import rsyslog-8.2102.0-5.el8

CentOS Sources 2021-11-09 04:50:05 -05:00 committed by Stepan Oksanichenko
parent 3c8a96e211
commit 02c9ca947b
17 changed files with 282 additions and 524 deletions

6
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/qpid-proton-0.31.0.tar.gz
SOURCES/rsyslog-8.1911.0.tar.gz
SOURCES/rsyslog-doc-8.1911.0.tar.gz
SOURCES/qpid-proton-0.34.0.tar.gz
SOURCES/rsyslog-8.2102.0.tar.gz
SOURCES/rsyslog-doc-8.2102.0.tar.gz


@ -1,3 +1,3 @@
8714235747ec8947648448eecda57e97d3a733ce SOURCES/qpid-proton-0.31.0.tar.gz
30dfc2b99d73598788e2bd0d0ac45e16e7c3a3d5 SOURCES/rsyslog-8.1911.0.tar.gz
8bcb23571ab8011b712ccf52acee20f8940b7f03 SOURCES/rsyslog-doc-8.1911.0.tar.gz
390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz


@ -1,123 +0,0 @@
From ba5b68be84888b24918dd019b87ed9f62d7fa988 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 11 Feb 2020 13:46:23 +0100
Subject: [PATCH] Fixed processing of 'cofig.enabled' directive
Previously the directive was processed way too late which caused
false errors whenever it was set to 'off' and possibly other
problems.
---
grammar/rainerscript.c | 43+++++++++++++++++++++++----------------
grammar/rainerscript.h | 1 +
runtime/rsconf.c | 10 +++++++++
3 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 8f14bbe319..4398e6011a 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -699,6 +699,22 @@ nvlstFindNameCStr(struct nvlst *lst, const char *const __restrict__ name)
return lst;
}
+/* check if the nvlst is disabled, and mark config.enabled directive
+ * as used if it is not. Returns 1 if block is disabled, 0 otherwise.
+ */
+int nvlstChkDisabled(struct nvlst *lst)
+{
+ struct nvlst *valnode;
+
+ if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
+ lst->bUsed = 1;
+ if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
/* check if there are duplicate names inside a nvlst and emit
* an error message, if so.
@@ -1207,21 +1224,6 @@ nvlstGetParams(struct nvlst *lst, struct cnfparamblk *params,
}
}
- /* now config-system parameters (currently a bit hackish, as we
- * only have one...). -- rgerhards, 2018-01-24
- */
- if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
- if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
- dbgprintf("config object disabled by configuration\n");
- /* flag all params as used to not emit error mssages */
- bInError = 1;
- struct nvlst *val;
- for(val = lst; val != NULL ; val = val->next) {
- val->bUsed = 1;
- }
- }
- }
-
/* done parameter processing */
if(bInError) {
if(bValsWasNULL)
@@ -4418,8 +4418,13 @@ cnfstmtNewAct(struct nvlst *lst)
struct cnfstmt* cnfstmt;
char namebuf[256];
rsRetVal localRet;
- if((cnfstmt = cnfstmtNew(S_ACT)) == NULL)
+ if((cnfstmt = cnfstmtNew(S_ACT)) == NULL) {
goto done;
+ }
+ if (nvlstChkDisabled(lst)) {
+ dbgprintf("action disabled by configuration\n");
+ cnfstmt->nodetype = S_NOP;
+ }
localRet = actionNewInst(lst, &cnfstmt->d.act);
if(localRet == RS_RET_OK_WARN) {
parser_errmsg("warnings occured in file '%s' around line %d",
@@ -5284,6 +5289,11 @@ includeProcessCnf(struct nvlst *const lst)
goto done;
}
+ if (nvlstChkDisabled(lst)) {
+ DBGPRINTF("include statement disabled\n");
+ goto done;
+ }
+
pvals = nvlstGetParams(lst, &incpblk, NULL);
if(pvals == NULL) {
goto done;
diff --git a/grammar/rainerscript.h b/grammar/rainerscript.h
index bfa8ee6cb9..0f8128861b 100644
--- a/grammar/rainerscript.h
+++ b/grammar/rainerscript.h
@@ -340,6 +340,7 @@ void nvlstDestruct(struct nvlst *lst);
void nvlstPrint(struct nvlst *lst);
void nvlstChkUnused(struct nvlst *lst);
struct nvlst* nvlstFindName(struct nvlst *lst, es_str_t *name);
+int nvlstChkDisabled(struct nvlst *lst);
struct cnfobj* cnfobjNew(enum cnfobjType objType, struct nvlst *lst);
void cnfobjDestruct(struct cnfobj *o);
void cnfobjPrint(struct cnfobj *o);
diff --git a/runtime/rsconf.c b/runtime/rsconf.c
index fc0863a738..303e06365b 100644
--- a/runtime/rsconf.c
+++ b/runtime/rsconf.c
@@ -438,6 +438,16 @@ cnfDoObj(struct cnfobj *const o)
dbgprintf("cnf:global:obj: ");
cnfobjPrint(o);
+
+ /* We need to check for object disabling as early as here to cover most
+ * of them at once and avoid needless initializations
+ * - jvymazal 2020-02-12
+ */
+ if (nvlstChkDisabled(o->nvlst)) {
+ dbgprintf("object disabled by configuration\n");
+ return;
+ }
+
switch(o->objType) {
case CNFOBJ_GLOBAL:
glblProcessCnf(o);


@ -1,142 +0,0 @@
From ac30968b7858d4ca3743d2b4d296eca543864fe2 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Fri, 22 Nov 2019 14:25:59 +0100
Subject: [PATCH] Thorougher state-file renaming and cleaning
Now checking if file-id changes and reanming - cleaning state file
accordingly and always checking and cleaning old inode-only style
state files.
---
plugins/imfile/imfile.c | 66 +++++++++++++++++++++++++++--------------
1 file changed, 43 insertions(+), 23 deletions(-)
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index d9bf0fbb6d..9db2b47ac9 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -182,6 +182,7 @@ struct act_obj_s {
time_t timeoutBase; /* what time to calculate the timeout against? */
/* file dynamic data */
char file_id[FILE_ID_HASH_SIZE]; /* file id for this entry, once we could obtain it */
+ char file_id_prev[FILE_ID_HASH_SIZE]; /* previous file id for this entry, set if changed */
int in_move; /* workaround for inotify move: if set, state file must not be deleted */
ino_t ino; /* current inode nbr */
int fd; /* fd to file in order to obtain file_id (needs to be preserved across move) */
@@ -711,7 +712,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
if (is_file) {
LogError(errno, RS_RET_ERR, "imfile: error accessing file '%s'", name);
} else { /* reporting only in debug for dirs as higher lvl paths are likely blocked by selinux */
- DBGPRINTF("imfile: error accessing file '%s'", name);
+ DBGPRINTF("imfile: error accessing directory '%s'", name);
}
FINALIZE;
}
@@ -727,6 +728,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
act->ino = ino;
act->fd = fd;
act->file_id[0] = '\0';
+ act->file_id_prev[0] = '\0';
act->is_symlink = is_symlink;
if (source) { /* we are target of symlink */
CHKmalloc(act->source_name = strdup(source));
@@ -1256,17 +1258,15 @@ get_file_id_hash(const char *data, size_t lendata,
static void ATTR_NONNULL(1)
getFileID(act_obj_t *const act)
{
- if(act->file_id[0] != '\0') {
- return; /* everything already done */
- }
+ /* save the old id for cleaning purposes */
+ strncpy(act->file_id_prev, (const char*)act->file_id, FILE_ID_HASH_SIZE);
+ act->file_id[0] = '\0';
assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
char filedata[FILE_ID_SIZE];
+ lseek(act->fd, 0, SEEK_SET); /* Seek to beginning of file so we have correct id */
const int r = read(act->fd, filedata, FILE_ID_SIZE);
if(r == FILE_ID_SIZE) {
get_file_id_hash(filedata, sizeof(filedata), act->file_id, sizeof(act->file_id));
- dbgprintf("file_id '%s' obtained, closing monitoring file handle\n", act->file_id);
- close(act->fd); /* we will never go here! */
- act->fd = -1;
} else {
DBGPRINTF("getFileID partial or error read, ret %d\n", r);
}
@@ -1378,28 +1378,13 @@ openFileWithStateFile(act_obj_t *const act)
if(fd < 0) {
if(errno == ENOENT) {
if(act->file_id[0] != '\0') {
- const char *pszSFNamHash = strdup((const char*)pszSFNam);
- CHKmalloc(pszSFNamHash);
DBGPRINTF("state file %s for %s does not exist - trying to see if "
"inode-only file exists\n", pszSFNam, act->name);
getFullStateFileName(statefn, "", pszSFNam, sizeof(pszSFNam));
fd = open((char*)pszSFNam, O_CLOEXEC | O_NOCTTY | O_RDONLY, 0600);
if(fd >= 0) {
- dbgprintf("found inode-only state file, renaming it now that we "
- "know the file_id, new name: %s\n", pszSFNamHash);
- /* we now can use identify the file, so let's rename it */
- if(rename((const char*)pszSFNam, pszSFNamHash) != 0) {
- LogError(errno, RS_RET_IO_ERROR,
- "imfile error trying to rename state file for '%s' - "
- "ignoring this error, usually this means a file no "
- "longer file is left over, but this may also cause "
- "some real trouble. Still the best we can do ",
- act->name);
- free((void*) pszSFNamHash);
- ABORT_FINALIZE(RS_RET_IO_ERROR);
- }
+ dbgprintf("found inode-only state file, will be renamed at next persist\n");
}
- free((void*) pszSFNamHash);
}
if(fd < 0) {
DBGPRINTF("state file %s for %s does not exist - trying to see if "
@@ -2609,6 +2594,36 @@ atomicWriteStateFile(const char *fn, const char *content)
RETiRet;
}
+/* This function should be called after any file ID change - that is if
+ * file grown from hash-only statefile, or was truncated, this will ensure
+ * we delete the old file so we do not make garbage in our working dir and
+ * there are no leftover statefiles which can in theory later bind to something
+ * and cause data loss.
+ * jvymazal 2019-11-27
+ */
+static void
+removeOldStatefile(const uchar *statefn, const char *hashToDelete)
+{
+ int ret;
+ uchar statefname[MAXFNAME];
+
+ getFullStateFileName(statefn, hashToDelete, statefname, sizeof(statefname));
+ DBGPRINTF("removing old state file: '%s'\n", statefname);
+ ret = unlink((const char*)statefname);
+ if(ret != 0) {
+ if (errno != ENOENT) {
+ LogError(errno, RS_RET_IO_ERROR,
+ "imfile error trying to delete old state file: '%s' - ignoring this "
+ "error, usually this means a file no longer file is left over, but "
+ "this may also cause some real trouble. Still the best we can do ",
+ statefname);
+ } else {
+ DBGPRINTF("trying to delete no longer valid statefile '%s' which no "
+ "longer exists (probably already deleted)\n", statefname);
+ }
+ }
+}
+
/* This function persists information for a specific file being monitored.
* To do so, it simply persists the stream object. We do NOT abort on error
@@ -2660,6 +2675,11 @@ persistStrmState(act_obj_t *const act)
CHKiRet(atomicWriteStateFile((const char*)statefname, jstr));
json_object_put(json);
+ /* file-id changed remove the old statefile */
+ if (strncmp((const char *)act->file_id_prev, (const char *)act->file_id, FILE_ID_HASH_SIZE)) {
+ removeOldStatefile(statefn, act->file_id_prev);
+ }
+
finalize_it:
if(iRet != RS_RET_OK) {
LogError(0, iRet, "imfile: could not persist state "


@ -1,58 +0,0 @@
From 0de93c9e1597b20f71bb61d5375ded546cfd2fa8 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Wed, 11 Dec 2019 15:35:26 +0100
Subject: [PATCH] Changed default for permitExpiredCerts to "off"
This is to be conssitent with rsyslog's prior behavior where
expired certs were automatically rejected
---
runtime/nsd_gtls.c | 10 +++++-----
runtime/nsd_ossl.c | 8 ++++----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 5df12994d1..2be0ca9c92 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1461,16 +1461,16 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
ISOBJ_TYPE_assert((pThis), nsd_gtls);
- /* default is set to warn! */
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
- pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
- } else if(!strcasecmp((char*) mode, "off")) {
+ /* default is set to off! */
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
pThis->permitExpiredCerts = GTLS_EXPIRED_DENY;
+ } else if(!strcasecmp((char*) mode, "warn")) {
+ pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
} else if(!strcasecmp((char*) mode, "on")) {
pThis->permitExpiredCerts = GTLS_EXPIRED_PERMIT;
} else {
LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: permitexpiredcerts mode '%s' not supported by "
- "ossl netstream driver", mode);
+ "gtls netstream driver", mode);
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 4f8dd845ab..ebb2537d72 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -1130,11 +1130,11 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
nsd_ossl_t *pThis = (nsd_ossl_t*) pNsd;
ISOBJ_TYPE_assert((pThis), nsd_ossl);
- /* default is set to warn! */
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
- pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
- } else if(!strcasecmp((char*) mode, "off")) {
+ /* default is set to off! */
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
pThis->permitExpiredCerts = OSSL_EXPIRED_DENY;
+ } else if(!strcasecmp((char*) mode, "warn")) {
+ pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
} else if(!strcasecmp((char*) mode, "on")) {
pThis->permitExpiredCerts = OSSL_EXPIRED_PERMIT;
} else {


@ -1,33 +0,0 @@
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Wed, 18 Dec 2019 09:48:15 +0100
Subject: [PATCH] Fix race condition related to libfastjson when using DA queue
Rsyslogd aborts when writing to disk queue from multiple workers simultaneously.
It is assumed that libfastjson is not thread-safe.
Resolve libfastjson race condition when writing to disk queue.
see also https://github.com/rsyslog/rsyslog/issues/4099
---
runtime/msg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/runtime/msg.c b/runtime/msg.c
index b5c17cfdd4..f9da40005f 100644
--- a/runtime/msg.c
+++ b/runtime/msg.c
@@ -1242,11 +1242,15 @@ static rsRetVal MsgSerialize(smsg_t *pThis, strm_t *pStrm)
psz = pThis->pszStrucData;
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("pszStrucData"), PROPTYPE_PSZ, (void*) psz));
if(pThis->json != NULL) {
+ MsgLock(pThis);
psz = (uchar*) json_object_get_string(pThis->json);
+ MsgUnlock(pThis);
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("json"), PROPTYPE_PSZ, (void*) psz));
}
if(pThis->localvars != NULL) {
+ MsgLock(pThis);
psz = (uchar*) json_object_get_string(pThis->localvars);
+ MsgUnlock(pThis);
CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("localvars"), PROPTYPE_PSZ, (void*) psz));
}


@ -1,37 +0,0 @@
From 0c69ec76d8cac47bcfa78abae86229ad63c92b0b Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 21 Jan 2020 13:58:14 +0100
Subject: [PATCH] Fixed saving of old file_id for statefiles
Previously we saved old file_id unconditionally, which led to not
deleting old statefiles if files changes without rsyslog running.
Now it should work correctly.
---
plugins/imfile/imfile.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index 908bb5901c..5ad44f6c59 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -1258,8 +1258,8 @@ get_file_id_hash(const char *data, size_t lendata,
static void ATTR_NONNULL(1)
getFileID(act_obj_t *const act)
{
- /* save the old id for cleaning purposes */
- strncpy(act->file_id_prev, (const char*)act->file_id, FILE_ID_HASH_SIZE);
+ char tmp_id[FILE_ID_HASH_SIZE];
+ strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
act->file_id[0] = '\0';
assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
char filedata[FILE_ID_SIZE];
@@ -1270,6 +1270,9 @@ getFileID(act_obj_t *const act)
} else {
DBGPRINTF("getFileID partial or error read, ret %d\n", r);
}
+ if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
+ strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
+ }
DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
}


@ -1,24 +0,0 @@
From 89ff6436b55cd81c54dcb076490b0c4de98d508d Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Tue, 9 Jun 2020 12:09:59 +0200
Subject: [PATCH] Fixing imfile segfaulting on selinux denial
If imfile is denied access to file watched trough symlink there is
unchecked condition resulting in access to not initialized memory.
---
plugins/imfile/imfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index f360bd290b..21d6546552 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -732,7 +732,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
} else { /* reporting only in debug for dirs as higher lvl paths are likely blocked by selinux */
DBGPRINTF("imfile: error accessing directory '%s'", name);
}
- FINALIZE;
+ ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
}
DBGPRINTF("add new active object '%s' in '%s'\n", name, edge->path);
CHKmalloc(act = calloc(sizeof(act_obj_t), 1));


@ -1,49 +0,0 @@
diff -up rsyslog-8.1911.0/grammar/rainerscript.c.orig rsyslog-8.1911.0/grammar/rainerscript.c
--- rsyslog-8.1911.0/grammar/rainerscript.c.orig 2021-04-06 13:43:55.366523373 +0200
+++ rsyslog-8.1911.0/grammar/rainerscript.c 2021-04-06 13:44:40.039239056 +0200
@@ -905,15 +905,29 @@ static int
doGetGID(struct nvlst *valnode, struct cnfparamdescr *param,
struct cnfparamvals *val)
{
- char *cstr;
- int r;
- struct group *resultBuf;
- struct group wrkBuf;
- char stringBuf[2048]; /* 2048 has been proven to be large enough */
+ char *cstr;
+ int r;
+ struct group *resultBuf = NULL;
+ struct group wrkBuf;
+ char *stringBuf = NULL;
+ size_t bufSize = 1024;
+ int e;
+
+ cstr = es_str2cstr(valnode->val.d.estr, NULL);
+ do {
+ char *p;
+
+ /* Increase bufsize and try again.*/
+ bufSize *= 2;
+ p = realloc(stringBuf, bufSize);
+ if(!p) {
+ e = ENOMEM;
+ break;
+ }
+ stringBuf = p;
+ e = getgrnam_r(cstr, &wrkBuf, stringBuf, bufSize, &resultBuf);
+ } while(!resultBuf && (e == ERANGE));
- cstr = es_str2cstr(valnode->val.d.estr, NULL);
- const int e = getgrnam_r(cstr, &wrkBuf, stringBuf,
- sizeof(stringBuf), &resultBuf);
if(resultBuf == NULL) {
if(e != 0) {
LogError(e, RS_RET_ERR, "parameter '%s': error to "
@@ -929,6 +943,7 @@ doGetGID(struct nvlst *valnode, struct c
param->name, (int) resultBuf->gr_gid, cstr);
r = 1;
}
+ free(stringBuf);
free(cstr);
return r;
}


@ -1,21 +0,0 @@
diff -up ./rsyslog.service.in.service ./rsyslog.service.in
--- ./rsyslog.service.in.service 2018-03-01 13:58:11.480598935 +0100
+++ ./rsyslog.service.in 2018-03-01 13:58:25.433518607 +0100
@@ -1,12 +1,16 @@
[Unit]
Description=System Logging Service
Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
Documentation=man:rsyslogd(8)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
-ExecStart=@sbindir@/rsyslogd -n -iNONE
+EnvironmentFile=-/etc/sysconfig/rsyslog
+ExecStart=@sbindir@/rsyslogd -n $SYSLOGD_OPTIONS
+UMask=0066
StandardOutput=null
Restart=on-failure


@ -0,0 +1,14 @@
diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-28 09:05:23.283262154 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-28 09:10:05.858381106 +0200
@@ -424,8 +424,8 @@ readjournal(void)
severity = cs.iDfltSeverity;
}
} else {
- LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an "
- "unexpected length: %zu\n", length);
+ DBGPRINTF("The value of the 'PRIORITY' field has an "
+ "unexpected length: %zu value: '%s'\n", length, (const char*)get);
}
}
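Review bot: The new debug line prints `get` with `%s`, but in the visible code only `length` bounds that buffer; if `get` points at the raw journal field (not shown here, so this is inferred) it need not be NUL-terminated and the format can read past the field. Bounding the print keeps it inside the data: `"unexpected length: %zu value: '%.*s'\n", length, (int)length, (const char*)get`. Moving the message from LogError to DBGPRINTF also means a malformed PRIORITY field is no longer visible outside debug runs, so a one-line comment saying the downgrade is deliberate would help the next reader. readjournal() starts and ends outside the hunk.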


@ -0,0 +1,21 @@
diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c
--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig 2021-06-15 12:46:14.758589030 +0200
+++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c 2021-06-15 12:47:08.130516632 +0200
@@ -303,7 +303,7 @@ ENDfreeCnf
BEGINcreateInstance
CODESTARTcreateInstance
pData->sizeWindow = 0;
- pData->timeout = 90;
+ pData->timeout = 5;
pData->connTimeout = 10;
pData->rebindInterval = 0;
pData->bEnableTLS = DFLT_ENABLE_TLS;
@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData
pData->target = NULL;
pData->port = NULL;
pData->tplName = NULL;
- pData->timeout = 90;
+ pData->timeout = 5;
pData->connTimeout = 10;
pData->sizeWindow = 0;
pData->rebindInterval = 0;
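Review bot: The default `5` is now written twice, once in createInstance and once in setInstParamDefaults, so the two can drift apart the next time the default changes. A single named constant beside the existing `DFLT_ENABLE_TLS` would keep them in step, for example a new `#define DFLT_RELP_TIMEOUT 5` (name proposed here) used as `pData->timeout = DFLT_RELP_TIMEOUT;` in both places. Neither assignment states a unit or a reason; a short comment giving the unit (presumably seconds) and why the value was lowered from 90 would help whoever tunes it later.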


@ -0,0 +1,20 @@
diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-15 12:30:35.238832058 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-15 12:32:04.699721356 +0200
@@ -565,6 +565,8 @@ persistJournalState(void)
ABORT_FINALIZE(RS_RET_IO_ERROR);
}
+ fflush(sf);
+
/* change the name of the file to the configured one */
if (rename(tmp_sf, cs.stateFile) < 0) {
LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
@@ -586,6 +588,7 @@ persistJournalState(void)
LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
ABORT_FINALIZE(RS_RET_IO_ERROR);
}
+ closedir(wd);
}
DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);


@ -0,0 +1,102 @@
diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
--- rsyslog-8.2102.0/runtime/cfsysline.c.orig 2021-08-04 07:16:02.663163106 +0200
+++ rsyslog-8.2102.0/runtime/cfsysline.c 2021-08-04 07:18:05.952490008 +0200
@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
assert(*pp != NULL);
if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) {
- if(loadConf->globals.abortOnIDResolutionFail) {
- fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
- exit(1); /* good exit */
- } else {
- LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
- ABORT_FINALIZE(RS_RET_NOT_FOUND);
- }
+ LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+ ABORT_FINALIZE(RS_RET_NOT_FOUND);
}
do {
@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
}
iRet = RS_RET_NOT_FOUND;
- if(loadConf->globals.abortOnIDResolutionFail) {
- fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
- exit(1); /* good exit */
- }
} else {
if(pSetHdlr == NULL) {
/* we should set value directly to var */
@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
assert(*pp != NULL);
if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) {
- if(loadConf->globals.abortOnIDResolutionFail) {
- fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
- exit(1); /* good exit */
- } else {
- LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
- ABORT_FINALIZE(RS_RET_NOT_FOUND);
- }
+ LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+ ABORT_FINALIZE(RS_RET_NOT_FOUND);
}
getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
if(ppwBuf == NULL) {
- if(loadConf->globals.abortOnIDResolutionFail) {
- fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
- exit(1); /* good exit */
- } else {
- LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
- iRet = RS_RET_NOT_FOUND;
- }
+ LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+ iRet = RS_RET_NOT_FOUND;
} else {
if(pSetHdlr == NULL) {
/* we should set value directly to var */
diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
--- rsyslog-8.2102.0/runtime/glbl.c.orig 2021-08-04 07:18:19.301633677 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2021-08-04 07:19:02.409019106 +0200
@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
{ "environment", eCmdHdlrArray, 0 },
{ "processinternalmessages", eCmdHdlrBinary, 0 },
{ "umask", eCmdHdlrFileCreateMode, 0 },
- { "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
{ "internal.developeronly.options", eCmdHdlrInt, 0 },
{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
- } else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
- loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2021-08-04 07:19:13.103104854 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c 2021-08-04 07:19:44.635357684 +0200
@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
pThis->globals.maxErrMsgToStderr = -1;
pThis->globals.umask = -1;
pThis->globals.gidDropPrivKeepSupplemental = 0;
- pThis->globals.abortOnIDResolutionFail = 1;
pThis->templates.root = NULL;
pThis->templates.last = NULL;
pThis->templates.lastStatic = NULL;
diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2021-08-04 07:20:15.848607958 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h 2021-08-04 07:20:42.782823920 +0200
@@ -73,7 +73,6 @@ struct globals_s {
int uidDropPriv; /* user-id to which priveleges should be dropped to */
int gidDropPriv; /* group-id to which priveleges should be dropped to */
int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
- int abortOnIDResolutionFail;
int umask; /* umask to use */
uchar *pszConfDAGFile; /* name of config DAG file, non-NULL means generate one */
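Review bot: With the `exit(1)` branches gone, doGetUID and doGetGID in cfsysline.c only log and return RS_RET_NOT_FOUND when a user or group name cannot be resolved, so whether the daemon keeps running under its original identity now depends entirely on how callers outside these hunks treat that return code. The fail-open path should be stated where it happens, for example `/* ID lookup failure is no longer fatal here; callers must not continue without the requested privilege drop */` above each `LogError`. The `security.abortonidresolutionfail` entry is also removed from the parameter table in glbl.c, so a configuration that still sets it will presumably be reported as an unknown parameter; a release-note line for administrators would cover that. In doGetUID the return value of `getpwnam_r` is still ignored, so a lookup error and a missing user remain indistinguishable in the log.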


@ -0,0 +1,26 @@
diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
--- rsyslog-8.2102.0/runtime/ratelimit.c.orig 2021-07-27 10:37:50.972903104 +0200
+++ rsyslog-8.2102.0/runtime/ratelimit.c 2021-07-27 10:38:26.141002988 +0200
@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
{
DEFiRet;
rsRetVal localRet;
- int severity = 0;
*ppRepMsg = NULL;
@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
DBGPRINTF("Message discarded, parsing error %d\n", localRet);
ABORT_FINALIZE(RS_RET_DISCARDMSG);
}
- severity = pMsg->iSeverity;
}
}
/* Only the messages having severity level at or below the
* treshold (the value is >=) are subject to ratelimiting. */
- if(ratelimit->interval && (severity >= ratelimit->severity)) {
+ if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
getAPPNAME(pMsg, 0));
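Review bot: The threshold test now reads `pMsg->iSeverity` on every path, including the one where this function did not run the parser, so the result depends on the severity already being set when the message arrives; nothing in the hunk states that assumption. A comment above the test would record it, e.g. `/* iSeverity is expected to be valid here even when the parser was not run above */`. If that does not hold for some input, the decision to rate-limit or exempt a message would be based on a default value, which matters because this check decides what gets dropped under load. ratelimitMsg() starts and ends outside the hunk.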

23
SOURCES/rsyslog.service Normal file

@ -0,0 +1,23 @@
[Unit]
Description=System Logging Service
;Requires=syslog.socket
Wants=network.target network-online.target
After=network.target network-online.target
Documentation=man:rsyslogd(8)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
UMask=0066
StandardOutput=null
Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
;Alias=syslog.service
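Review bot: The two commented-out lines, `;Requires=syslog.socket` and `;Alias=syslog.service`, carry no explanation in the unit, and the spec's sed step with its "get rid of socket activation by default" comment is removed in this same commit, so the reason is no longer recorded anywhere. A line such as `# socket activation is disabled by default; uncomment Requires= and Alias= to restore it` above `;Requires=syslog.socket` would keep it. `ExecStart` takes `$SYSLOGD_OPTIONS` from `/etc/sysconfig/rsyslog` and the unit has no `User=` line, so that file sets the command line of a daemon that starts as root and should stay writable by root only. The unit sets no sandboxing directives either; which of systemd's hardening options rsyslog tolerates is not shown on this page, so that is a point to evaluate rather than a defect.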


@ -5,8 +5,8 @@
Summary: Enhanced system logging and kernel message trapping daemon
Name: rsyslog
Version: 8.1911.0
Release: 7%{?dist}.2
Version: 8.2102.0
Release: 5%{?dist}
License: (GPLv3+ and ASL 2.0)
Group: System Environment/Daemons
ExcludeArch: i686
@ -16,7 +16,8 @@ Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.ta
Source2: rsyslog.conf
Source3: rsyslog.sysconfig
Source4: rsyslog.log
Source5: qpid-proton-0.31.0.tar.gz
Source5: qpid-proton-0.34.0.tar.gz
Source6: rsyslog.service
BuildRequires: autoconf
BuildRequires: automake
@ -33,7 +34,9 @@ BuildRequires: python3-docutils
# it depens on rhbz#1419228
BuildRequires: systemd-devel >= 219-39
BuildRequires: zlib-devel
BuildRequires: openssl-devel
Requires: openssl-libs
Requires: logrotate >= 3.5.2
Requires: bash >= 2.0
Requires: libestr >= 0.1.9
@ -44,17 +47,13 @@ Requires(postun): systemd
Provides: syslog
Obsoletes: sysklogd < 1.5-11
# tweak the upstream service file to honour configuration from /etc/sysconfig/rsyslog
Patch0: rsyslog-8.1911.0-service.patch
# imjournal: adds "journal" when tag/process name is missing
Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
Patch2: rsyslog-8.1911.0-rhbz1763757-imfile-statefiles.patch
Patch3: rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch
Patch4: rsyslog-8.1911.0-rhbz1659383-config-enabled-error.patch
Patch5: rsyslog-8.1911.0-rhbz1789675-serialize-crash-race.patch
Patch6: rsyslog-8.1911.0-rhbz1793569-imfile-file_id.patch
Patch7: rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch
Patch8: rsyslog-8.1911.0-rhbz1944756-large-group.patch
Patch0: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
Patch1: rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
Patch2: rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
Patch3: rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
Patch4: rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
Patch5: rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
%package crypto
Summary: Encryption support
@ -73,11 +72,17 @@ Group: System Environment/Daemons
Requires: %name = %version-%release
%package gnutls
Summary: TLS protocol support for rsyslog
Summary: TLS protocol support for rsyslog via GnuTLS library
Group: System Environment/Daemons
Requires: %name = %version-%release
BuildRequires: gnutls-devel
%package openssl
Summary: TLS protocol support for rsyslog via OpenSSL library
Group: System Environment/Daemons
Requires: %name = %version-%release
BuildRequires: openssl-devel
%package gssapi
Summary: GSSAPI authentication and encryption support for rsyslog
Group: System Environment/Daemons
@ -183,7 +188,14 @@ Elasticsearch.
%description gnutls
The rsyslog-gnutls package contains the rsyslog plugins that provide the
ability to send and receive syslog messages via TCP or RELP using TLS
encryption. For details refer to rsyslog doc on imtcp and omfwd modules.
encryption via GnuTLS library. For details refer to rsyslog doc on imtcp
and omfwd modules.
%description openssl
The rsyslog-openssl package contains the rsyslog plugins that provide the
ability to send and receive syslog messages via TCP or RELP using TLS
encryption via OpenSSL library. For details refer to rsyslog doc on imtcp
and omfwd modules.
%description gssapi
The rsyslog-gssapi package contains the rsyslog plugins which support GSSAPI
@ -256,15 +268,12 @@ mv build doc
%setup -q -D
%setup -q -D -T -b 5
%patch0 -p1 -b .service
%patch1 -p1 -b .default-tag
%patch2 -p1 -b .imfile-statefiles
%patch3 -p1 -b .deny-expired-certs
%patch4 -p1 -b .config-enabled-on
%patch5 -p1 -b .serialize-json
%patch6 -p1 -b .imfile-id
%patch7 -p1 -b .imfile-selinux-symlink
%patch8 -p1 -b .large-groups
%patch0 -p1 -b .default-tag
%patch1 -p1 -b .fd-leak-on-fsync
%patch2 -p1 -b .timeout
%patch3 -p1 -b .unexpected-priority-length
%patch4 -p1 -b .imuxsock-rate-limit
%patch5 -p1 -b .abort-on-id-resolution-fail
%build
%ifarch sparc64
@ -275,7 +284,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
%endif
# build the proton first
(
cd %{_builddir}/qpid-proton-0.31.0
cd %{_builddir}/qpid-proton-0.34.0
mkdir bld
cd bld
@ -308,6 +317,7 @@ autoreconf -if
--enable-elasticsearch \
--enable-generate-man-pages \
--enable-gnutls \
--enable-openssl \
--enable-gssapi-krb5 \
--enable-imdiag \
--enable-imfile \
@ -325,7 +335,7 @@ autoreconf -if
--enable-mmsnmptrapd \
--enable-mmutf8fix \
--enable-mysql \
--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.31.0/bld/c/include" \
--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.34.0/bld/c/include" \
--enable-omhttp \
--enable-omjournal \
--enable-omkafka \
@ -350,6 +360,7 @@ make DESTDIR=%{buildroot} install
install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -d -m 755 %{buildroot}%{_unitdir}
install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d
install -d -m 700 %{buildroot}%{rsyslog_statedir}
install -d -m 700 %{buildroot}%{rsyslog_pkidir}
@ -358,6 +369,7 @@ install -d -m 755 %{buildroot}%{rsyslog_docdir}/html
install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/syslog
install -p -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/rsyslog.service
install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql
install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql
install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir}
@ -365,8 +377,6 @@ install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir}
cp -r doc/* %{buildroot}%{rsyslog_docdir}/html
# get rid of libtool libraries
rm -f %{buildroot}%{_libdir}/rsyslog/*.la
# get rid of socket activation by default
sed -i '/^Alias/s/^/;/;/^Requires=syslog.socket/s/^/;/' %{buildroot}%{_unitdir}/rsyslog.service
# convert line endings from "\r\n" to "\n"
cat tools/recover_qi.pl | tr -d '\r' > %{buildroot}%{_bindir}/rsyslog-recover-qi.pl
@ -457,6 +467,9 @@ done
%files gnutls
%{_libdir}/rsyslog/lmnsd_gtls.so
%files openssl
%{_libdir}/rsyslog/lmnsd_ossl.so
%files kafka
%{_libdir}/rsyslog/imkafka.so
%{_libdir}/rsyslog/omkafka.so
@ -501,9 +514,35 @@ done
%{_libdir}/rsyslog/omudpspoof.so
%changelog
* Tue Apr 06 2021 Attila Lakatos <alakatos@redhat.com> - 8.1911.0-7.2
- added patch resolving theoretically "too large" groups
resolves:rhbz#1944756
* Wed Aug 04 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-5
- Do not exit when user/group can not be found
resolves: rhbz#1984489
- Remove abortOnIDResolution fail
* Tue Jul 27 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-4
- Allways use message severity when comparing with ratelimit severity
resolves: rhbz#1984616
* Mon Jun 28 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-3
- Priority field must have valid length
resolves: rhbz#1866877
- Allocate more memory on too large groups
resolves: rhbz#1944718
* Tue May 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-2
RHEL 8.5.0 ERRATUM
- rebase to 8.2102.0
resolves: rhbz#1932795
- Enable openssl
resolves: rhbz#1891458
- EKU check for client cert on server side
resolves: rhbz#1783348
- Use GNUTLS_SHUT_WR when ending TLS connections
resolves: rhbz#1880434
- Use librelp with openssl enabled
resolves: rhbz#1795607
- Close dir when fsync=on
resolves: rhbz#1960536
* Wed Nov 18 2020 Attila Lakatos <alakatos@redhat.com> - 8.1911.0-7
- add back rsyslog-udpspoof package
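Review bot: The patch list drops seven downstream code patches, among them `rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch` and `rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch`, and nothing on this page shows that the 8.2102.0 tarball contains equivalent changes. For the expired-certificate default in particular, a silent return to `warn` would let TLS peers with expired certificates connect again, so it is worth confirming in the new source that a NULL mode maps to the deny value in both nsd_gtls.c and nsd_ossl.c. Once verified, a comment above `Patch0:` would make the rebase auditable, e.g. `# rhbz1763757, rhbz1782353, rhbz1659383, rhbz1789675, rhbz1793569, rhbz1843994, rhbz1944756: merged upstream, dropped on rebase to 8.2102.0`. The 8.2102.0-3 changelog entry "Allocate more memory on too large groups" has no matching patch in the new list, which presumably means the same thing and could be stated in that entry.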