So you can see that the real path should be examined for deleted (open and unlined) logs is /var/log/ and not /var/log/containers. The latter is only used to apply the logrotation over the bind-mounted host path. It cannot affect any host logs outside of /var/log/containers, so the change I5029a4b9c76268455812696290aaf82f1a0c2c23 needs to be partially discarded.
The change I5029a4b9c76268 455812696290aaf 82f1a0c2c23 had caused a regression so that
the filter is stopped working and matches nothing.
The postscript command is executed inside of the logrotate-crond container, like this way:
()[root@ 5c78303fb8c2 /]# /sbin/lsof -nPs +L1 +D /var/log/containers 2>&1 | awk '/\S+\s+ [0-9]+\ s.*\/var\ /log\/. *\(deleted\ )/ {print}' neutron/ server. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) glance/ api.log. 1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) keystone/ keystone. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) keystone/ keystone. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) httpd/keystone_ wsgi_admin_ access. log.1 (deleted) nova/nova- api-metadata. log.1 (deleted) neutron/ server. log.1 (deleted) neutron/ server. log.1 (deleted) neutron/ server. log.1 (deleted) neutron/ server. log.1 (deleted)
neutron-s 2572 neutron 5w REG 252,1 234 0 8419523 /var/log/
httpd 2862 root 10w REG 252,1 3287 0 549003 /var/log/
glance-ap 3026 glance 3w REG 252,1 131 0 29510206 /var/log/
httpd 3192 keystone 10w REG 252,1 3287 0 549003 /var/log/
httpd 3193 keystone 10w REG 252,1 3287 0 549003 /var/log/
httpd 3194 keystone 10w REG 252,1 3287 0 549003 /var/log/
httpd 3194 keystone 11w REG 252,1 2853 0 96570982 /var/log/
httpd 3195 keystone 10w REG 252,1 3287 0 549003 /var/log/
httpd 3195 keystone 11w REG 252,1 2853 0 96570982 /var/log/
httpd 3197 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3198 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3199 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3200 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3201 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3202 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3203 48 10w REG 252,1 3287 0 549003 /var/log/
httpd 3204 48 10w REG 252,1 3287 0 549003 /var/log/
nova-api- 3810 nova 3w REG 252,1 129 0 26281737 /var/log/
neutron-s 5129 neutron 5w REG 252,1 234 0 8419523 /var/log/
neutron-s 5130 neutron 5w REG 252,1 234 0 8419523 /var/log/
neutron-s 5131 neutron 5w REG 252,1 234 0 8419523 /var/log/
neutron-s 5132 neutron 5w REG 252,1 234 0 8419523 /var/log/
So you can see that the real path should be examined for deleted (open and unlined) logs is /var/log/ and not /var/log/ containers. The latter is only used to apply the logrotation over the bind-mounted host path. It cannot affect any host logs outside of /var/log/ containers, so the change I5029a4b9c76268 455812696290aaf 82f1a0c2c23 needs to be partially discarded.