haproxy_server: rsyslog unable to log haproxy locally
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Undecided | Corey Wright |
Bug Description
HAProxy logs are not written locally by rsyslog as configured by the haproxy_server role, at least on Ubuntu 16.04/"Xenial", because:
1. Rsyslog runs as user/group unable to write to OSA's /var/log/haproxy symlink target directory (eg /openstack/
2. HAProxy package's rsyslog config takes priority over OSA's HAProxy rsyslog config (ie 49-haproxy.conf vs 99-haproxy-
This problem is applicable to stable/pike, stable/queens, and master branches of openstack-
1. Rsyslog vs /var/log/haproxy
Rsyslog can't write to /var/log/haproxy (technically the target directory of that symlink, but as that directory varies and is based on whether HAProxy is running on "infra" nodes or a dedicated "loadbalancer" node, eg
root@infra1:~# ps -o pid,user,group,args -p $(systemctl status rsyslog.service | awk '/Main PID:/ { print $3; }')
PID USER GROUP COMMAND
15948 syslog syslog /usr/sbin/rsyslogd -n
root@infra1:~# ls -ld /var/log/haproxy $(realpath /var/log/haproxy)
drwxr-xr-x 2 haproxy adm 4096 Jul 26 05:16 /openstack/
lrwxrwxrwx 1 haproxy adm 29 Jul 26 05:16 /var/log/haproxy -> /openstack/
So while rsyslog runs as "syslog:syslog" (in chown syntax), the directory it is supposed to write to is "haproxy:adm" as set by the haproxy_server role, which is incompatible.
2. OSA vs Ubuntu/Debian package HAProxy Rsyslog config
The HAProxy package installs /etc/rsyslog.
root@infra1:~# ls -l /etc/rsyslog.
-rw-r--r-- 1 root root 282 Jun 14 2016 /etc/rsyslog.
-rw-r--r-- 1 root root 171 Jul 26 05:16 /etc/rsyslog.
root@infra1:~# dpkg -S /etc/rsyslog.
haproxy: /etc/rsyslog.
root@infra1:~# apt-cache policy haproxy
haproxy:
Installed: 1.6.3-1ubuntu0.1
Candidate: 1.6.3-1ubuntu0.1
Version table:
*** 1.6.3-1ubuntu0.1 500
500 http://
500 http://
100 /var/lib/
1.6.3-1 500
500 http://
root@infra1:~# tail -n3 /etc/rsyslog.
# Send HAProxy messages to a dedicated logfile
if $programname startswith 'haproxy' then /var/log/
&~
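The two conditions described above can be checked mechanically. The following is an added example, not code from the bug report or from the haproxy_server role; the file name 99-haproxy-example.conf, the sample file contents and the syslog user's group list are constructed for illustration.

```shell
#!/bin/sh
# Added example; only the name 49-haproxy.conf comes from the report.

# shadowed_confs DIR PROG: list configs in DIR that mention PROG but sort
# after a file that mentions PROG and then discards ("&~" or "stop").
# rsyslog reads included files in sorted name order, as the glob does here.
shadowed_confs() {
    dir=$1 prog=$2 discarder=
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        grep -q "$prog" "$f" || continue
        if [ -n "$discarder" ]; then
            echo "$(basename "$f") shadowed by $discarder"
        elif grep -Eq '^[[:space:]]*(&[[:space:]]*~|stop)[[:space:]]*$' "$f"; then
            discarder=$(basename "$f")
        fi
    done
}

# can_write MODE OWNER GROUP USER "USER_GROUPS": succeed if USER may create
# files in a directory with 3-digit octal MODE owned by OWNER:GROUP.
can_write() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    [ "$user" = root ] && return 0          # root bypasses the mode bits
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}                    # owner bits
    elif case " $ugroups " in *" $group "*) true ;; *) false ;; esac; then
        rest=${mode#?}; digit=${rest%?}     # group bits
    else
        digit=${mode#??}                    # other bits
    fi
    case $digit in 3|7) return 0 ;; *) return 1 ;; esac   # needs w and x
}

# Constructed sample: a package-style file that discards after matching,
# plus a hypothetical role file that sorts after it.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' "if \$programname startswith 'haproxy' then /var/log/EXAMPLE.log" '&~' \
        > "$d/49-haproxy.conf"
    printf '%s\n' 'local0.* /var/log/haproxy/example.log' > "$d/99-haproxy-example.conf"
    echo "$d"
}

sample=$(make_sample)
shadowed_confs "$sample" haproxy
can_write 755 haproxy adm syslog "syslog adm" || echo "syslog cannot write (haproxy:adm)"
can_write 755 syslog adm syslog "syslog adm" && echo "syslog can write (syslog:adm)"
rm -rf "$sample"
```

On a real host, the arguments to can_write would come from `stat -c '%a %U %G'` on the resolved log directory and `id -Gn` for the user rsyslogd runs as.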
Corey Wright (coreywright) wrote : | #1 |
Corey Wright (coreywright) wrote : | #2 |
testing methodology of (and within) openstack-
1. create Ansible "roles" directory symlinked back to haproxy_server Git repo
mkdir roles
ln -s ../ roles/haproxy_
2. create haproxy_server role deployment playbook
cat <<EOF >test.yml
---
- name: Playbook for role testing
hosts: all
user: root
roles:
- role: "haproxy_server"
vars:
- haproxy_
- external_
EOF
3. create inventory
cat <<EOF >hosts
# centos-7
a.b.c.d
# opensuse-42.3
e.f.g.h
# ubuntu-16.04
i.j.k.l
# ubuntu-18.04
m.n.o.p
EOF
4. create ansible config
cat <<EOF >ansible.cfg
[defaults]
hostfile = hosts
EOF
5. deploy haproxy_server role
ansible-playbook test.yml -l a.b.c.d
6. inspect haproxy_server role deploy
ssh root@a.b.c.d
Corey Wright (coreywright) wrote : | #3 |
Ubuntu 16.04 with haproxy_server master
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
root@ubuntu-
Ubuntu 16.04.3 LTS
root@ubuntu-
PID EUSER EGROUP LABEL COMMAND
13832 syslog syslog unconfined /usr/sbin/rsyslogd -n
root@ubuntu-
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:29 /var/log/haproxy
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:29 /var/log/haproxy/.
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
2018-07-31 18:37:55+00:00
root@ubuntu-
root@ubuntu-
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
/etc/rsyslog.
/etc/rsyslog.
root@ubuntu-
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenS
# Send HAProxy messages to a dedicated logfile
if $programname startswith 'haproxy' then /var/log/
&~
root@ubuntu-
Jul 31 18:38:18 host haproxy[1234]: local0.info -> /var/log/
Jul 31 18:38:25 host haproxy[1234]: local1.warn -> /var/log/
root@ubuntu-
root@ubuntu-
root@ub...
Corey Wright (coreywright) wrote : | #4 |
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
root@ubuntu-
Ubuntu 18.04 LTS
root@ubuntu-
PID EUSER EGROUP LABEL COMMAND
15076 syslog syslog unconfined /usr/sbin/rsyslogd -n
root@ubuntu-
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:51 /var/log/haproxy
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:51 /var/log/haproxy/.
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
2018-07-31 18:55:57+00:00
root@ubuntu-
root@ubuntu-
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
/etc/rsyslog.
/etc/rsyslog.
root@ubuntu-
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenS
# Send HAProxy messages to a dedicated logfile
if $programname startswith 'haproxy' then /var/log/
&~
root@ubuntu-
Jul 31 18:56:09 host haproxy[1234]: local0.info -> /var/log/
Jul 31 18:56:16 host haproxy[1234]: local1.warn -> /var/log/
root@ubuntu-
root@ubuntu-
root@ubuntu-
Corey Wright (coreywright) wrote : | #5 |
CentOS 7 with git master: No bug.
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
[root@centos-
CentOS Linux 7 (Core)
[root@centos-
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@centos-
PID EUSER EGROUP LABEL COMMAND
17562 root root system_
[root@centos-
drwxr-xr-x. haproxy adm unconfined_
drwxr-xr-x. haproxy adm unconfined_
[root@centos-
tail: cannot open ‘/var/log/
tail: cannot open ‘/var/log/
[root@centos-
2018-07-31 17:48:50+00:00
[root@centos-
[root@centos-
[root@centos-
==> /var/log/
Jul 31 17:49:20 host haproxy[1234]: local0.info -> /var/log/
==> /var/log/
Jul 31 17:49:24 host haproxy[1234]: local1.warn -> /var/log/
Corey Wright (coreywright) wrote : | #6 |
openSUSE 42.3 with git master: No bug.
user@host:
18.0.0.
user@host:
user@host:
user@host:
opensuse-
openSUSE Leap 42.3
opensuse-
PID EUSER EGROUP LABEL COMMAND
23079 root root unconfined /usr/sbin/rsyslogd -n
opensuse-
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:11 /var/log/haproxy
drwxr-xr-x 2 haproxy adm ? 4096 Jul 31 18:11 /var/log/haproxy/.
opensuse-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
opensuse-
2018-07-31 18:17:49+00:00
opensuse-
opensuse-
opensuse-
==> /var/log/
2018-07-
==> /var/log/
2018-07-
Corey Wright (coreywright) wrote : | #7 |
Corey Wright (coreywright) wrote : | #8 |
tl;dr haproxy logging by way of rsyslog works on ubuntu 16.04 after applying proposed commit.
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
user@host:
root@ubuntu-
Ubuntu 16.04.3 LTS
root@ubuntu-
PID EUSER EGROUP LABEL COMMAND
4241 syslog syslog unconfined /usr/sbin/rsyslogd -n
root@ubuntu-
drwxr-xr-x 2 syslog adm ? 4096 Aug 1 04:04 /var/log/haproxy
drwxr-xr-x 2 syslog adm ? 4096 Aug 1 04:04 /var/log/haproxy/.
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
2018-08-01 04:15:33+00:00
root@ubuntu-
root@ubuntu-
root@ubuntu-
==> /var/log/
Aug 1 04:15:46 host haproxy[1234]: local0.info -> /var/log/
==> /var/log/
Aug 1 04:15:54 host haproxy[1234]: local1.warn -> /var/log/
Corey Wright (coreywright) wrote : | #9 |
tl;dr haproxy logging by way of rsyslog works on ubuntu 18.04 after applying proposed commit.
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
root@ubuntu-
Ubuntu 18.04 LTS
root@ubuntu-
PID EUSER EGROUP LABEL COMMAND
3725 syslog syslog unconfined /usr/sbin/rsyslogd -n
root@ubuntu-
drwxr-xr-x 2 syslog adm ? 4096 Aug 1 04:24 /var/log/haproxy
drwxr-xr-x 2 syslog adm ? 4096 Aug 1 04:24 /var/log/haproxy/.
root@ubuntu-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
root@ubuntu-
2018-08-01 04:29:33+00:00
root@ubuntu-
root@ubuntu-
root@ubuntu-
==> /var/log/
Aug 1 04:29:42 host haproxy[1234]: local0.info -> /var/log/
==> /var/log/
Aug 1 04:29:49 host haproxy[1234]: local1.warn -> /var/log/
Corey Wright (coreywright) wrote : | #10 |
tl;dr haproxy logging by way of rsyslog continues to work on centos 7 after applying proposed commit.
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
[root@centos-
CentOS Linux 7 (Core)
[root@centos-
PID EUSER EGROUP LABEL COMMAND
10460 root root system_
[root@centos-
drwxr-xr-x. haproxy adm unconfined_
drwxr-xr-x. haproxy adm unconfined_
[root@centos-
tail: cannot open ‘/var/log/
tail: cannot open ‘/var/log/
[root@centos-
2018-08-01 04:43:12+00:00
[root@centos-
[root@centos-
[root@centos-
==> /var/log/
Aug 1 04:43:24 host haproxy[1234]: local0.info -> /var/log/
==> /var/log/
Aug 1 04:43:30 host haproxy[1234]: local1.warn -> /var/log/
Corey Wright (coreywright) wrote : | #11 |
tl;dr haproxy logging by way of rsyslog continues to work on opensuse 42.3 after applying proposed commit.
user@host:
18.0.0.
user@host:
ansible-playbook 2.6.2
user@host:
user@host:
opensuse-
openSUSE Leap 42.3
opensuse-
PID EUSER EGROUP LABEL COMMAND
20852 root root unconfined /usr/sbin/rsyslogd -n
opensuse-
drwxr-xr-x 2 haproxy adm ? 4096 Aug 1 04:50 /var/log/haproxy
drwxr-xr-x 2 haproxy adm ? 4096 Aug 1 04:50 /var/log/haproxy/.
opensuse-
tail: cannot open '/var/log/
tail: cannot open '/var/log/
opensuse-
2018-08-01 04:52:57+00:00
opensuse-
opensuse-
opensuse-
==> /var/log/
2018-08-
==> /var/log/
2018-08-
Changed in openstack-ansible: | |
assignee: | nobody → Corey Wright (coreywright) |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-haproxy_server (master) | #12 |
Fix proposed to branch: master
Review: https:/
Changed in openstack-ansible: | |
status: | New → In Progress |
Corey Wright (coreywright) wrote : | #13 |
Ansible playbook of and resulting log from testing haproxy's rsyslog configuration by generating syslog messages on ubuntu 16.04, ubuntu 18.04, opensuse 4.23, & centos 7 of commit 1e0aa6bf473e634
https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-haproxy_server (master) | #14 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 1e0aa6bf473e634
Author: Corey Wright <email address hidden>
Date: Tue Jul 31 04:47:01 2018 -0500
Allow rsyslog to log HAProxy locally
* Install haproxy-logging.cfg numerically before Ubuntu's
/
logs before they are discarded by 49-haproxy.conf.
* Set owner of /var/log/haproxy to rsyslog's `syslog` user so rsyslog
can write to it on Ubuntu.
* Limit HAProxy-related rsyslog processing to HAProxy log messages
instead of any/all log messages with the local0 or local1 facility
and assuming HAProxy is the only application using those facilities.
Change-Id: Ic259abc281619b
Closes-Bug: #1783886
Changed in openstack-ansible: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server stein-eol | #15 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server train-eol | #16 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server ussuri-eol | #17 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server yoga-eom | #18 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server victoria-eom | #19 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server wallaby-eom | #20 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server xena-eom | #21 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-haproxy_server zed-eom | #22 |
This issue was fixed in the openstack/
argh, too many interruptions while writing/editing the bug report resulted in an incomplete paragraph:
Rsyslog can't write to /var/log/haproxy (technically the target directory of that symlink, but as that directory varies and is based on whether HAProxy is running on "infra" nodes or a dedicated "loadbalancer" node, eg...
/openstack/log/${hostname}-haproxy, so I'll simply use the symlink name, however technically incorrect).