Allow for journald logs filtering on a per-unit basis #24058
Conversation
Seems there's a few CI failures (I think when PCRE2 is missing?)
Did an initial pass, approach looks good but some comments.
Please add tests for this new feature
Somehow I forgot to post these comments when I wrote them the other day; I hope they still apply to the current version of the PR
Looks great, a few comments
Some more comments
This pull request introduces 1 alert when merging 1bf9ace into 5f4ccb0 - view on LGTM.com new alerts:
As far as I can tell this feature isn't compatible with log namespaces at this point.

systemd-run --property 'LogFilterRegex=GREP ME' bash -c 'echo GREP ME; echo TEST'
Running as unit: run-r323cc3e560cf41148bbcdc2fa9d23631.service
journalctl -u run-r323cc3e560cf41148bbcdc2fa9d23631.service
Jul 26 15:11:15 C systemd[1]: Started run-r323cc3e560cf41148bbcdc2fa9d23631.service.
Jul 26 15:11:15 C bash[201]: GREP ME
Jul 26 15:11:15 C systemd[1]: run-r323cc3e560cf41148bbcdc2fa9d23631.service: Deactivated successfully.

systemd-run --property 'LogFilterRegex=GREP ME' --property LogNamespace=wat bash -c 'echo GREP ME; echo TEST'
Running as unit: run-r135e7b4d02e74f41bc745ab4c81159c5.service
journalctl -u run-r135e7b4d02e74f41bc745ab4c81159c5.service --namespace wat
Jul 26 15:12:25 C bash[205]: GREP ME
Jul 26 15:12:25 C bash[205]: TEST

I think it should be documented as well (if it's intentional) and it would be great if it was possible to cover that with tests.
Also my fuzz targets didn't get far
Looking at #6432 (comment) it appears this PR doesn't cover use cases where as far as I understand the idea is not to keep sensitive data in journald but to be able to forward them via
Having finished reading that thread I wonder why this setting can't be used to filter out messages coming from
Some nits but LGTM
Please add assertions about each function argument.
Add function set_make_nulstr() to create a nulstr out of a set. It behaves the same way as strv_make_nulstr().
Define new unit parameter (LogFilterPatterns) to filter logs processed by journald. This option is used to store a regular expression which is carried from PID1 to systemd-journald through a cgroup xattrs: `user.journald_log_filter_patterns`.
Parse DBus structure sent by LogFilterPatterns to print it in systemctl show.
Use LogFilterPatterns from the unit's cgroup xattr in order to keep or discard log messages before writing them to the journal. When a log message is discarded, it won't be written to syslog, console... either. When a native, syslog, or standard output log message is received, systemd-journald will process it if it matches against at least one allowed pattern (if any) and none of the denied patterns (if any).
Add integration tests for journald's log filtering feature.
LGTM.
TEST-04-JOURNAL passed on the CentOS CIs, only the repart integration test failed because of a different issue unrelated to this PR
Sorry for the late review, but somehow I never actually sent these review points. They still apply on the merged version; any chance you can still adjust the implementation in a follow-up commit?
Done! #25954
Fix followup comments on PR #24058: - Use `mempcpy_safe()`. - Remove unused `pcre2_code` variable. - Use `static const` when relevant.
Implement mechanism to filter logs ingested by journald using regexes (#6432).

Implement two new keywords in unit files (in the [Service] section): LogIncludeRegex= and LogExcludeRegex=.

When journald processes logs on a unit with LogIncludeRegex defined, it will continue processing if the log message matches the regex, and discard it if it doesn't. The opposite behaviour is used for LogExcludeRegex. If none is defined, then all log messages are processed as usual. If both are defined, then the log message must match LogIncludeRegex but not LogExcludeRegex to be processed.

Both regexes are read from the unit file (or from D-Bus or systemctl set-property) and stored within the unit's cgroup xattr for journald to read.

Changes in this PR have been tested using mkosi qemu, sending logs to journald using logger, systemd-cat and StandardOutput=journal. This change is feature complete, I will add a last commit to update integration tests.

Based on #25394