CyberArk Conjur is released as an appliance and distributed as container images to enable fast, error-free setup.

The supported container runtimes include:

  • Docker 20.10 or later
  • Mirantis Container Runtime 20.10
  • Podman 3.x, 4.x

While working with multiple Conjur environments in our labs and at customer sites, we noticed that log rotation (for Conjur, Nginx, cluster, etc.) did not function correctly on Podman, although it worked as expected on Docker.

After some investigation with the excellent CyberArk support team, we identified the solution:

The Conjur container needs to be re-created with the AUDIT_WRITE capability added:

podman run \
...
--cap-add AUDIT_WRITE \
...
registry.tld/conjur-appliance:12.9.0

To minimize noise in the Nginx logs, it is also necessary to set the following permission inside every Conjur container:

chmod 701 /opt/cyberark/dap/log/nginx
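To confirm both changes took effect after re-creating a container, the following check can be run on the Podman host. It is an added example, not code from CyberArk or from the original post. It assumes `cat` and `stat` are available inside the container image, and it relies on CAP_AUDIT_WRITE being bit 29 of the Linux capability mask; the two sample masks are constructed values for an offline self-check.

```shell
#!/bin/sh
# Added example: verify the two fixes from this article on a Podman host.
CAP_AUDIT_WRITE_BIT=29                      # CAP_AUDIT_WRITE in linux/capability.h
NGINX_LOG_DIR=/opt/cyberark/dap/log/nginx   # path given in the article
WANT_MODE=701                               # mode given in the article

# Print the hex bounding-set mask from /proc/<pid>/status text read on stdin.
capbnd_from_status() {
    awk '$1 == "CapBnd:" { print $2; exit }'
}

# Succeed if the hex capability mask in $1 has CAP_AUDIT_WRITE set.
has_audit_write() {
    [ $(( (0x$1 >> CAP_AUDIT_WRITE_BIT) & 1 )) -eq 1 ]
}

# Check one container by name; returns non-zero if either fix is missing.
check_container() {
    name=$1 rc=0
    mask=$(podman exec "$name" cat /proc/1/status | capbnd_from_status)
    if [ -n "$mask" ] && has_audit_write "$mask"; then
        echo "$name: AUDIT_WRITE present (CapBnd=$mask)"
    else
        echo "$name: AUDIT_WRITE missing, re-create with --cap-add AUDIT_WRITE"
        rc=1
    fi
    mode=$(podman exec "$name" stat -c '%a' "$NGINX_LOG_DIR")
    if [ "$mode" = "$WANT_MODE" ]; then
        echo "$name: $NGINX_LOG_DIR mode is $mode"
    else
        echo "$name: $NGINX_LOG_DIR mode is ${mode:-unknown}, expected $WANT_MODE"
        rc=1
    fi
    return "$rc"
}

# Constructed sample masks: one with bit 29 set, one without it.
SAMPLE_WITH=00000000a80425fb
SAMPLE_WITHOUT=00000000800405fb
```

Source the file and call `check_container <container-name>` once for each Conjur container on the host; a non-zero return means at least one of the two settings is still missing.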

The CyberArk support team was, as always, extremely helpful in assisting us and collaborating to find this solution. These issues are now documented in the CyberArk documentation and should be addressed in future updates.

If you experience the same issue, I recommend contacting CyberArk support to confirm whether this solution is applicable to your environment.