Backport upstream PR#1240 - logging: remove option to log into separate file
Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
This commit is contained in:
parent
bf9cfcee94
commit
7842bcd0bc
|
@ -0,0 +1,136 @@
|
|||
From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
|
||||
From: Thore Sommer <mail@thson.de>
|
||||
Date: Mon, 16 Jan 2023 07:26:08 -0300
|
||||
Subject: [PATCH 3/3] logging: remove option to log into separate file
|
||||
|
||||
The implementation had the issue that only the main loggers were added and that
|
||||
the permissions were not set strict enough. Users should use the logging
|
||||
provided by systemd instead.
|
||||
|
||||
Signed-off-by: Thore Sommer <mail@thson.de>
|
||||
---
|
||||
keylime.conf | 10 ----------
|
||||
keylime/keylime_logging.py | 31 ------------------------------
|
||||
scripts/templates/2.0/registrar.j2 | 9 ---------
|
||||
scripts/templates/2.0/verifier.j2 | 9 ---------
|
||||
4 files changed, 59 deletions(-)
|
||||
|
||||
diff --git a/keylime.conf b/keylime.conf
|
||||
index d896f9f..043b6a8 100644
|
||||
--- a/keylime.conf
|
||||
+++ b/keylime.conf
|
||||
@@ -342,11 +342,6 @@ tomtou_errors = False
|
||||
# signature check before storing them in the database.
|
||||
require_allow_list_signatures = False
|
||||
|
||||
-# Destination for log output, in addition to console. Values can be 'file',
|
||||
-# with the file being named after the "service" - cloud_verifier - created under
|
||||
-# /var/log/keylime), 'stream' or it can be left empty (which results in
|
||||
-# logging to console only, recommended when running inside a container)
|
||||
-log_destination = file
|
||||
|
||||
#=============================================================================
|
||||
[tenant]
|
||||
@@ -595,11 +590,6 @@ auto_migrate_db = True
|
||||
# The file to use for SQLite persistence of provider hypervisor data.
|
||||
prov_db_filename = provider_reg_data.sqlite
|
||||
|
||||
-# Destination for log output, in addition to console. Values can be 'file',
|
||||
-# with the file being named after the "service" - registrar - created under
|
||||
-# /var/log/keylime), 'stream' or it can be left empty (which results in
|
||||
-# logging to console only, recommended when running inside a container)
|
||||
-log_destination = file
|
||||
|
||||
#=============================================================================
|
||||
[ca]
|
||||
diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
|
||||
index bc8a11d..f7c7a8f 100644
|
||||
--- a/keylime/keylime_logging.py
|
||||
+++ b/keylime/keylime_logging.py
|
||||
@@ -1,17 +1,10 @@
|
||||
import logging
|
||||
-import os
|
||||
from logging import Logger
|
||||
from logging import config as logging_config
|
||||
from typing import Any, Callable, Dict
|
||||
|
||||
from keylime import config
|
||||
|
||||
-LOG_TO_FILE = set()
|
||||
-LOG_TO_STREAM = set()
|
||||
-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
|
||||
-# not clear that this works right. console logging may not work
|
||||
-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
|
||||
-
|
||||
logging_config.fileConfig(config.get_config("logging"))
|
||||
|
||||
|
||||
@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
|
||||
|
||||
|
||||
def init_logging(loggername: str) -> Logger:
|
||||
-
|
||||
- if loggername in ("verifier", "registrar"):
|
||||
- logdest = config.get(loggername, "log_destination", fallback="")
|
||||
- if logdest == "file":
|
||||
- LOG_TO_FILE.add(loggername)
|
||||
- if logdest == "stream":
|
||||
- LOG_TO_STREAM.add(loggername)
|
||||
-
|
||||
logger = logging.getLogger(f"keylime.{loggername}")
|
||||
logging.getLogger("requests").setLevel(logging.WARNING)
|
||||
- mainlogger = logging.getLogger("keylime")
|
||||
- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
|
||||
- if loggername in LOG_TO_FILE:
|
||||
- logfilename = os.path.join(LOGDIR, f"{loggername}.log")
|
||||
- if not os.path.exists(LOGDIR):
|
||||
- os.makedirs(LOGDIR, 0o750)
|
||||
- fh = logging.FileHandler(logfilename)
|
||||
- fh.setLevel(logger.getEffectiveLevel())
|
||||
- fh.setFormatter(basic_formatter)
|
||||
- mainlogger.addHandler(fh)
|
||||
-
|
||||
- if loggername in LOG_TO_STREAM:
|
||||
- fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
|
||||
- fh.setLevel(logger.getEffectiveLevel())
|
||||
- fh.setFormatter(basic_formatter)
|
||||
- mainlogger.addHandler(fh)
|
||||
|
||||
return logger
|
||||
diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
|
||||
index 3d92303..8de7a50 100644
|
||||
--- a/scripts/templates/2.0/registrar.j2
|
||||
+++ b/scripts/templates/2.0/registrar.j2
|
||||
@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
|
||||
|
||||
# The file to use for SQLite persistence of provider hypervisor data.
|
||||
prov_db_filename: {{ registrar.prov_db_filename }}
|
||||
-
|
||||
-# Destination for log output, in addition to console. If left empty, the log
|
||||
-# output will only be printed to console (recommended for containers to avoid
|
||||
-# filling data storage). The accepted values are:
|
||||
-# 'file': The log output will also be written to a file named after the
|
||||
-# component in '/var/log/keylime/registrar.log'
|
||||
-# 'stream': The log output will be written to a common file in
|
||||
-# 'var/log/keylime/keylime-stream.log'
|
||||
-log_destination = {{ registrar.log_destination }}
|
||||
diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
|
||||
index d1584df..7a66cb1 100644
|
||||
--- a/scripts/templates/2.0/verifier.j2
|
||||
+++ b/scripts/templates/2.0/verifier.j2
|
||||
@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
|
||||
|
||||
# Webhook url for revocation notifications.
|
||||
webhook_url = {{ verifier.webhook_url }}
|
||||
-
|
||||
-# Destination for log output, in addition to console. If left empty, the log
|
||||
-# output will only be printed to console (recommended for containers to avoid
|
||||
-# filling data storage). The accepted values are:
|
||||
-# 'file': The log output will also be written to a file named after the
|
||||
-# component in '/var/log/keylime/verifier.log'
|
||||
-# 'stream': The log output will be written to a common file in
|
||||
-# 'var/log/keylime/keylime-stream.log'
|
||||
-log_destination = {{ verifier.log_destination }}
|
||||
--
|
||||
2.38.1
|
||||
|
11
keylime.spec
11
keylime.spec
|
@ -9,7 +9,7 @@
|
|||
|
||||
Name: keylime
|
||||
Version: 6.5.2
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
||||
|
||||
URL: https://github.com/keylime/keylime
|
||||
|
@ -17,8 +17,9 @@ Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}
|
|||
Source1: %{srcname}.sysusers
|
||||
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
|
||||
|
||||
Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
|
||||
Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch
|
||||
Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
|
||||
Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
|
||||
Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
|
||||
|
||||
License: ASL 2.0 and MIT
|
||||
|
||||
|
@ -341,6 +342,10 @@ fi
|
|||
%license LICENSE
|
||||
|
||||
%changelog
|
||||
* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
|
||||
- Backport upstream PR#1240 - logging: remove option to log into separate file
|
||||
Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
|
||||
|
||||
* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
|
||||
- Remove leftover policy file
|
||||
Related: rhbz#2152135
|
||||
|
|
Loading…
Reference in New Issue