diff --git a/gtls-unused-certificates.patch b/gtls-unused-certificates.patch deleted file mode 100644 index e5f0813..0000000 --- a/gtls-unused-certificates.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From e3f131d561a1df7dd07631345662ab678614bba7 Mon Sep 17 00:00:00 2001 -From: Cropi -Date: Mon, 3 Nov 2025 14:13:19 +0100 -Subject: [PATCH 2/2] nsd_gtls: fix repeated warnings on connection retry + - test - -Move the `loggedWarnings` bitfield from per-instance to module-level -static storage in `runtime/nsd_gtls.c` so that missing cert/key/CA -warnings are emitted only once per rsyslogd process, not on every -connection retry. Otherwise, a broken connection can spam dosens of -logs. ---- - runtime/nsd_gtls.c | 26 ++++++++++++++----------- - runtime/nsd_gtls.h | 1 - - tests/omfwd-gtls-missing-cert-key.sh | 29 ++++++++++++++++++++++++++++ - 3 files changed, 44 insertions(+), 12 deletions(-) - create mode 100755 tests/omfwd-gtls-missing-cert-key.sh - -diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c -index 7721c1bd1..9a7939fba 100644 ---- a/runtime/nsd_gtls.c -+++ b/runtime/nsd_gtls.c -@@ -77,6 +77,9 @@ static pthread_mutex_t mutGtlsStrerror; - - static gnutls_dh_params_t dh_params; /**< server DH parameters for anon mode */ - -+/* Module-level bitfield for warnings that have been logged (shared across all instances) */ -+static unsigned loggedWarnings = 0; -+ - /* bitfield for warnings that have been logged */ - enum { - GTLS_LOGGED_WARN_CERT_MISSING = 1 << 0, -@@ -674,13 +677,14 @@ static rsRetVal gtlsAddOurCert(nsd_gtls_t *const pThis) { - keyFile = (pThis->pszKeyFile == NULL) ? 
glbl.GetDfltNetstrmDrvrKeyFile(runConf) : pThis->pszKeyFile; - dbgprintf("GTLS certificate file: '%s'\n", certFile); - dbgprintf("GTLS key file: '%s'\n", keyFile); -- if (certFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) { -- LogMsg(0, RS_RET_CERT_MISSING, LOG_WARNING, "warning: certificate file is not set"); -- pThis->loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING; -+ -+ if (certFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) { -+ LogError(0, RS_RET_CERT_MISSING, "warning: certificate file is not set"); -+ loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING; - } -- if (keyFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) { -- LogMsg(0, RS_RET_CERTKEY_MISSING, LOG_WARNING, "warning: key file is not set"); -- pThis->loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING; -+ if (keyFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) { -+ LogError(0, RS_RET_CERTKEY_MISSING, "warning: key file is not set"); -+ loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING; - } - - /* set certificate in gnutls */ -@@ -757,10 +761,11 @@ static rsRetVal gtlsInitCred(nsd_gtls_t *const pThis) { - - /* sets the trusted cas file */ - cafile = (pThis->pszCAFile == NULL) ? 
glbl.GetDfltNetstrmDrvrCAF(runConf) : pThis->pszCAFile; -- if (cafile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) { -- LogMsg(0, RS_RET_CA_CERT_MISSING, LOG_WARNING, "Warning: CA certificate is not set"); -- pThis->loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING; -- } else { -+ if (cafile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) { -+ LogError(0, RS_RET_CA_CERT_MISSING, "Warning: CA certificate is not set"); -+ loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING; -+ } -+ if (cafile != NULL) { - dbgprintf("GTLS CA file: '%s'\n", cafile); - gnuRet = gnutls_certificate_set_x509_trust_file(pThis->xcred, (char *)cafile, GNUTLS_X509_FMT_PEM); - if (gnuRet == GNUTLS_E_FILE_ERROR) { -@@ -1432,7 +1437,6 @@ static inline void gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock) { - BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */ - iRet = nsd_ptcp.Construct(&pThis->pTcp); - pThis->bReportAuthErr = 1; -- pThis->loggedWarnings = 0; - ENDobjConstruct(nsd_gtls) - - -diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h -index 685f65a49..f40ab3f13 100644 ---- a/runtime/nsd_gtls.h -+++ b/runtime/nsd_gtls.h -@@ -83,7 +83,6 @@ struct nsd_gtls_s { - gnutls_x509_privkey_t ourKey; /**< our private key, if in client mode (unused in server mode) */ - short bOurCertIsInit; /**< 1 if our certificate is initialized and must be deinit on destruction */ - short bOurKeyIsInit; /**< 1 if our private key is initialized and must be deinit on destruction */ -- unsigned short loggedWarnings; /**< bitfield of logged warnings */ - char *pszRcvBuf; - int lenRcvBuf; - /**< -1: empty, 0: connection closed, 1..NSD_GTLS_MAX_RCVBUF-1: data of that size present */ -diff --git a/tests/omfwd-gtls-missing-cert-key.sh b/tests/omfwd-gtls-missing-cert-key.sh -new file mode 100755 -index 000000000..36cb2f3f5 ---- /dev/null -+++ b/tests/omfwd-gtls-missing-cert-key.sh -@@ -0,0 +1,29 @@ -+#!/bin/bash -+# Test for gnutls loggedWarnings functionality 
with omfwd -+# This test verifies that warnings for missing cert/key files are logged only once -+# even when the action retries multiple times (loggedWarnings mechanism) -+. ${srcdir:=.}/diag.sh init -+ -+export PORT_RCVR="$(get_free_port)" -+export RS_REDIR=">${RSYSLOG_DYNNAME}.rsyslog.log 2>&1" -+ -+generate_conf -+add_conf ' -+global(defaultNetstreamDriverCAFile="'$srcdir/tls-certs/ca.pem'") -+ -+action(type="omfwd" protocol="tcp" target="127.0.0.1" port="'$PORT_RCVR'" -+ StreamDriver="gtls" -+ StreamDriverMode="1" -+ StreamDriverAuthMode="x509/name" -+ action.resumeRetryCount="-1" -+ action.resumeInterval="10") -+' -+startup -+sleep 30 -+shutdown_immediate -+wait_shutdown -+ -+content_count_check "warning: certificate file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log -+content_count_check "warning: key file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log -+ -+exit_test --- -2.51.0 - diff --git a/imfile-inotify-fd-release-on-delete.patch b/imfile-inotify-fd-release-on-delete.patch new file mode 100644 index 0000000..52e7009 --- /dev/null +++ b/imfile-inotify-fd-release-on-delete.patch 
@@ -0,0 +1,172 @@ +From 600553721413e8981383b73138b8a086ad7dfba7 Mon Sep 17 00:00:00 2001 +From: Cropi +Date: Thu, 23 Apr 2026 10:35:22 +0200 +Subject: [PATCH] imfile: release deleted-file FDs after FILE_DELETE_DELAY in + inotify mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In inotify mode, when a monitored file is deleted and no further +inotify events arrive, poll() blocks indefinitely and the deleted +file's FD is never closed — the disk space is never reclaimed. + +Cap poll() timeout to FILE_DELETE_DELAY+1 s whenever deletions are +pending, and run a tree walk on that timeout to clean up stale FDs. +--- + plugins/imfile/imfile.c | 30 +++++++++++ + tests/Makefile.am | 1 + + tests/imfile-inotify-fd-release-on-delete.sh | 56 ++++++++++++++++++++ + 3 files changed, 87 insertions(+) + create mode 100755 tests/imfile-inotify-fd-release-on-delete.sh + +diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c +index d9c754811e..a60813a2ab 100644 +--- a/plugins/imfile/imfile.c ++++ b/plugins/imfile/imfile.c +@@ -106,6 +106,7 @@ DEF_IMOD_STATIC_DATA /* must be present, starts static data */ + const size_t outlen); /* see siphash.c */ + + static int bLegacyCnfModGlobalsPermitted; /* are legacy module-global config parameters permitted? 
*/ ++static sbool havePendingDeletes = 0; /* set when files await deferred deletion after FILE_DELETE_DELAY */ + + #define NUM_MULTISUB 1024 /* default max number of submits */ + #define DFLT_PollInterval 10 +@@ -970,6 +971,7 @@ static void detect_updates(fs_edge_t *const edge) { + "detect_updates obj gone away, keep '%s' " + "open: %" PRId64 "/%" PRId64 "/%" PRId64 "s!\n", + act_name, (int64_t)act->time_to_delete, (int64_t)ttNow, (int64_t)ttNow - act->time_to_delete); ++ havePendingDeletes = 1; + pollFile(act); + } + break; +@@ -2649,6 +2651,7 @@ static rsRetVal do_inotify(void) { + int currev; + static int last_timeout = 0; + time_t last_fallback = 0; ++ time_t last_delete_check = 0; + struct pollfd pollfd; + DEFiRet; + +@@ -2684,6 +2687,14 @@ static rsRetVal do_inotify(void) { + poll_timeout = fallback_timeout; + } + } ++ /* Cap poll() so we wake up to clean up deleted-file FDs even ++ * when no inotify events arrive. */ ++ if (havePendingDeletes) { ++ const int delete_timeout = (FILE_DELETE_DELAY + 1) * 1000; ++ if (poll_timeout == -1 || delete_timeout < poll_timeout) { ++ poll_timeout = delete_timeout; ++ } ++ } + r = poll(&pollfd, 1, poll_timeout); + + if (r == -1 && errno == EINTR) { +@@ -2703,6 +2714,14 @@ static rsRetVal do_inotify(void) { + last_fallback = now; + } + } ++ /* poll() timed out — re-check deleted files whose ++ * FILE_DELETE_DELAY has now elapsed. */ ++ if (havePendingDeletes) { ++ DBGPRINTF("pending deletes exist, running tree walk to re-check\n"); ++ havePendingDeletes = 0; ++ fs_node_walk(runModConf->conf_tree, poll_tree); ++ last_delete_check = time(NULL); ++ } + continue; + } else if (r == -1) { + LogError(errno, RS_RET_INTERNAL_ERROR, "%s:%d: unexpected error during poll timeout wait", __FILE__, +@@ -2730,6 +2749,17 @@ static rsRetVal do_inotify(void) { + last_fallback = now; + } + } ++ /* Under sustained event load poll() never times out, so ++ * also check here, rate-limited to once per FILE_DELETE_DELAY. 
*/ ++ if (havePendingDeletes) { ++ time_t now = time(NULL); ++ if (last_delete_check == 0 || last_delete_check + FILE_DELETE_DELAY + 1 <= now) { ++ DBGPRINTF("pending deletes exist (event path), running tree walk to re-check\n"); ++ havePendingDeletes = 0; ++ fs_node_walk(runModConf->conf_tree, poll_tree); ++ last_delete_check = now; ++ } ++ } + rd = read(ino_fd, iobuf, sizeof(iobuf)); + if (rd == -1 && errno == EINTR) { + /* This might have been our termination signal! */ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 63fb091703..3302c614ef 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -1681,6 +1681,7 @@ TESTS_IMFILE = \ + imfile-rename.sh \ + imfile-symlink.sh \ + imfile-symlink-multi.sh \ ++ imfile-inotify-fd-release-on-delete.sh \ + imfile-symlink-ext-tmp-dir-tree.sh \ + imfile-logrotate.sh \ + imfile-logrotate-async.sh \ +diff --git a/tests/imfile-inotify-fd-release-on-delete.sh b/tests/imfile-inotify-fd-release-on-delete.sh +new file mode 100755 +index 0000000000..d71905724f +--- /dev/null ++++ b/tests/imfile-inotify-fd-release-on-delete.sh +@@ -0,0 +1,56 @@ ++#!/bin/bash ++# Test that imfile in inotify mode releases FDs of deleted files ++# after FILE_DELETE_DELAY without requiring any additional inotify ++# events. When no new events arrive after a file is deleted, poll() ++# blocks indefinitely and the FD is never closed, leaking disk space. ++# This is part of the rsyslog testbench, licensed under ASL 2.0 ++. "${srcdir:=.}"/diag.sh init ++. 
"$srcdir"/diag.sh check-inotify-only ++ ++export TESTMESSAGES=100 ++export RETRIES=50 ++ ++generate_conf ++add_conf ' ++global(workDirectory="'${RSYSLOG_DYNNAME}'.spool") ++module(load="../plugins/imfile/.libs/imfile" mode="inotify") ++input(type="imfile" tag="file:" file="./'$RSYSLOG_DYNNAME'.input") ++ ++template(name="outfmt" type="string" string="%msg:F,58:2%\n") ++if $msg contains "msgnum:" then ++ action(type="omfile" file=`echo $RSYSLOG_OUT_LOG` template="outfmt") ++' ++ ++./inputfilegen -m $TESTMESSAGES > "$RSYSLOG_DYNNAME".input ++startup ++wait_file_lines "$RSYSLOG_OUT_LOG" $TESTMESSAGES $RETRIES ++ ++PID=$(cat "$RSYSLOG_PIDBASE".pid) ++if [ -z "$PID" ]; then ++ printf 'FAIL: could not read rsyslog PID\n' ++ error_exit 1 ++fi ++check_fd_for_pid "$PID" exists ".input" ++ ++rm "$RSYSLOG_DYNNAME".input ++ ++# Wait for rsyslog to release the FD on its own — no new files, no ++# trigger events. FILE_DELETE_DELAY is 5 s, the fix caps poll() at ++# FILE_DELETE_DELAY+1 s, so 20 s is more than enough. ++max_wait=20 ++i=0 ++while ! check_fd_for_pid "$PID" absent ".input (deleted)"; do ++ if [ "$i" -ge "$max_wait" ]; then ++ printf 'FAIL: rsyslog did not release FD for deleted file after %d s\n' "$max_wait" ++ find /proc/"$PID"/fd/ -lname '*deleted*' -ls 2>/dev/null ++ error_exit 1 ++ fi ++ ./msleep 1000 ++ ((i++)) ++done ++printf 'PASS: FD released after %d s\n' "$i" ++ ++shutdown_when_empty ++wait_shutdown ++seq_check 0 $(( TESTMESSAGES - 1 )) ++exit_test diff --git a/ossl-free-cert.patch b/ossl-free-cert.patch deleted file mode 100644 index 2b569e0..0000000 --- a/ossl-free-cert.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From e21ea186a88d2750c97092c016811d1378cbe24c Mon Sep 17 00:00:00 2001 -From: Cropi -Date: Thu, 9 Oct 2025 11:39:46 +0200 -Subject: [PATCH] ossl bugfix: ensure peer cert is freed in osslChkPeerAuth - -Ensure osslChkPeerAuth starts with a null peer-certificate pointer and -frees any retrieved X509 certificate so OpenSSL allocations from -SSL_get_peer_certificate do not leak after TLS handshakes. ---- - runtime/nsd_ossl.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c -index 30300156b..954277fef 100644 ---- a/runtime/nsd_ossl.c -+++ b/runtime/nsd_ossl.c -@@ -353,7 +353,7 @@ finalize_it: - */ - rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) { - DEFiRet; -- X509 *certpeer; -+ X509 *certpeer = NULL; - - ISOBJ_TYPE_assert(pThis, nsd_ossl); - uchar *fromHostIP = NULL; -@@ -388,6 +388,9 @@ rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) { - break; - } - finalize_it: -+ if (certpeer != NULL) { -+ X509_free(certpeer); -+ } - if (fromHostIP != NULL) { - free(fromHostIP); - } --- -2.51.0 - diff --git a/rsyslog.spec b/rsyslog.spec index c864206..dd53cbc 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -5,8 +5,8 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog -Version: 8.2510.0 -Release: 2%{?dist} +Version: 8.2604.0 +Release: 1%{?dist} License: GPL-3.0-or-later AND Apache-2.0 URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz @@ -19,8 +19,7 @@ Source4: rsyslog.service Source5: https://archive.apache.org/dist/qpid/proton/%{qpid_proton_v}/qpid-proton-%{qpid_proton_v}.tar.gz Source7: rsyslog-tmpfiles.conf -Patch0: ossl-free-cert.patch -Patch1: gtls-unused-certificates.patch +Patch0: imfile-inotify-fd-release-on-delete.patch BuildRequires: make BuildRequires: gcc 
@@ -43,18 +42,15 @@ BuildRequires: libcap-ng-devel Conflicts: selinux-policy < 38.1.29-1 -Recommends: %{name}-logrotate = %version-%release +Recommends: logrotate +Obsoletes: rsyslog-logrotate < 8.2604.0-1 +Provides: rsyslog-logrotate = %{version}-%{release} Requires: bash >= 2.0 %{?systemd_ordering} Provides: syslog Obsoletes: sysklogd < 1.5-11 -%package logrotate -Summary: Log rotation for rsyslog -Requires: %name = %version-%release -Requires: logrotate >= 3.5.2 - %package crypto Summary: Encryption support Requires: %name = %version-%release @@ -162,9 +158,6 @@ and can be used as a drop-in replacement. Rsyslog is simple to set up, with advanced features suitable for enterprise-class, encryption-protected syslog relay chains. -%description logrotate -This subpackage contains the default logrotate configuration for rsyslog. - %description crypto This package contains a module providing log file encryption and a command line tool to process encrypted logs. @@ -250,7 +243,6 @@ container metadata. # set up rsyslog sources %setup -q -D %patch -P 0 -p1 -%patch -P 1 -p1 # Unpack qpid-proton for rhel %setup -q -D -T -b 5 @@ -340,7 +332,8 @@ autoreconf -if --enable-snmp \ --enable-unlimited-select \ --enable-usertools \ - --enable-omkafka + --enable-omkafka \ + --disable-impstats-push make V=1 @@ -377,6 +370,8 @@ rm -f %{buildroot}%{_libdir}/rsyslog/*.la # imdiag and liboverride is only used for testing rm -f %{buildroot}%{_libdir}/rsyslog/imdiag.so rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_gethostname.so +rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_getaddrinfo.so +rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_gethostname_nonfqdn.so %post for n in /var/log/{messages,secure,maillog,spooler} 
@@ -412,6 +407,7 @@ done %{_tmpfilesdir}/rsyslog.conf %config(noreplace) %{_sysconfdir}/rsyslog.conf %config(noreplace) %{_sysconfdir}/sysconfig/rsyslog +%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog # plugins %{_libdir}/rsyslog/fmhash.so %{_libdir}/rsyslog/fmhttp.so @@ -448,9 +444,6 @@ done %{_libdir}/rsyslog/pmlastmsg.so %{_libdir}/rsyslog/pmsnare.so -%files logrotate -%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog - %files crypto %{_bindir}/rscryutil %{_mandir}/man1/rscryutil.1.gz @@ -521,6 +514,20 @@ done %changelog +* Wed Apr 29 2026 Attila Lakatos - 8.2604.0-1 +- Rebase to 8.2604.0 + Resolves: RHEL-140914 +- Drop ossl-free-cert.patch (upstream) +- Drop gtls-unused-certificates.patch (upstream) +- Add SAN:IP validation support + Resolves: RHEL-169794 +- Fix omelasticsearch IPv6 handling + Resolves: RHEL-169492 +- Fix imfile not releasing deleted file FDs in inotify mode + Resolves: RHEL-171897 +- Move logrotate configuration back to the main package + Resolves: RHEL-173192 + * Fri Oct 31 2025 Attila Lakatos - 8.2510.0-2 - Rebase to 8.2510.0 - gnutls netstream driver: improve doc diff --git a/sources b/sources index 1294997..4e1834b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (rsyslog-8.2510.0.tar.gz) = d2e693fd8c7112e4ccc36ea6fbb19909df885e7cb2778e95c04b7c5e9db8240224decfee52308a46865b7deffcf1e31ade0104c90d84b768a4dece15e5ea190e +SHA512 (rsyslog-8.2604.0.tar.gz) = 99743293858f36f728370a1d52a9484ad4bc9dea04b79b893bff7fddccf7c558ce425e117881975ab03e199a7f49c451df7a7937a93993943047a0515c3423b9 SHA512 (qpid-proton-0.40.0.tar.gz) = 3e7fe56ca1423f45f71d81f5e1d6ec5f21c073cc580628e12a8dbd545a86805b7312834e0d1234dde43797633d575ed639f21a96239b217500cc0a824482aae3
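Review bot: Folding the logrotate subpackage into the main package drops the minimum version that `rsyslog-logrotate` carried (`Requires: logrotate >= 3.5.2`) and replaces it with an unversioned `Recommends: logrotate` in the hunk that edits the `Recommends`/`Obsoletes` block. If that floor still matters it should be kept, `Recommends: logrotate >= 3.5.2`; if it was dropped on purpose because every supported target ships a newer logrotate, a one-line comment above the `Obsoletes:` saying so would keep it from being re-added later. The move from `Requires` to `Recommends` also means `%{_sysconfdir}/logrotate.d/rsyslog` can now be installed without logrotate present, which is presumably the intended trade-off and worth stating in the changelog entry.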