Backport systemd-journal-remote fix PR #11953

Bug #1847527 reported by Tom Cameron on 2019-10-09
This bug affects 2 people
Affects / Status / Importance / Assigned to / Milestone
openstack-ansible: Undecided, Unassigned
systemd: Fix Released, Unknown
systemd (Ubuntu): Undecided, Unassigned
Disco: Undecided, Unassigned

Bug Description

I'm requesting that systemd 240 receive the fix in upstream PR 11953 found here https://github.com/systemd/systemd/pull/11953

This fixes remote journal shipping using systemd components. I believe only Disco (19.04) is impacted by this issue.

Tom Cameron (drdabbles) on 2019-10-09
summary: - Backport journal-remote fix PR #11953
+ Backport systemd-journal-remote fix PR #11953
Tom Cameron (drdabbles) wrote :

For those that may try to search for this bug in the future, the error I received was

Error 411: gth required

The issue is that libmicrohttpd exhibits a bug when Content-Length is omitted, even if Transfer-Encoding is set to "chunked". The HTTP/1.1 spec allows Content-Length to be omitted when the length is unknown as long as Transfer-Encoding: Chunked is specified. The proper behavior would be for journald to return an error to the client when it has received too much data.
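
The framing rule described in the comment above, as an added example that is not part of the original report and is not systemd or libmicrohttpd code: a receiver accepts a chunked body without Content-Length, answers 411 only when no framing is given at all, and answers 413 once a size cap is exceeded. It goes one step beyond the comment by also rejecting requests that carry both headers; the function names, the 64-byte cap and the sample payload are constructed for illustration.

```python
# Added illustration; names, cap and sample payload are assumptions.
import re

MAX_BODY = 64  # hypothetical cap in bytes, small so the demo can exceed it

class HTTPError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status

def read_body(headers, raw, max_body=MAX_BODY):
    """Decode a body; headers has lower-cased names, raw follows the header block."""
    codings = [c.strip().lower() for c in headers.get("transfer-encoding", "").split(",")]
    chunked = codings[-1] == "chunked"
    length = headers.get("content-length")
    if chunked and length is not None:
        # Ambiguous framing is a request-smuggling vector: reject it.
        raise HTTPError(400, "Bad Request")
    if chunked:
        return _read_chunked(raw, max_body)
    if length is None:
        raise HTTPError(411, "Length Required")  # no framing at all
    if not re.fullmatch(r"[0-9]+", length):
        raise HTTPError(400, "Bad Request")
    if int(length) > max_body:
        raise HTTPError(413, "Payload Too Large")
    if len(raw) < int(length):
        raise HTTPError(400, "Bad Request")  # truncated body
    return raw[:int(length)]

def _read_chunked(raw, max_body):
    body, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        size_field = raw[pos:eol].split(b";", 1)[0] if eol >= 0 else b""
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise HTTPError(400, "Bad Request")
        size, start = int(size_field, 16), eol + 2
        if size == 0:
            return bytes(body)  # last chunk; trailers are ignored here
        if len(body) + size > max_body:
            raise HTTPError(413, "Payload Too Large")  # cap enforced while streaming
        end = start + size
        if raw[end:end + 2] != b"\r\n":
            raise HTTPError(400, "Bad Request")  # truncated or malformed chunk
        body += raw[start:end]
        pos = end + 2

# Constructed sample: one journal-export-style field sent as two chunks.
SAMPLE = b"8\r\nMESSAGE=\r\n6\r\nhello\n\r\n0\r\n\r\n"
```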

Changed in systemd:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Balint Reczey (rbalint) wrote :

This is fixed with v242, present in Eoan.

Changed in systemd (Ubuntu):
status: Confirmed → Fix Released
Dan Streetman (ddstreet) wrote :

@drdabbles can you provide steps and/or conf files to reproduce this, please?

Tom Cameron (drdabbles) wrote :

@ddstreet any configuration that ships logs to a remote host will trigger this. The server always responds with the bug, so the configuration effectively doesn't matter. As long as one host is attempting to send journals to another in Disco, this bug will be triggered.

Example configs:

###################
# Server 1 Config #
###################
$ cat /etc/systemd/system/systemd-journal-remote.service
[Unit]
Description=Journal Remote Sink Service
Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-journal-remote
WatchdogSec=3min

# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE=524288

[Install]
Also=systemd-journal-remote.socket

###################
# Server 2 Config #
###################
$ cat /etc/systemd/journal-upload.conf
[Upload]
URL=http://server1:19532
