Backport systemd-journal-remote fix PR #11953

Bug #1847527 reported by Tom Cameron on 2019-10-09
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openstack-ansible
Undecided
Unassigned
systemd
Fix Released
Unknown
systemd (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned
Disco
Medium
Dan Streetman
Eoan
Undecided
Unassigned

Bug Description

[impact]

upstream commit 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd broke remote journal upload, because it added a check to verify the Content-Length header, but the upload may use Transfer-Encoding of 'chunked' which does
not specify Content-Length.

[test case]

setup 2 systems, A and B. Install systemd-journal-remote on both.

On A:

$ sudo systemctl edit systemd-journal-remote.service

in the editor, add:

[Service]
ExecStart=
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/

Then enable/start the socket:

$ sudo systemctl enable systemd-journal-remote.socket
$ sudo systemctl start systemd-journal-remote.socket

Optionally, start the service and verify it is running (not required, since the socket will start the service):

$ sudo systemctl start systemd-journal-remote.service
$ sudo systemctl status systemd-journal-remote.service | grep Active
   Active: active (running) since Thu 2019-11-14 20:08:48 UTC; 7min ago

On B:

Edit the file /etc/systemd/journal-upload.conf:

[Upload]
URL=http://192.168.122.184:19532

Replacing the IP address with the actual ip addr of node A. Then enable/start the service:

$ sudo systemctl enable systemd-journal-upload.service
$ sudo systemctl start systemd-journal-upload.service

Check for failure:

ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:19:34 UTC. --
Nov 14 20:19:03 lp1847527-d systemd[1]: Started Journal Remote Upload Service.
Nov 14 20:19:03 lp1847527-d systemd-journal-upload[721]: Upload to http://192.168.122.184:19532/upload failed with code 411: gth Required
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Failed with result 'exit-code'.

[regression potential]

this limits the Transfer-Encoding to only be either unspecified, or 'chunked'. Any other value will fail. However, journal-upload.c does not ever use any other Transfer-Encoding than 'chunked', and this fix comes from upstream and has not changed since applied there.

Any regression would likely result in the failure to upload a remote journal.

[other info]

the commit that caused this is not included in Bionic, and the commit to fix this is already in Eoan; this is needed only in Disco.

original description:
--

I'm requesting that systemd 240 receive the fix in upstream PR 11953 found here https://github.com/systemd/systemd/pull/11953

This fixes remote journal shipping using systemd components. I believe only Disco (19.04) is impacted by this issue.

Tom Cameron (drdabbles) on 2019-10-09
summary: - Backport journal-remote fix PR #11953
+ Backport systemd-journal-remote fix PR #11953
Tom Cameron (drdabbles) wrote :

For those that may try to search for this bug in the future, the error I received was

Error 411: gth required

The issue is that libmicrohttpd exhibits a bug when Content-Length is omitted, even if Transfer-Encoding is set to "chunked". The HTTP/1.1 spec allows Content-Length to be omitted when the length is unknown as long as Transfer-Encoding: Chunked is specified. The proper behavior would be for journald to return an error to the client when it has received too much data.

Changed in systemd:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Balint Reczey (rbalint) wrote :

This is fixed with v242, present in Eoan.

Changed in systemd (Ubuntu):
status: Confirmed → Fix Released
Dan Streetman (ddstreet) wrote :

@drdabbles can you provide steps and/or conf files to reproduce this please

Tom Cameron (drdabbles) wrote :

@ddstreet any configuration that ships lots to a remote host will trigger this. The server always responds with the bug, so the configuration effectively doesn't matter. As long as one host is attempting to send journals to another in Disco, this bug will be triggered.

Examples configs:

###################
# Server 1 Config #
###################
$ cat /etc/systemd/system/systemd-journal-remote.service
[Unit]
Description=Journal Remote Sink Service
Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-journal-remote
WatchdogSec=3min

# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE=524288

[Install]
Also=systemd-journal-remote.socket

###################
# Server 2 Config #
###################
$ cat /etc/systemd/journal-upload.conf
[Upload]
URL=http://server1:19532

Dan Streetman (ddstreet) on 2019-10-14
description: updated
description: updated
Changed in systemd (Ubuntu Bionic):
status: New → Invalid
Changed in systemd (Ubuntu Disco):
status: New → In Progress
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium

Hello Tom, or anyone else affected,

Accepted systemd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/240-6ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco

All autopkgtests for the newly accepted systemd (240-6ubuntu5.8) for disco have finished running.
The following regressions have been reported in tests triggered by the package:

prometheus-bind-exporter/unknown (armhf)
php7.2/7.2.24-0ubuntu0.19.04.1 (armhf)
gvfs/1.40.1-1ubuntu0.1 (ppc64el)
pdns-recursor/unknown (armhf)
webhook/unknown (armhf)
munin/2.0.47-1ubuntu3 (armhf, arm64)
systemd/240-6ubuntu5.8 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/disco/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Dan Streetman (ddstreet) wrote :

@drdabbles can you please verify the fix in systemd in proposed

Dan Streetman (ddstreet) on 2019-11-14
description: updated

I'm currently traveling for work, but will verify the fix this evening
hopefully.

Thanks

On Thu, Nov 14, 2019, 10:41 Dan Streetman <email address hidden> wrote:

> @drdabbles can you please verify the fix in systemd in proposed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1847527
>
> Title:
> Backport systemd-journal-remote fix PR #11953
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openstack-ansible/+bug/1847527/+subscriptions
>

Dan Streetman (ddstreet) wrote :

with testcase setup from description, system A is -remote and system B is -d

ubuntu@lp1847527-remote:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:19:34 UTC. --
Nov 14 20:19:03 lp1847527-d systemd[1]: Started Journal Remote Upload Service.
Nov 14 20:19:03 lp1847527-d systemd-journal-upload[721]: Upload to http://192.168.122.184:19532/upload failed with code 411: gth Required
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Failed with result 'exit-code'.

Fix must be applied to system A (where systemd-journal-remote.serivce is running):

ubuntu@lp1847527-remote:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.8 amd64 system and service manager
ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:34:28 UTC. --
Nov 14 20:33:33 lp1847527-d systemd[1]: Started Journal Remote Upload Service.

and upgrading system B, it still works correctly (as long as system A has been upgraded):

ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.8 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:38:38 UTC. --
Nov 14 20:38:35 lp1847527-d systemd[1]: Started Journal Remote Upload Service.

tags: added: verification-done verification-done-disco
removed: verification-needed verification-needed-disco
Dan Streetman (ddstreet) wrote :

> I'm currently traveling for work, but will verify the fix this evening
hopefully.

Thanks - I did a quick verification but it would be good if you could verify it works for you as well.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.