Rietveld Code Review Tool

Issue 68930045: Implement rsyslog TLS support

Created:
10 years, 2 months ago by axw
Modified:
10 years, 2 months ago
Reviewers:
mp+208531, thumper
Visibility:
Public.

Description

Implement rsyslog TLS support

This changes the rsyslog configuration we generate to use TLS. We install the rsyslog-gnutls package and generate a new CA cert, server cert and key specifically for rsyslog.

This completely changes the way rsyslog configuration is managed. Now, instead of writing at bootstrap time and having an upgrade step, we have a worker that writes the syslog config whenever syslog parameters change. The state server will generate certificates and propagate the CA cert to other agents via environ config.

There are some other miscellaneous changes:
- we now use reliable forwarding, as otherwise the machine agent and unit agent will restart rsyslog while log messages are buffered causing message loss
- dedicated upgrades for rsyslog are redundant and removed. The new worker upgrades machine and unit agent rsyslog automatically.
- syslog-port can now be changed, and must be changed to work around the privilege drop race in rsyslog 5.x (this is the sole motivation)
- the local provider symlinks machine-0.log into /var/log/juju$namespace so that we do not need any configuration other than the existing namespace to determine log location

Fixes lp:1281071
Fixes lp:1284020

https://code.launchpad.net/~axwalk/juju-core/lp1281071-rsyslog-worker-tls/+merge/208531

Requires: https://code.launchpad.net/~axwalk/juju-core/remove-syslog-cloudinit-config/+merge/208278

(do not edit description out of merge proposal)
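The certificate layout the description outlines (a CA created only for rsyslog, a server certificate signed by it, and agents that are handed nothing but the CA cert) is sketched below as an added Go example; it is not code from this merge proposal. The names `Issue` and `Verify`, the host name, the Ed25519 key type and the serial scheme are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a key pair and certificate for cn (hypothetical helper). With a nil
// parent it returns a self-signed CA; otherwise a server certificate for host cn
// signed by parent. Ed25519 and the time-based serial are choices made for brevity.
func Issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0)}
	if parent == nil { // CA: may sign certificates and nothing else
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	} else { // leaf: usable only as a TLS server for this host name
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify is the forwarding side's check: the only trust root is the propagated CA cert.
func Verify(ca, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey, _ := Issue("constructed-rsyslog-ca", nil, nil)
	srv, _, _ := Issue("logs.example.test", ca, caKey)
	fmt.Println("server cert chains to log CA:", Verify(ca, srv, "logs.example.test") == nil)
}
```

Because the trust pool holds only the dedicated CA, a certificate issued by any other CA, or presented for a different host name, fails verification.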

Patch Set 1 #

Patch Set 2 : Implement rsyslog TLS support #

Total comments: 6
Stats: +1010 lines, -32 lines
A [revision details]: 1 chunk, +2 lines, -0 lines, 0 comments
M cmd/jujud/agent.go: 2 chunks, +18 lines, -0 lines, 0 comments
M cmd/jujud/machine.go: 3 chunks, +12 lines, -0 lines, 0 comments
M cmd/jujud/machine_test.go: 3 chunks, +27 lines, -0 lines, 0 comments
M cmd/jujud/unit.go: 2 chunks, +4 lines, -0 lines, 1 comment
M cmd/jujud/unit_test.go: 2 chunks, +22 lines, -0 lines, 0 comments
M environs/cloudinit/cloudinit.go: 1 chunk, +1 line, -0 lines, 0 comments
M environs/config/config.go: 4 chunks, +14 lines, -2 lines, 0 comments
M log/syslog/config.go: 7 chunks, +73 lines, -19 lines, 2 comments
M log/syslog/config_test.go: 1 chunk, +1 line, -0 lines, 0 comments
M log/syslog/testing/syslogconf.go: 3 chunks, +21 lines, -4 lines, 1 comment
M provider/local/config.go: 1 chunk, +0 lines, -1 line, 0 comments
M provider/local/environ.go: 2 chunks, +9 lines, -5 lines, 0 comments
M state/api/params/params.go: 1 chunk, +5 lines, -0 lines, 0 comments
A state/api/rsyslog/package_test.go: 1 chunk, +14 lines, -0 lines, 0 comments
A state/api/rsyslog/rsyslog.go: 1 chunk, +44 lines, -0 lines, 0 comments
A state/api/rsyslog/rsyslog_test.go: 1 chunk, +35 lines, -0 lines, 0 comments
M state/api/state.go: 2 chunks, +6 lines, -0 lines, 0 comments
M state/apiserver/root.go: 2 chunks, +12 lines, -0 lines, 0 comments
A state/apiserver/rsyslog/package_test.go: 1 chunk, +14 lines, -0 lines, 0 comments
A state/apiserver/rsyslog/rsyslog.go: 1 chunk, +56 lines, -0 lines, 0 comments
A state/apiserver/rsyslog/rsyslog_test.go: 1 chunk, +82 lines, -0 lines, 0 comments
A upgrades/rsysloggnutls.go: 1 chunk, +14 lines, -0 lines, 0 comments
M upgrades/steps118.go: 1 chunk, +5 lines, -0 lines, 0 comments
M upgrades/steps118_test.go: 1 chunk, +2 lines, -1 line, 0 comments
A worker/rsyslog/export_test.go: 1 chunk, +12 lines, -0 lines, 0 comments
A worker/rsyslog/rsyslog_test.go: 1 chunk, +248 lines, -0 lines, 0 comments
A worker/rsyslog/worker.go: 1 chunk, +257 lines, -0 lines, 2 comments

Messages

Total messages: 4
axw
Please take a look.
10 years, 2 months ago (2014-02-27 05:39:18 UTC) #1
axw
Please take a look.
10 years, 2 months ago (2014-02-27 05:50:02 UTC) #2
thumper
LGTM Initially thought this would clash with Ian's work, but appears not. https://codereview.appspot.com/68930045/diff/20001/cmd/jujud/unit.go File cmd/jujud/unit.go ...
10 years, 2 months ago (2014-02-27 06:22:38 UTC) #3
axw
10 years, 2 months ago (2014-02-27 07:02:49 UTC) #4
https://codereview.appspot.com/68930045/diff/20001/log/syslog/config.go
File log/syslog/config.go (right):

https://codereview.appspot.com/68930045/diff/20001/log/syslog/config.go#newco...
log/syslog/config.go:57: $DefaultNetstreamDriverCAFile {{tlsCACertPath}}
On 2014/02/27 06:22:38, thumper wrote:
> I know all this is going to conflict with Ian's branch when he changes the
> behaviour to use a struct.

Nah, Ian's stuff just changed the tests. We should probably do the same thing
here, but really it's not that important.

https://codereview.appspot.com/68930045/diff/20001/worker/rsyslog/worker.go
File worker/rsyslog/worker.go (right):

https://codereview.appspot.com/68930045/diff/20001/worker/rsyslog/worker.go#n...
worker/rsyslog/worker.go:175: var lookupUser = func(username string) (uid, gid int, err error) {
On 2014/02/27 06:22:38, thumper wrote:
> useful elsewhere?

I'd rather not institutionalise it, because this will only work on *Nix (other
OSes, such as Windows, may have non-integer Uid/Gid). I'll keep an eye out for
people doing the same thing.