Problem: Log rotation for `opa.log` missing after updating Kelvin REST API

Knowledge Base Community
, , ,
1

Problem: Log Rotation for opa.log Missing After Updating Kelvin REST API to 2.0.0 on UCS 5.2-2

After updating a UCS 5.2-2 server and upgrading the Kelvin REST API from version 1.10.3 to 2.0.0, you noticed that the log rotation for opa.log is no longer functioning. Previously, the rotation was handled via logrotate inside the Docker container, and UCR variables for this configuration still exist:

/kelvin # ucr search opa
logrotate/opa/compress:
logrotate/opa/create:
logrotate/opa/missingok:
logrotate/opa/notifempty:
logrotate/opa/rotate/count: 30
logrotate/opa/rotate: daily

However, there is no corresponding configuration file in /etc/logrotate.d/:

/kelvin # ls -ls /etc/logrotate.d/
total 8
      4 -rw-r--r--    1 root     root           140 Jun 12  2024 acpid
      4 -rw-r--r--    1 root     root            43 Jul  6  2023 openrc

As a result, the opa.log file is not being rotated anymore.

Solution:

Your observation regarding the missing log rotation is correct and expected. No manual intervention is required. This behavior is the result of deliberate product changes implemented with the update.

The main reasons are as follows:

1. Removal of the OPA Service in Kelvin REST API 2.0.0

Starting with Kelvin REST API 2.0.0, the internal OPA (Open Policy Agent) service has been removed.
As a consequence, the associated opa.log file is no longer generated, and therefore, rotation is obsolete.
The existing UCR variables (logrotate/opa/*) inside the Docker container are now without function.

Reference:
UCS@school Kelvin REST API Changelog

2. Changed Docker Logging in UCS 5.2

With the introduction of UCS 5.2, the default Docker container logging behavior was modified. Logs are now forwarded to the host system’s journald service instead of being stored as separate JSON log files under /var/lib/docker/containers/.
This change replaces any container-specific logrotate mechanisms for standard log outputs.

Reference:
Univention Bugzilla – Bug 56058

3. Optional Logging Configuration

Although this specific case does not require any changes (since opa.log no longer exists), it is possible to restore the previous Docker logging behavior if needed for other use cases or troubleshooting.
Instructions for enabling the old /var/log/daemon.log logging can be found here:

Reference:
How to re-enable /var/log/daemon.log logging on UCS 5.2

Conclusion

The absence of opa.log rotation is the intended and correct behavior following the product update.
The system is operating as designed, and no further action is necessary.