CyberArk Conjur is released as an appliance and shipped as container images so that setup is fast and error-free.
The supported container runtimes are the following:
- Docker 20.10 or later
- Mirantis Container Runtime 20.10
- Podman 3.x, 4.x
While working on several Conjur environments in our labs and at customer sites, we noticed that log rotation (conjur, nginx, cluster, etc.) wasn't performed on Podman, while it was working correctly on Docker.
After some investigation with the beloved CyberArk support team, we found the solution:
The Conjur container needs to be re-created with the AUDIT_WRITE capability added:
podman run \
  ... \
  --cap-add AUDIT_WRITE \
  ... \
  registry.tld/conjur-appliance:12.9.0
To avoid some noise in the nginx logs, the following permission must also be set inside every Conjur container:
chmod 701 /opt/cyberark/dap/log/nginx
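To verify both settings on a Podman host after re-creating the container, a check like the following can be used. It is an added example, not part of the original post or CyberArk tooling; the container name argument and the availability of `stat` inside the appliance image are assumptions.

```shell
#!/bin/sh
# Added example (not CyberArk tooling): check the two settings from this post
# on a Podman host. Usage: sh check_conjur.sh <container-name>
NGINX_LOG_DIR=/opt/cyberark/dap/log/nginx   # path taken from the post

# Returns 0 if the capability list printed by `podman inspect` has AUDIT_WRITE.
has_audit_write() {
    for cap in $(printf '%s' "$1" | tr -d '[],'); do
        case "$cap" in CAP_AUDIT_WRITE|AUDIT_WRITE) return 0 ;; esac
    done
    return 1
}

# Prints one line per finding; returns the number of failed checks (0 = OK).
check_container() {
    name=$1
    failed=0
    # EffectiveCaps is what the running container actually holds.
    if ! caps=$(podman inspect --format '{{.EffectiveCaps}}' "$name"); then
        echo "ERROR: cannot inspect container '$name'"
        return 3
    fi
    if has_audit_write "$caps"; then
        echo "OK:   $name holds AUDIT_WRITE"
    else
        echo "FAIL: $name lacks AUDIT_WRITE; re-create it with --cap-add AUDIT_WRITE"
        failed=$((failed + 1))
    fi
    # Assumption: `stat` is available inside the appliance image.
    mode=$(podman exec "$name" stat -c '%a' "$NGINX_LOG_DIR" 2>/dev/null)
    if [ "$mode" = "701" ]; then
        echo "OK:   $NGINX_LOG_DIR mode is 701"
    else
        echo "FAIL: $NGINX_LOG_DIR mode is '${mode:-unknown}', expected 701"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Run only when a container name is supplied on the command line.
if [ -n "${1:-}" ]; then
    check_container "$1"
fi
```

Because the capability is fixed when the container is created, a FAIL on the first check means re-creating the container, while the second can be fixed in place with the `chmod` above.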
The CyberArk support team was great as usual in assisting us and working with us to find the solution.
These issues are now tracked in the CyberArk docs and should be addressed soon.
If you have the same issue, I recommend contacting CyberArk support to confirm whether this solution also applies to your environment.