import ipa-healthcheck-0.7-10.module+el8.6.0+14292+18b36d36

This commit is contained in:
CentOS Sources 2022-05-10 03:06:39 -04:00 committed by Stepan Oksanichenko
parent 0776009f20
commit 68342bf618
8 changed files with 542 additions and 1 deletions


@ -0,0 +1,71 @@
From 235198b41a0932a7a190124fff5f8c1afa5d6679 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 5 May 2021 15:35:19 -0400
Subject: [PATCH] Add service check dependencies
Since 389-ds is the heart of IPA there may not be a point in checking
all dependent services. ipa-dnskeysyncd in particular doesn't like
when it can't connect and tries to restart itself multiple times.
Note that this currently works because the services are sorted
alphabetically and dirsrv appears near the top. Re-ordering may be
necessary in the future.
I'm choosing not to add dirsrv to the other services because they
return cleanly if it is not available.
https://bugzilla.redhat.com/show_bug.cgi?id=1776687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/core/core.py | 20 ++++++++++++++++++++
src/ipahealthcheck/meta/services.py | 2 ++
2 files changed, 22 insertions(+)
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
index a4af690..eaa2d9c 100644
--- a/src/ipahealthcheck/core/core.py
+++ b/src/ipahealthcheck/core/core.py
@@ -81,6 +81,26 @@ def run_service_plugins(plugins, source, check):
if not isinstance(plugin, ServiceCheck):
continue
+ # Try to save some time to not check dependent services if the
+ # parent is down.
+ if not set(plugin.requires).issubset(available):
+ # A required service is not available. Either it hasn't been
+ # checked yet or it isn't running. If not running break.
+ running = True
+ for result in results.results:
+ if result.check in plugin.requires:
+ # if not in available but in results the service failed
+ running = False
+ break
+ if not running:
+ logger.debug(
+ 'Skipping %s:%s because %s service(s) not running',
+ plugin.__class__.__module__,
+ plugin.__class__.__name__,
+ ', '.join(set(plugin.requires) - set(available))
+ )
+ continue
+
logger.debug('Calling check %s', plugin)
for result in plugin.check():
# always run the service checks so dependencies work
diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py
index a987108..5d80728 100644
--- a/src/ipahealthcheck/meta/services.py
+++ b/src/ipahealthcheck/meta/services.py
@@ -92,6 +92,8 @@ class ipa_dnskeysyncd(IPAServiceCheck):
def check(self):
self.service_name = 'ipa-dnskeysyncd'
+ requires = ('dirsrv',)
+
if not bindinstance.named_conf_exists():
return ()
--
2.31.1
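Review bot: As rendered (indentation lost), the new `requires = ('dirsrv',)` in the services.py hunk sits inside `ipa_dnskeysyncd.check()` after `self.service_name`, where it is a plain local variable; the dependency test in the core.py hunk reads `plugin.requires` before `plugin.check()` is ever called, so only a class-level attribute can influence it and, as written, the skip never fires. If the line really is inside the method, move it to class scope: `class ipa_dnskeysyncd(IPAServiceCheck):` / `    requires = ('dirsrv',)`. The core.py loop also treats any entry in `results.results` for a required service as a failure regardless of that result's status, which the inline comment asserts but the surrounding code does not show; a short note on where `available` is populated would make that assumption checkable. Both `run_service_plugins` and `check()` continue past their hunks.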


@ -0,0 +1,82 @@
From eb377fed539e44194fb1ad822c0d4c6e9ea38d03 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 May 2021 13:26:00 -0400
Subject: [PATCH] Filter out the pki healthcheck sources if IPA CA is not
installed
The pki checks spew the error "Invalid PKI instance: pki-tomcat" so
we need to suppress them in the IPA CA-less installation case.
So if the IPA CA is not configured then don't register the
pki sources.
A side-effect is that to user the sources will not be listed at
all in this case.
This should not affect pki-healthcheck and it will continue to
return errors in the unconfigured case.
https://github.com/freeipa/freeipa-healthcheck/issues/201
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/core/core.py | 13 +++++++++++++
src/ipahealthcheck/ipa/plugin.py | 4 ++++
2 files changed, 17 insertions(+)
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
index eaa2d9c..a6b4fe8 100644
--- a/src/ipahealthcheck/core/core.py
+++ b/src/ipahealthcheck/core/core.py
@@ -281,6 +281,13 @@ class RunChecks:
if rval is not None:
return rval
+ # If we have IPA configured without a CA then we want to skip
+ # the pkihealthcheck plugins otherwise they will generated a
+ # lot of false positives. The IPA plugins are loaded first so
+ # which should set ca_configured in its registry to True or
+ # False. We will skip the pkihealthcheck plugins only if
+ # ca_configured is False which means that it was set by IPA.
+ ca_configured = False
for name, registry in find_registries(self.entry_points).items():
try:
registry.initialize(framework, config, options)
@@ -292,6 +299,12 @@ class RunChecks:
except Exception as e:
logger.error("Unable to initialize %s: %s" % (name, e))
continue
+ if hasattr(registry, 'ca_configured'):
+ ca_configured = registry.ca_configured
+ for name, registry in find_registries(self.entry_points).items():
+ if 'pkihealthcheck' in name and ca_configured is False:
+ logger.debug('IPA CA is not configured, skipping %s', name)
+ continue
for plugin in find_plugins(name, registry):
plugins.append(plugin)
diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py
index 67d93e5..debb1bb 100644
--- a/src/ipahealthcheck/ipa/plugin.py
+++ b/src/ipahealthcheck/ipa/plugin.py
@@ -35,6 +35,7 @@ class IPARegistry(Registry):
super(IPARegistry, self).__init__()
self.trust_agent = False
self.trust_controller = False
+ self.ca_configured = False
def initialize(self, framework, config, options=None):
super(IPARegistry, self).initialize(framework, config)
@@ -58,6 +59,9 @@ class IPARegistry(Registry):
logging.debug('Failed to connect to LDAP: %s', e)
return
+ ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host)
+ self.ca_configured = ca.is_configured()
+
# This package is pulled in when the trust package is installed
# and is required to lookup trust users. If this is not installed
# then it can be inferred that trust is not enabled.
--
2.31.1
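Review bot: In the plugin.py hunk, `self.ca_configured` is initialised to `False` in `__init__` and only updated after the LDAP connection succeeds, because the `return` on LDAP failure just above the added lines runs before `cainstance.CAInstance(...)` is constructed. Combined with the core.py hunk, which skips every `pkihealthcheck` registry when `ca_configured is False`, a CA-bearing server whose directory server is down silently drops the pki checks from the report, which is exactly when a health check matters. Initialise the registry attribute as `self.ca_configured = None` so that "not determined" stays distinct from "no CA", and let the LDAP-failure path leave it at `None`. Patch 0019 later in this commit changes only the core-side default, so the registry default still decides this case. `IPARegistry.initialize` continues past the hunk.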


@ -0,0 +1,117 @@
From d59a031264c5b30ce2686d2c2bd6d756b05ebcc8 Mon Sep 17 00:00:00 2001
From: root <root@ipa.example.test>
Date: Thu, 7 Oct 2021 18:02:30 -0400
Subject: [PATCH] Work with existing resolve_rrsets and newer
resolve_rrsets_nss
Up to freeipa 4.8.9 resolve_rrsets is used to look up the
ipa-ca values. After that, and in master, resovle_rrsets_nss
is used instead. Handle both in the DNS mock testing.
---
tests/test_ipa_dns.py | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/tests/test_ipa_dns.py b/tests/test_ipa_dns.py
index b6a9610..91b15c2 100644
--- a/tests/test_ipa_dns.py
+++ b/tests/test_ipa_dns.py
@@ -27,6 +27,15 @@ from ipaserver.dns_data_management import (
IPA_DEFAULT_ADTRUST_SRV_REC
)
+try:
+ # pylint: disable=unused-import
+ from ipaserver.install.installutils import resolve_rrsets_nss # noqa: F401
+ # pylint: enable=unused-import
+except ImportError:
+ resolve_rrsets_import = 'ipaserver.dns_data_management.resolve_rrsets'
+else:
+ resolve_rrsets_import = 'ipaserver.install.installutils.resolve_rrsets_nss'
+
def add_srv_records(qname, port_map, priority=0, weight=100):
rdlist = []
@@ -182,7 +191,7 @@ class TestDNSSystemRecords(BaseTest):
2. fake_query() overrides dns.resolver.query to simulate
A, AAAA and TXT record lookups.
"""
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_single(self, mock_query, mock_query_srv, mock_rrset):
@@ -217,7 +226,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.source == 'ipahealthcheck.ipa.idns'
assert result.check == 'IPADNSSystemRecordsCheck'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_two(self, mock_query, mock_query_srv, mock_rrset):
@@ -265,7 +274,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.source == 'ipahealthcheck.ipa.idns'
assert result.check == 'IPADNSSystemRecordsCheck'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_three(self, mock_query, mock_query_srv, mock_rrset):
@@ -323,7 +332,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.source == 'ipahealthcheck.ipa.idns'
assert result.check == 'IPADNSSystemRecordsCheck'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_three_mixed(self, mock_query, mock_query_srv,
@@ -379,7 +388,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.result == constants.SUCCESS
assert result.source == 'ipahealthcheck.ipa.idns'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_missing_server(self, mock_query, mock_query_srv,
@@ -445,7 +454,7 @@ class TestDNSSystemRecords(BaseTest):
for result in warn:
assert result.kw.get('msg') == 'Expected SRV record missing'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_missing_ipa_ca(self, mock_query, mock_query_srv,
@@ -516,7 +525,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.kw.get('count') == 2
assert result.kw.get('expected') == 3
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_extra_srv(self, mock_query, mock_query_srv,
@@ -586,7 +595,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.kw.get('msg') == \
'Unexpected SRV entry in DNS'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_bad_realm(self, mock_query, mock_query_srv,
@@ -626,7 +635,7 @@ class TestDNSSystemRecords(BaseTest):
assert result.kw.get('msg') == 'expected realm missing'
assert result.kw.get('key') == '\"FAKE_REALM\"'
- @patch('ipaserver.dns_data_management.resolve_rrsets')
+ @patch(resolve_rrsets_import)
@patch('ipapython.dnsutil.query_srv')
@patch('dns.resolver.query')
def test_dnsrecords_one_with_ad(self, mock_query, mock_query_srv,
--
2.27.0
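Review bot: The `try`/`except ImportError` in the tests/test_ipa_dns.py hunk selects the patch target by whether `resolve_rrsets_nss` imports, but `ImportError` is equally raised when `ipaserver.install.installutils` itself fails to import for an unrelated reason; the old `ipaserver.dns_data_management.resolve_rrsets` target is then chosen and every `@patch` fails at decoration time with an error that points nowhere near the real cause. Importing the module once and testing the attribute keeps the two failures apart: `from ipaserver.install import installutils` followed by `resolve_rrsets_import = ('ipaserver.install.installutils.resolve_rrsets_nss' if hasattr(installutils, 'resolve_rrsets_nss') else 'ipaserver.dns_data_management.resolve_rrsets')`. A one-line comment recording which freeipa version introduced the `_nss` variant (the message says after 4.8.9) would also help whoever removes the fallback later.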


@ -0,0 +1,96 @@
From 90f0b7c16c68d1dd876fc88b56b58c04bc565230 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Fri, 6 Nov 2020 15:18:33 +0300
Subject: [PATCH] tests: Generate a proper `not-valid-after` field
Some tests assume that the mocked certificate will be valid in N
days from now(). There was a hardcoded `not-valid-after` value
which pointed to 20201205214850Z. So, from Nov 06 2020 the assertion
20201205214850Z - now() < cert_expiration_days(30days) fails.
Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/159
Signed-off-by: Stanislav Levin <slev@altlinux.org>
---
tests/mock_certmonger.py | 18 ++++++++++++++++--
tests/test_ipa_expiration.py | 8 ++++++--
3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/tests/mock_certmonger.py b/tests/mock_certmonger.py
index ab53620..8fa4d36 100644
--- a/tests/mock_certmonger.py
+++ b/tests/mock_certmonger.py
@@ -3,6 +3,7 @@
#
import copy
+from datetime import datetime, timedelta, timezone
from ipaplatform.paths import paths
@@ -10,6 +11,8 @@ from ipaplatform.paths import paths
# distinct from the value from the overrident get_defaults() method.
template = paths.CERTMONGER_COMMAND_TEMPLATE
+CERT_EXPIRATION_DAYS = 30
+
pristine_cm_requests = [
{
'nickname': '1234',
@@ -20,7 +23,11 @@ pristine_cm_requests = [
'cert-storage': 'FILE',
'cert-presave-command': template % 'renew_ra_cert_pre',
'cert-postsave-command': template % 'renew_ra_cert',
- 'not-valid-after': 1024,
+ 'not-valid-after': (
+ int(
+ datetime(1970, 1, 1, 0, 17, 4, tzinfo=timezone.utc).timestamp()
+ )
+ ),
},
{
'nickname': '5678',
@@ -30,7 +37,14 @@ pristine_cm_requests = [
'template_profile': 'caIPAserviceCert',
'cert-storage': 'FILE',
'cert-postsave-command': template % 'restart_httpd',
- 'not-valid-after': 1607204930,
+ 'not-valid-after': (
+ int(
+ (
+ datetime.now(timezone.utc) +
+ timedelta(days=CERT_EXPIRATION_DAYS + 1)
+ ).timestamp()
+ )
+ ),
},
]
diff --git a/tests/test_ipa_expiration.py b/tests/test_ipa_expiration.py
index ff3564b..fb7105b 100644
--- a/tests/test_ipa_expiration.py
+++ b/tests/test_ipa_expiration.py
@@ -11,7 +11,11 @@ from ipahealthcheck.ipa.certs import IPACertmongerExpirationCheck
from ipahealthcheck.ipa.certs import IPACAChainExpirationCheck
from unittest.mock import Mock, patch
from mock_certmonger import create_mock_dbus, _certmonger
-from mock_certmonger import get_expected_requests, set_requests
+from mock_certmonger import (
+ get_expected_requests,
+ set_requests,
+ CERT_EXPIRATION_DAYS,
+)
from datetime import datetime, timedelta, timezone
@@ -67,7 +71,7 @@ class TestExpiration(BaseTest):
registry.initialize(framework, config.Config)
f = IPACertmongerExpirationCheck(registry)
- f.config.cert_expiration_days = '30'
+ f.config.cert_expiration_days = str(CERT_EXPIRATION_DAYS)
self.results = capture_results(f)
assert len(self.results) == 2
--
2.31.1
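Review bot: In the mock_certmonger.py hunk, `datetime(1970, 1, 1, 0, 17, 4, tzinfo=timezone.utc).timestamp()` evaluates to exactly 1024.0, so the five-line expression replaces the literal `1024` with an equivalent value that is harder to read; `'not-valid-after': 1024,  # 1970-01-01T00:17:04Z, long expired` says the same thing. The second entry is computed once at import time of the module, so its expiry is fixed relative to when the test process imported it rather than to each test's `now()`; that is fine for a short run but deserves a comment next to `CERT_EXPIRATION_DAYS`. The patch header reads `3 files changed` while only two files follow, which suggests a file was dropped during backporting; the diffstat should be regenerated to match.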


@ -0,0 +1,25 @@
From bfcf6c0ebe7522cdc7e0c4e3aee695752ea3f489 Mon Sep 17 00:00:00 2001
From: root <root@ipa.example.test>
Date: Thu, 7 Oct 2021 18:14:03 -0400
Subject: [PATCH] Fix the number of expected results in the fix file test
---
tests/test_core_files.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_core_files.py b/tests/test_core_files.py
index a4f25ac..8257f40 100644
--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
@@ -118,7 +118,7 @@ def test_files_not_found(mock_exists):
for type in ('mode', 'group', 'owner'):
my_results = get_results(results, type)
- assert len(my_results.results) == 4
+ assert len(my_results.results) == 2
for result in my_results.results:
assert result.result == constants.SUCCESS
assert result.kw.get('msg') == 'File does not exist'
--
2.27.0
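Review bot: The expected count in `test_files_not_found` drops from 4 to 2 with no rationale in the patch description, so a reader cannot tell whether the assertion or the set of checked files changed; presumably it follows from an earlier patch in this series (0012, which handles missing files in FileCheck), but that is inferred. A sentence in the description naming the change that altered the result count, or a comment on the assertion explaining where the 2 comes from, would make the test self-explaining. The function starts before the hunk.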


@ -0,0 +1,54 @@
From a63d5ac05157e689e99494661240d43d131c0e91 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 May 2021 13:19:41 -0400
Subject: [PATCH] Don't collect the CRLManager role if the CA is not configured
This was raising a false positive in the IPA CA-less case.
https://github.com/freeipa/freeipa-healthcheck/issues/201
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/ipa/roles.py | 2 ++
tests/test_ipa_roles.py | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/src/ipahealthcheck/ipa/roles.py b/src/ipahealthcheck/ipa/roles.py
index 0ff2269..aac7b80 100644
--- a/src/ipahealthcheck/ipa/roles.py
+++ b/src/ipahealthcheck/ipa/roles.py
@@ -25,6 +25,8 @@ class IPACRLManagerCheck(IPAPlugin):
"""
@duration
def check(self):
+ if not self.ca.is_configured():
+ return
try:
enabled = self.ca.is_crlgen_enabled()
except AttributeError:
diff --git a/tests/test_ipa_roles.py b/tests/test_ipa_roles.py
index 21c0069..7c4a2d1 100644
--- a/tests/test_ipa_roles.py
+++ b/tests/test_ipa_roles.py
@@ -48,6 +48,18 @@ class TestCRLManagerRole(BaseTest):
assert result.check == 'IPACRLManagerCheck'
assert result.kw.get('crlgen_enabled') is True
+ @patch('ipaserver.install.cainstance.CAInstance')
+ def test_crlmanager_no_ca(self, mock_ca):
+ """There should be no CRLManagerCheck without a CA"""
+ mock_ca.return_value = CAInstance(False)
+ framework = object()
+ registry.initialize(framework, config.Config)
+ f = IPACRLManagerCheck(registry)
+
+ self.results = capture_results(f)
+
+ assert len(self.results) == 0
+
class TestRenewalMaster(BaseTest):
def test_renewal_master_not_set(self):
--
2.31.1
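Review bot: The early `return` added to `IPACRLManagerCheck.check()` in roles.py makes the check produce nothing on a CA-less server, which the new test covers but the class docstring closing just above the hunk does not mention; add a line such as `On a server without a configured CA this check produces no result.` so an empty result set is read as intended rather than as a check that failed to run. `self.ca` is presumably provided by `IPAPlugin`, which is outside the hunk, and `check()` continues past it; `CAInstance(False)` in the test hunk is a local stub defined outside the hunk.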


@ -0,0 +1,71 @@
From 62c14dbff5a947b50194df197de9f7052597ffb4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 17 Feb 2022 08:56:38 -0500
Subject: [PATCH] Don't depend on IPA status when suppressing pki checks
The pki healthchecks are noisy if a CA is not configured. We
want to suppresse these in IPA so don't make the checks visible
if a CA is not configured.
So this means we need to be able to run in these conditions:
1. IPA is configured with a CA: the pki checks are run
2. IPA is configured without a CA: the pki checks are not run
3. IPA is not configured: the pki checks are run
Which basically equates to three states: True, False, None
This was done originally with the ca_configured variable set to
None. Using some inside knowledge the registries are loaded which
will set ca_configured to True or False in the IPA registry.
Using that we can determine if the pki checks should be available.
Unfortunately I changed the initialization to False so it always
assumes that IPA is installed. ca_configured will be False for the
case of IPA not installed instead of None so we can't handle that
last state.
So initialize ca_configured to None so we can satisfy all three
states.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/core/core.py | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
index a6b4fe8..19f7818 100644
--- a/src/ipahealthcheck/core/core.py
+++ b/src/ipahealthcheck/core/core.py
@@ -281,13 +281,23 @@ class RunChecks:
if rval is not None:
return rval
+ # The pki checks are noisy if a CA is not configured so we
+ # want to suppress that for IPA.
+ #
+ # There are 3 possible states:
+ # 1. IPA is configured with a CA
+ # 2. IPA is configured without a CA
+ # 3. IPA is not configured
+ #
# If we have IPA configured without a CA then we want to skip
- # the pkihealthcheck plugins otherwise they will generated a
- # lot of false positives. The IPA plugins are loaded first so
- # which should set ca_configured in its registry to True or
- # False. We will skip the pkihealthcheck plugins only if
- # ca_configured is False which means that it was set by IPA.
- ca_configured = False
+ # the pkihealthcheck plugins
+ #
+ # The IPA registry will set ca_configured in its registry to True
+ # or False. We will skip the pkihealthcheck plugins only if
+ # ca_configured is False which means that it was set by IPA. So
+ # we initialize ca_configured to None so that the pki checks
+ # will always be executed with pki-healthcheck.
+ ca_configured = None
for name, registry in find_registries(self.entry_points).items():
try:
registry.initialize(framework, config, options)
--
2.31.1


@ -8,7 +8,7 @@
Name: ipa-healthcheck
Version: 0.7
Release: 6%{?dist}
Release: 10%{?dist}
Summary: Health check tool for IdM
BuildArch: noarch
License: GPLv3
@ -27,6 +27,13 @@ Patch0009: 0009-Add-checks-to-detect-mismatch-of-certificates.patch
Patch0010: 0010-Add-tests-for-certificate-mismatch-detection.patch
Patch0011: 0011-Add-log-files-to-the-set-of-files-checked-for-owner-.patch
Patch0012: 0012-Handle-files-that-don-t-exist-in-FileCheck.patch
Patch0013: 0013-Add-service-check-dependencies.patch
Patch0014: 0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch
Patch0015: 0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch
Patch0016: 0016-tests-Generate-a-proper-not-valid-after-field.patch
Patch0017: 0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch
Patch0018: 0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch
Patch0019: 0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch
Requires: %{name}-core = %{version}-%{release}
Requires: ipa-server
@ -130,6 +137,24 @@ install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{long
%changelog
* Thu Feb 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-10
- Don't depend on IPA status when suppressing pki checks (#2055316)
* Mon Jan 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-9
- Don't assume the entry_point order when determining if there is a
CA installed (#2041995)
* Thu Jan 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-8
- Suppress the CRLManager check false positive when a CA is not
configured (#1983060)
- Fix the backport of the pki.server.healthcheck suppression (#1983060)
* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-7
- ipa-healthcheck command takes some extra time to complete when dirsrv
instance is stopped (#1776687)
- ipa-healthcheck complains about pki.server.healthcheck errors even CA
is not configured on the replica (#1983060)
* Mon Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-6
- Fix patch fuzz issues, apply add'l upstream for log files (#1780020)