Why is kill -HUP used in logrotate in RHEL? Is it necessary in all cases?

Question

I see for syslog logging, kill -HUP is used.

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

I understood that -HUP is used because daemons like syslog, when they catch the SIGHUP, will try to restart itself and thus all the openfiles will be refreshed.

I do not understand why they need to be refreshed.

If syslog does only appending new log to the log files, the open files would be in write mode. If that is the case, when the log switching happens and at some point when the old log file entry in the filesystem is removed, won't it be creating a new file automatically when it needs to append a new log line (as afterall syslog service is running as root)?

I think the difference is more in the understanding of w and u modes. I am unable to come to a quick conclusion on it.

Also, why use only kill -HUP, why not restarting the service. Will there be any difference?

Answer 1

Generally services keep the log files opened while they are running. This mean that they do not care if the log files are renamed/moved or deleted they will continue to write to the open file handled.

When logrotate move the files, the services keep writing to the same file.

Example: crond will write to /var/log/cron.log. Then logrotate will rename the file to /var/log/cron.log.1, so crond will keep writing to the open file /var/log/cron.log.1.

Sending the HUP signal to crond will force him to close existing file handle and open new file handle to the original path /var/log/cron.log which will create a new file.

The use of the HUP signal instead of another one is at the discretion of the program. Some services like php-fpm will listen to the USR1 signal to reopen it's file handle without terminating itself.

Answer 2

When you move a file, programs that had that file open still have the same file open at the new location, and would continue appending to the old log file. The kill -HUP doesn't necessarily make it restart itself (for syslog it does, but for e.g. a cron daemon that manages its own logs, it simply controls the log file itself), but may simply cause it to close the file and open the file by name, which is the important part for this script. Doing a hard restart of syslogd would also mean the syslog service is unavailable while the restart is happening, while using a signal that syslogd knows how to handle allows it to do whatever it needs for the "restart" to be transparent.