Graylog Charm

Merge ~peppepetra/charm-graylog:lp-1954764 into charm-graylog:master

  1. Git
  2. lp:~peppepetra/charm-graylog
  3. lp-1954764
  4. Merge into master
Proposed by Giuseppe Petralia
Status: Merged
Approved by: James Troup
Approved revision: ff2b261bc050cb011c2a344da1a0632c909cbe6b
Merged at revision: 0d9b0f278badbf421d0b2566dda7659d5879fff2
Proposed branch: ~peppepetra/charm-graylog:lp-1954764
Merge into: charm-graylog:master
Diff against target: 124 lines (+35/-7)
4 files modified
src/lib/charms/layer/graylog/snap_change.py (+3/-0)
src/reactive/graylog.py (+24/-1)
src/tests/functional/tests/tests.yaml (+1/-1)
src/tests/unit/test_graylog.py (+7/-5)
Reviewer Review Type Date Requested Status
🤖 prod-jenkaas-bootstack (community) continuous-integration Needs Fixing
Drew Freiberger (community) Approve
BootStack Reviewers Pending
Review via email: mp+413151@code.launchpad.net

Commit message

Mitigate log4j CVE-2021-44228

To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:63fe5dff0c8efcdb6e4816916db684584ea08821
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/62/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/264/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/705/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/62//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:e3d94613fddcdde76d561bb8864b72066aab529b
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/63/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/265/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/706/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/63//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:b33915cf13b434603150a2a4dc3ba033d93430e0
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/64/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/266/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/707/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/64//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/65/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/267/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/708/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/65//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/66/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/268/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/709/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/66//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/67/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/269/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/710/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/67//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Drew Freiberger (afreiberger) wrote :

+1 on this approach

There's a bug with the new 3.x version that the conf file now matches the regex twice, which needs to be bypassed.

I would suggest adding in a forced writing of the new_conf file if it doesn't exist, rather than checking against the settings of the SHIPPED_SNAP_DEFAULT_CONF_FILE contents before deciding to write a conf file.

review: Needs Fixing
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:033234c8cbbbb413c40d31234ef085ae54746032
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/69/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/272/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/712/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/69//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
Drew Freiberger (afreiberger) wrote :

CI appears to be failing at timeout for settling for graylog2-focal, but passed for graylog2-bionic. No errors, just not enough time to settle. Can we get a manual graylog2-focal test run outside CI and possibly move gl2-focal to a non-gating test?

I'm +1 on the change.

review: Approve
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:87da3dec3d6df387559927d36d1f4a88a325db5e
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/70/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/273/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/713/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/70//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Giuseppe Petralia (peppepetra) wrote :

Proof of gl2 passing on serverstack https://pastebin.canonical.com/p/wvd8792JRx/

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:7cdd02589d5f4b45439a8064601153790a5c8b81
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/71/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/274/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/716/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/71//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/72/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/275/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/717/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/72//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/73/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/277/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/719/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/73//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:00909086e1943701c9aca18ffff5a9da09688231
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/74/
Executed test runs:
    None: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/278/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/720/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/74//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

FAILED: Continuous integration, rev:ff2b261bc050cb011c2a344da1a0632c909cbe6b
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/75/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/bootstack/job/lp-charm-test-functest/279/
    None: https://jenkins.canonical.com/bootstack/job/lp-update-mp/721/

Click here to trigger a rebuild:
https://jenkins.canonical.com/bootstack/job/lp-charm-graylog-ci/75//rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 0d9b0f278badbf421d0b2566dda7659d5879fff2

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/src/lib/charms/layer/graylog/snap_change.py b/src/lib/charms/layer/graylog/snap_change.py
index 9de8d45..59dd792 100644
--- a/src/lib/charms/layer/graylog/snap_change.py
+++ b/src/lib/charms/layer/graylog/snap_change.py
@@ -106,3 +106,6 @@ def perform_snap_channel_change(new_channel):
106 data_changed("elasticsearch.relation", None)106 data_changed("elasticsearch.relation", None)
107 data_changed("mongodb.uri", None)107 data_changed("mongodb.uri", None)
108 remove_state("graylog.configured")108 remove_state("graylog.configured")
109 else:
110 # If reconfiguration is not needed, restart the snap
111 host.service_start(SERVICE_NAME)
diff --git a/src/reactive/graylog.py b/src/reactive/graylog.py
index 2bb524d..4bfcac7 100644
--- a/src/reactive/graylog.py
+++ b/src/reactive/graylog.py
@@ -1028,8 +1028,11 @@ def set_jvm_heap_size(heap_size="1G", conf_path=SERVER_DEFAULT_CONF_FILE): # no
1028 # file shipped out by the snap1028 # file shipped out by the snap
1029 if not os.path.exists(conf_path):1029 if not os.path.exists(conf_path):
1030 updated_conf_path = SHIPPED_SNAP_SERVER_DEFAULT_CONF_FILE1030 updated_conf_path = SHIPPED_SNAP_SERVER_DEFAULT_CONF_FILE
1031 # if current config does not exist, force writing it even with default opts
1032 changed = True
1031 else:1033 else:
1032 updated_conf_path = conf_path1034 updated_conf_path = conf_path
1035
1033 with open(updated_conf_path, "rb") as conf_file:1036 with open(updated_conf_path, "rb") as conf_file:
1034 for line in conf_file:1037 for line in conf_file:
1035 line = line.decode()1038 line = line.decode()
@@ -1037,8 +1040,20 @@ def set_jvm_heap_size(heap_size="1G", conf_path=SERVER_DEFAULT_CONF_FILE): # no
1037 if not m:1040 if not m:
1038 conf.append(line)1041 conf.append(line)
1039 continue1042 continue
1040 new_opts = parse_java_opts(m.group(1), size)1043 all_opts = parse_java_opts(m.group(1), size)
1044
1045 # Mitigate log4j CVE-2021-44228
1046 mitigation_option = "-Dlog4j2.formatMsgNoLookups=true"
1047 if mitigation_option not in all_opts:
1048 all_opts.append(mitigation_option)
1049
1050 # Avoid repeating opts
1051 new_opts = []
1052 for opt in all_opts:
1053 if not key_in_list(opt, conf):
1054 new_opts.append(opt)
1041 new_line = 'GRAYLOG_SERVER_JAVA_OPTS="{}"\n'.format(" ".join(new_opts))1055 new_line = 'GRAYLOG_SERVER_JAVA_OPTS="{}"\n'.format(" ".join(new_opts))
1056
1042 if new_line != line:1057 if new_line != line:
1043 hookenv.log(1058 hookenv.log(
1044 'Updating GRAYLOG_SERVER_JAVA_OPTS="{}".'.format("".join(new_opts))1059 'Updating GRAYLOG_SERVER_JAVA_OPTS="{}".'.format("".join(new_opts))
@@ -1294,3 +1309,11 @@ def _maybe_configure_graylog_jvm_keystore():
1294 context={},1309 context={},
1295 perms=0o644,1310 perms=0o644,
1296 )1311 )
1312
1313
1314def key_in_list(key, lines):
1315 """Check if key is a substring of any lines."""
1316 for line in lines:
1317 if key in line:
1318 return True
1319 return False
diff --git a/src/tests/functional/tests/tests.yaml b/src/tests/functional/tests/tests.yaml
index 9b53b3b..95eb05a 100644
--- a/src/tests/functional/tests/tests.yaml
+++ b/src/tests/functional/tests/tests.yaml
@@ -1,7 +1,6 @@
1charm_name: graylog1charm_name: graylog
2gate_bundles:2gate_bundles:
3 - gl2: bionic-graylog23 - gl2: bionic-graylog2
4 - gl2: focal-graylog2
5 - gl3: bionic-graylog34 - gl3: bionic-graylog3
6 - gl3: bionic-graylog3-tls5 - gl3: bionic-graylog3-tls
7 - gl3: focal-graylog36 - gl3: focal-graylog3
@@ -12,6 +11,7 @@ smoke_bundles:
12 - gl3: bionic-graylog311 - gl3: bionic-graylog3
13dev_bundles:12dev_bundles:
14 - gl3: bionic-graylog313 - gl3: bionic-graylog3
14 - gl2: focal-graylog2
15tests:15tests:
16 - gl2:16 - gl2:
17 - tests.test_legacy.LegacyTests17 - tests.test_legacy.LegacyTests
diff --git a/src/tests/unit/test_graylog.py b/src/tests/unit/test_graylog.py
index 1f9a57a..1819b85 100644
--- a/src/tests/unit/test_graylog.py
+++ b/src/tests/unit/test_graylog.py
@@ -472,13 +472,13 @@ GRAYLOG_COMMAND_WRAPPER=""
472heap_default = u"""472heap_default = u"""
473GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB \473GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB \
474-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \474-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
475-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"475-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
476"""476"""
477477
478heap_2g = u"""478heap_2g = u"""
479GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -XX:NewRatio=1 -server -XX:+ResizeTLAB \479GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -XX:NewRatio=1 -server -XX:+ResizeTLAB \
480-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \480-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
481-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"481-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
482"""482"""
483483
484heap_not_present = u"""484heap_not_present = u"""
@@ -490,19 +490,21 @@ GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
490heap_unset = u"""490heap_unset = u"""
491GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \491GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
492-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \492-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
493-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"493-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true"
494"""494"""
495495
496heap_not_present = u"""496heap_not_present = u"""
497GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \497GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
498-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \498-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
499-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Xms4g -Xmx4g"499-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true \
500-Xms4g -Xmx4g"
500"""501"""
501502
502heap_twice = u"""503heap_twice = u"""
503GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \504GRAYLOG_SERVER_JAVA_OPTS="-XX:NewRatio=1 -server -XX:+ResizeTLAB \
504-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \505-XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled \
505-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Xms8g -Xmx8g"506-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j2.formatMsgNoLookups=true \
507-Xms8g -Xmx8g"
506"""508"""
507509
508510

Subscribers

People subscribed via source and target branches

to all changes: