systemd input plugin cannot read zstd compressed/hash collision hardened journal files in systemd >= 246 #2998
Comments
FWIW, our solution was to customize the docker file for 1.6.x, switching the builder from buster-slim to buster-backports, so that the container had systemd v247.x shared libraries inside of it instead of v241.x shared libraries.
@chadcatlett Do you mean bullseye-backports? As buster-backports still has v241-7.
@xcompass whoops, I forgot one detail. I made all calls to apt-get have edit: specifically apt-get install and I also added an apt-get dist-upgrade as well to make it ensure the update was installed.
Got it. Thanks!
FYI I've opened a PR about this #3177
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
remove stale
Bump to merge PR from yasn77
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
remove stale
Hello folks, reaching out to you from the Flatcar Container Linux maintainers team to get an update on this issue. We understand keyed hashes are a security / integrity feature in journald to mitigate a hash collision vulnerability of earlier versions. Currently, the only workaround available to Flatcar users to keep fluentd working is to switch off this feature, exposing their journals to potential manipulation, and making the journal less usable for e.g. auditing purposes. I noticed there's a PR open to fix the root cause, updating the systemd libraries in fluentd's docker image to a version which is capable of parsing the new journal. Also, this issue appears to be on the roadmap for the fluent bit 1.7 release. Is there anything we can help you with to get more traction with ingesting the fix into fluent bit?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
remove stale
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Remove kale
I've updated PR #3177. As pointed out by @t-lo, in its current state using docker images provided by fluentbit is problematic on systems with newer versions of systemd. This issue and PR have been open for some time. It would be really appreciated in getting some feedback. Even if my PR isn't accepted, I'd just be happy knowing that something is in the pipeline to fix this issue.
The ritual remove stale before it rears its ugly head.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the |
This issue was closed because it has been stalled for 5 days with no activity. |
Bug Report
Describe the bug
systemd 246 changed the default format of journal files:
See https://github.com/systemd/systemd/blob/v246/NEWS#L323-L331 and https://www.freedesktop.org/software/systemd/man/journald.conf.html.
The systemd input plugin is unable to read these files unless SYSTEMD_JOURNAL_KEYED_HASH=0 (to disable the hash table hardening) and Compress=false (to disable compression of large fields).
To Reproduce
SYSTEMD_JOURNAL_KEYED_HASH=0 and Compress=false
Expected behavior
The systemd input plugin should be able to parse any valid journal file format. Alternatively, the behavior and workaround should be documented in the input plugin's documentation.
Screenshots
Your Environment
Additional context
This was tricky to spot since Fluent Bit did not log any errors attempting to read the new files. The best way to detect this is to examine the input plugin metrics.
We're running an older version of Fluent Bit but the systemd input plugin hasn't changed significantly since that version.
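Added example, not part of the original issue or of Fluent Bit's code: since the plugin logs no error, this Python check reads the incompatible flags in a journal file's header to tell whether a reader linked against a pre-246 libsystemd can open it. The flag bit values follow systemd's journal file format definition; the function names, the assumed reader capabilities and the sample headers are constructed for illustration.

```python
import struct

SIGNATURE = b"LPKSHHRH"  # magic at offset 0 of every journal file

# Incompatible-flag bits from systemd's journal file format definition.
INCOMPATIBLE_FLAGS = {
    1 << 0: "COMPRESSED_XZ",
    1 << 1: "COMPRESSED_LZ4",
    1 << 2: "KEYED_HASH",
    1 << 3: "COMPRESSED_ZSTD",
    1 << 4: "COMPACT",
}
# Assumption: the reader is a pre-246 libsystemd built with XZ and LZ4 support.
PRE_246_SUPPORTED = (1 << 0) | (1 << 1)


def parse_incompatible_flags(header: bytes) -> int:
    """Return the le32 incompatible_flags field (offset 12) of a journal header."""
    if len(header) < 16:
        raise ValueError("truncated journal header")
    signature, _compatible, incompatible = struct.unpack_from("<8sII", header, 0)
    if signature != SIGNATURE:
        raise ValueError("not a journal file")
    return incompatible


def unreadable_features(header: bytes, supported: int = PRE_246_SUPPORTED) -> list[str]:
    """Name every incompatible flag the file sets that the reader lacks."""
    unknown = parse_incompatible_flags(header) & ~supported
    names = [name for bit, name in sorted(INCOMPATIBLE_FLAGS.items()) if unknown & bit]
    leftover = unknown & ~sum(INCOMPATIBLE_FLAGS)  # bits this script does not know
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def check_file(path: str) -> list[str]:
    """Read the first 16 bytes of a journal file on disk and report blockers."""
    with open(path, "rb") as fh:
        return unreadable_features(fh.read(16))


# Constructed sample headers (not taken from a real system).
OLD_STYLE = SIGNATURE + struct.pack("<II", 0, 1 << 1)               # LZ4 only
NEW_STYLE = SIGNATURE + struct.pack("<II", 0, (1 << 2) | (1 << 3))  # keyed hash + zstd

if __name__ == "__main__":
    print("old:", unreadable_features(OLD_STYLE))
    print("new:", unreadable_features(NEW_STYLE))
```

An empty list means the assumed reader should accept the file; any name returned is a feature that reader will refuse, which is worth alerting on alongside the input plugin metrics.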