Backport systemd-journal-remote fix PR #11953

Bug #1847527 reported by Tom Cameron
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openstack-ansible
New
Undecided
Unassigned
systemd
Fix Released
Unknown
systemd (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Invalid
Undecided
Unassigned
Disco
Fix Released
Medium
Dan Streetman
Eoan
Fix Released
Undecided
Unassigned

Bug Description

[impact]

upstream commit 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd broke remote journal upload, because it added a check to verify the Content-Length header, but the upload may use Transfer-Encoding of 'chunked' which does
not specify Content-Length.

[test case]

setup 2 systems, A and B. Install systemd-journal-remote on both.

On A:

$ sudo systemctl edit systemd-journal-remote.service

in the editor, add:

[Service]
ExecStart=
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/

Then enable/start the socket:

$ sudo systemctl enable systemd-journal-remote.socket
$ sudo systemctl start systemd-journal-remote.socket

Optionally, start the service and verify it is running (not required, since the socket will start the service):

$ sudo systemctl start systemd-journal-remote.service
$ sudo systemctl status systemd-journal-remote.service | grep Active
   Active: active (running) since Thu 2019-11-14 20:08:48 UTC; 7min ago

On B:

Edit the file /etc/systemd/journal-upload.conf:

[Upload]
URL=http://192.168.122.184:19532

Replacing the IP address with the actual ip addr of node A. Then enable/start the service:

$ sudo systemctl enable systemd-journal-upload.service
$ sudo systemctl start systemd-journal-upload.service

Check for failure:

ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:19:34 UTC. --
Nov 14 20:19:03 lp1847527-d systemd[1]: Started Journal Remote Upload Service.
Nov 14 20:19:03 lp1847527-d systemd-journal-upload[721]: Upload to http://192.168.122.184:19532/upload failed with code 411: gth Required
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Failed with result 'exit-code'.

[regression potential]

this limits the Transfer-Encoding to only be either unspecified, or 'chunked'. Any other value will fail. However, journal-upload.c does not ever use any other Transfer-Encoding than 'chunked', and this fix comes from upstream and has not changed since applied there.

Any regression would likely result in the failure to upload a remote journal.

[other info]

the commit that caused this is not included in Bionic, and the commit to fix this is already in Eoan; this is needed only in Disco.

original description:
--

I'm requesting that systemd 240 receive the fix in upstream PR 11953 found here https://github.com/systemd/systemd/pull/11953

This fixes remote journal shipping using systemd components. I believe only Disco (19.04) is impacted by this issue.

Tom Cameron (drdabbles)
summary: - Backport journal-remote fix PR #11953
+ Backport systemd-journal-remote fix PR #11953
Revision history for this message
Tom Cameron (drdabbles) wrote :

For those that may try to search for this bug in the future, the error I received was

Error 411: gth required

The issue is that libmicrohttpd exhibits a bug when Content-Length is omitted, even if Transfer-Encoding is set to "chunked". The HTTP/1.1 spec allows Content-Length to be omitted when the length is unknown as long as Transfer-Encoding: Chunked is specified. The proper behavior would be for journald to return an error to the client when it has received too much data.

Changed in systemd:
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Revision history for this message
Balint Reczey (rbalint) wrote :

This is fixed with v242, present in Eoan.

Changed in systemd (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Dan Streetman (ddstreet) wrote :

@drdabbles can you provide steps and/or conf files to reproduce this please

Revision history for this message
Tom Cameron (drdabbles) wrote :

@ddstreet any configuration that ships lots to a remote host will trigger this. The server always responds with the bug, so the configuration effectively doesn't matter. As long as one host is attempting to send journals to another in Disco, this bug will be triggered.

Examples configs:

###################
# Server 1 Config #
###################
$ cat /etc/systemd/system/systemd-journal-remote.service
[Unit]
Description=Journal Remote Sink Service
Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-journal-remote
WatchdogSec=3min

# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE=524288

[Install]
Also=systemd-journal-remote.socket

###################
# Server 2 Config #
###################
$ cat /etc/systemd/journal-upload.conf
[Upload]
URL=http://server1:19532

Dan Streetman (ddstreet)
description: updated
description: updated
Changed in systemd (Ubuntu Bionic):
status: New → Invalid
Changed in systemd (Ubuntu Disco):
status: New → In Progress
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Tom, or anyone else affected,

Accepted systemd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/240-6ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/240-6ubuntu5.8)

All autopkgtests for the newly accepted systemd (240-6ubuntu5.8) for disco have finished running.
The following regressions have been reported in tests triggered by the package:

prometheus-bind-exporter/unknown (armhf)
php7.2/7.2.24-0ubuntu0.19.04.1 (armhf)
gvfs/1.40.1-1ubuntu0.1 (ppc64el)
pdns-recursor/unknown (armhf)
webhook/unknown (armhf)
munin/2.0.47-1ubuntu3 (armhf, arm64)
systemd/240-6ubuntu5.8 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/disco/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Dan Streetman (ddstreet) wrote :

@drdabbles can you please verify the fix in systemd in proposed

Dan Streetman (ddstreet)
description: updated
Revision history for this message
Tom Cameron (drdabbles) wrote : Re: [Bug 1847527] Re: Backport systemd-journal-remote fix PR #11953

I'm currently traveling for work, but will verify the fix this evening
hopefully.

Thanks

On Thu, Nov 14, 2019, 10:41 Dan Streetman <email address hidden> wrote:

> @drdabbles can you please verify the fix in systemd in proposed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1847527
>
> Title:
> Backport systemd-journal-remote fix PR #11953
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openstack-ansible/+bug/1847527/+subscriptions
>

Revision history for this message
Dan Streetman (ddstreet) wrote :

with testcase setup from description, system A is -remote and system B is -d

ubuntu@lp1847527-remote:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:19:34 UTC. --
Nov 14 20:19:03 lp1847527-d systemd[1]: Started Journal Remote Upload Service.
Nov 14 20:19:03 lp1847527-d systemd-journal-upload[721]: Upload to http://192.168.122.184:19532/upload failed with code 411: gth Required
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 20:19:03 lp1847527-d systemd[1]: systemd-journal-upload.service: Failed with result 'exit-code'.

Fix must be applied to system A (where systemd-journal-remote.serivce is running):

ubuntu@lp1847527-remote:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.8 amd64 system and service manager
ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.7 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:34:28 UTC. --
Nov 14 20:33:33 lp1847527-d systemd[1]: Started Journal Remote Upload Service.

and upgrading system B, it still works correctly (as long as system A has been upgraded):

ubuntu@lp1847527-d:~$ dpkg -l systemd|grep ii
ii systemd 240-6ubuntu5.8 amd64 system and service manager
ubuntu@lp1847527-d:~$ journalctl -b -u systemd-journal-upload.service
-- Logs begin at Thu 2019-11-14 16:34:08 UTC, end at Thu 2019-11-14 20:38:38 UTC. --
Nov 14 20:38:35 lp1847527-d systemd[1]: Started Journal Remote Upload Service.

tags: added: verification-done verification-done-disco
removed: verification-needed verification-needed-disco
Revision history for this message
Dan Streetman (ddstreet) wrote :

> I'm currently traveling for work, but will verify the fix this evening
hopefully.

Thanks - I did a quick verification but it would be good if you could verify it works for you as well.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 240-6ubuntu5.8

---------------
systemd (240-6ubuntu5.8) disco; urgency=medium

  [ Victor Tapia ]
  * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch
    Fix regression introduced by
    resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when
    DNSSEC=yes (LP: #1796501)

  [ Dan Streetman ]
  * d/p/lp1840640-shared-seccomp-add-sync_file_range2.patch:
    allow sync_file_range2 in nspawn container (LP: #1840640)
  * d/p/lp1847527-journal-remote-do-not-request-Content-Length-if-Tran.patch:
    do not request Content-Length if Transfer-Encoding is chunked
    (LP: #1847527)
  * d/t/storage: fix flaky test
    (LP: #1847815)
  * d/p/lp1843381-dell_passthrough_skip_rename_retry.patch,
    debian/extra/rules/73-usb-net-by-mac.rules:
    fix rename delay for systems using "Dell MAC passthrough"
    (LP: #1843381)
  * d/p/lp1849733/0001-resolved-if-we-can-t-append-EDNS-OPT-RR-then-indicat.patch,
    d/p/lp1849733/0002-resolved-don-t-let-EDNS0-OPT-dgram-size-affect-TCP.patch:
    ignore EDNS0 payload limit when responding over TCP (LP: #1849733)
  * d/p/lp1849658-resolved-set-stream-type-during-DnsStream-creation.patch:
    - Fix bug in refcounting TCP stream types (LP: #1849658)
  * d/extra/dhclient-enter-resolved-hook:
    - only restart resolved if dhclient conf changed (LP: #1805183)

  [ Balint Reczey ]
  * d/p/test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch:
    fix test breakage due to running in nested lxd container
    (LP: #1845337)

 -- Dan Streetman <email address hidden> Fri, 04 Oct 2019 09:06:58 -0400

Changed in systemd (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.