The logrotate ContainerLogger module runs as the agent's user. In most cases, this is root.
When logrotate is run as root, there is an additional check the configuration files must pass (because a root logrotate needs to be secured against non-root modifications to the configuration):
Log rotation will fail under the following scenario:
1) The agent is run with --switch_user (default: true)
2) A task is launched with a non-root user specified
3) The logrotate module spawns a few companion processes (as root) and this creates the stdout, stderr, stdout.logrotate.conf, and stderr.logrotate.conf files (as root). This step races with the next step.
4) The Mesos containerizer and Fetcher will chown the task's sandbox to the non-root user. Including the files just created.
5) When logrotate is run, it will skip any non-root configuration files. This means the files are not rotated.
Fix: The logrotate module's companion processes should call setuid and setgid.