Ubuntu
tomcat9 package

Bug #1964881
Comment #33

Comment 33 for bug 1964881

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2022-07-27:

#33

Focal verification

Reproducing the problems:
root@f-tomcat9-logging:~# apt-cache policy tomcat9
tomcat9:
  Installed: 9.0.31-1ubuntu0.2
  Candidate: 9.0.31-1ubuntu0.2
  Version table:
*** 9.0.31-1ubuntu0.2 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages

a) rsyslog is complaining that it can't change the ownership of catalina.out:

In the case of focal, it's even worse, as catalina.out cannot even be created because the parent directory doesn't allow the adm group write access:

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
ls: cannot access '/var/log/tomcat9/catalina.out': No such file or directory

root@f-tomcat9-logging:~# grep -E 'catalina\.out' /var/log/syslog
Jul 27 14:04:30 f-tomcat9-logging rsyslogd: file '/var/log/tomcat9/catalina.out': open error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433 ]

b) logrotate fails:
Again, focal is different, since the log file doesn't exist, logrotate won't fail yet out of the box:

root@f-tomcat9-logging:~# logrotate -f /etc/logrotate.conf

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 8
drwxr-s--- 1 tomcat adm 164 Jul 27 14:04 .
drwxrwxr-x 1 root syslog 430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm 5668 Jul 27 14:04 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

c) if the package is reinstalled, or an update without this fix becomes available and is applied, the catalina.out file will have incorrect ownership and rsyslog won't be able to write to it anymore:

Since catalona.out doesn't exist, reinstalling the package doesn't break it:
root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 8
drwxr-s--- 1 tomcat adm 164 Jul 27 14:04 .
drwxrwxr-x 1 root syslog 430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm 5668 Jul 27 14:04 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

root@f-tomcat9-logging:~# apt install --reinstall tomcat9
(...)
Unpacking tomcat9 (9.0.31-1ubuntu0.2) over (9.0.31-1ubuntu0.2) ...
Setting up tomcat9 (9.0.31-1ubuntu0.2) ...
Processing triggers for rsyslog (8.2001.0-1ubuntu1.3) ...

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 12
drwxr-s--- 1 tomcat adm 164 Jul 27 14:04 .
drwxrwxr-x 1 root syslog 430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm 11836 Jul 27 14:08 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

So for focal, the main problem is (a), and (b) and (c) don't get a chance to appear because of that. But once (a) is fixed, (b) and (c) will happen, and need to be fixed as well.

Installing the fixed version from proposed:
root@f-tomcat9-logging:~# apt-cache policy tomcat9
tomcat9:
  Installed: 9.0.31-1ubuntu0.3
  Candidate: 9.0.31-1ubuntu0.3
  Version table:
*** 9.0.31-1ubuntu0.3 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages

0) Right after installing the fixed package from proposed, catalina.out shows up with content, and correct permissions and ownership, and /var/log/tomcat9 is 2770 (instead of 2775) as expected:
root@f-tomcat9-logging:~# l /var/log/tomcat9/
total 24K
drwxrws--- 1 tomcat adm 188 Jul 27 14:11 .
drwxrwxr-x 1 root syslog 482 Jul 27 14:11 ..
-rw-r----- 1 tomcat adm 18K Jul 27 14:11 catalina.2022-07-27.log
-rw-r----- 1 syslog adm 3.8K Jul 27 14:11 catalina.out
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

a) rsyslog won't complain anymore about failing to open or chown the file:
root@f-tomcat9-logging:~# systemctl stop rsyslog.service syslog.socket
root@f-tomcat9-logging:~# > /var/log/syslog
root@f-tomcat9-logging:~# systemctl start rsyslog.service syslog.socket
root@f-tomcat9-logging:~# systemctl restart tomcat9 # just to trigger writing to catalina.out
root@f-tomcat9-logging:~# grep rsyslogd /var/log/syslog
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2001.0]
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: activation of module imklog failed [v8.2001.0 try https://www.rsyslog.com/e/2145 ]
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: rsyslogd's groupid changed to 110
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: rsyslogd's userid changed to 104
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="6986" x-info="https://www.rsyslog.com"] start

b) since now we have a catalina.out file, logrotate works on it, and there are no errors, and the correct permissions and ownership are preserved:
root@f-tomcat9-logging:~# l /var/log/tomcat9/
total 24K
drwxrws--- 1 tomcat adm 188 Jul 27 14:11 .
drwxrwxr-x 1 root syslog 482 Jul 27 14:11 ..
-rw-r----- 1 tomcat adm 18K Jul 27 14:11 catalina.2022-07-27.log
-rw-r----- 1 syslog adm 3.8K Jul 27 14:11 catalina.out
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

root@f-tomcat9-logging:~# logrotate -f /etc/logrotate.conf

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 32
drwxrws--- 1 tomcat adm 216 Jul 27 14:14 .
drwxrwxr-x 1 root syslog 586 Jul 27 14:14 ..
-rw-r----- 1 tomcat adm 24174 Jul 27 14:13 catalina.2022-07-27.log
-rw-r----- 1 syslog adm 0 Jul 27 14:14 catalina.out
-rw-r----- 1 syslog adm 7756 Jul 27 14:14 catalina.out.1
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm 0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

c) reinstalling the package doesn't break catalina.out logging again (note: catalina.out is 0 sized because this was run right after the logrotate from above)

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
-rw-r----- 1 syslog adm 0 Jul 27 14:14 /var/log/tomcat9/catalina.out

root@f-tomcat9-logging:~# apt install tomcat9 -y --reinstall
(...)
Preparing to unpack .../tomcat9_9.0.31-1ubuntu0.3_all.deb ...
Unpacking tomcat9 (9.0.31-1ubuntu0.3) over (9.0.31-1ubuntu0.3) ...
Setting up tomcat9 (9.0.31-1ubuntu0.3) ...
Processing triggers for rsyslog (8.2001.0-1ubuntu1.3) ...

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
-rw-r----- 1 syslog adm 3877 Jul 27 14:16 /var/log/tomcat9/catalina.out

Focal verification succeeded.

Focal verification

Reproducing the problems:
root@f-tomcat9-logging:~# apt-cache policy tomcat9
tomcat9:
  Installed: 9.0.31-1ubuntu0.2
  Candidate: 9.0.31-1ubuntu0.2
  Version table:
 *** 9.0.31-1ubuntu0.2 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages

a) rsyslog is complaining that it can't change the ownership of catalina.out:

In the case of focal, it's even worse, as catalina.out cannot even be created because the parent directory doesn't allow the adm group write access:

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
ls: cannot access '/var/log/tomcat9/catalina.out': No such file or directory

root@f-tomcat9-logging:~# grep -E 'catalina\.out' /var/log/syslog 
Jul 27 14:04:30 f-tomcat9-logging rsyslogd: file '/var/log/tomcat9/catalina.out': open error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433 ]

b) logrotate fails:
Again, focal is different, since the log file doesn't exist, logrotate won't fail yet out of the box:

root@f-tomcat9-logging:~# logrotate -f /etc/logrotate.conf

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 8
drwxr-s--- 1 tomcat adm     164 Jul 27 14:04 .
drwxrwxr-x 1 root   syslog  430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm    5668 Jul 27 14:04 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

c) if the package is reinstalled, or an update without this fix becomes available and is applied, the catalina.out file will have incorrect ownership and rsyslog won't be able to write to it anymore:

Since catalona.out doesn't exist, reinstalling the package doesn't break it:
root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 8
drwxr-s--- 1 tomcat adm     164 Jul 27 14:04 .
drwxrwxr-x 1 root   syslog  430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm    5668 Jul 27 14:04 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 12
drwxr-s--- 1 tomcat adm      164 Jul 27 14:04 .
drwxrwxr-x 1 root   syslog   430 Jul 27 14:07 ..
-rw-r----- 1 tomcat adm    11836 Jul 27 14:08 catalina.2022-07-27.log
-rw-r----- 1 tomcat adm        0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm        0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

So for focal, the main problem is (a), and (b) and (c) don't get a chance to appear because of that. But once (a) is fixed, (b) and (c) will happen, and need to be fixed as well.

Installing the fixed version from proposed:
root@f-tomcat9-logging:~# apt-cache policy tomcat9
tomcat9:
  Installed: 9.0.31-1ubuntu0.3
  Candidate: 9.0.31-1ubuntu0.3
  Version table:
 *** 9.0.31-1ubuntu0.3 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages

0) Right after installing the fixed package from proposed, catalina.out shows up with content, and correct permissions and ownership, and /var/log/tomcat9 is 2770 (instead of 2775) as expected:
root@f-tomcat9-logging:~# l /var/log/tomcat9/
total 24K
drwxrws--- 1 tomcat adm     188 Jul 27 14:11 .
drwxrwxr-x 1 root   syslog  482 Jul 27 14:11 ..
-rw-r----- 1 tomcat adm     18K Jul 27 14:11 catalina.2022-07-27.log
-rw-r----- 1 syslog adm    3.8K Jul 27 14:11 catalina.out
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

a) rsyslog won't complain anymore about failing to open or chown the file:
root@f-tomcat9-logging:~# systemctl stop rsyslog.service syslog.socket
root@f-tomcat9-logging:~# > /var/log/syslog
root@f-tomcat9-logging:~# systemctl start rsyslog.service syslog.socket
root@f-tomcat9-logging:~# systemctl restart tomcat9 # just to trigger writing to catalina.out
root@f-tomcat9-logging:~# grep rsyslogd /var/log/syslog
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2001.0]
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: activation of module imklog failed [v8.2001.0 try https://www.rsyslog.com/e/2145 ]
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: rsyslogd's groupid changed to 110
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: rsyslogd's userid changed to 104
Jul 27 14:13:32 f-tomcat9-logging rsyslogd: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="6986" x-info="https://www.rsyslog.com"] start

b) since now we have a catalina.out file, logrotate works on it, and there are no errors, and the correct permissions and ownership are preserved:
root@f-tomcat9-logging:~# l /var/log/tomcat9/
total 24K
drwxrws--- 1 tomcat adm     188 Jul 27 14:11 .
drwxrwxr-x 1 root   syslog  482 Jul 27 14:11 ..
-rw-r----- 1 tomcat adm     18K Jul 27 14:11 catalina.2022-07-27.log
-rw-r----- 1 syslog adm    3.8K Jul 27 14:11 catalina.out
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm       0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

root@f-tomcat9-logging:~# logrotate -f /etc/logrotate.conf

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/
total 32
drwxrws--- 1 tomcat adm      216 Jul 27 14:14 .
drwxrwxr-x 1 root   syslog   586 Jul 27 14:14 ..
-rw-r----- 1 tomcat adm    24174 Jul 27 14:13 catalina.2022-07-27.log
-rw-r----- 1 syslog adm        0 Jul 27 14:14 catalina.out
-rw-r----- 1 syslog adm     7756 Jul 27 14:14 catalina.out.1
-rw-r----- 1 tomcat adm        0 Jul 27 14:04 localhost.2022-07-27.log
-rw-r----- 1 tomcat adm        0 Jul 27 14:04 localhost_access_log.2022-07-27.txt

c) reinstalling the package doesn't break catalina.out logging again (note: catalina.out is 0 sized because this was run right after the logrotate from above)

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
-rw-r----- 1 syslog adm 0 Jul 27 14:14 /var/log/tomcat9/catalina.out

root@f-tomcat9-logging:~# ls -la /var/log/tomcat9/catalina.out
-rw-r----- 1 syslog adm 3877 Jul 27 14:16 /var/log/tomcat9/catalina.out

Focal verification succeeded.

Ubuntutomcat9 package

Comment 33 for bug 1964881

Ubuntu
tomcat9 package