[Bug 2073628] Re: imjournal module works with rsyslog package of ubuntu 22.04 but not with ubuntu 24.04
Andreas Hasenack
2073628 at bugs.launchpad.net
Fri Jan 31 20:25:37 UTC 2025
** Description changed:
[ Impact ]
- * An explanation of the effects of the bug on users and justification
- for backporting the fix to the stable release.
+ rsyslog has an apparmor profile that we have been fine tuning as ubuntu
+ releases go by. Every now and then, a new rule needs to be added.
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ In this particular case, the usage of the imjournal[1] module is being
+ blocked by apparmor. Specifically, these accesses are being denied:
+
+ apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/log/journal/" pid=3351 comm="in:imjournal" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
+ apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/etc/machine-id" pid=3351 comm="in:imjournal" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
+
+ This prevents the imjournal module from being used.
+
+
+ 1. https://www.rsyslog.com/doc/configuration/modules/imjournal.html
[ Test Plan ]
- * detailed instructions how to reproduce the bug
+ - Deploy the ubuntu release under verification in a VM
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package
- fixes the problem.
+ - enable the imjournal module by creating a config file for it (the
+ whole command in one line):
- * if other testing is appropriate to perform before landing this
- update, this should also be described here.
+ echo 'module(load="imjournal" fileCreateMode="0666"
+ PersistStateInterval="999"
+ StateFile="/var/spool/rsyslog/journal_state")' | sudo tee
+ /etc/rsyslog.d/10-imjournal.conf
+
+ - in another terminal, run this dmesg command:
+
+ sudo dmesg -wT | grep apparmor | grep rsyslog
+
+ - in yet another terminal, tail the logs:
+
+ tail -f /var/log/syslog | grep rsyslogd
+
+ - restart rsyslog:
+
+ sudo systemctl restart rsyslog
+
+ - with the affected version of rsyslog installed, you will see the
+ apparmor DENIED messages in the dmesg terminal, and error messages about
+ "imjournal" in the syslog logs
+
+ - with the package from proposed, there should be no apparmor DENIED
+ messages, and no imjournal errors
+
[ Where problems could occur ]
- * Think about what the upload changes in the software. Imagine the
- change is wrong or breaks something else: how would this show up?
+ The extra apparmor rules we are adding allow reading of the systemd
+ journal, and the /etc/machine-id file. There are no extra rules allowing
+ writing, but we are allowing rsyslog to have access to more logs. But
+ that is its purpose, after all.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the event
- of a regression.
+ Specifically about the imjournal module, without this change, it is not
+ working already.
- * This must never be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
-
- * Anything else you think is useful to include
-
- * Make sure to explain any deviation from the norm, to save the SRU
- reviewer from having to infer your reasoning, possibly incorrectly.
- This should also help reduce review iterations, particularly when the
- reason for the deviation is not obvious.
-
- * Anticipate questions from users, SRU, +1 maintenance, security teams
- and the Technical Board and address these questions in advance
+ Other apparmor rules are being added to rsyslog via this upload, closing other bugs:
+ - LP: #2056768 for noble only
+ - LP: #2061726 for noble, oracular, and plucky
[ Original Description ]
imjournal module fails to create /var/spool/rsyslog/journal-state file
in ubuntu 24.04, rsyslog version(8.2312.0) x86 and s390x both, but works
well in ubuntu 22.04 , rsyslog version(8.2112.0) x86 and s390x
*******
Ubuntu 24.04 s390x
lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
# apt-cache policy rsyslog
rsyslog:
Installed: 8.2312.0-3ubuntu9
Candidate: 8.2312.0-3ubuntu9
Version table:
*** 8.2312.0-3ubuntu9 500
500 http://ports.ubuntu.com/ubuntu-ports noble/main s390x Packages
100 /var/lib/dpkg/status
Have below line in /etc/rsyslog.conf
module(load="imjournal" fileCreateMode="0666" PersistStateInterval="999"
StateFile="/var/spool/rsyslog/journal_state")
ul 19 18:39:35 latest-logs systemd[1]: Starting rsyslog.service - System Logging Service...
Jul 19 18:39:35 latest-logs rsyslogd[8647]: rsyslogd's groupid changed to 102
Jul 19 18:39:35 latest-logs rsyslogd[8647]: rsyslogd's userid changed to 102
Jul 19 18:39:35 latest-logs systemd[1]: Started rsyslog.service - System Logging Service.
Jul 19 18:39:35 latest-logs rsyslogd[8647]: [origin software="rsyslogd" swVersion="8.2312.0" x-pid="8647" x-info="https://www.rsyslog.com"] start
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory >
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: Journal indicates no msgs when positioned at head. [v8.2312.0 try https://www.rsyslog.com/e/0 ]
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: journal files changed, reloading... [v8.2312.0 try https://www.rsyslog.com/e/0 ]
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory >
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: Journal indicates no msgs when positioned at head. [v8.2312.0 try https://www.rsyslog.com/e/0 ]
lines 1-25/25 (END)
FIle /var/spool/rsyslog/journal_state should have created and logs
should have redirected to rsyslog server
******
In Ubuntu 22.04 all is working as expected
# lsb_release -rd
Description: Ubuntu 22.04.4 LTS
Release: 22.04
#apt-cache policy rsyslog
rsyslog:
Installed: 8.2112.0-2ubuntu2.2
Candidate: 8.2112.0-2ubuntu2.2
Version table:
*** 8.2112.0-2ubuntu2.2 100
100 /var/lib/dpkg/status
Use the same line as above in /etc/rsyslog.conf
restart service. it did gave error about fileCreateMode which got
ignored and proceeded to create the journal-state file and continued
without any error
Jul 19 18:44:37 systemd[1]: Starting System Logging Service...
Jul 19 18:44:37 rsyslogd[13664]: error during parsing file /etc/rsyslog.conf, on or before line 16: parameter 'fileCreateMode' not known -- typo in co>
Jul 19 18:44:37 systemd[1]: Started System Logging Service.
Jul 19 18:44:37 rsyslogd[13664]: rsyslogd's groupid changed to 111
Jul 19 18:44:37 rsyslogd[13664]: rsyslogd's userid changed to 104
Jul 19 18:44:37 rsyslogd[13664]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="13664" x-info="https://www.rsyslog.com"] start
Jul 19 18:44:37 rsyslogd[13664]: imjournal: journal files changed, reloading... [v8.2112.0 try https://www.rsyslog.com/e/0 ]
/var/spool/rsyslog# ls
journal_state
*****
please help with this issue
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2073628
Title:
imjournal module works with rsyslog package of ubuntu 22.04 but not
with ubuntu 24.04
Status in rsyslog package in Ubuntu:
Confirmed
Status in rsyslog source package in Noble:
Confirmed
Status in rsyslog source package in Oracular:
Confirmed
Status in rsyslog source package in Plucky:
Confirmed
Bug description:
[ Impact ]
rsyslog has an apparmor profile that we have been fine tuning as
ubuntu releases go by. Every now and then, a new rule needs to be
added.
In this particular case, the usage of the imjournal[1] module is being
blocked by apparmor. Specifically, these accesses are being denied:
apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/log/journal/" pid=3351 comm="in:imjournal" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/etc/machine-id" pid=3351 comm="in:imjournal" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
This prevents the imjournal module from being used.
1. https://www.rsyslog.com/doc/configuration/modules/imjournal.html
[ Test Plan ]
- Deploy the ubuntu release under verification in a VM
- enable the imjournal module by creating a config file for it (the
whole command in one line):
echo 'module(load="imjournal" fileCreateMode="0666"
PersistStateInterval="999"
StateFile="/var/spool/rsyslog/journal_state")' | sudo tee
/etc/rsyslog.d/10-imjournal.conf
- in another terminal, run this dmesg command:
sudo dmesg -wT | grep apparmor | grep rsyslog
- in yet another terminal, tail the logs:
tail -f /var/log/syslog | grep rsyslogd
- restart rsyslog:
sudo systemctl restart rsyslog
- with the affected version of rsyslog installed, you will see the
apparmor DENIED messages in the dmesg terminal, and error messages
about "imjournal" in the syslog logs
- with the package from proposed, there should be no apparmor DENIED
messages, and no imjournal errors
[ Where problems could occur ]
The extra apparmor rules we are adding allow reading of the systemd
journal, and the /etc/machine-id file. There are no extra rules
allowing writing, but we are allowing rsyslog to have access to more
logs. But that is its purpose, after all.
Specifically about the imjournal module, without this change, it is
not working already.
[ Other Info ]
Other apparmor rules are being added to rsyslog via this upload, closing other bugs:
- LP: #2056768 for noble only
- LP: #2061726 for noble, oracular, and plucky
[ Original Description ]
imjournal module fails to create /var/spool/rsyslog/journal-state file
in ubuntu 24.04, rsyslog version(8.2312.0) x86 and s390x both, but
works well in ubuntu 22.04 , rsyslog version(8.2112.0) x86 and s390x
*******
Ubuntu 24.04 s390x
lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
# apt-cache policy rsyslog
rsyslog:
Installed: 8.2312.0-3ubuntu9
Candidate: 8.2312.0-3ubuntu9
Version table:
*** 8.2312.0-3ubuntu9 500
500 http://ports.ubuntu.com/ubuntu-ports noble/main s390x Packages
100 /var/lib/dpkg/status
Have below line in /etc/rsyslog.conf
module(load="imjournal" fileCreateMode="0666"
PersistStateInterval="999"
StateFile="/var/spool/rsyslog/journal_state")
ul 19 18:39:35 latest-logs systemd[1]: Starting rsyslog.service - System Logging Service...
Jul 19 18:39:35 latest-logs rsyslogd[8647]: rsyslogd's groupid changed to 102
Jul 19 18:39:35 latest-logs rsyslogd[8647]: rsyslogd's userid changed to 102
Jul 19 18:39:35 latest-logs systemd[1]: Started rsyslog.service - System Logging Service.
Jul 19 18:39:35 latest-logs rsyslogd[8647]: [origin software="rsyslogd" swVersion="8.2312.0" x-pid="8647" x-info="https://www.rsyslog.com"] start
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory >
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: Journal indicates no msgs when positioned at head. [v8.2312.0 try https://www.rsyslog.com/e/0 ]
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: journal files changed, reloading... [v8.2312.0 try https://www.rsyslog.com/e/0 ]
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory >
Jul 19 18:39:35 latest-logs rsyslogd[8647]: imjournal: Journal indicates no msgs when positioned at head. [v8.2312.0 try https://www.rsyslog.com/e/0 ]
lines 1-25/25 (END)
FIle /var/spool/rsyslog/journal_state should have created and logs
should have redirected to rsyslog server
******
In Ubuntu 22.04 all is working as expected
# lsb_release -rd
Description: Ubuntu 22.04.4 LTS
Release: 22.04
#apt-cache policy rsyslog
rsyslog:
Installed: 8.2112.0-2ubuntu2.2
Candidate: 8.2112.0-2ubuntu2.2
Version table:
*** 8.2112.0-2ubuntu2.2 100
100 /var/lib/dpkg/status
Use the same line as above in /etc/rsyslog.conf
restart service. it did gave error about fileCreateMode which got
ignored and proceeded to create the journal-state file and continued
without any error
Jul 19 18:44:37 systemd[1]: Starting System Logging Service...
Jul 19 18:44:37 rsyslogd[13664]: error during parsing file /etc/rsyslog.conf, on or before line 16: parameter 'fileCreateMode' not known -- typo in co>
Jul 19 18:44:37 systemd[1]: Started System Logging Service.
Jul 19 18:44:37 rsyslogd[13664]: rsyslogd's groupid changed to 111
Jul 19 18:44:37 rsyslogd[13664]: rsyslogd's userid changed to 104
Jul 19 18:44:37 rsyslogd[13664]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="13664" x-info="https://www.rsyslog.com"] start
Jul 19 18:44:37 rsyslogd[13664]: imjournal: journal files changed, reloading... [v8.2112.0 try https://www.rsyslog.com/e/0 ]
/var/spool/rsyslog# ls
journal_state
*****
please help with this issue
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2073628/+subscriptions
More information about the foundations-bugs
mailing list