Unverified Commit af051e9a authored by Maciej Delmanowski

Merge branch 'drybjed-journald-persistent-change'

parents b7e9fb34 84dded4d
Pipeline #146780572 failed with stages
in 209 minutes and 13 seconds
......@@ -36,7 +36,7 @@ New DebOps roles
- The :ref:`debops.journald` role can be used to manage the
:command:`systemd-journald` service, supports configuration of Forward Secure
Sealing and configures persistent storage of the log files. The role is
Sealing and can configure persistent storage of the log files. The role is
included by default in the :file:`common.yml` playbook.
- The :ref:`debops.dpkg_cleanup` role can create :command:`dpkg` hooks that
......
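Review bot: The reworded entry ("can configure persistent storage of the log files") does not tell the reader that persistent storage is no longer turned on by the role unless :file:`/var/log/journal/` already exists, and that Forward Secure Sealing now depends on it. Since the role is "included by default in the :file:`common.yml` playbook", a reader of this entry could still assume sealed, persistent logs on every host. Suggest adding one sentence stating that persistent storage is only kept where it is already in use, and that Forward Secure Sealing is configured only in that case.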
......@@ -49,9 +49,17 @@ journald__storage: 'auto'
# Set the desired state of the persistent journal storage directory
# (:file:`/var/log/journal/`). If set to ``absent``, the directory will be
# removed by the role.
#
# By default the role will not enable persistent journal if the
# :file:`/var/log/journal/` directory is not already present, but it will be
# kept persistent if it is used. This is due to slow :command:`journalctl` and
# :command:`systemctl` command operation with large persistent journals.
# See https://github.com/systemd/systemd/issues/2460 for more details.
journald__persistent_state: '{{ "absent"
if (journald__storage == "none")
else "present" }}'
else ("present"
if (ansible_local.journald.persistent|d())|bool
else "absent") }}'
# ]]]
# ]]]
# Forward Secure Sealing [[[
......
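Review bot: In the new ``else`` branch of ``journald__persistent_state``, a missing ``ansible_local.journald.persistent`` fact falls through ``d()`` and ``bool`` to ``"absent"``, and the comment at the top of this hunk says that state makes the role remove :file:`/var/log/journal/`. On a host that already has a persistent journal but where the local fact has not yet been installed or re-gathered, that default would delete existing logs, so please confirm the fact is in place before this variable is first evaluated, or make the missing-fact case leave the directory untouched. The expression also special-cases only ``journald__storage == "none"``; if the variable accepts journald's ``persistent`` storage value, that setting would still resolve to ``"absent"`` whenever the fact is false, and mapping it to ``"present"`` would avoid the contradiction. The new comment could also say how a user opts in, for example by setting ``journald__persistent_state`` to ``present``.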
......@@ -16,11 +16,11 @@ Getting started
Forward Secure Sealing
----------------------
The :ref:`debops.journald` role configures Forward Secure Sealing functionality
of the Journal by default. The verification keys are saved in the
:file:`secret/journald/fss/` directories on the Ansible Controller. The role
can be used in an "alternative" mode where Ansible checks the log integrity by
running the command:
When the persistent logs are enabled, the :ref:`debops.journald` role
configures Forward Secure Sealing functionality of the Journal by default. The
verification keys are saved in the :file:`secret/journald/fss/` directories on
the Ansible Controller. The role can be used in an "alternative" mode where
Ansible checks the log integrity by running the command:
.. code-block:: console
......
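Review bot: The new opening clause "When the persistent logs are enabled" leaves the opposite case undocumented in this section: the text does not say that hosts without :file:`/var/log/journal/` get no sealing, nor what the integrity check in the "alternative" mode does on such hosts. Suggest adding a sentence that names the variable controlling this (``journald__persistent_state``), states that Forward Secure Sealing is skipped when persistent storage is absent, and says whether verification keys are still written to :file:`secret/journald/fss/` in that case.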