Rebase to 8.2604.0

Drop ossl-free-cert.patch and gtls-unused-certificates.patch (upstream).
Backport imfile inotify FD release fix from upstream PR #6753.
Move logrotate configuration back to the main package.

Resolves: RHEL-140914
Resolves: RHEL-169492
Resolves: RHEL-169794
Resolves: RHEL-171897
Resolves: RHEL-173192
Cropi 2026-04-29 14:25:32 +02:00
parent b66dd9d149
commit bb412bbbec
5 changed files with 198 additions and 184 deletions


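--- a/gtls-unused-certificates.patch
+++ b/gtls-unused-certificates.patch
@@ -1,127 +0,0 @@
-From e3f131d561a1df7dd07631345662ab678614bba7 Mon Sep 17 00:00:00 2001
-From: Cropi <alakatos@redhat.com>
-Date: Mon, 3 Nov 2025 14:13:19 +0100
-Subject: [PATCH 2/2] nsd_gtls: fix repeated warnings on connection retry +
-test
-Move the `loggedWarnings` bitfield from per-instance to module-level
-static storage in `runtime/nsd_gtls.c` so that missing cert/key/CA
-warnings are emitted only once per rsyslogd process, not on every
-connection retry. Otherwise, a broken connection can spam dosens of
-logs.
----
-runtime/nsd_gtls.c | 26 ++++++++++++++-----------
-runtime/nsd_gtls.h | 1 -
-tests/omfwd-gtls-missing-cert-key.sh | 29 ++++++++++++++++++++++++++++
-3 files changed, 44 insertions(+), 12 deletions(-)
-create mode 100755 tests/omfwd-gtls-missing-cert-key.sh
-diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
-index 7721c1bd1..9a7939fba 100644
---- a/runtime/nsd_gtls.c
-+++ b/runtime/nsd_gtls.c
-@@ -77,6 +77,9 @@ static pthread_mutex_t mutGtlsStrerror;
-static gnutls_dh_params_t dh_params; /**< server DH parameters for anon mode */
-+/* Module-level bitfield for warnings that have been logged (shared across all instances) */
-+static unsigned loggedWarnings = 0;
-+
-/* bitfield for warnings that have been logged */
-enum {
-GTLS_LOGGED_WARN_CERT_MISSING = 1 << 0,
-@@ -674,13 +677,14 @@ static rsRetVal gtlsAddOurCert(nsd_gtls_t *const pThis) {
-keyFile = (pThis->pszKeyFile == NULL) ? glbl.GetDfltNetstrmDrvrKeyFile(runConf) : pThis->pszKeyFile;
-dbgprintf("GTLS certificate file: '%s'\n", certFile);
-dbgprintf("GTLS key file: '%s'\n", keyFile);
-- if (certFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) {
-- LogMsg(0, RS_RET_CERT_MISSING, LOG_WARNING, "warning: certificate file is not set");
-- pThis->loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING;
-+
-+ if (certFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) {
-+ LogError(0, RS_RET_CERT_MISSING, "warning: certificate file is not set");
-+ loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING;
-}
-- if (keyFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) {
-- LogMsg(0, RS_RET_CERTKEY_MISSING, LOG_WARNING, "warning: key file is not set");
-- pThis->loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING;
-+ if (keyFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) {
-+ LogError(0, RS_RET_CERTKEY_MISSING, "warning: key file is not set");
-+ loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING;
-}
-/* set certificate in gnutls */
-@@ -757,10 +761,11 @@ static rsRetVal gtlsInitCred(nsd_gtls_t *const pThis) {
-/* sets the trusted cas file */
-cafile = (pThis->pszCAFile == NULL) ? glbl.GetDfltNetstrmDrvrCAF(runConf) : pThis->pszCAFile;
-- if (cafile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) {
-- LogMsg(0, RS_RET_CA_CERT_MISSING, LOG_WARNING, "Warning: CA certificate is not set");
-- pThis->loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING;
-- } else {
-+ if (cafile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) {
-+ LogError(0, RS_RET_CA_CERT_MISSING, "Warning: CA certificate is not set");
-+ loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING;
-+ }
-+ if (cafile != NULL) {
-dbgprintf("GTLS CA file: '%s'\n", cafile);
-gnuRet = gnutls_certificate_set_x509_trust_file(pThis->xcred, (char *)cafile, GNUTLS_X509_FMT_PEM);
-if (gnuRet == GNUTLS_E_FILE_ERROR) {
-@@ -1432,7 +1437,6 @@ static inline void gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock) {
-BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
-iRet = nsd_ptcp.Construct(&pThis->pTcp);
-pThis->bReportAuthErr = 1;
-- pThis->loggedWarnings = 0;
-ENDobjConstruct(nsd_gtls)
-diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
-index 685f65a49..f40ab3f13 100644
---- a/runtime/nsd_gtls.h
-+++ b/runtime/nsd_gtls.h
-@@ -83,7 +83,6 @@ struct nsd_gtls_s {
-gnutls_x509_privkey_t ourKey; /**< our private key, if in client mode (unused in server mode) */
-short bOurCertIsInit; /**< 1 if our certificate is initialized and must be deinit on destruction */
-short bOurKeyIsInit; /**< 1 if our private key is initialized and must be deinit on destruction */
-- unsigned short loggedWarnings; /**< bitfield of logged warnings */
-char *pszRcvBuf;
-int lenRcvBuf;
-/**< -1: empty, 0: connection closed, 1..NSD_GTLS_MAX_RCVBUF-1: data of that size present */
-diff --git a/tests/omfwd-gtls-missing-cert-key.sh b/tests/omfwd-gtls-missing-cert-key.sh
-new file mode 100755
-index 000000000..36cb2f3f5
---- /dev/null
-+++ b/tests/omfwd-gtls-missing-cert-key.sh
-@@ -0,0 +1,29 @@
-+#!/bin/bash
-+# Test for gnutls loggedWarnings functionality with omfwd
-+# This test verifies that warnings for missing cert/key files are logged only once
-+# even when the action retries multiple times (loggedWarnings mechanism)
-+. ${srcdir:=.}/diag.sh init
-+
-+export PORT_RCVR="$(get_free_port)"
-+export RS_REDIR=">${RSYSLOG_DYNNAME}.rsyslog.log 2>&1"
-+
-+generate_conf
-+add_conf '
-+global(defaultNetstreamDriverCAFile="'$srcdir/tls-certs/ca.pem'")
-+
-+action(type="omfwd" protocol="tcp" target="127.0.0.1" port="'$PORT_RCVR'"
-+ StreamDriver="gtls"
-+ StreamDriverMode="1"
-+ StreamDriverAuthMode="x509/name"
-+ action.resumeRetryCount="-1"
-+ action.resumeInterval="10")
-+'
-+startup
-+sleep 30
-+shutdown_immediate
-+wait_shutdown
-+
-+content_count_check "warning: certificate file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log
-+content_count_check "warning: key file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log
-+
-+exit_test
---
-2.51.0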


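--- a/imfile-inotify-fd-release-on-delete.patch
+++ b/imfile-inotify-fd-release-on-delete.patch
@@ -0,0 +1,172 @@
+From 600553721413e8981383b73138b8a086ad7dfba7 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Thu, 23 Apr 2026 10:35:22 +0200
+Subject: [PATCH] imfile: release deleted-file FDs after FILE_DELETE_DELAY in
+inotify mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+In inotify mode, when a monitored file is deleted and no further
+inotify events arrive, poll() blocks indefinitely and the deleted
+file's FD is never closed — the disk space is never reclaimed.
+Cap poll() timeout to FILE_DELETE_DELAY+1 s whenever deletions are
+pending, and run a tree walk on that timeout to clean up stale FDs.
+---
+plugins/imfile/imfile.c | 30 +++++++++++
+tests/Makefile.am | 1 +
+tests/imfile-inotify-fd-release-on-delete.sh | 56 ++++++++++++++++++++
+3 files changed, 87 insertions(+)
+create mode 100755 tests/imfile-inotify-fd-release-on-delete.sh
+diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
+index d9c754811e..a60813a2ab 100644
+--- a/plugins/imfile/imfile.c
++++ b/plugins/imfile/imfile.c
+@@ -106,6 +106,7 @@ DEF_IMOD_STATIC_DATA /* must be present, starts static data */
+const size_t outlen); /* see siphash.c */
+static int bLegacyCnfModGlobalsPermitted; /* are legacy module-global config parameters permitted? */
++static sbool havePendingDeletes = 0; /* set when files await deferred deletion after FILE_DELETE_DELAY */
+#define NUM_MULTISUB 1024 /* default max number of submits */
+#define DFLT_PollInterval 10
+@@ -970,6 +971,7 @@ static void detect_updates(fs_edge_t *const edge) {
+"detect_updates obj gone away, keep '%s' "
+"open: %" PRId64 "/%" PRId64 "/%" PRId64 "s!\n",
+act_name, (int64_t)act->time_to_delete, (int64_t)ttNow, (int64_t)ttNow - act->time_to_delete);
++ havePendingDeletes = 1;
+pollFile(act);
+}
+break;
+@@ -2649,6 +2651,7 @@ static rsRetVal do_inotify(void) {
+int currev;
+static int last_timeout = 0;
+time_t last_fallback = 0;
++ time_t last_delete_check = 0;
+struct pollfd pollfd;
+DEFiRet;
+@@ -2684,6 +2687,14 @@ static rsRetVal do_inotify(void) {
+poll_timeout = fallback_timeout;
+}
+}
++ /* Cap poll() so we wake up to clean up deleted-file FDs even
++ * when no inotify events arrive. */
++ if (havePendingDeletes) {
++ const int delete_timeout = (FILE_DELETE_DELAY + 1) * 1000;
++ if (poll_timeout == -1 || delete_timeout < poll_timeout) {
++ poll_timeout = delete_timeout;
++ }
++ }
+r = poll(&pollfd, 1, poll_timeout);
+if (r == -1 && errno == EINTR) {
+@@ -2703,6 +2714,14 @@ static rsRetVal do_inotify(void) {
+last_fallback = now;
+}
+}
++ /* poll() timed out — re-check deleted files whose
++ * FILE_DELETE_DELAY has now elapsed. */
++ if (havePendingDeletes) {
++ DBGPRINTF("pending deletes exist, running tree walk to re-check\n");
++ havePendingDeletes = 0;
++ fs_node_walk(runModConf->conf_tree, poll_tree);
++ last_delete_check = time(NULL);
++ }
+continue;
+} else if (r == -1) {
+LogError(errno, RS_RET_INTERNAL_ERROR, "%s:%d: unexpected error during poll timeout wait", __FILE__,
+@@ -2730,6 +2749,17 @@ static rsRetVal do_inotify(void) {
+last_fallback = now;
+}
+}
++ /* Under sustained event load poll() never times out, so
++ * also check here, rate-limited to once per FILE_DELETE_DELAY. */
++ if (havePendingDeletes) {
++ time_t now = time(NULL);
++ if (last_delete_check == 0 || last_delete_check + FILE_DELETE_DELAY + 1 <= now) {
++ DBGPRINTF("pending deletes exist (event path), running tree walk to re-check\n");
++ havePendingDeletes = 0;
++ fs_node_walk(runModConf->conf_tree, poll_tree);
++ last_delete_check = now;
++ }
++ }
+rd = read(ino_fd, iobuf, sizeof(iobuf));
+if (rd == -1 && errno == EINTR) {
+/* This might have been our termination signal! */
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 63fb091703..3302c614ef 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1681,6 +1681,7 @@ TESTS_IMFILE = \
+imfile-rename.sh \
+imfile-symlink.sh \
+imfile-symlink-multi.sh \
++ imfile-inotify-fd-release-on-delete.sh \
+imfile-symlink-ext-tmp-dir-tree.sh \
+imfile-logrotate.sh \
+imfile-logrotate-async.sh \
+diff --git a/tests/imfile-inotify-fd-release-on-delete.sh b/tests/imfile-inotify-fd-release-on-delete.sh
+new file mode 100755
+index 0000000000..d71905724f
+--- /dev/null
++++ b/tests/imfile-inotify-fd-release-on-delete.sh
+@@ -0,0 +1,56 @@
++#!/bin/bash
++# Test that imfile in inotify mode releases FDs of deleted files
++# after FILE_DELETE_DELAY without requiring any additional inotify
++# events. When no new events arrive after a file is deleted, poll()
++# blocks indefinitely and the FD is never closed, leaking disk space.
++# This is part of the rsyslog testbench, licensed under ASL 2.0
++. "${srcdir:=.}"/diag.sh init
++. "$srcdir"/diag.sh check-inotify-only
++
++export TESTMESSAGES=100
++export RETRIES=50
++
++generate_conf
++add_conf '
++global(workDirectory="'${RSYSLOG_DYNNAME}'.spool")
++module(load="../plugins/imfile/.libs/imfile" mode="inotify")
++input(type="imfile" tag="file:" file="./'$RSYSLOG_DYNNAME'.input")
++
++template(name="outfmt" type="string" string="%msg:F,58:2%\n")
++if $msg contains "msgnum:" then
++ action(type="omfile" file=`echo $RSYSLOG_OUT_LOG` template="outfmt")
++'
++
++./inputfilegen -m $TESTMESSAGES > "$RSYSLOG_DYNNAME".input
++startup
++wait_file_lines "$RSYSLOG_OUT_LOG" $TESTMESSAGES $RETRIES
++
++PID=$(cat "$RSYSLOG_PIDBASE".pid)
++if [ -z "$PID" ]; then
++ printf 'FAIL: could not read rsyslog PID\n'
++ error_exit 1
++fi
++check_fd_for_pid "$PID" exists ".input"
++
++rm "$RSYSLOG_DYNNAME".input
++
++# Wait for rsyslog to release the FD on its own — no new files, no
++# trigger events. FILE_DELETE_DELAY is 5 s, the fix caps poll() at
++# FILE_DELETE_DELAY+1 s, so 20 s is more than enough.
++max_wait=20
++i=0
++while ! check_fd_for_pid "$PID" absent ".input (deleted)"; do
++ if [ "$i" -ge "$max_wait" ]; then
++ printf 'FAIL: rsyslog did not release FD for deleted file after %d s\n' "$max_wait"
++ find /proc/"$PID"/fd/ -lname '*deleted*' -ls 2>/dev/null
++ error_exit 1
++ fi
++ ./msleep 1000
++ ((i++))
++done
++printf 'PASS: FD released after %d s\n' "$i"
++
++shutdown_when_empty
++wait_shutdown
++seq_check 0 $(( TESTMESSAGES - 1 ))
++exit_test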
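Review bot: The poll()-timeout branch of do_inotify in the backported imfile.c hunk (`if (havePendingDeletes) { ... fs_node_walk(...); last_delete_check = time(NULL); }`) runs a full tree walk on every timeout while a delete is pending, with no elapsed-time gate, whereas the event-path branch a few lines below rate-limits the same walk to once per FILE_DELETE_DELAY+1 s via `last_delete_check`. The cap only lowers poll_timeout, so when fallback_timeout is already shorter than FILE_DELETE_DELAY+1 s (its value is not visible in the hunk) the walk would repeat on each short timeout and detect_updates re-arms havePendingDeletes each time until the delay has actually elapsed. Applying the same gate makes the two paths consistent: `if (havePendingDeletes && (last_delete_check == 0 || last_delete_check + FILE_DELETE_DELAY + 1 <= time(NULL))) {`. havePendingDeletes is a plain static written in detect_updates and read in do_inotify, which is fine only if both run on the input thread; the hunk does not show that, so a one-line comment on its declaration stating the threading assumption would help. The body of do_inotify starts and ends outside the hunk.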


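--- a/ossl-free-cert.patch
+++ b/ossl-free-cert.patch
@@ -1,38 +0,0 @@
-From e21ea186a88d2750c97092c016811d1378cbe24c Mon Sep 17 00:00:00 2001
-From: Cropi <alakatos@redhat.com>
-Date: Thu, 9 Oct 2025 11:39:46 +0200
-Subject: [PATCH] ossl bugfix: ensure peer cert is freed in osslChkPeerAuth
-Ensure osslChkPeerAuth starts with a null peer-certificate pointer and
-frees any retrieved X509 certificate so OpenSSL allocations from
-SSL_get_peer_certificate do not leak after TLS handshakes.
----
-runtime/nsd_ossl.c | 5 ++++-
-1 file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
-index 30300156b..954277fef 100644
---- a/runtime/nsd_ossl.c
-+++ b/runtime/nsd_ossl.c
-@@ -353,7 +353,7 @@ finalize_it:
-*/
-rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) {
-DEFiRet;
-- X509 *certpeer;
-+ X509 *certpeer = NULL;
-ISOBJ_TYPE_assert(pThis, nsd_ossl);
-uchar *fromHostIP = NULL;
-@@ -388,6 +388,9 @@ rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) {
-break;
-}
-finalize_it:
-+ if (certpeer != NULL) {
-+ X509_free(certpeer);
-+ }
-if (fromHostIP != NULL) {
-free(fromHostIP);
-}
---
-2.51.0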


@ -5,8 +5,8 @@
Summary: Enhanced system logging and kernel message trapping daemon
Name: rsyslog
Version: 8.2510.0
Release: 2%{?dist}
Version: 8.2604.0
Release: 1%{?dist}
License: GPL-3.0-or-later AND Apache-2.0
URL: http://www.rsyslog.com/
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -19,8 +19,7 @@ Source4: rsyslog.service
Source5: https://archive.apache.org/dist/qpid/proton/%{qpid_proton_v}/qpid-proton-%{qpid_proton_v}.tar.gz
Source7: rsyslog-tmpfiles.conf
Patch0: ossl-free-cert.patch
Patch1: gtls-unused-certificates.patch
Patch0: imfile-inotify-fd-release-on-delete.patch
BuildRequires: make
BuildRequires: gcc
@ -43,18 +42,15 @@ BuildRequires: libcap-ng-devel
Conflicts: selinux-policy < 38.1.29-1
Recommends: %{name}-logrotate = %version-%release
Recommends: logrotate
Obsoletes: rsyslog-logrotate < 8.2604.0-1
Provides: rsyslog-logrotate = %{version}-%{release}
Requires: bash >= 2.0
%{?systemd_ordering}
Provides: syslog
Obsoletes: sysklogd < 1.5-11
%package logrotate
Summary: Log rotation for rsyslog
Requires: %name = %version-%release
Requires: logrotate >= 3.5.2
%package crypto
Summary: Encryption support
Requires: %name = %version-%release
@ -162,9 +158,6 @@ and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
%description logrotate
This subpackage contains the default logrotate configuration for rsyslog.
%description crypto
This package contains a module providing log file encryption and a
command line tool to process encrypted logs.
@ -250,7 +243,6 @@ container metadata.
# set up rsyslog sources
%setup -q -D
%patch -P 0 -p1
%patch -P 1 -p1
# Unpack qpid-proton for rhel
%setup -q -D -T -b 5
@ -340,7 +332,8 @@ autoreconf -if
--enable-snmp \
--enable-unlimited-select \
--enable-usertools \
--enable-omkafka
--enable-omkafka \
--disable-impstats-push
make V=1
@ -377,6 +370,8 @@ rm -f %{buildroot}%{_libdir}/rsyslog/*.la
# imdiag and liboverride is only used for testing
rm -f %{buildroot}%{_libdir}/rsyslog/imdiag.so
rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_gethostname.so
rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_getaddrinfo.so
rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_gethostname_nonfqdn.so
%post
for n in /var/log/{messages,secure,maillog,spooler}
@ -412,6 +407,7 @@ done
%{_tmpfilesdir}/rsyslog.conf
%config(noreplace) %{_sysconfdir}/rsyslog.conf
%config(noreplace) %{_sysconfdir}/sysconfig/rsyslog
%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog
# plugins
%{_libdir}/rsyslog/fmhash.so
%{_libdir}/rsyslog/fmhttp.so
@ -448,9 +444,6 @@ done
%{_libdir}/rsyslog/pmlastmsg.so
%{_libdir}/rsyslog/pmsnare.so
%files logrotate
%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog
%files crypto
%{_bindir}/rscryutil
%{_mandir}/man1/rscryutil.1.gz
@ -521,6 +514,20 @@ done
%changelog
* Wed Apr 29 2026 Attila Lakatos <alakatos@redhat.com> - 8.2604.0-1
- Rebase to 8.2604.0
Resolves: RHEL-140914
- Drop ossl-free-cert.patch (upstream)
- Drop gtls-unused-certificates.patch (upstream)
- Add SAN:IP validation support
Resolves: RHEL-169794
- Fix omelasticsearch IPv6 handling
Resolves: RHEL-169492
- Fix imfile not releasing deleted file FDs in inotify mode
Resolves: RHEL-171897
- Move logrotate configuration back to the main package
Resolves: RHEL-173192
* Fri Oct 31 2025 Attila Lakatos <alakatos@redhat.com> - 8.2510.0-2
- Rebase to 8.2510.0
- gnutls netstream driver: improve doc
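Review bot: `%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog` now ships in the main package, but the `Requires: logrotate >= 3.5.2` that the removed logrotate subpackage carried is represented only by the existing `Recommends: logrotate`, so an install with weak dependencies disabled or excluded gets the rotation config without logrotate and /var/log/messages and friends are never rotated. If the downgrade to a weak dependency is deliberate, record it next to that line, e.g. `# logrotate is intentionally only Recommended; the logrotate.d snippet is inert without it`; otherwise add `Requires: logrotate >= 3.5.2` to the main package alongside the new Obsoletes/Provides pair. The changelog line `- Add SAN:IP validation support` has no matching patch in the spec or line in the commit message, so it presumably comes with the upstream rebase; saying so in the entry would save the next reader a search.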


@ -1,2 +1,2 @@
SHA512 (rsyslog-8.2510.0.tar.gz) = d2e693fd8c7112e4ccc36ea6fbb19909df885e7cb2778e95c04b7c5e9db8240224decfee52308a46865b7deffcf1e31ade0104c90d84b768a4dece15e5ea190e
SHA512 (rsyslog-8.2604.0.tar.gz) = 99743293858f36f728370a1d52a9484ad4bc9dea04b79b893bff7fddccf7c558ce425e117881975ab03e199a7f49c451df7a7937a93993943047a0515c3423b9
SHA512 (qpid-proton-0.40.0.tar.gz) = 3e7fe56ca1423f45f71d81f5e1d6ec5f21c073cc580628e12a8dbd545a86805b7312834e0d1234dde43797633d575ed639f21a96239b217500cc0a824482aae3