Only start Journald input with supported systemd versions

[belimawr]

Proposed commit message

Systemd/Journald has a bug that will cause Filebeat to be killed by a SIGBUS when reading from rotated logs. This bug is fixed in Systemd v255.

This commit checks the Systemd version when a Journald input is instantiated, if it is not supported, then then the input creation fails. A warning was added to the documentation stating the minimal version of Systemd.

A Ubuntu 2204 Vagrant Box is added for testing.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Filebeat will refuse to start if a Journald input is configured and the host is running an unsupported version of Journald.

There should be no disruptions for the current users because the Journald input is still in technical preview.

Author's Checklist

• We can test the Journald input on CI
• Any problems with adding the fork system call?
• Do we want to use D-Bus?

How to test this PR locally

1. Start two VMs: Ubuntu 2204 and Archlinux

   vagrant up ubuntu2204
   vagrant up arch
   

2. SSH into the Archlinux VM and update the system to get the fixed version of Systemd and install other dependencies

   sudo pacman -Sy archlinux-keyring --noconfirm
   sudo pacman -Syu  --noconfirm
   sudo pacman -Sy base-devel --noconfirm
   sudo reboot
   # ssh into the VM again, install Go
   cd /tmp
   curl -L https://go.dev/dl/go`cat /vagrant/.go-version`.linux-amd64.tar.gz -o go.tar.gz
   sudo tar -C /usr/local -xzf ./go.tar.gz
   export PATH=$PATH:/usr/local/go/bin
   

3. Run the tests

    cd /vagrant
    go test -tags=withjournald,cgo,linux ./filebeat/input/journald/
   

4. Build Filebeat with Journald support (you can do this from within the VM):

   cd /vagrant/filebeat
   go build -tags="cgo,linux,withjournald" .
   

5. Run Filebeat in each VM: ./filebeat -e -v using the following filebeat.yml

   filebeat.yml

   filebeat.inputs:
     - type: journald
       id: journald-input
   
   output.file:
     path: ${path.home}
     filename: output
     codec.json:
       pretty: true

6. Assert that:

   • Filebeat starts and runs successfully in the Archlinux VM
   • Filebeat fails to start in the Ubuntu 2204 VM with the following error message:

     {"log.level":"error","@timestamp":"2024-05-16T19:28:17.850Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1345},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: systemd version must be >= 255. Systemd version: 249","service.name":"filebeat","ecs.version":"1.6.0"}
     Exiting: Failed to start crawler: starting input failed: error while initializing input: systemd version must be >= 255. Systemd version: 249
     

Related issues

• Closes [Filebeat] Journald causes Filebeat to crash #34077

## Use cases
## Screenshots

Logs

Filebeat will fail to start with:

{"log.level":"error","@timestamp":"2024-05-16T19:28:17.850Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1345},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: systemd version must be >= 255. Systemd version: 249","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: systemd version must be >= 255. Systemd version: 249

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @belimawr? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b journald-causes-filebeat-to-panic-34077 upstream/journald-causes-filebeat-to-panic-34077
git merge upstream/main
git push upstream journald-causes-filebeat-to-panic-34077

[belimawr]

I converted this PR to draft because we still need to decide how if we want to move forward with D-Bus and the best way to test it.

[belimawr]

The Systemd D-Bus documentation clearly states the version property should not be parsed because its scheme may change and it is not part of the API.

Version encodes the version string of the running systemd instance. Note that the version string is purely informational, it should not be parsed, one may not assume the version to be formatted in any particular way. We take the liberty to change the versioning scheme at any time and it is not part of the API.

However, it seems to be stable enough among the versions I manually tested:

• Archlinux
• Ubuntu 2204
• AmazonLinux2

So I believe it is safe to move forward using it.

It does add the D-Bus dependency to the Journald input, which I believe is not a problem to run the input, but we will need to make some changes in CI to run the tests.