Backport upstream PR#1240 - logging: remove option to log into separate file

Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
2023-01-16 07:51:01 -03:00 · 2023-01-16 07:51:01 -03:00 · 7842bcd0bc
parent bf9cfcee94
commit 7842bcd0bc
2 changed files with 144 additions and 3 deletions
--- a/0003-logging-remove-option-to-log-into-separate-file.patch
+++ b/0003-logging-remove-option-to-log-into-separate-file.patch
@ -0,0 +1,136 @@
+From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
+From: Thore Sommer <mail@thson.de>
+Date: Mon, 16 Jan 2023 07:26:08 -0300
+Subject: [PATCH 3/3] logging: remove option to log into separate file
+
+The implementation had the issue that only the main loggers were added and that
+the permissions were not set strict enough. Users should use the logging
+provided by systemd instead.
+
+Signed-off-by: Thore Sommer <mail@thson.de>
+---
+ keylime.conf                       | 10 ----------
+ keylime/keylime_logging.py         | 31 ------------------------------
+ scripts/templates/2.0/registrar.j2 |  9 ---------
+ scripts/templates/2.0/verifier.j2  |  9 ---------
+ 4 files changed, 59 deletions(-)
+
+diff --git a/keylime.conf b/keylime.conf
+index d896f9f..043b6a8 100644
+--- a/keylime.conf
+++ b/keylime.conf
+@@ -342,11 +342,6 @@ tomtou_errors = False
+ # signature check before storing them in the database.
+ require_allow_list_signatures = False
+ 
+-# Destination for log output, in addition to console. Values can be 'file', 
+-# with the file being named after the "service" - cloud_verifier - created under 
+-# /var/log/keylime), 'stream' or it can be left empty (which results in 
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [tenant]
+@@ -595,11 +590,6 @@ auto_migrate_db = True
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename = provider_reg_data.sqlite
+ 
+-# Destination for log output, in addition to console. Values can be 'file',
+-# with the file being named after the "service" - registrar - created under
+-# /var/log/keylime), 'stream' or it can be left empty (which results in
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [ca]
+diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
+index bc8a11d..f7c7a8f 100644
+--- a/keylime/keylime_logging.py
+++ b/keylime/keylime_logging.py
+@@ -1,17 +1,10 @@
+ import logging
+-import os
+ from logging import Logger
+ from logging import config as logging_config
+ from typing import Any, Callable, Dict
+ 
+ from keylime import config
+ 
+-LOG_TO_FILE = set()
+-LOG_TO_STREAM = set()
+-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
+-# not clear that this works right.  console logging may not work
+-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
+-
+ logging_config.fileConfig(config.get_config("logging"))
+ 
+ 
+@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
+ 
+ 
+ def init_logging(loggername: str) -> Logger:
+-
+-    if loggername in ("verifier", "registrar"):
+-        logdest = config.get(loggername, "log_destination", fallback="")
+-        if logdest == "file":
+-            LOG_TO_FILE.add(loggername)
+-        if logdest == "stream":
+-            LOG_TO_STREAM.add(loggername)
+-
+     logger = logging.getLogger(f"keylime.{loggername}")
+     logging.getLogger("requests").setLevel(logging.WARNING)
+-    mainlogger = logging.getLogger("keylime")
+-    basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
+-    if loggername in LOG_TO_FILE:
+-        logfilename = os.path.join(LOGDIR, f"{loggername}.log")
+-        if not os.path.exists(LOGDIR):
+-            os.makedirs(LOGDIR, 0o750)
+-        fh = logging.FileHandler(logfilename)
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+-
+-    if loggername in LOG_TO_STREAM:
+-        fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+ 
+     return logger
+diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
+index 3d92303..8de7a50 100644
+--- a/scripts/templates/2.0/registrar.j2
+++ b/scripts/templates/2.0/registrar.j2
+@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
+ 
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename: {{ registrar.prov_db_filename }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/registrar.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ registrar.log_destination }}
+diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
+index d1584df..7a66cb1 100644
+--- a/scripts/templates/2.0/verifier.j2
+++ b/scripts/templates/2.0/verifier.j2
+@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
+ 
+ # Webhook url for revocation notifications.
+ webhook_url = {{ verifier.webhook_url }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/verifier.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ verifier.log_destination }}
+-- 
+2.38.1
+
--- a/keylime.spec
+++ b/keylime.spec
@ -9,7 +9,7 @@

 Name:    keylime
 Version: 6.5.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -17,8 +17,9 @@ Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}
 Source1:        %{srcname}.sysusers
 Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

-Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
-Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch
+Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
+Patch: 0003-logging-remove-option-to-log-into-separate-file.patch

 License: ASL 2.0 and MIT

@ -341,6 +342,10 @@ fi
 %license LICENSE

 %changelog
+* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
+- Backport upstream PR#1240 - logging: remove option to log into separate file
+  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
+
 * Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
 - Remove leftover policy file
  Related: rhbz#2152135