teleport-cluster/.lint/log-extra.yaml b/examples/chart/teleport-cluster/.lint/log-extra.yaml
@@ -3,4 +3,5 @@ log:
   format: json
   level: DEBUG
   output: /var/lib/teleport/test.log
+  watch_log_file: true
   extraFields: ["level", "timestamp", "component", "caller"]
diff --git a/examples/chart/teleport-cluster/templates/auth/_config.common.tpl b/examples/chart/teleport-cluster/templates/auth/_config.common.tpl
@@ -62,6 +62,9 @@ teleport:
   log:
     severity: {{ $logLevel }}
     output: {{ .Values.log.output }}
+    {{- if .Values.log.watch_log_file }}
+    watch_log_file: {{ .Values.log.watch_log_file }}
+    {{- end }}
     format:
       output: {{ .Values.log.format }}
       extra_fields: {{ .Values.log.extraFields | toJson }}

diff --git a/examples/chart/teleport-cluster/templates/proxy/_config.common.tpl b/examples/chart/teleport-cluster/templates/proxy/_config.common.tpl
@@ -9,6 +9,9 @@ teleport:
   log:
     severity: {{ $logLevel }}
     output: {{ .Values.log.output }}
+    {{- if .Values.log.watch_log_file }}
+    watch_log_file: {{ .Values.log.watch_log_file }}
+    {{- end }}
     format:
       output: {{ .Values.log.format }}
       extra_fields: {{ .Values.log.extraFields | toJson }}

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
@@ -1283,6 +1283,7 @@ matches snapshot for log-extra.yaml:
             output: json
           output: /var/lib/teleport/test.log
           severity: DEBUG
+          watch_log_file: true
       version: v3
 matches snapshot for log-legacy.yaml:
   1: |

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
@@ -362,6 +362,7 @@ matches snapshot for log-extra.yaml:
             output: json
           output: /var/lib/teleport/test.log
           severity: DEBUG
+          watch_log_file: true
       version: v3
 matches snapshot for proxy-listener-mode-multiplex.yaml:
   1: |

diff --git a/examples/chart/teleport-kube-agent/.lint/log-extra.yaml b/examples/chart/teleport-kube-agent/.lint/log-extra.yaml
@@ -5,4 +5,5 @@ log:
   format: json
   level: DEBUG
   output: /var/lib/teleport/test.log
+  watch_log_file: true
   extraFields: ["level", "timestamp", "component", "caller"]
diff --git a/examples/chart/teleport-kube-agent/templates/_config.tpl b/examples/chart/teleport-kube-agent/templates/_config.tpl
@@ -21,6 +21,9 @@ teleport:
   log:
     severity: {{ $logLevel }}
     output: {{ .Values.log.output }}
+    {{- if .Values.log.watch_log_file }}
+    watch_log_file: {{ .Values.log.watch_log_file }}
+    {{- end }}
     format:
       output: {{ .Values.log.format }}
       extra_fields: {{ .Values.log.extraFields | toJson }}

diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap
@@ -1062,6 +1062,7 @@ matches snapshot for log-extra.yaml:
               output: json
             output: /var/lib/teleport/test.log
             severity: DEBUG
+            watch_log_file: true
           proxy_server: proxy.example.com:3080
         version: v3
     kind: ConfigMap
@@ -1188,6 +1189,7 @@ matches snapshot for pdb.yaml:
               output: json
             output: /var/lib/teleport/test.log
             severity: DEBUG
+            watch_log_file: true
           proxy_server: proxy.example.com:3080
         version: v3
     kind: ConfigMap

diff --git a/go.mod b/go.mod
@@ -84,6 +84,7 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.14.0
 	github.com/elimity-com/scim v0.0.0-20240320110924-172bf2aee9c8
 	github.com/evanphx/json-patch v5.9.0+incompatible
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/fsouza/fake-gcs-server v1.49.2
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/ghodss/yaml v1.0.0
@@ -325,7 +326,6 @@ require (
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect

diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod
@@ -129,6 +129,7 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect

diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
@@ -938,6 +938,8 @@ github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6
 github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=

diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod
@@ -174,6 +174,7 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect

diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum
@@ -1090,6 +1090,8 @@ github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6
 github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fsouza/fake-gcs-server v1.49.2 h1:fukDqzEQM50QkA0jAbl6cLqeDu3maQjwZBuys759TR4=
 github.com/fsouza/fake-gcs-server v1.49.2/go.mod h1:17SYzJEXRcaAA5ATwwvgBkSIqIy7r1icnGM0y/y4foY=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=

diff --git a/lib/config/configuration.go b/lib/config/configuration.go
@@ -26,6 +26,7 @@ import (
 	"crypto/x509"
 	"errors"
 	"io"
+	"io/fs"
 	"log/slog"
 	"maps"
 	"net"
@@ -71,6 +72,13 @@ import (
 	logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
+const (
+	// logFileDefaultMode is the preferred permissions mode for log file.
+	logFileDefaultMode fs.FileMode = 0o644
+	// logFileDefaultFlag is the preferred flags set to log file.
+	logFileDefaultFlag = os.O_WRONLY | os.O_CREATE | os.O_APPEND
+)
+
 // CommandLineFlags stores command line flag values, it's a much simplified subset
 // of Teleport configuration (which is fully expressed via YAML config file)
 type CommandLineFlags struct {
@@ -756,12 +764,12 @@ func applyLogConfig(loggerConfig Log, cfg *servicecfg.Config) error {
 	var w io.Writer
 	switch loggerConfig.Output {
 	case "":
-		w = os.Stderr
+		w = logutils.NewSharedWriter(os.Stderr)
 	case "stderr", "error", "2":
-		w = os.Stderr
+		w = logutils.NewSharedWriter(os.Stderr)
 		cfg.Console = io.Discard // disable console printing
 	case "stdout", "out", "1":
-		w = os.Stdout
+		w = logutils.NewSharedWriter(os.Stdout)
 		cfg.Console = io.Discard // disable console printing
 	case teleport.Syslog:
 		w = os.Stderr
@@ -779,14 +787,22 @@ func applyLogConfig(loggerConfig Log, cfg *servicecfg.Config) error {
 
 		logger.ReplaceHooks(make(log.LevelHooks))
 		logger.AddHook(hook)
+		// If syslog output has been configured and is supported by the operating system,
+		// then the shared writer is not needed because the syslog writer is already
+		// protected with a mutex.
 		w = sw
 	default:
-		// assume it's a file path:
-		logFile, err := os.Create(loggerConfig.Output)
+		// Assume this is a file path.
+		sharedWriter, err := logutils.NewFileSharedWriter(loggerConfig.Output, logFileDefaultFlag, logFileDefaultMode)
 		if err != nil {
-			return trace.Wrap(err, "failed to create the log file")
+			return trace.Wrap(err, "failed to init the log file shared writer")
+		}
+		w = logutils.NewWriterFinalizer[*logutils.FileSharedWriter](sharedWriter)
+		if loggerConfig.WatchLogFile {
+			if err := sharedWriter.RunWatcherReopen(); err != nil {
+				return trace.Wrap(err)
+			}
 		}
-		w = logFile
 	}
 
 	level := new(slog.LevelVar)
@@ -815,12 +831,6 @@ func applyLogConfig(loggerConfig Log, cfg *servicecfg.Config) error {
 		return trace.Wrap(err)
 	}
 
-	// If syslog output has been configured and is supported by the operating system,
-	// then the shared writer is not needed because the syslog writer is already
-	// protected with a mutex.
-	if len(logger.Hooks) == 0 {
-		w = logutils.NewSharedWriter(w)
-	}
 	var slogLogger *slog.Logger
 	switch strings.ToLower(loggerConfig.Format.Output) {
 	case "":

diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
@@ -539,6 +539,9 @@ type Log struct {
 	Severity string `yaml:"severity,omitempty"`
 	// Format defines the logs output format and extra fields
 	Format LogFormat `yaml:"format,omitempty"`
+	// WatchLogFile is used to close and re-open the log file by filesystem notification
+	// to react on rename or remove event, might be used in log rotation.
+	WatchLogFile bool `yaml:"watch_log_file,omitempty"`
 }
 
 // LogFormat specifies the logs output format and extra fields

diff --git a/lib/service/servicecfg/config.go b/lib/service/servicecfg/config.go
@@ -222,9 +222,11 @@ type Config struct {
 	// Log optionally specifies the logger.
 	// Deprecated: use Logger instead.
 	Log utils.Logger
+
 	// Logger outputs messages using slog. The underlying handler respects
 	// the user supplied logging config.
 	Logger *slog.Logger
+
 	// LoggerLevel defines the Logger log level.
 	LoggerLevel *slog.LevelVar