From 7842bcd0bc7c7bf233a725af3f780e490e9d51ed Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Mon, 16 Jan 2023 07:51:01 -0300 Subject: [PATCH] Backport upstream PR#1240 - logging: remove option to log into separate file Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime --- ...ove-option-to-log-into-separate-file.patch | 136 ++++++++++++++++++ keylime.spec | 11 +- 2 files changed, 144 insertions(+), 3 deletions(-) create mode 100644 0003-logging-remove-option-to-log-into-separate-file.patch diff --git a/0003-logging-remove-option-to-log-into-separate-file.patch b/0003-logging-remove-option-to-log-into-separate-file.patch new file mode 100644 index 0000000..e7e3672 --- /dev/null +++ b/0003-logging-remove-option-to-log-into-separate-file.patch @@ -0,0 +1,136 @@ +From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001 +From: Thore Sommer +Date: Mon, 16 Jan 2023 07:26:08 -0300 +Subject: [PATCH 3/3] logging: remove option to log into separate file + +The implementation had the issue that only the main loggers were added and that +the permissions were not set strict enough. Users should use the logging +provided by systemd instead. + +Signed-off-by: Thore Sommer +--- + keylime.conf | 10 ---------- + keylime/keylime_logging.py | 31 ------------------------------ + scripts/templates/2.0/registrar.j2 | 9 --------- + scripts/templates/2.0/verifier.j2 | 9 --------- + 4 files changed, 59 deletions(-) + +diff --git a/keylime.conf b/keylime.conf +index d896f9f..043b6a8 100644 +--- a/keylime.conf ++++ b/keylime.conf +@@ -342,11 +342,6 @@ tomtou_errors = False + # signature check before storing them in the database. + require_allow_list_signatures = False + +-# Destination for log output, in addition to console. Values can be 'file', +-# with the file being named after the "service" - cloud_verifier - created under +-# /var/log/keylime), 'stream' or it can be left empty (which results in +-# logging to console only, recommended when running inside a container) +-log_destination = file + + #============================================================================= + [tenant] +@@ -595,11 +590,6 @@ auto_migrate_db = True + # The file to use for SQLite persistence of provider hypervisor data. + prov_db_filename = provider_reg_data.sqlite + +-# Destination for log output, in addition to console. Values can be 'file', +-# with the file being named after the "service" - registrar - created under +-# /var/log/keylime), 'stream' or it can be left empty (which results in +-# logging to console only, recommended when running inside a container) +-log_destination = file + + #============================================================================= + [ca] +diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py +index bc8a11d..f7c7a8f 100644 +--- a/keylime/keylime_logging.py ++++ b/keylime/keylime_logging.py +@@ -1,17 +1,10 @@ + import logging +-import os + from logging import Logger + from logging import config as logging_config + from typing import Any, Callable, Dict + + from keylime import config + +-LOG_TO_FILE = set() +-LOG_TO_STREAM = set() +-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime") +-# not clear that this works right. console logging may not work +-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log") +- + logging_config.fileConfig(config.get_config("logging")) + + +@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An + + + def init_logging(loggername: str) -> Logger: +- +- if loggername in ("verifier", "registrar"): +- logdest = config.get(loggername, "log_destination", fallback="") +- if logdest == "file": +- LOG_TO_FILE.add(loggername) +- if logdest == "stream": +- LOG_TO_STREAM.add(loggername) +- + logger = logging.getLogger(f"keylime.{loggername}") + logging.getLogger("requests").setLevel(logging.WARNING) +- mainlogger = logging.getLogger("keylime") +- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s") +- if loggername in LOG_TO_FILE: +- logfilename = os.path.join(LOGDIR, f"{loggername}.log") +- if not os.path.exists(LOGDIR): +- os.makedirs(LOGDIR, 0o750) +- fh = logging.FileHandler(logfilename) +- fh.setLevel(logger.getEffectiveLevel()) +- fh.setFormatter(basic_formatter) +- mainlogger.addHandler(fh) +- +- if loggername in LOG_TO_STREAM: +- fh = logging.FileHandler(filename=LOGSTREAM, mode="w") +- fh.setLevel(logger.getEffectiveLevel()) +- fh.setFormatter(basic_formatter) +- mainlogger.addHandler(fh) + + return logger +diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2 +index 3d92303..8de7a50 100644 +--- a/scripts/templates/2.0/registrar.j2 ++++ b/scripts/templates/2.0/registrar.j2 +@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }} + + # The file to use for SQLite persistence of provider hypervisor data. + prov_db_filename: {{ registrar.prov_db_filename }} +- +-# Destination for log output, in addition to console. If left empty, the log +-# output will only be printed to console (recommended for containers to avoid +-# filling data storage). The accepted values are: +-# 'file': The log output will also be written to a file named after the +-# component in '/var/log/keylime/registrar.log' +-# 'stream': The log output will be written to a common file in +-# 'var/log/keylime/keylime-stream.log' +-log_destination = {{ registrar.log_destination }} +diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2 +index d1584df..7a66cb1 100644 +--- a/scripts/templates/2.0/verifier.j2 ++++ b/scripts/templates/2.0/verifier.j2 +@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }} + + # Webhook url for revocation notifications. + webhook_url = {{ verifier.webhook_url }} +- +-# Destination for log output, in addition to console. If left empty, the log +-# output will only be printed to console (recommended for containers to avoid +-# filling data storage). The accepted values are: +-# 'file': The log output will also be written to a file named after the +-# component in '/var/log/keylime/verifier.log' +-# 'stream': The log output will be written to a common file in +-# 'var/log/keylime/keylime-stream.log' +-log_destination = {{ verifier.log_destination }} +-- +2.38.1 + diff --git a/keylime.spec b/keylime.spec index b6f56f8..8a47a55 100644 --- a/keylime.spec +++ b/keylime.spec @@ -9,7 +9,7 @@ Name: keylime Version: 6.5.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime @@ -17,8 +17,9 @@ Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version} Source1: %{srcname}.sysusers Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz -Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch -Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch +Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch +Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch +Patch: 0003-logging-remove-option-to-log-into-separate-file.patch License: ASL 2.0 and MIT @@ -341,6 +342,10 @@ fi %license LICENSE %changelog +* Fri Jan 13 2023 Sergio Correia - 6.5.2-4 +- Backport upstream PR#1240 - logging: remove option to log into separate file + Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime + * Thu Dec 1 2022 Sergio Correia - 6.5.2-3 - Remove leftover policy file Related: rhbz#2152135