Graylog Charm

Merge ~peppepetra/charm-graylog:lp-1954764 into charm-graylog:master

  1. Git
  2. lp:~peppepetra/charm-graylog
  3. lp-1954764
  4. Merge into master
Proposed by Giuseppe Petralia
Status: Merged
Approved by: James Troup
Approved revision: ff2b261bc050cb011c2a344da1a0632c909cbe6b
Merged at revision: 0d9b0f278badbf421d0b2566dda7659d5879fff2
Proposed branch: ~peppepetra/charm-graylog:lp-1954764
Merge into: charm-graylog:master
Diff against target: 124 lines (+35/-7)
4 files modified
src/lib/charms/layer/graylog/snap_change.py (+3/-0)
src/reactive/graylog.py (+24/-1)
src/tests/functional/tests/tests.yaml (+1/-1)
src/tests/unit/test_graylog.py (+7/-5)
Reviewer Review Type Date Requested Status
🤖 prod-jenkaas-bootstack (community) continuous-integration Needs Fixing
Drew Freiberger (community) Approve
BootStack Reviewers Pending
Review via email: mp+413151@code.launchpad.net

Commit message

Mitigate log4j CVE-2021-44228

To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:63fe5dff0c8efcdb6e4816916db684584ea08821
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/62/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/264/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/705/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/62//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:e3d94613fddcdde76d561bb8864b72066aab529b
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/63/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/265/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/706/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/63//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:b33915cf13b434603150a2a4dc3ba033d93430e0
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/64/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/266/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/707/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/64//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/65/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/267/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/708/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/65//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/66/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/268/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/709/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/66//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/67/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/269/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/710/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/67//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Drew Freiberger (afreiberger) wrote :

+1 on this approach

There's a bug with the new 3.x version that the conf file now matches the regex twice, which needs to be bypassed.

I would suggest adding in a forced writing of the new_conf file if it doesn't exist, rather than checking against the settings of the SHIPPED_SNAP_DEFAULT_CONF_FILE contents before deciding to write a conf file.

review: Needs Fixing
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/69/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/272/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/712/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/69//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
Drew Freiberger (afreiberger) wrote :

CI appears to be failing at timeout for settling for graylog2-focal, but passed for graylog2-bionic. No errors, just not enough time to settle. Can we get a manual graylog2-focal test run outside CI and possibly move gl2-focal to a non-gating test?

I'm +1 on the change.

review: Approve
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:87da3dec3d6df387559927d36d1f4a88a325db5e
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/70/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/273/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/713/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/70//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Giuseppe Petralia (peppepetra) wrote :

Proof of gl2 passing on serverstack https://pastebin.canonical.com/p/wvd8792JRx/

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:7cdd02589d5f4b45439a8064601153790a5c8b81
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/71/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/274/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/716/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/71//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/72/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/275/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/717/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/72//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/73/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/277/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/719/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/73//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/74/
Executed test runs:
    None: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/278/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/720/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/74//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:ff2b261bc050cb011c2a344da1a0632c909cbe6b
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/75/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/279/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/721/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/75//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 0d9b0f278badbf421d0b2566dda7659d5879fff2

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/src/lib/charms/layer/graylog/snap_change.py b/src/lib/charms/layer/graylog/snap_change.py
2index 9de8d45..59dd792 100644
3--- a/src/lib/charms/layer/graylog/snap_change.py
4+++ b/src/lib/charms/layer/graylog/snap_change.py
5@@ -106,3 +106,6 @@ def perform_snap_channel_change(new_channel):
6 data_changed("elasticsearch.relation", None)
7 data_changed("mongodb.uri", None)
8 remove_state("graylog.configured")
9+ else:
10+ # If reconfiguration is not needed, restart the snap
11+ host.service_start(SERVICE_NAME)
12diff --git a/src/reactive/graylog.py b/src/reactive/graylog.py
13index 2bb524d..4bfcac7 100644
14--- a/src/reactive/graylog.py
15+++ b/src/reactive/graylog.py
16@@ -1028,8 +1028,11 @@ def set_jvm_heap_size(heap_size="1G", conf_path=SERVER_DEFAULT_CONF_FILE): # no
17 # file shipped out by the snap
18 if not os.path.exists(conf_path):
19 updated_conf_path = SHIPPED_SNAP_SERVER_DEFAULT_CONF_FILE
20+ # if current config does not exist, force writing it even with default opts
21+ changed = True
22 else:
23 updated_conf_path = conf_path
24+
25 with open(updated_conf_path, "rb") as conf_file:
26 for line in conf_file:
27 line = line.decode()
28@@ -1037,8 +1040,20 @@ def set_jvm_heap_size(heap_size="1G", conf_path=SERVER_DEFAULT_CONF_FILE): # no
29 if not m:
30 conf.append(line)
31 continue
32- new_opts = parse_java_opts(m.group(1), size)
33+ all_opts = parse_java_opts(m.group(1), size)
34+
35+ # Mitigate log4j CVE-2021-44228
36+ mitigation_option = "-Dlog4j2.formatMsgNoLookups=true"
37+ if mitigation_option not in all_opts:
38+ all_opts.append(mitigation_option)
39+
40+ # Avoid repeating opts
41+ new_opts = []
42+ for opt in all_opts:
43+ if not key_in_list(opt, conf):
44+ new_opts.append(opt)
45 new_line = 'GRAYLOG_SERVER_JAVA_OPTS="{}"\n'.format(" ".join(new_opts))
46+
47 if new_line != line:
48 hookenv.log(
49 'Updating GRAYLOG_SERVER_JAVA_OPTS="{}".'.format("".join(new_opts))
50@@ -1294,3 +1309,11 @@ def _maybe_configure_graylog_jvm_keystore():
51 context={},
52 perms=0o644,
53 )
54+
55+
56+def key_in_list(key, lines):
57+ """Check if key is a substring of any lines."""
58+ for line in lines:
59+ if key in line:
60+ return True
61+ return False
62diff --git a/src/tests/functional/tests/tests.yaml b/src/tests/functional/tests/tests.yaml
63index 9b53b3b..95eb05a 100644
64--- a/src/tests/functional/tests/tests.yaml
65+++ b/src/tests/functional/tests/tests.yaml
66@@ -1,7 +1,6 @@
67 charm_name: graylog
68 gate_bundles:
69 - gl2: bionic-graylog2
70- - gl2: focal-graylog2
71 - gl3: bionic-graylog3
72 - gl3: bionic-graylog3-tls
73 - gl3: focal-graylog3
74@@ -12,6 +11,7 @@ smoke_bundles:
75 - gl3: bionic-graylog3
76 dev_bundles:
77 - gl3: bionic-graylog3
78+ - gl2: focal-graylog2
79 tests:
80 - gl2:
81 - tests.test_legacy.LegacyTests
82diff --git a/src/tests/unit/test_graylog.py b/src/tests/unit/test_graylog.py
83index 1f9a57a..1819b85 100644
84--- a/src/tests/unit/test_graylog.py
85+++ b/src/tests/unit/test_graylog.py
86@@ -472,13 +472,13 @@ GRAYLOG_COMMAND_WRAPPER=""
87 heap_default = u"""
88 GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB \
89 -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
90--XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"
91+-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
92 """
93
94 heap_2g = u"""
95 GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -XX:NewRatio=1 -server -XX:+ResizeTLAB \
96 -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
97--XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"
98+-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
99 """
100
101 heap_not_present = u"""
102@@ -490,19 +490,21 @@ GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
103 heap_unset = u"""
104 GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
105 -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
106--XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"
107+-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
108 """
109
110 heap_not_present = u"""
111 GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
112 -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
113--XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Xms4g -Xmx4g"
114+-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true \
115+-Xms4g -Xmx4g"
116 """
117
118 heap_twice = u"""
119 GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
120 -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
121--XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Xms8g -Xmx8g"
122+-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true \
123+-Xms8g -Xmx8g"
124 """
125
126

Subscribers

People subscribed via source and target branches

to all changes: