Ubuntu
tomcat9 package

Merge ~ahasenack/ubuntu/+source/tomcat9:kinetic-tomcat9-logging-fix into ubuntu/+source/tomcat9:ubuntu/devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/tomcat9
  3. kinetic-tomcat9-logging-fix
  4. Merge into ubuntu/devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Andreas Hasenack
Merged at revision: 165edec1c2d4dced29ab2a01c4d45ccade3f68b6
Proposed branch: ~ahasenack/ubuntu/+source/tomcat9:kinetic-tomcat9-logging-fix
Merge into: ubuntu/+source/tomcat9:ubuntu/devel
Diff against target: 74 lines (+21/-4)
5 files modified
debian/changelog (+13/-0)
debian/control (+2/-1)
debian/logrotate.template (+2/-2)
debian/rsyslog/tomcat9.conf (+1/-1)
debian/tomcat9.postinst (+3/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Christian Ehrhardt  (community) Approve
Canonical Server Reporter Pending
Canonical Server Pending
Review via email: mp+425340@code.launchpad.net

Description of the change

This fixes tomcat9's logging via ubuntu's unprivileged rsyslog.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/tomcat9-logging/

# Context

The package sets /var/log/tomcat9 to be 2770 tomcat:adm, so newly created files will inherit the adm group ownership.

There are 4 entities writing to /var/log/tomcat9 and they all need to agree on permissions and ownership:
- rsyslog: catalina.out only, runs as syslog:adm. It can write to /var/log/tomcat9 due to the adm group permission
- logrotate: catalina.out and its rotated logs only. Runs as root, can set any permission/ownership it wants
- java (tomcat9 itself): localhost*, catalina.<date>.log: runs as tomcat:tomcat, manages its own rotation of these logs. The log files end up being owned by group adm because of the group sticky bit in the /var/log/tomcat9 directory
- tomcat9's maintainer scripts (postinst): chown -Rh tomcat:adm /var/log/tomcat9

With the above in mind, consider that there are only two groups of files in /var/log/tomcat9:
- logs produced by the java process directly, which runs as tomcat:tomcat
- single log file written to by rsyslogd, which runs as syslog:adm

Our main problem is with the rsyslogd-produced log file: /var/log/tomcat9/catalina.out

I chose to alter 3 of these writers:
- rsyslog: drop the ownership setting of catalina.out. We run unprivileged and cannot set the owner to tomcat, which is what debian does
- logrotate: switch to syslog:adm. Without this, rsyslog won't be able to write to catalina.out. Here I could have just dropped the "create" and "su" lines, because logrotate will keep the permissions and ownership of the file it is rotating in the new empty file it creates. I also don't think we need to use "copytruncate", this seems to be old history from when catalina.out was produced by tomcat itself, and not via rsyslog. But one thing at a time.
- postinst: add another chown, specific to catalina.out*, to adjust the permissions back to syslog:adm. I could have replaced debian's chown -R with something more elaborate, that would loop over the logs and skip catalina.out*, or chown it differently, but here I wanted to keep our delta simple.

The above changes survive logrotation events ("logrotate -f /etc/logrotate.conf" can be used to test), package upgrade/reinstall events, and even a full rm -rf /var/log/tomcat9/* (i.e., it doesn't rely on pre-creating of log files with correct permissions before a daemon (rsyslog or java) can write to them). It also "fixes" previous installations which will start working wrt logging.

For testing, an easy way to trigger writing to /var/log/tomcat9/catalina.out (which is via rsyslogd) is to install or purge the tomcat9-admin package.

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Wow there are really a lot of combinations of different actions and their order to consider here.
AFAICS you covered them all well and I approve +1

I have one minimal comment to enhance an explanation that you have made, but that is up to you if you agree.

For Kinetic this really is step forward.

I'm a bit scared of SRUing this despite seeming absolutely correct.
Changing permissions/ownership always has an odd feel of "what if someone manually adapted for this problem".
We have had this in the past and depending on the uncertainty level we guarded the changes by evaluating the situation if it matches the expected one (in this case perm/ownership) but back then all changes were in maintainer scripts, here with conf files and such this would not work.
Did you discuss the SRUability of this with anyone on the SRU team already?

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, paelzer
Uploaders: ahasenack, paelzer
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Changing permissions/ownership always has an odd feel of "what if someone manually adapted for
> this problem".

I had no discussion yet about an SRU, and I share this concern. The biggest issue I think is the maintainer script, which even without our changes (pristine debian) is already forcing a bunch of chown/chmod everytime. Even if an admin changed config files, the maintainer script would still be running chmod/chown on /var/log/tomcat9. I don't really know how someone would have adapted and fixed their system in the meantime, unless they changed the logging directory to be somewhere else entirely. Then all the remaining changes are in config files, which a package upgrade wouldn't override.

I could refrain from my chown in postinst if I detect something changed, but then I would have to include debian's chown/chmod in that if/then/else clause.

~ahasenack/ubuntu/+source/tomcat9:kinetic-tomcat9-logging-fix updated
165edec... by Andreas Hasenack

Expand comment on changing ownership of catalina.out and the rotated
logs

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> back then all changes were in maintainer scripts, here with conf files and such this would not
> work.

Indeed, I was thinking of ways to check the config files, maybe a simple grep looking for the settings I'm changing (fileOwner in rsyslog snippet, and "create" in logrotate snippet), or even md5sums, but the biggest problem is that this are config file *snippets*, i.e., they could be named anything in a .d directory, or the user could have changed the main config file even (logrotate.conf or rsyslog.conf).

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Uploaded:

Uploading tomcat9_9.0.64-2ubuntu1.dsc
Uploading tomcat9_9.0.64-2ubuntu1.debian.tar.xz
Uploading tomcat9_9.0.64-2ubuntu1_source.buildinfo
Uploading tomcat9_9.0.64-2ubuntu1_source.changes

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This migrated. It wasn't merged automatically because of the empty directory problem:

ERROR: Empty directories exist and will disappear on commit, causing
extraneous unintended changes:

webapps/examples/WEB-INF/lib

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 8709e15..db50166 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,16 @@
6+tomcat9 (9.0.64-2ubuntu1) kinetic; urgency=medium
7+
8+ * Fix logging for unprivileged rsyslogd (LP: #1964881):
9+ - d/logrotate.template: use syslog:adm for log rotation so that
10+ rsyslog can write to the file
11+ - d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
12+ unprivileged rsyslogd
13+ - d/tomcat9.postinst: adjust ownership of catalina.out so that
14+ rsyslogd can write to it. Also change the rotated log files for
15+ consistency.
16+
17+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Jun 2022 18:02:52 -0300
18+
19 tomcat9 (9.0.64-2) unstable; urgency=medium
20
21 * Fallback to the default log formatter when systemd isn't used
22diff --git a/debian/control b/debian/control
23index 7d593a8..27968d7 100644
24--- a/debian/control
25+++ b/debian/control
26@@ -1,7 +1,8 @@
27 Source: tomcat9
28 Section: java
29 Priority: optional
30-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
31+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
32+XSBC-Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
33 Uploaders:
34 tony mancill <tmancill@debian.org>,
35 Emmanuel Bourg <ebourg@apache.org>
36diff --git a/debian/logrotate.template b/debian/logrotate.template
37index 1cf0315..3d76318 100644
38--- a/debian/logrotate.template
39+++ b/debian/logrotate.template
40@@ -5,6 +5,6 @@
41 compress
42 delaycompress
43 missingok
44- create 640 tomcat adm
45- su tomcat adm
46+ create 640 syslog adm
47+ su syslog adm
48 }
49diff --git a/debian/rsyslog/tomcat9.conf b/debian/rsyslog/tomcat9.conf
50index f09f4f9..0ed099e 100644
51--- a/debian/rsyslog/tomcat9.conf
52+++ b/debian/rsyslog/tomcat9.conf
53@@ -2,6 +2,6 @@
54 $template TomcatFormat,"[%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day% %timegenerated:::date-hour%:%timegenerated:::date-minute%:%timegenerated:::date-second%] [%syslogseverity-text%]%msg%\n"
55
56 :programname, startswith, "tomcat9" {
57- action(type="omfile" file="/var/log/tomcat9/catalina.out" Template="TomcatFormat" fileOwner="tomcat" fileCreateMode="0640")
58+ action(type="omfile" file="/var/log/tomcat9/catalina.out" Template="TomcatFormat" fileCreateMode="0640")
59 stop
60 }
61diff --git a/debian/tomcat9.postinst b/debian/tomcat9.postinst
62index 7e4c9ba..2dad7e2 100644
63--- a/debian/tomcat9.postinst
64+++ b/debian/tomcat9.postinst
65@@ -64,6 +64,9 @@ case "$1" in
66
67 # Grant read/write access to tomcat to the log and cache directories
68 chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
69+ # catalina.out is written to by rsyslogd, which runs as the "syslog" user in Ubuntu
70+ # also include rotated catalina.out files, usually with an extension of [0-9]+[.gz]
71+ chown syslog:adm /var/log/tomcat9/catalina.out* 2>/dev/null || : # file might not exist yet
72 chmod 2770 /var/log/tomcat9/
73 chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
74 chmod 750 /var/cache/tomcat9/

Subscribers

People subscribed via source and target branches